Debian Content Signing - Register Deb hosts with synced OSS ATIX repository

Problem:
I’m trying to solve a chicken/egg scenario. I want to sync the OSS ATIX subscription-manager repository into my foreman server and access that synced repository for registration. Problem is it only syncs the Release file and not the InRelease or Release.gpg. From what I understand when you publish the content view it automatically signs the Release file and your hosts can access the content…but I can’t do that in this case because the ubuntu client wouldn’t be registered/configured for Foreman. In the end I’ll be setting this up for an air gapped network but working the kinks out in my connected environment

Pulp_deb for pulp3 in Katello
I’ve followed the above article (with slight adjustments), but I’m wondering if I should undo this configuration based on the article’s comments. What this accomplished was signing my Release files upon syncing with a key I created. After signing I’m successfully able to register hosts through the synced OSS ATIX repo when referencing the exported armored gpg key (placed in /var/www/html/pub) as well as the synced main ubuntu jammy repo for dependencies.

Unfortunately, the above article creates a deb signing service that is signing all deb repositories, which I suspect is messing me up. After registering and publishing a new content view, when I try to perform updates on the client I receive errors pointing towards my created GPG key:
Get:1 katello://pulp/content/path/to/repository default InRelease
Ign:1 katello://pulp/content/path/to/repository default InRelease
W: GPG error: katello://pulp/content/path/to/repository default InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY

Do I have a fundamental misunderstanding on how deb repository signing works? Has anyone been able to successfully sync the OSS ATIX repo and access the repo for use by the registering client prior to registration?

Expected outcome:
Sync OSS ATIX (subscription-manager) Repository. Access repository for use during registration. Ability to be used in an air gapped environment

Foreman and Proxy versions:
3.14

Distribution and version:
Rocky9/Ubuntu2204

Hi @broforce007

  • Did you import the ATIX GPG pub key as content credential into your Foreman+Katello?
  • Did you run Host Registration with both the upstream URL as part of the URL field and the FQDN/pub/pulp_deb_signing.key as GPG key? This is required because Debian itself does not provide subscription-manager.
  • Can you consume any signed Deb content from Foreman+Katello? This would ensure that in principle, Katello/Pulp signs the meta data of Deb content correctly.

Maybe this helps too: Help me understand Katello published gpg keys? - #3 by maximilian

As far as I can tell you do not have any misunderstanding. The process essentially works as follows:

  1. During sync you may or may not verify the upstream repositories’ signature by supplying the relevant public key as a content credential (or not doing so).
  2. Locally on your instance, Katello will publish its own metadata for the synced repository, which inherently cannot be signed by the upstream repositories’ key (since you don’t have it, that is the entire point of signatures). If you have configured a signing service named katello_deb_sign, all repositories on your Katello instance will be signed using it. If not, your repositories will not be signed. That is it.
  3. It follows that your hosts either need to be set up to be able to consume unsigned repositories (which is getting ever more strongly discouraged by current versions of APT), or need to be set up to trust your signing key in order to consume any Katello repositories.

That is really all there is to it. The way Katello uses the katello_deb_sign signing service is pretty much all or nothing.

I should’ve been more clear in the steps I’ve taken so far. Running off memory but will try to be as accurate as possible

Again at this point I have a foreman server and an Ubuntu22 client that has not yet been registered or had subscription-manager installed

  1. obtain relevant repository GPG keys, add them to content credentials, and sync (Ubuntu jammy and OSS ATIX repos)
    a) this gives me only the Release file and not Release.gpg or InRelease files.
  2. set up host group, host collection, content views, and activation key
  3. attempt to register declaring insecure, ignore errors, and force. Adding the repositories (Ubuntu jammy and OSS ATIX) with the repos published path in my foreman server (deb jammy main for example) and GPG from synced repo associated through content credentials in the GPG field
  4. (if I recall correctly) fails saying the Release file isn’t signed
  5. after researching the previously mentioned article, created my own GPG key and configured a signing service. Placed the armored .asc file in <fqdn/pub>
  6. Resynced the repositories with advanced > complete sync. Noticed I now have Release, InRelease, and Release.gpg for both of my repos
  7. attempt to register declaring insecure, ignore errors, and force. Adding the repositories (Ubuntu jammy and OSS ATIX) with the repos published path in my foreman server (deb jammy main for example) and the GPG I created at <fqdn/pub>
  8. successfully installed subscription-manager with dependencies

This is where I start having issues:
  9. sync repo data, receive updates, and publish a new content view
  10. attempt to do sudo apt update and receive the errors I mentioned above

Then the question is what changed between 8. and 10. on your client host (9 only changes the content served on your server but with a signature by the same key as before and should therefore be irrelevant).

What was the exact command to install subscription-manager in 8.? If it was sudo apt install subscription-manager and that worked, then it does not make sense that sudo apt update with the same repositories as before, signed by the same key as before, would suddenly say: “The following signatures couldn’t be verified because the public key is not available”. Not unless apt somehow lost access to the public key between the two commands. Which might be the case if registering using subscription-manager somehow changed your APT configuration.

In any case. Whatever the reason it sounds like APT (on your host) is missing the public key to go with your katello_deb_sign signing service. Try re-adding it?

Subscription Manager was installed during registration after generating the command in the Web UI.

Unfortunately I won’t be able to provide hands on information and continue troubleshooting until Monday. Thank you for the assistance and I’ll update next week

I might have one more hint where to look. I checked what our registered Ubuntu hosts look like, and found the following.

On the APT repo host check in /etc/apt/sources.list.d/rhsm.sources. This is where your Katello APT repos that are managed by subscription-manager should be configured. In our case I see a line like the following for each configured repo:

Signed-By: /etc/apt/trusted.gpg.d/test-deploy-release.asc

This referenced file contains the public key needed for APT to verify the repo signatures.

Does this match what you are seeing on your hosts?

@quba42 thank you for your assistance troubleshooting. I was able to trace the Signed-By: field. In my case I believe I had a previous failed registration attempt. I had the following

Signed-By: /etc/apt/trusted.gpg.d/client2.asc

And looking at that file produced the following

$ cat /etc/apt/trusted.gpg.d/client2.asc

I removed the file, subscription-manager and related packages, as well as the relevant files in /etc/apt/sources.list.d/, re-registered, and am now able to access content again. I’m not sure what happened to my file, but we’re now good to go.

Thanks @quba42 and @maximilian for the help!
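The failure mode found in this thread (a Signed-By: path in rhsm.sources pointing at an empty key file, which APT reports as NO_PUBKEY) can be caught before running apt. The script below is an added example, not code from Foreman, Katello or this thread: it reads a deb822 sources file, follows every Signed-By: path, and flags files that are missing, empty, or not an OpenPGP public key. The file paths and the rhsm.sources layout it parses are assumptions based on the lines quoted above.

```shell
#!/bin/sh
# Audit the Signed-By: key files referenced from a deb822 APT sources file
# (for Katello-managed hosts that is /etc/apt/sources.list.d/rhsm.sources).
# APT answers NO_PUBKEY for a repo whose Signed-By file is missing or empty,
# so every referenced path is checked for existence, size and key format.
# Prints one line per finding; returns 0 only when all key files look usable.
check_signed_by_keys() {
    sources="$1"
    rc=0
    [ -r "$sources" ] || { echo "ERROR: cannot read $sources"; return 1; }
    # Keep only Signed-By values that are file paths; an inline armored key
    # (value starting with "-----BEGIN") is not handled by this check.
    keyfiles=$(sed -n 's/^[Ss]igned-[Bb]y:[[:space:]]*\(\/[^[:space:]]*\).*/\1/p' "$sources")
    if [ -z "$keyfiles" ]; then
        echo "WARN: no Signed-By paths in $sources (repos unsigned or inline keys)"
        return 1
    fi
    for keyfile in $keyfiles; do
        if [ ! -f "$keyfile" ]; then
            echo "MISSING: $keyfile"; rc=1; continue
        fi
        if [ ! -s "$keyfile" ]; then
            echo "EMPTY:   $keyfile (apt will report NO_PUBKEY)"; rc=1; continue
        fi
        # Accept an ASCII-armored public key block, or a binary OpenPGP file
        # whose first byte is a public-key packet tag (old format 0x98..0x9b,
        # new format 0xc6); anything else is not a key APT can use.
        if grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$keyfile"; then
            echo "OK:      $keyfile (armored)"
        else
            case "$(od -An -tx1 -N1 "$keyfile" | tr -d ' \n')" in
                98|99|9a|9b|c6) echo "OK:      $keyfile (binary)" ;;
                *) echo "INVALID: $keyfile is not an OpenPGP public key"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Stand-alone use: ./check_keys.sh /etc/apt/sources.list.d/rhsm.sources
if [ "$#" -gt 0 ]; then
    check_signed_by_keys "$1"
fi
```

A non-zero exit with an EMPTY or MISSING line is the condition to fix by re-adding the pulp_deb_signing public key (or re-registering) before retrying apt update.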
