hackage-repo-tool: Manage secure file-based package repositories

[ bsd3, distribution, program ]

This utility can be used to manage secure file-based package repositories (creating TUF metadata as well as a Hackage index tarball) which can be used by clients such as cabal-install. Currently it also provides various lower-level utilities for creating and signing TUF files.

This is part of the Hackage Security infrastructure.

Versions [faq],, 0.1.1,,
Change log ChangeLog.md
Dependencies base (>=4.5 && <4.14), bytestring (>=0.9 && <0.11), Cabal (>=1.14 && <1.26 || >=2.0 && <2.6 || >=3.0 && <3.4), directory (>=1.1 && <1.4), filepath (>=1.3 && <1.5), hackage-security (==0.6.*), microlens (>= && <0.5), network (>=2.5 && <2.9 || >=3.0 && <3.2), network-uri (==2.6.*), old-time (==1.1.*), optparse-applicative (>=0.15.1 && <0.16), tar (==0.5.*), time (>=1.4 && <1.10), unix (>=2.5 && <2.8), zlib (==0.6.*) [details]
License BSD-3-Clause
Copyright Copyright 2015 Well-Typed LLP
Author Edsko de Vries
Maintainer cabal-devel@haskell.org
Revised Revision 1 made by phadej at 2019-12-12T15:06:32Z
Category Distribution
Home page https://github.com/haskell/hackage-security
Bug tracker https://github.com/haskell/hackage-security/issues
Source repo head: git clone https://github.com/haskell/hackage-security.git
Uploaded by HerbertValerioRiedel at 2019-11-30T19:17:43Z
Distributions NixOS:
Executables hackage-repo-tool
Downloads 4053 total (11 in the last 30 days)
Rating 2.0 (votes: 1) [estimated by Bayesian average]
Status Hackage Matrix CI
Docs not available [build log]
Last success reported on 2019-11-30 [all 2 reports]



Are we using network-uri?


Are we using old-time?


Use -f <flag> to enable a flag, or -f -<flag> to disable that flag.


Note: This package has metadata revisions in the cabal description newer than included in the tarball. To unpack the package including the revisions, use 'cabal get'.


Readme for hackage-repo-tool-


hackage-repo-tool: Manage secure file-based package repositories

Please refer to the package description for an overview of hackage-repo-tool, TUF and hackage-security.

Setting up a secure file-based repo

A file-based repository (as opposed to one running the actual Hackage software) is much easier to set up and will suffice for many purposes. Note that such a local file-based package repository can be turned into a remotely accessible secure package repository by any HTTP server supporting static file serving such as Nginx or Apache httpd.

  1. Create a directory ~/my-secure-repo containing a single subdirectory ~/my-secure-repo/package. Put whatever packages you want to make available from your repo in this subdirectory. At this point your repository might look like


    (Due to #174 this folder must contain at least one package tarball or hackage-repo-tool will fail in non-obvious ways)

    Note the flat directory structure: different packages and different versions of those packages all live in the one directory.

  2. Create public and private keys:

    # hackage-repo-tool create-keys \
                        --keys ~/my-private-keys

    This will create a directory structure such as


    containing keys for all the various TUF roles.

    Note that these keys are stored outside of the repository proper.

  3. Create the initial TUF metadata and construct an index using

    # hackage-repo-tool bootstrap \
                        --repo ~/my-secure-repo \
                        --keys ~/my-private-keys

    This will create a directory ~/my-secure-repo/index containing the .cabal files (extracted from the package tarballs) and TUF metadata for all packages


    and package the contents of that directory up as the index tarball ~/my-secure-repo/00-index.tar.gz; it will also create the top-level metadata files

  4. The timestamp and snapshot are valid for three days, so you will need to re-sign these files regularly using

    # hackage-repo-tool update \
                        --repo ~/my-secure-repo \
                        --keys ~/my-private-keys

    You can use the same command whenever you add any additional packages to your repository.

  5. If you now make this directory available (for instance, by pointing Apache httpd at it) you'll be able to use cabal to access it remotely by defining an appropriate repository stanza:

    repository my-secure-repo
      url: http://packages.example.org/
      secure: True
      root-keys: 2ae741f4c4a5f70ed6e6c48762e0d7a493d8dd265e9cbc6c4037dfc7ceaec70e
      key-threshold: 2

    Note that the keys in the example above must be replaced: you need to copy the root key IDs from your generated root.json file (or you can set key-threshold to 0 if you're aware of the security implications).
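
One way to produce the stanza from step 5 out of a generated root.json, as an added example that is not part of hackage-repo-tool or its README. It assumes root.json keeps its payload under `signed`, with the key table in `signed.keys` and the root role's `keyids` and `threshold` in `signed.roles.root`; the function names and the sample key IDs are made up for illustration.

```python
import json
import re

KEY_ID = re.compile(r"[0-9a-f]{64}")  # same shape as the root-keys value above

# Constructed sample in the assumed root.json layout; the key IDs and key
# material are placeholders, not real keys.
_IDS = [c * 64 for c in "abc"]
SAMPLE_ROOT_JSON = json.dumps({
    "signatures": [],
    "signed": {
        "_type": "Root",
        "keys": {k: {"keytype": "ed25519", "keyval": {"public": "PLACEHOLDER"}}
                 for k in _IDS},
        "roles": {"root": {"keyids": _IDS, "threshold": 2}},
        "version": 1,
    },
})


def root_trust(root_json_text):
    """Return (sorted root key IDs, threshold) taken from the root role."""
    signed = json.loads(root_json_text)["signed"]
    role = signed["roles"]["root"]
    key_ids, threshold = role["keyids"], role["threshold"]
    if len(set(key_ids)) != len(key_ids):
        raise ValueError("duplicate root key IDs")
    for kid in key_ids:
        if not KEY_ID.fullmatch(kid):
            raise ValueError(f"malformed key ID: {kid!r}")
        if kid not in signed["keys"]:
            raise ValueError(f"root key ID has no entry in 'keys': {kid}")
    # Choice made for this example: never emit a threshold the listed keys
    # cannot meet, and never emit 0.
    if not isinstance(threshold, int) or not 1 <= threshold <= len(key_ids):
        raise ValueError(f"unusable root threshold: {threshold!r}")
    return sorted(key_ids), threshold


def repository_stanza(name, url, root_json_text):
    """Render a cabal repository stanza pinned to the root keys."""
    key_ids, threshold = root_trust(root_json_text)
    pad = " " * len("  root-keys: ")
    keys = ("\n" + pad).join(key_ids)
    return (f"repository {name}\n  url: {url}\n  secure: True\n"
            f"  root-keys: {keys}\n  key-threshold: {threshold}")


if __name__ == "__main__":
    print(repository_stanza("my-secure-repo", "http://packages.example.org/",
                            SAMPLE_ROOT_JSON))
```

Run it against the root.json read from the machine that holds the repository rather than one fetched over the network, since the stanza is what the client will trust from then on.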