Bionic-updates Release' is not signed

Problem:
good afternoon, Comrades. Please tell me, maybe someone has encountered a problem with synchronization of the deb repository. It syncs without the Release file.gpg, as a result, when executing apt-get update on the target machine, the error "bionic-updates Release’ is not signed " appears.
". I found this instruction on the forum Foreman Katello - Deb Sync no Release.gpg but it still doesn’t work. Duma. this is related to the pulp version. I use pulp3

Expected outcome:
Updates from Foreman repo / mirror works without gpg error message.
Foreman and Proxy versions:
Foreman 2.4
Foreman and Proxy plugin versions:

Distribution and version:
PulpV3
Other relevant data:

Did no one ever come across it?

This potentially sounds like a bug because I could not reproduce the error on pulp2: I successfully synchronized Release bionic-updates with Component main,restricted and Architecture amd64 using the GPG public key as content credential. After provisioning a host, I sucessfully installed a package (aspell-en, for testing purposes). There were no errors on my side.

Can you post the upstream URL and the settings I mentioned above?
Did you try another Ubuntu mirror?

hi, I tried using a mirror on ubuntu.com and on yandex.ru. the result is the same.



2
with pulp2, I did not notice such problems, everything works well there. And now I switched to pulp3 and there was such a problem

I talked to my colleages and basically have three answers/ideas for you:

  • Release files from upstream have never been signed in pulp2. It is not possible as you cannot change the Release file and the sign it with the upstream priviate key.
  • You can sign the Release file using your own private key. See Signing metadata in pulp3.
  • You can tell the apt clients that consume content to not verify the signature.
1 Like

You probably misunderstood me. When syncing the repository together with the file directories, the “RELEASE” file is also downloaded, and this file according to the content already contains the signature, but the release file.gpg is ignored when downloading, meaning it doesn’t appear in my local repository. in pulp 2, this problem was solved thanks to this instruction on your forum Foreman Katello - Deb Sync no Release.gpg

This is not quite right. Let me take a step back to explain. There are three “types” of release files, commonly found in upstream Debian repositories:

Release
Release.gpg
InRelease

Release is the unsigned release file. Release.gpg is a detached signature file to go with Release. InRelease contains both the release file and the signature in a single file. InRelease files are the preferred best practice format for current APT clients.

What pulp_deb (for Pulp 3) does with these files during sync: If present, all three files are downloaded and stored in the pulp database. However, when publishing a repository within Katello (the repo you and your clients see on your Katello host) none of the downloaded upstream files are used directly. Instead pulp_deb will write an entirely new release file. This new release file cannot use the upstream signature, because it is a different file. It also can’t be signed using the upstream key since pulp_deb does not have access to the upstream (secret) key. That is the whole point of signatures!

What you can do: Have pulp_deb sign the repositories it publishes on your Katello with a secret key that you provide or generate. How to do this (for Pulp 3) is described in the link provided by @maximilian (Pulp_deb for pulp3 in Katello)

1 Like

I’m afraid this option won’t work. Since in pulp2 after the end of synchronization of the deb repository, it was possible to get a full mirror of folders, as it was on the repository, and in pulp3 everything falls into the pulp/media/artifact / folder and then has a rather incomprehensible appearance, so there is no way to specify the path to the Release file, since I do not know where it is located. find doesn’t see it either

Just in case, for clarity, I will attach a screenshot

I am not sure what you are trying to achieve directly in the pulp artifact storage. It sounds like you are trying to manually manipulate the published pulp repository metadata. (Which was technically possible in Pulp 2 times, but was certainly never an intentional “feature”). Since Pulp 3 serves published repos via a content app that serves the right artifacts in the right place, this is neither intended nor possible in Pulp 3.

The question is: Why does creating a SigningService to sign your repository during publication (as described in the other thread) not serve your needs?

in general, this option is suitable, but in the script sign_deb_release.sh it is not clear what to specify in the variable RELEASE_FILE="$(/usr/bin/readlink-f $1)". I do not know where the Release file is located. Or do I misunderstand the value of the variable?

For your version of Foreman, you should be able to use the following signing script for your signing service: pulp_deb/sign_deb_release.sh at 2.9 · pulp/pulp_deb · GitHub

You do not need to change the RELEASE_FILE variable in the scrtipt, since pulp_deb will pass the path to the release file it wants signed to the script as an argument (and $(/usr/bin/readlink-f $1) will then evaluate any symbolic links to the correct physical path). It will then automatically include the resulting signature files in the new publication.

I think the only thing you must change in the example script is the GPG_KEY_ID="Pulp QE" variable. It needs to be the GPG_KEY_ID of the signing key you have generated on your Katello instance.

executed, but the file is release.gpg still doesn’t show up, I even created a new repository and synced it. The end user’s error remains the same “Release is not signed”

Did you use the setup script here?
Did you change the name in line 26 to name="katello_deb_sign", (as described in the other thread)?
Did you use the following command (as described in the other thread)?:

sudo -u pulp \
  PULP_SETTINGS='/etc/pulp/settings.py' \
  DJANGO_SETTINGS_MODULE='pulpcore.app.settings' \
  ./setup_signing_service.py "${PWD}/sign_deb_release.sh"

(It is pretty easy to overlook something…)

exactly) the name was not changed in line 26) I’ll check it out.

yay) works. Thank you for your help and for your explanations!