Setting up your own Package Server
The following steps can be carried out locally on a TwinCAT/BSD system.
1. Creating a key for RSA encryption
First, an RSA key pair must be created. An RSA key pair consists of a private and a public key. The private RSA key is used to generate digital signatures and the public RSA key is used to verify digital signatures.
Create a private RSA key. You can choose an RSA key size of 2048 or 4096 bits:
openssl genrsa -out myRSAprivate.key 2048
Create the matching public RSA key:
openssl rsa -in myRSAprivate.key -out myRSApublic.key -pubout
Restrict access to the private key so that only root can read it (or store the private key in a different, protected location):
chmod 0400 myRSAprivate.key
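The following shell script is an added example and is not part of the Beckhoff documentation. It carries out step 1 with the file names used on this page and then checks what the page relies on afterwards: that the public key really belongs to the private key, that the private key is readable only by its owner, and that a signature made with the private key verifies with the public key (and fails once the signed file changes). It assumes openssl is installed; the function names make_signing_key and verify_signature and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Beckhoff page): create and verify the RSA signing key pair.
# Assumes: openssl is available; key file names follow the page (myRSAprivate.key/myRSApublic.key).
set -eu

# verify_signature PUBKEY SIGFILE FILE
# Returns 0 only if SIGFILE is a valid signature of FILE under PUBKEY.
verify_signature() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# make_signing_key DIR [BITS]
# Writes DIR/myRSAprivate.key and DIR/myRSApublic.key, restricts the private key
# to mode 0400 and runs three checks. Returns 0 only when all checks pass.
make_signing_key() {
    dir=$1
    bits=${2:-2048}
    priv="$dir/myRSAprivate.key"
    pub="$dir/myRSApublic.key"

    case "$bits" in
        2048|4096) ;;
        *) echo "key size must be 2048 or 4096 bits" >&2; return 1 ;;
    esac

    # Step 1 of the page: private key first, then the public key derived from it.
    # umask 077 keeps the key file owner-only from the moment it is created.
    (umask 077 && openssl genrsa -out "$priv" "$bits" 2>/dev/null)
    openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null
    chmod 0400 "$priv"

    # Check 1: the public key file matches the private key (compare DER encodings).
    a=$(openssl rsa -in "$priv" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    b=$(openssl rsa -pubin -in "$pub" -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$a" = "$b" ] || { echo "public key does not match private key" >&2; return 1; }

    # Check 2: the private key is readable only by its owner (ls mode string -r--------).
    mode=$(ls -l "$priv" | cut -c1-10)
    [ "$mode" = "-r--------" ] || { echo "private key mode is $mode, expected -r--------" >&2; return 1; }

    # Check 3: sign a constructed sample file and verify it with the public key,
    # which is what pkg does with the repository metadata on the target computer.
    printf 'constructed sample payload\n' > "$dir/sample.txt"
    openssl dgst -sha256 -sign "$priv" -out "$dir/sample.sig" "$dir/sample.txt"
    verify_signature "$pub" "$dir/sample.sig" "$dir/sample.txt" \
        || { echo "signature round trip failed" >&2; return 1; }

    echo "key pair in $dir verified"
}

# Run the demo only when invoked as: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_signing_key "$tmp" 4096 && echo "keys written to $tmp"
fi
```

The mode check uses the first ten characters of `ls -l`, which is portable between TwinCAT/BSD and Linux; the DER comparison catches the common mistake of copying a stale public key to the target computers after the private key has been regenerated.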
2. Fetching packages from the Beckhoff Package Server
In this step, either all packages can be fetched from the Beckhoff Package Server or only the packages that are installed on the system.
Fetch all packages from the server:
doas pkg fetch --yes --output /var/db/myRepository --all
Only fetch the packages installed on this system:
doas sh -c "pkg info | awk '{print \$1}' | xargs -I {} pkg fetch --yes --output /var/db/myRepository {}"
3. Modifying and creating the repository
The downloaded packages can be enriched with user-defined packages to create your own repository.
Move user-defined packages into the repository:
mv my-package /var/db/myRepository/All/
Create the repository and sign it with the previously created private key:
doas pkg repo /var/db/myRepository/ myRSAprivate.key
4. Moving the repository directory to the web server
If you want to use HTTPS, you need a web server with a valid certificate (e.g. obtained via Let's Encrypt). Alternatively you can use HTTP, since the packages are already signed.
HTTPS
If you use your own certificate authority (CA), add the certificate of your CA to the certificate list /usr/local/etc/ssl/cert.pem.
When using the nginx server supplied with TwinCAT/BSD, add the following lines further down in the file /usr/local/etc/nginx/IPCDiagnostics.conf, inside the "server {" block:
    location /pkg {
        alias /var/db/myRepository/;
        autoindex on;
    }
The web server must then be restarted with doas service nginx restart for the configuration to become active. The other pages served by this web server are configured in the same file.
HTTP
If you only want to make the repository available via HTTP, allow the web server to listen on port 80 and open the port in the firewall at /etc/pf.conf. Add the following lines to the file pf.conf:
# allow port 80 for pkg repository
pass in quick proto tcp to port 80
Add the following lines at the end of the file /usr/local/etc/nginx/IPCDiagnostics.conf, inside the "http {" block:
    server {
        listen 80;
        location /pkg {
            alias /var/db/myRepository/;
            autoindex on;
        }
    }
The web server must then be restarted with doas service nginx restart for the configuration to become active. Make sure that this entry is still enclosed by the outermost bracket of the http block. With this entry, all services preconfigured by Beckhoff remain reachable only via HTTPS; only your own repository is additionally reachable via HTTP as an exception.
5. Distributing the public key to the target computer
Copy the public key myRSApublic.key to the target computer using scp, for example into the directory /usr/share/keys.
6. Using the repository on target computers
The user-defined repository on the internal web server can now be entered as a package source on the target computers and enabled. TCBSD.conf is the standard Beckhoff repository configuration and is located in the directory /etc/pkg. The file contains the following entries:
    TCBSD: {
        url: https://tcbsd.beckhoff.com/TCBSD/14/stable/packages
        enabled: true,
        signature_type: "fingerprints",
        fingerprints: "/usr/share/keys/bhf-pkg"
    }
In the first step, copy the file TCBSD.conf and rename the copy, for example to TCBSD_original, so that all changes can be undone quickly and the standard Beckhoff repository can be used again. This step is not mandatory and is only a safety measure.
In the next step, adjust the file TCBSD.conf in /etc/pkg so that the target computers access your own web server from now on:
    TCBSD: {
        url: "http://my-webserver/pkg",
        enabled: true,
        signature_type: "pubkey",
        pubkey: "/usr/share/keys/myRSApublic.key"
    }
Note the last line: it contains the path on the target computer of the public key that you copied there in step 5. Adjust the path if you are using a different storage location.
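As an added example (not code from the Beckhoff documentation), the following shell functions check a repository configuration file such as the adjusted /etc/pkg/TCBSD.conf before it is put into use on a target computer: the url must be http or https, the repository must be enabled, signature_type must be "pubkey" or "fingerprints", and the referenced public key must exist and parse as a PEM public key (for "fingerprints", the referenced directory must contain a trusted subdirectory, which is how pkg lays out a fingerprint directory). A configuration without signature_type is rejected, because it would install unsigned packages. The helper names conf_value and check_repo_conf are constructed for this example; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the Beckhoff page): validate a pkg repository
# configuration file before enabling it on a target computer.
# Assumes: openssl is installed; the file uses "key: value" lines as in TCBSD.conf.
set -eu

# conf_value FILE KEY
# Prints the value of the line "KEY: value" with surrounding quotes and a
# trailing comma removed, or nothing if KEY is absent.
conf_value() {
    awk -v key="$2" '
        $1 == (key ":") { v = $2; gsub(/^"|"?,?$/, "", v); print v; exit }
    ' "$1"
}

# check_repo_conf FILE
# Returns 0 only if FILE describes an enabled, signed repository whose
# verification material is present on this machine.
check_repo_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    url=$(conf_value "$conf" url)
    enabled=$(conf_value "$conf" enabled)
    sigtype=$(conf_value "$conf" signature_type)

    case "$url" in
        https://*) ;;
        http://*) echo "note: $url is plain HTTP; integrity rests on the package signatures" ;;
        *) echo "url missing or not http(s): '$url'" >&2; return 1 ;;
    esac

    [ "$enabled" = true ] || { echo "repository is not enabled" >&2; return 1; }

    case "$sigtype" in
        pubkey)
            # The pubkey path must be the location on the target computer (step 5).
            pub=$(conf_value "$conf" pubkey)
            [ -r "$pub" ] || { echo "pubkey file '$pub' is missing or unreadable" >&2; return 1; }
            openssl pkey -pubin -in "$pub" -noout 2>/dev/null \
                || { echo "$pub is not a valid PEM public key" >&2; return 1; }
            ;;
        fingerprints)
            fp=$(conf_value "$conf" fingerprints)
            [ -d "$fp/trusted" ] || { echo "fingerprint directory $fp/trusted is missing" >&2; return 1; }
            ;;
        *)
            echo "signature_type is '$sigtype'; only pubkey or fingerprints are accepted" >&2
            return 1 ;;
    esac

    echo "ok: $conf"
}

# Run the check on the real file only when invoked as: sh thisscript.sh check
if [ "${1:-}" = check ]; then
    check_repo_conf /etc/pkg/TCBSD.conf
fi
```

After the file passes this check, pkg -vv on the target computer lists the repository with the configured url and signature settings, so the two views can be compared directly.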