Project

Profile

Help

Issue #5249

pulp_deb does not seem to support InRelease/Release.gpg signing

Added by jamesf 11 months ago. Updated 4 months ago.

Status:
NEW
Priority:
Normal
Assignee:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version - Debian:
Platform Release:
Target Release - Debian:
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:

Description

Hi there

I have been testing the Debian support in the latest stable release of Pulp 2, and everything is working well with a mirrored Ubuntu 18.04 Server repository, provided I ignore all package signing, and serve the packages over plain HTTP.

The official Ubuntu upstream feed URL I am using has a Release.gpg file, and the packages are signed by Canonical as expected. However when I create a mirror in Pulp, no InRelease or Release.gpg file is created, and I have to add [trusted=yes] to all entries in my sources.list to ignore the lack of package signing.

I note the presence of these two options in the "deb repo create" subcommand:

--require-signature - Require that Release files are signed and verified
--allowed-keys      - fingerprints of gpg-keys to verify releases signature
                      against

However I have yet to figure out how they work. Is there a documented example anywhere? I tried setting them on an existing repository with this command:

pulp-admin deb repo update --repo-id='bionic-amd64-08aug19' --require-signature=true --allowed-keys='E084DAB9'

However a sync run returned this error:

  1. pulp-admin deb repo sync run --repo-id='bionic-amd64-08aug19'
    --------------------------------------------------------------------
    Synchronizing Repository [bionic-amd64-08aug19]
    --------------------------------------------------------------------

This command may be exited via ctrl+c without affecting the request.

Task Failed

No GPG-keys in keyring, did the import fail?

To which keyring is the error referring? I cannot find reference to one in the documentation, and the Ubuntu key was imported into root's keyring with:

  1. gpg --keyserver keyserver.ubuntu.com --recv E084DAB9

I'm not clear if this is a bug, a feature enhancement, or simply operator error. Can anyone please advise on whether package signing in DEB packages should be supported, and if so how to implement it?

Many thanks

James

History

#1 Updated by quba42 10 months ago

As far as I can tell you are bringing up two separate issues:

(1) Making pulp_deb verify the upstream repository you are syncing from.
(2) Making pulp_deb sign the repository it is publishing (you referred to this as creating a mirror).

The options --require-signature and --allowed-keys relate to issue (1).
I do not personally have much experiencing with regards to issue (1).
If you say you imported the needed keys into roots keyring, but are getting "No GPG-keys in keyring, did the import fail?", then maybe they need to go into some different users keyring. (If anyone knows please comment).

With regard to issue (2), you can find some documentation in the README.md file here: https://github.com/pulp/pulp_deb/tree/2-master
See the "Signing support" and "InRelease file signing" parts. This will tell you how to make pulp_deb publish InRelease files and/or Release.gpg files.

One final note: pulp_deb for pulp2 does not really create a "mirror" of some upstream repository. Rather, it synchronizes a bunch of information from some upstream repository source, and then publishes a repository with the same content according to it's own rules. This will include the same components and architectures as the upstream repository (so long as they were synced by the user), but will not necessarily include all the same fields in the Release file, etc. As such, pulp_deb also can't reuse the signatures from the upstream repository. You can however, sign your published pulp repository with a key of your own.

#2 Updated by quba42 5 months ago

  • Tags Pulp 2 added

#3 Updated by JosepHill 4 months ago

All the challenges and channels are reformed for themed of the strengths for the team. Implementation of the goal and bestessay.com. 9.9 is accentuated for the fort coming items for the field. The region is stiff for the people. Audience is involved for the marks of the true values for the judgement for the fourth coming items for the field.

Please register to edit this issue

Also available in: Atom PDF