Issue #5249 (closed)
pulp_deb does not seem to support InRelease/Release.gpg signing
Description
Hi there
I have been testing the Debian support in the latest stable release of Pulp 2, and everything is working well with a mirrored Ubuntu 18.04 Server repository, provided I ignore all package signing, and serve the packages over plain HTTP.
The official Ubuntu upstream feed URL I am using has a Release.gpg file, and the packages are signed by Canonical as expected. However, when I create a mirror in Pulp, no InRelease or Release.gpg file is created, and I have to add [trusted=yes] to all entries in my sources.list to ignore the lack of package signing.
I note the presence of these two options in the "deb repo create" subcommand:
--require-signature - Require that Release files are signed and verified
--allowed-keys - fingerprints of gpg-keys to verify releases signature against
However, I have yet to figure out how they work. Is there a documented example anywhere? I tried setting them on an existing repository with this command:
pulp-admin deb repo update --repo-id='bionic-amd64-08aug19' --require-signature=true --allowed-keys='E084DAB9'
However, a sync run returned this error:
- pulp-admin deb repo sync run --repo-id='bionic-amd64-08aug19'
--------------------------------------------------------------------
Synchronizing Repository [bionic-amd64-08aug19]
--------------------------------------------------------------------
This command may be exited via ctrl+c without affecting the request.
Task Failed
No GPG-keys in keyring, did the import fail?
To which keyring is the error referring? I cannot find reference to one in the documentation, and the Ubuntu key was imported into root's keyring with:
- gpg --keyserver keyserver.ubuntu.com --recv E084DAB9
I'm not clear if this is a bug, a feature enhancement, or simply operator error. Can anyone please advise on whether package signing in DEB packages should be supported, and if so how to implement it?
Many thanks
James
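
An added example, not part of the original report and not Pulp or apt code: while a mirror is served without InRelease/Release.gpg, the [trusted=yes] workaround described above tends to spread across client hosts, so it is worth auditing for. The sketch below parses one-line-style sources.list entries and reports those where apt's Release signature check is switched off; the host names and sample entries are constructed.

```python
import re

# One-line-style entry: type, optional [options], URI, suite (components follow).
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)

# Constructed sample; mirror.example.com is a placeholder host.
SAMPLE = """\
# internal mirror, unsigned
deb [trusted=yes] http://mirror.example.com/ubuntu bionic main
deb [arch=amd64 trusted=yes] https://mirror.example.com/ubuntu bionic-updates main
deb http://archive.ubuntu.com/ubuntu bionic main
# deb [trusted=yes] http://old.example.com/ubuntu bionic main
"""


def audit_sources(text):
    """Return (line number, uri, suite, issues) for entries that bypass verification."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and disabled entries
        m = ENTRY.match(line)
        if not m:
            continue
        opts = {}
        for item in (m.group("opts") or "").split():
            key, _, value = item.partition("=")
            opts[key.lower()] = value.lower()
        issues = []
        if opts.get("trusted") == "yes":
            issues.append("trusted=yes: source is trusted even without a valid Release signature")
            if m.group("uri").startswith("http://"):
                issues.append("plain HTTP: nothing authenticates the metadata or packages")
        if issues:
            findings.append((lineno, m.group("uri"), m.group("suite"), issues))
    return findings


if __name__ == "__main__":
    for lineno, uri, suite, issues in audit_sources(SAMPLE):
        for issue in issues:
            print(f"line {lineno}: {uri} {suite}: {issue}")
```

Run it over /etc/apt/sources.list and the files in /etc/apt/sources.list.d/ on each client; once the mirror publishes signed Release metadata, every reported entry can have the option removed.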