Package Repositories

A package repository is a collection of packages together with metadata describing which packages are available and details about each one. Repositories offer an easy way for remote machines to download and install packages via a package manager.

Each package repository created by PKG Deploy is private and can only be accessed using the access keys generated when the repository is created.

To go from nothing to deploying your code via one of our package repositories, you need to:

  1. Create a package repository to host the packages you create
  2. Add the package repository to a machine that you want to install packages on
  3. Use APT or YUM to install your packages

Repository types

PKG Deploy supports two types of repositories: APT and YUM.

  • APT repositories are used to host deb packages. APT handles the installation and removal of software on Debian, Ubuntu, and other related Linux distributions.
  • YUM repositories are used to host rpm packages. YUM handles installation, updates and dependency management on RPM-based distributions such as RHEL, CentOS and Fedora.

All our repositories are private

All repositories created via PKG Deploy are private and require access keys to be provided before we return any information.

These access keys are generated when the package repository is first created and are automatically bundled into the created installer.

If you believe a set of access keys for a repository has been compromised, the keys can be rolled and new ones generated. This removes access for any machine configured with the old access keys. To help with this, a new version of the installer is created whenever new keys are generated. To update the access keys on a machine, you need to update the installer.

All our repositories are secure

Repository metadata is signed via GPG, allowing you to ensure that the metadata we provide was generated by us and not by anyone else. If you follow the documentation to add the package repository to a machine, GPG checks are carried out automatically.

rpm packages are also signed before they are published, and YUM runs GPG verification on these packages.

deb packages are not signed, as APT does not come with an easy way to verify package signatures by default.

An export of our public key can always be found at https://www.pkgdeploy.com/pkgdeploy_gpg.asc