[RESOLVED] Secure Central Repository

Questions about WAPT Server / Requests and help related to the WAPT server
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Locked
nicolas.pissard
Messages: 5
Registration: Nov 18, 2022 - 1:53 p.m.

March 10, 2023 - 1:40 PM

Good morning,

I want to set up a private central repository without installing wapt but secured via password.

I installed and configured a central repository server in Debian 11 and configured Nginx with https and password-protected Wapt folder access (.htpasswd) so without installing Wapt Server.

I can securely upload my packages to the /var/www/wapt folder created on this server using SFTP.

All I need to do now is get the Packages file which lists the packages in this folder.

Previously, there was a tis-waptrepo package which provided the scripts needed to create the Packages file for listing in the wapt console (wapt-scanpackages and wapt-signpackages)

However, I cannot find the tis-waptrepo package for version 1.8. The latest available version is 1.2. (on Git)

To move forward with my project, I tested by copying the complete "/opt/wapt" folder from a working Wapt 1.8.2 Community server to my central repository server.

Then, on my central repository, I created a small bash script that reproduces this:

Code: Select all

#!/bin/bash
chown -R wapt:www-data /var/www/wapt

PYTHONPATH=/opt/wapt PYTHONHOME=/opt/wapt python /opt/wapt/wapt-signpackages.py -s --message-digest=sha256,sha1 -c /tmp/cert.crt /var/www/wapt/*.wapt

PYTHONHOME=/opt/wapt PYTHONPATH=/opt/wapt /opt/wapt/bin/python /opt/wapt/wapt-scanpackages.py -r -f -ldebug /var/www/wapt
Everything works rather well, the debug does not display any errors, renaming the .wapt files correctly by adding the MD5, and generating the Packages file.

From the wapt console of another site, I can add my secure URL and I do have my list of packages from this console.


However, when I try to download the package, I consistently get the following message:

"Download cancelled. The downloaded file xxxxx... is corrupted; the MD5 checksum does not match."

However, when you look at the file name, the contents of Packages, the MD5 sum is indeed the same...


I don't understand where the MD5 comparison error could be coming from...

Thank you for your help.

Sincerely
High
User avatar
dcardon
WAPT Expert
Messages: 1930
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire
Contact :
Contact dcardon

March 10, 2023 - 4:50 PM

Hello Nicolas,

please refer to the forum rules. Topics about WAPT 1.8.2 are only accepted for upgrade issues to version 2.x. Sorry.

WAPT version 1.8.2 is no longer maintained by Tranquil IT, and to our knowledge, there is no fork maintained by anyone else. There are several security vulnerabilities in the pip libraries included in version 1.8.2 [1], and it should at least be rebuilt with the pip updates and the Python 2.7 version from python.org should be replaced with the Python version from Active State, which is still maintained.

If you want to maintain version 1.8.2, you can create a fork on GitHub, and we can add a link to your fork in the documentation.

Best regards,

Denis

[1] See https://www.wapt.fr/en/doc-1.8/index.html
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
High
Locked

Return to "WAPT Server"


  • To go further with WAPT