diff options
Diffstat (limited to 'doc/examples')
-rw-r--r-- | doc/examples/apt-https-method-example.conf | 21 | ||||
-rw-r--r-- | doc/examples/configure-index | 20 |
2 files changed, 35 insertions, 6 deletions
diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf index 0067171bd..cc7889044 100644 --- a/doc/examples/apt-https-method-example.conf +++ b/doc/examples/apt-https-method-example.conf @@ -36,6 +36,8 @@ to access its content. - The certificate presented by both server have (as expected) a CN that matches their respective DNS names. + - We have CRL available for both dom1.tld and dom2.tld PKI, and intend + to use them. - It somtimes happens that we had other more generic https available repository to our list. We want the checks to be performed against a common list of anchors (like the one provided by ca-certificates @@ -56,10 +58,13 @@ Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem"; // Use a specific anchor and associated CRL. Enforce issuer of // server certificate using its cert. Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem"; +Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem"; +Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem"; // Like previous for anchor and CRL, but also provide our // certificate and keys for client authentication. Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem"; +Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem"; Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem"; Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; @@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; used for the https entries in the sources.list file that use that repository (with the same name). + Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem"; + + Like previous knob but for passing the list of CRL files (in PEM + format) to be used to verify revocation status. Again, if the + option is defined with no specific mirror (probably makes little + sense), this CRL information is used for all defined https entries + in sources.list file. In a mirror specific context, it only applies + to that mirror. + + Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem"; + + Allows to constrain the issuer of the server certificate (for all + https mirrors or a specific one) to a specific issuer. If the + server certificate has not been issued by this certificate, + connection fails. + Acquire::https[::repo.domain.tld]::Verify-Peer "true"; When authenticating the server, if the certificate verification fails diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 93f28ce74..1dd11a5b4 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -90,11 +90,6 @@ APT TrustCDROM "false"; // consider the CDROM always trusted }; - GPGV - { - TrustedKeyring "/etc/apt/trusted.gpg"; - }; - // Some general options Ignore-Hold "false"; Clean-Installed "true"; @@ -179,7 +174,10 @@ Acquire Source-Symlinks "true"; PDiffs "true"; // try to get the IndexFile diffs - + PDiffs::FileLimit "4"; // don't use diffs if we would need more than 4 diffs + PDiffs::SizeLimit "50"; // don't use diffs if size of all patches excess + // 50% of the size of the original file + // HTTP method configuration http { @@ -327,6 +325,8 @@ Dir "/" SourceParts "sources.list.d"; VendorList "vendors.list"; VendorParts "vendors.list.d"; + Trusted "trusted.gpg"; + TrustedParts "trusted.gpg.d"; }; // Locations of binaries @@ -353,6 +353,13 @@ Dir "/" // Media AutoDetect mount path MountPath "/media/apt"; }; + + // Media + Media + { + // Media AutoDetect mount path + MountPath "/media/apt"; + }; }; // Things that effect the APT dselect method @@ -410,6 +417,7 @@ Debug pkgProblemResolver::ShowScores "false"; pkgDepCache::AutoInstall "false"; // what packages apt install to satify dependencies pkgDepCache::Marker "false"; + pkgCacheGen "false"; pkgAcquire "false"; pkgAcquire::Worker "false"; pkgAcquire::Auth "false"; |