Foreman Katello - Deb Sync no Release.gpg

Problem:
I want to use Foreman as Mirror for Debian and Ubuntu systems. Therefore I am syncing repos with type “deb”, which works fine.

After successful sync, I am able to browse the repos via http: “http://hostname/pulp/deb/organiuation/Library/custom/Debian/Buster-Security/”. Foreman downloads the repo just fine, but it does not download the Release.gpg file… I can only see the Release file

As soon as I add this url to sources.list on my Debian machine and run “apt update”, I get the error that the Release file is not signed.

Am I missing something? Is there an option to enable downloading the Release.gpg file? Or is this not the supposed way to use Foreman as mirror for deb systems?

Expected outcome:
Updates from the Foreman repo / mirror work without a gpg error message.

Foreman and Proxy versions:
1.22.1
Foreman and Proxy plugin versions:

foreman-tasks 0.15.8
foreman_ansible 3.0.2
foreman_openscap 1.0.1
foreman_remote_execution 1.8.2
katello 3.12.3
  

@dIELERx
I’m not as familiar with Debian package support for Katello, but I’ve asked some of the other team members if they know.

If no one has a ready answer, I’ll investigate further and try to get you answer ASAP.

James

@jjeffers alright, thanks for your prompt answer. Hopefully it’s just some missing configuration and not a bug.

When I setup my Foreman/Katello instance for Ubuntu clients two years ago, I used a workaround that involves a pulp hook.

It looks like the original article that I used has been taken down. I think it was on the pulp wiki.

There is an article in French on the web that includes a section that describes how to do it.

https://community.capensis.org/t/provisioning-via-foreman-pulp-katello/157

The essential steps are

You generate a new GPG private/public keypair on the Katello box.
Setup a shell script to sign the release files
Hook that shell script into pulp by creating a deb_distributor.json file
That hook will fire every time the deb_distributor is updated (every time you sync and publish)
On the clients you import the public GPG key you generated on Katello into apt so that it will be trusted.

In that article they set it up for the yum_distributor also - that shouldn’t be needed so I would skip that step.

You may be thinking that the Release.gpg file should simply be created automatically for you based on the upstream Release.gpg file.
That’s what I thought at first - but as I understand it, it can’t work that way since you don’t have access to the private key of the upstream distro (Debian or Ubuntu or whatnot).
Since you are creating a custom Release file using pulp - you have to provide a local gpg keypair for the pulp repos or forgo GPG signing of the Release file.

1 Like

Thanks for that useful information. I’ll try that tomorrow. I will add some feedback tomorrow, if I was successful :wink:

I followed the tutorial, but I am not able to get it working.

As soon as I want to change the GPG Key on a repo, I get the following error:

hammer repository update --product Ubuntu1804 --gpg-key "DEB-GPG-KEY-Ubuntu"
Could not update the repository:
  Task 99b56dd1-1515-42c6-beaf-b8a4d62dbccd: Katello::Errors::PulpError: PLP0000: Configuration key [gpg_sign_metadata] is not supported

This option gpg_sign_metadata does not seem to be supported. In Pulp Version 2.15 this feature was implemented and I am using Version 2.19 at the moment.

cat /etc/pulp/server/plugins.conf.d/deb_distributor.json

{
  "gpg_sign_metadata": true,
  "gpg_cmd": "/usr/local/bin/sign.sh",
  "gpg_key_id": "$GPG_KEY_ID"
}

Finally, the Release.gpg is created and signed.

Thanks for all your help. :slight_smile:

Those are the steps I did:

1. GPG

1.1 Create GPG Signing Keys

echo "cert-digest-algo SHA256" >> /var/lib/pulp/gpg-home/gpg.conf
echo "digest-algo SHA256" >> /var/lib/pulp/gpg-home/gpg.conf
export real_name=Foreman-Repos
export email=foreman@domain
gpg --homedir /var/lib/pulp/gpg-home --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: ${real_name}
Name-Email: ${email}
Name-Comment: sign metadata repo
Expire-Date: 0
%commit
EOF

1.2 Check your key

gpg --homedir /var/lib/pulp/gpg-home --list-keys

1.3 Set correct permissions

chown -R apache:apache /var/lib/pulp/gpg-home

2. Pulp

2.1 Create Signing Script

/usr/local/bin/sign.sh

#!/bin/bash -e
# Pulp calls this script with the path of the Release file to sign as $1;
# $GPG_KEY_ID holds the key ID configured in deb_distributor.json.
rm -f "${1}.gpg"
gpg --homedir /var/lib/pulp/gpg-home --default-key "$GPG_KEY_ID" -abs -o "${1}.gpg" "${1}"

Make the script executable:

chmod +x /usr/local/bin/sign.sh

2.2 Get GPG-Pubkey ID

gpg --list-public-keys --homedir /var/lib/pulp/gpg-home

/var/lib/pulp/gpg-home/pubring.gpg
----------------------------------
pub   4096R/62DYXXXX 2019-09-12
uid                  Foreman-Repos (sign metadata repo) <foreman@domain>

Make sure to copy only the GPG-Key-ID (the 8 characters after the slash, i.e. 62DYXXXX in 4096R/62DYXXXX)

2.3 Configure Plugin

/etc/pulp/server/plugins.conf.d/deb_distributor.json

{
  "gpg_cmd": "/usr/local/bin/sign.sh",
  "gpg_key_id": "62DYXXXX"
}

3. Reload Foreman

foreman-maintain service restart

4. Deb Repo

4.1 Create Repo

It is important to use the official Repo GPG-Key, not the one we created!

hammer repository create \
  --product "Ubuntu1804" \
  --name "Bionic-Updates" \
  --label "Bionic-Updates" \
  --content-type "deb" \
  --gpg-key "DEB-GPG-KEY-Ubuntu" \
  --url "http://de.archive.ubuntu.com/ubuntu" \
  --mirror-on-sync "no" \
  --deb-architectures "amd64" \
  --deb-components "main,restricted,universe,multiverse" \
  --deb-releases "bionic-updates"

4.2 Sync it

Sync the repo and afterwards you will find the Release.gpg attached to the repo.

5. Client

5.1 Export your GPG Pub-Key

gpg --homedir /var/lib/pulp/gpg-home --export -a 62DYXXXX

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
...
...
...
-----END PGP PUBLIC KEY BLOCK-----

5.2 Create a file containing your Pub Key

5.3 Import this key to your Clients

apt-key add pub_key_foreman.key

DONE

Update your sources.list or install a subscription-manager to manage the repos.

Hope this helps anyone who’s failing at debian repo sync with a signed Release file.

2 Likes
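To make the earlier explanation concrete (why the upstream Release.gpg cannot be reused once Pulp writes its own Release file, and what the local key from step 1.1 plus the client import in step 5 achieve), here is an added example that is not code from this thread, from Pulp or from Katello. It uses throw-away GPG homes; the key names, e-mail address and Release contents are constructed, and the key ID parsing follows the gpg 2.0 listing format shown in step 2.2.

```shell
#!/bin/bash
# Added example (not from the thread, Pulp or Katello): why Pulp's regenerated
# Release file needs a local key. Throw-away GPG homes; all names/data constructed.
set -eu

# Short key ID (8 chars after "4096R/") from a gpg 2.0 listing line such as
# "pub   4096R/62DYXXXX 2019-09-12" (step 2.2 of the post above).
key_id_from_listing() {
    sed -n 's#^pub[[:space:]]*[0-9]*[A-Za-z]*/\([0-9A-Za-z]\{8\}\).*#\1#p' | head -n1
}

# Keyring with one passphrase-less signing key; prints its short key ID
# (GnuPG 2.1+ no longer shows the 4096R/ form, hence --with-colons).
make_signing_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Test Repos
Name-Email: test@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$1" --list-keys --with-colons | awk -F: '$1=="pub"{print substr($5,9); exit}'
}

# Same operation as the post's sign.sh: armored detached signature of $2 as $2.gpg.
sign_release() { gpg --homedir "$1" --batch --yes --default-key "$3" --armor --detach-sign -o "$2.gpg" "$2"; }
# What apt does with Release.gpg: exit 0 only for a good signature by a key in that keyring.
verify_release() { gpg --homedir "$1" --verify "$2.gpg" "$2" >/dev/null 2>&1; }

demo_release_signing() {
    local work rel up_id kat_id; work=$(mktemp -d); rel="$work/Release"
    up_id=$(make_signing_key "$work/upstream")    # the distro's key
    kat_id=$(make_signing_key "$work/katello")    # the key from step 1.1
    printf 'Suite: bionic-updates\nMD5Sum:\n 0123456789abcdef0123456789abcdef 12 main/binary-amd64/Packages\n' >"$rel"
    sign_release "$work/upstream" "$rel" "$up_id"
    verify_release "$work/upstream" "$rel" || { echo "upstream signature should verify"; return 0; }
    # Pulp writes its own Release (new file list and hashes): the upstream signature
    # no longer matches, and only the upstream private key could redo it.
    printf 'Suite: bionic-updates\nMD5Sum:\n fedcba9876543210fedcba9876543210 34 main/binary-amd64/Packages\n' >"$rel"
    if verify_release "$work/upstream" "$rel"; then echo "stale signature verified"; return 0; fi
    sign_release "$work/katello" "$rel" "$kat_id"   # what gpg_cmd does on each publish
    # Client without the imported Katello key (step 5) still fails; with it, it verifies.
    if verify_release "$work/upstream" "$rel"; then echo "verified without key import"; return 0; fi
    verify_release "$work/katello" "$rel" && echo ok || echo "re-signed Release failed"
    rm -rf "$work"
}

command -v gpg >/dev/null 2>&1 && demo_release_signing || echo "gpg not installed" >&2
```

Running it prints `ok` when the sequence behaves as the thread describes: the stale upstream signature fails on the regenerated Release, and the re-signed file verifies only where the Katello public key has been imported.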

It is important to use the official Repo GPG-Key, not the one we created!

So are we required to obtain the key from the official Ubuntu website? If yes, please let us know which key to consider (URL path) for the bionic version.

How do I install the Katello client for Ubuntu?

This does not appear to work on Katello 3.18.1. Is there a way to do this on pulp3?

I tried this on 3.12 and 3.8 also… but it doesn’t seem to be working.

How to set up repository metadata signing for deb content in Pulp 3 is described in this thread: Pulp_deb for pulp3 in Katello

Note that the process has changed somewhat with the pulp_deb 2.10.0 release since the SigningService model in pulpcore was changed. If you use the scripts from the pulp_deb repo, make sure you use the right version for your installed version of pulp_deb.

1 Like