Gitea is awesome for self-hosting git repos. One of the neat features it has is package repository hosting, including for debian (their docs on this in general). For debian stable/bookworm/12, this works seamlessly at least in my experience.
Things get a bit hairier once you start using testing (trixie/13 at present). The root problem is that the go pgp library used produces signatures that the new apt tooling in 13 does not like, specifically with regard to signature verification. See here for an example bug report / fix. “apt update” from a testing machine will fail with ugly mumbling along the lines of “OpenPGP signature verification failed, sub-process sqv returned an error code (god hates you, everything is ruined forever), error message is demonic howling, signing key unknown, E_FUCKED, no binding signature on this shit, boss!”. (God help you if google search lands you here on those keywords.) Gitea 1.24 contains newer dependencies that should fix this. BUT! The debian package repository signing key material has to be regenerated. And that is where the fun starts, as there’s no way to do this via web ui or cli as far as I can tell.
This process seems to do the right things, but it is admittedly a big hassle:
- upgrade to 1.24.latest if not already done
- delete all package versions/files through web ui. there should be no debian repo listed in the packages page
- open up your database and delete the debian.private.key and debian.public.key rows for your user in the user_settings table (whether sqlite, postgres, whatever)
- (I also got paranoid here and went on a cleaning sweep for all things “debian” in the package* tables as there were remnants despite there being no visible listing for a debian package repo after the delete package step above. I have not verified if this step is required, but it doesn’t seem to hurt per se.)
- this part is important: restart the gitea service
- re-upload your package file(s). you should notice the upload take a hair longer, as it’s regenerating the repository.key et al.
- to verify, run curl https://your-gitea-host:3000/api/packages/yourusername/debian/repository.key -o test, then gpg --show-keys test. the dates shown should be the current day if everything worked.
- you’ll have to re-download the repository.key into /etc/apt/keyrings/gitea-yourusername.asc (or wherever you put it, and matching the signed-by bit in the list file establishing gitea as a repo debian can draw from)
- apt update / upgrade should now work
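
A scripted version of the verify and re-download steps above, as an added example that is not from Gitea or the original write-up: it compares the primary-key fingerprint and creation time in two `gpg --show-keys --with-colons` listings, so you can confirm the key really changed before replacing the file apt trusts. The function names and the sample listings are made up for illustration.

```sh
#!/bin/sh
# Added example. Input is the text printed by: gpg --show-keys --with-colons FILE
# GnuPG colon format: "pub" field 6 = creation time (epoch seconds),
# first "fpr" field 10 = fingerprint of the primary key.

# Print "<fingerprint> <created-epoch>" for the first primary key in a listing.
primary_key_info() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" && created == "" { created = $6 }
        $1 == "fpr" && fpr == ""     { fpr = $10 }
        END { if (fpr == "" || created == "") exit 1; print fpr, created }'
}

# Succeed only if the new listing's primary key differs from the old one and
# was created at or after not_before (epoch seconds, e.g. the service restart).
# Returns 2 if either listing contains no key at all.
key_was_regenerated() {
    old=$(primary_key_info "$1") || return 2
    new=$(primary_key_info "$2") || return 2
    [ "${old%% *}" != "${new%% *}" ] && [ "${new##* }" -ge "$3" ]
}

# Constructed sample listings (placeholder fingerprints, not real keys).
OLD_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1700000000::0000000000000000000000000000000000000000::constructed old key::::::::::0:'
NEW_LISTING='pub:-:4096:1:BBBBBBBBBBBBBBBB:1750000000:::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:-::::1750000000::0000000000000000000000000000000000000000::constructed new key::::::::::0:'

# Real use, with the file names from the steps above:
#   old=$(gpg --show-keys --with-colons /etc/apt/keyrings/gitea-yourusername.asc)
#   new=$(gpg --show-keys --with-colons test)
#   key_was_regenerated "$old" "$new" "$(date -d 'today 00:00' +%s)"
if key_was_regenerated "$OLD_LISTING" "$NEW_LISTING" 1749945600; then
    echo "new signing key: $(primary_key_info "$NEW_LISTING")"
else
    echo "key unchanged or older than the cutoff; do not replace the keyring file" >&2
fi
```

If the check fails after the restart and re-upload, the served repository.key is still the old one, and copying it into /etc/apt/keyrings will not change what apt sees.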