Issue #9032

closed

create publication with signing: invalid hyperlink - object does not exist

Added by igagis over 2 years ago. Updated about 2 years ago.

Status: CLOSED - DUPLICATE
Priority: Normal
Assignee: -
Sprint/Milestone: -
Severity: 2. Medium
Triaged: No
Groomed: No
Sprint Candidate: No

Description

Ticket moved to GitHub: pulp/pulp_deb/414 (https://github.com/pulp/pulp_deb/issues/414)


I'm trying to create a publication with metadata signing via the REST API and I get the following error:

HTTP code = 400

{"signing_service":["Invalid hyperlink - Object does not exist."]}

I have created the signing service via pulpcore_manager add-signing-service and there is a GPG key in the keyring and signing shell script, as described here: https://docs.pulpproject.org/pulpcore/workflows/signed-metadata.html

I am able to get the signing service via REST api using its pulp_href, here is the response from REST request:

{
  "pulp_href": "/pulp/api/v3/signing-services/f204bdc9-2c5c-4963-b5a9-75dae6f4960d/",
  "pulp_created": "2021-07-08T12:14:33.021734Z",
  "name": "sign-metadata",
  "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...\n-----END PGP PUBLIC KEY BLOCK-----\n",
  "pubkey_fingerprint": "DF050D9531F15F55C4A84D3A5933F05E302A7502",
  "script": "/var/lib/pulp/scripts/sign-metadata.sh"
}

I'm using pulp v3 installation made via ansible.

Actions #1

Updated by igagis over 2 years ago

The original REST request I do for creating the publication is:

curl --location --request POST 'http://cppfw.hopto.org/pulp/api/v3/publications/deb/apt/' \
  --user '*****' \
  --header 'Content-Type: application/json' \
  --data '{"repository":"http://cppfw.hopto.org/pulp/api/v3/repositories/deb/apt/f0f0d008-b093-4a84-bf41-48c2df0e99ca/","simple":true,"signing_service":"http://cppfw.hopto.org/pulp/api/v3/signing-services/f204bdc9-2c5c-4963-b5a9-75dae6f4960d/"}'

Actions #2

Updated by quba42 over 2 years ago

When running the pulpcore manager command, did you use the --class "pulp_deb:AptReleaseSigningService" option? I think it will default to "core:AsciiArmoredDetachedSigningService", which is not what you need for pulp_deb.

Note: I have never used pulpcore manager to create my signing services, so I am not sure if I am interpreting the --class option's syntax correctly... See here for more info: https://github.com/pulp/pulpcore/blob/master/pulpcore/app/management/commands/add-signing-service.py

Actions #3

Updated by jxsxs over 2 years ago

I'm also seeing the behavior @igagis describes.

openapi_client.exceptions.ApiException: (400)
Reason: Bad Request
HTTP response headers: HTTPHeaderDict({'Date': 'Wed, 14 Jul 2021 08:15:55 GMT', 'Content-Type': 'application/json', 'Content-Length': '66', 'Connection': 'keep-alive', 'Vary': 'Accept', 'Allow': 'GET, POST, HEAD, OPTIONS', 'X-Frame-Options': 'SAMEORIGIN', 'Correlation-ID': '897ba59380c24f74baf219541438a333', 'Access-Control-Expose-Headers': 'Correlation-ID', 'Strict-Transport-Security': 'max-age=15724800; includeSubDomains'})
HTTP response body: {"signing_service":["Invalid hyperlink - Object does not exist."]}

Is there a way to figure out which SigningService was used?

Actions #4

Updated by quba42 over 2 years ago

I cannot reproduce this issue, so I will post my entire procedure in the hope that this will help you either fix your issue or further describe what is different in your case.

To create my signing service using the Pulp QE GPG key (the secret key is publicly available), I am using the following:

curl -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-PRIVATE-KEY-pulp-qe | gpg --import
echo "6EDF301256480B9B801EBA3D05A5E6DA269D9D98:6:" | gpg --import-ownertrust
pulpcore-manager add-signing-service --class 'deb:AptReleaseSigningService' 'Pulp QE' pulp_deb/pulp_deb/tests/functional/sign_deb_release.sh 6EDF301256480B9B801EBA3D05A5E6DA269D9D98
SIGNING_SERVICE_HREF=$(http get "${BASE_ADDR}/pulp/api/v3/signing-services/" name=="Pulp QE" | jq '.results[0].pulp_href' | tr -d '"')

The signing service script is the one from the pulp_deb Git repo. You will need to set BASE_ADDR="<your_pulp_instance_url>" (e.g.: for my test system it is http://pulp3-source-fedora33.qatix71.example.com) for the above to work, and you need httpie and jq installed.

When I am ready to create my publication I use:

PUBLICATION_TASK_HREF=$(http post "${BASE_ADDR}"/pulp/api/v3/publications/deb/apt/ repository="${REPO_HREF}" simple=true structured=true signing_service="${BASE_ADDR}${SIGNING_SERVICE_HREF}" | jq -r '.task')

This requires REPO_HREF to contain the repo href of the Pulp deb repo I want to publish.

I can check on the task using:

http get "${BASE_ADDR}${PUBLICATION_TASK_HREF}" | jq '.state'

Using these steps, everything works for me.

Actions #5

Updated by jxsxs over 2 years ago

Thanks for the update quba42. I'll follow your instructions and see if I can get it to work.

Actions #6

Updated by jxsxs over 2 years ago

quba42 Unfortunately the same issue prevails.

 http ${BASE_ADDR}pulp/api/v3/publications/deb/apt/ repository=/pulp/api/v3/repositories/deb/apt/84ef2ab7-d8ad-4695-895e-614abc3aa25a/  simple=true signing_service=${BASE_ADDR}pulp/api/v3/signing-services/9aa302f7-0b7e-444d-a66f-281ba509afc3/  --auth <removed>


{
    "signing_service": [
        "Invalid hyperlink - Object does not exist."
    ]
}

but I can see my signing_service

http ${BASE_ADDR}pulp/api/v3/signing-services/9aa302f7-0b7e-444d-a66f-281ba509afc3/

{
    "name": "sign-metadata-v1-XXXXXXXXX",
    "pubkey_fingerprint": "C9CDB2D2F029FAE51568B2E12CAC36C51D5F3726",
...
}

Actions #7

Updated by quba42 over 2 years ago

@jxsxs Do you remember the command that was used to create your signing service?

One thing you can try on a hunch of mine: Try having the URL you supply for the signing service (signing_service=${BASE_ADDR}pulp/api/v3/signing-services/9aa302f7-0b7e-444d-a66f-281ba509afc3/) start with https:// (even if your pulp instance has HTTPS disabled). I think I did that on my test system and it worked. I have no idea why this should make a difference, but it can't hurt to try. Instead of ${BASE_ADDR}, just hard code the entire URL, starting with https://.

Actions #8

Updated by jxsxs over 2 years ago

My instance is configured for https and that's what I use as BASE_ADDR. I tried to force http by changing the URL but that just redirects me (as anticipated).

Do you remember the command that was used to create your signing service?

I can dig that up

Actions #9

Updated by jxsxs over 2 years ago

quba42 turns out we're using the AsciiArmoredDetachedSigningService. I can report if changing that to AptReleaseSigningService fixes the issue.

A nicer error message would avoid confusion I guess :)

Actions #10

Updated by quba42 over 2 years ago

Using the wrong signing service class can't work, though I agree that the symptoms are not very informative of what went wrong. I will keep this issue open as a reminder to find a way to provide an informative error message in such cases.

I should also improve the documentation on creating APT repo signing services. With the pulpcore-manager command it is now somewhat easier than it used to be...

If I get the following PR merged: https://github.com/pulp/pulpcore/pull/1696

It will also be possible to provide a completely generic APT repo signing service example script. (The current one from the pulp_deb tests is hard coded for a specific GPG key...)
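
The symptom discussed in this thread (a signing service that a GET returns, but that the publication request rejects as nonexistent) can be modelled as a lookup restricted to one service class. This is an added example, not code from Pulp or from any participant in the thread; the records, hrefs and function names are constructed, and the class-restricted lookup is an assumption about the cause:

```python
from dataclasses import dataclass

# Error text as reported in the thread.
GENERIC_MESSAGE = "Invalid hyperlink - Object does not exist."
# Class label taken from the working add-signing-service command above.
APT_CLASS = "deb:AptReleaseSigningService"


@dataclass(frozen=True)
class SigningService:
    pulp_href: str
    name: str
    service_class: str  # value given to --class when the service was created


# Constructed sample records; hrefs and names are made up for this example.
SERVICES = [
    SigningService("/pulp/api/v3/signing-services/0001/", "detached",
                   "core:AsciiArmoredDetachedSigningService"),
    SigningService("/pulp/api/v3/signing-services/0002/", "apt-release", APT_CLASS),
]


def get_detail(href):
    """Detail lookup: searches services of every class (why the GET succeeds)."""
    return next((s for s in SERVICES if s.pulp_href == href), None)


def resolve_relation(href, required_class):
    """Relation lookup: searches only services of the class the field accepts."""
    for s in SERVICES:
        if s.pulp_href == href and s.service_class == required_class:
            return s
    raise LookupError(GENERIC_MESSAGE)


def diagnose(href, required_class=APT_CLASS):
    """Separate 'wrong class' from 'really missing', which the generic error hides."""
    try:
        resolve_relation(href, required_class)
        return "ok"
    except LookupError:
        found = get_detail(href)
        if found is None:
            return f"no signing service at {href}"
        return (f"signing service '{found.name}' has class {found.service_class}; "
                f"this field requires {required_class}")
```
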

Actions #11

Updated by pulpbot about 2 years ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE
