Issue #5249
closed
pulp_deb does not seem to support InRelease/Release.gpg signing
Description
Hi there
I have been testing the Debian support in the latest stable release of Pulp 2, and everything is working well with a mirrored Ubuntu 18.04 Server repository, provided I ignore all package signing, and serve the packages over plain HTTP.
The official Ubuntu upstream feed URL I am using has a Release.gpg file, and the packages are signed by Canonical as expected. However when I create a mirror in Pulp, no InRelease or Release.gpg file is created, and I have to add [trusted=yes] to all entries in my sources.list to ignore the lack of package signing.
I note the presence of these two options in the "deb repo create" subcommand:
--require-signature - Require that Release files are signed and verified
--allowed-keys - fingerprints of gpg-keys to verify releases signature
against
However I have yet to figure out how they work. Is there a documented example anywhere? I tried setting them on an existing repository with this command:
pulp-admin deb repo update --repo-id='bionic-amd64-08aug19' --require-signature=true --allowed-keys='E084DAB9'
However a sync run returned this error:
- pulp-admin deb repo sync run --repo-id='bionic-amd64-08aug19'
--------------------------------------------------------------------
Synchronizing Repository [bionic-amd64-08aug19]
--------------------------------------------------------------------
This command may be exited via ctrl+c without affecting the request.
Task Failed
No GPG-keys in keyring, did the import fail?
To which keyring is the error referring? I cannot find reference to one in the documentation, and the Ubuntu key was imported into root's keyring with:
- gpg --keyserver keyserver.ubuntu.com --recv E084DAB9
I'm not clear if this is a bug, a feature enhancement, or simply operator error. Can anyone please advise on whether package signing in DEB packages should be supported, and if so how to implement it?
Many thanks
James
Updated by quba42 over 4 years ago
As far as I can tell you are bringing up two separate issues:
(1) Making pulp_deb verify the upstream repository you are syncing from.
(2) Making pulp_deb sign the repository it is publishing (you referred to this as creating a mirror).
The options --require-signature and --allowed-keys relate to issue (1).
I do not personally have much experiencing with regards to issue (1).
If you say you imported the needed keys into roots keyring, but are getting "No GPG-keys in keyring, did the import fail?", then maybe they need to go into some different users keyring. (If anyone knows please comment).
With regard to issue (2), you can find some documentation in the README.md file here: https://github.com/pulp/pulp_deb/tree/2-master
See the "Signing support" and "InRelease file signing" parts. This will tell you how to make pulp_deb publish InRelease files and/or Release.gpg files.
One final note: pulp_deb for pulp2 does not really create a "mirror" of some upstream repository. Rather, it synchronizes a bunch of information from some upstream repository source, and then publishes a repository with the same content according to it's own rules. This will include the same components and architectures as the upstream repository (so long as they were synced by the user), but will not necessarily include all the same fields in the Release file, etc. As such, pulp_deb also can't reuse the signatures from the upstream repository. You can however, sign your published pulp repository with a key of your own.
Updated by quba42 over 3 years ago
- Status changed from NEW to CLOSED - WORKSFORME
Pulp 2 does support signing and verification. I presume this was a configuration issue.
Either way, there won't be any more significant work on these features for Pulp 2.
Feel free to open a new issue, if you have problems relating to signature and verification in Pulp 3.
.