req: provide deb repository

[tokred]

What would you like to be added

It would be amazing if the releases of both step-cli and step-ca would be published in a Debian/Ubuntu repository. Not in the "official" Debian/Ubuntu repos but in a separate "Smallstep repo" which could be added in one's sources.list.

Many OSS projects do this for good reasons, and considering .deb files are already created as part of Smallstep's build process, covering this would require only minimal effort (i.e. automatically signing the .deb's, generating the meta data and putting into the right folder structure). Traffic does not seem a concern, considering the existing release downloads are self-hosted on dl.step.sm already.

Why this is needed

Operationality: This would allow to use standard APT package managers, especially package manager-facilitated installs and updates!

The current release model with publishing .deb files as releases on GitHub is understandable but completely negates well-established, package manager-based software handling and maintenance. It is quite hard to distribute and maintain software updates with those "static" .deb's to multiple machines (and requires manual checking if updates are available!), compared to being able to simply add a "Smallstep repo" to sources.list and letting APT do its magic via apt upgrade (or even unattended-upgrades).

Maybe a service like Cloudsmith could be used? No affiliation, just saw it being used by e.g. ISC

Regards

[sylr]

step-ssh as well.

[spyesx]

While I would prefer official repositories for stability purposes, I still agree with the idea of using the standard APT manager.

Would be good to support ARM deb as well :) For Raspberry Pi <3

[NickBouwhuis]

I second this. Would make deployment a lot easier, as well as the update process.

Hosting a repository should not be too much work. There is already a process in place for building deb files.

You could use open-source software like Nexus Repo Manager to host an apt/dnf repository.

[hax0rbana-adam]

Seeing as how this has been open since March and hasn't even been triaged yet, I don't have any hope of the maintainers taking this on, so I decided to add this to my own personal repo. If others want to use it, go for it.

Challenges

Challenges with SmallStep's current release process include:

• No directory listings on the URLs listed in the Debian installation instructions
• No indication what version of step-ssh is being installed in the installation instructions
• There doesn't appear to be a github repo for step-ssh
• There's no ARM releases for step-cli (sorry @spyesx and others who use ARM computers)
• The latest version of step-ca and step-cli is 0.23.0, but the latest step-ssh release is only 0.21.0-1

These challenges are trivial to overcome manually, but rather annoying to overcome when trying to automate this. I hope they step up their automation game and fix these things in the future.

Sources

Because there's not GitHub repos for all the projects we want, and there are so many repos for things that do not belong in an apt repo, it's only proper to document where the things in my repo came from.

• https://github.com/smallstep/cli/releases/
• https://github.com/smallstep/certificates/releases/
• https://dl.step.sm/s3/ssh/docs-ssh-host-step-by-step/step-ssh_latest_amd64.deb
  • Downloaded, installed, and then renamed to step-ssh_0.21.0-1_amd64.deb

Adding my repo

There are a number of ways to add a 3rd party repo, but here's one that should be compatible with both old and new Debian systems.

echo 'deb https://repo.hax0rbana.org/debs /' > /etc/apt/sources.list.d/hax0rbana.list
wget -qO - https://repo.hax0rbana.org/debs/KEY.gpg | apt-key add -
apt update
apt install -y step-ca step-cli step-ssh

Or, if you use Ansible, below is a playbook that will add the repo, install step-cli and step-ssh everywhere, and install step-ca if the host is in a group called ca.

# Installs step-cli and step-ssh from a third party repo
#       
- hosts: all
  remote_user: root
  tasks:
    - name: Add the signing key for the apt repo
      ansible.builtin.apt_key:
        url: https://repo.hax0rbana.org/debs/KEY.gpg
    - name: Add repository into sources list
      ansible.builtin.apt_repository:
        repo: deb https://repo.hax0rbana.org/debs /
    - name: Installing step-cli and step-ssh
      ansible.builtin.package:
        update_cache: true
        name:
          - step-cli
          - step-ssh
    - name: Installing step-ca
      ansible.builtin.package:
        name: step-ca
      when: "'ca' in group_names"

[jdoss]

Hey @hax0rbana-adam I am sorry for the lack of response here and thanks for taking a crack at getting something going that will fit your needs. The issue is actually assigned to me and I have been actively working on our packaging and repository support for RPM and Debs the past few weeks in my spare time. We should have RPM repos and Apt repos in the future. I should of kept this issue up to date with what is happening behind the scenes. My bad on that.

The reason why things have taken longer on this request is due to us refactoring how we are doing packaging internally which we will roll out for the step-cli and step-ca projects once that automation is sorted out.

[hax0rbana-adam]

Is there any task I can pick up to help with the packaging or automation.

Nobody wants .rpm building to be assigned to me, but I've done quite a bit with building and hosting .deb packages and would be glad to help there. Or if there is any work to be done with automation, signing, or CI/CD pipelines, just let me know.

Hope I didn't offend with my comments. I just figured this wasn't a priority for the organization, but I'm glad to hear it's on the radar.

[tokred]

@jdoss, wanted to kindly ask for an update as I just noticed this issue has its 1 year anniversary 😜

Regards

[jdoss]

Heyyyy @tokred 😅 I'm sorry this is taking longer than expected. I have the RPM builds done for some of our other packages and as soon as I have that sorted out and DNF/YUM repos made, I will turn my focus onto doing the same for Debs.

[hax0rbana-adam]

Is the step-ssh package open source?

I can't find a git repo for it anywhere under https://github.com/smallstep and the installation instructions just have users download a compiled version from an AWS host.

I see that the .deb file is still getting updated, as what's there now is 0.22.1-1 instead of 0.21.0-1, despite being the same filename for both versions. In order to determine what version we're getting before it is installed, users have to run dpkg -I ./step-ssh_latest_amd64.deb to see the version.

On a related note, I've also updated my repos to contain the newest versions of all three packages.

[dopey]

Hey @hax0rbana-adam 👋. Thestep-ssh binary is not open source. It's publicly available, but it's part of our commercial product and connects to our hosted platform in order to function. Without an account and SSH Product on our hosted platform step-ssh won't be usable.

If you're looking to set up SSO for SSH using our open source check out this blog post - https://smallstep.com/blog/diy-single-sign-on-for-ssh/. This won't have the automation and observability of the commercial product, but it's a good example for the workflows you could expect.

If you're interested in trying out our SSO for SSH product - check out our products page here (https://smallstep.com/sso-ssh/) and get in touch through the site.

[killermoehre]

You know, you could use https://build.opensuse.org to build and publish for Debian and Ubuntu.

[duplexsystem]

@jdoss any updates on this? My project relies on everything being in a deb repo to be able to auto update. Thanks!