Foreman Katello - Deb Sync no Release.gpg

Finally, the Release.gpg is created and signed.

Thanks for all your help. :slight_smile:

These are the steps I did:

1. GPG

1.1 Create GPG Signing Keys

echo "cert-digest-algo SHA256" >> /var/lib/pulp/gpg-home/gpg.conf
echo "digest-algo SHA256" >> /var/lib/pulp/gpg-home/gpg.conf
export real_name=Foreman-Repos
export email=foreman@domain
gpg --homedir /var/lib/pulp/gpg-home --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: ${real_name}
Name-Email: ${email}
Name-Comment: sign metadata repo
Expire-Date: 0
%commit
EOF

1.2 Check your key

gpg --homedir /var/lib/pulp/gpg-home --list-keys

1.3 Set correct permissions

chown -R apache:apache /var/lib/pulp/gpg-home

2. Pulp

2.1 Create Signing Script

/usr/local/bin/sign.sh

#!/bin/bash -e
# Pulp calls this with the file to sign as $1; GPG_KEY_ID carries the
# gpg_key_id from deb_distributor.json. Write a detached, ASCII-armored
# signature next to the file as <file>.gpg (i.e. Release.gpg).
rm -f "${1}.gpg"
gpg --homedir /var/lib/pulp/gpg-home --default-key "$GPG_KEY_ID" -abs -o "${1}.gpg" "${1}"

chmod +x /usr/local/bin/sign.sh

2.2 Get GPG-Pubkey ID

gpg --list-public-keys --homedir /var/lib/pulp/gpg-home

/var/lib/pulp/gpg-home/pubring.gpg
----------------------------------
pub   4096R/62DYXXXX 2019-09-12
uid                  Foreman-Repos (sign metadata repo) <foreman@domain>

Make sure to copy only the GPG-Key-ID (the 8 chars after the slash in 4096R/62DYXXXX).

2.3 Configure Plugin

/etc/pulp/server/plugins.conf.d/deb_distributor.json

{
  "gpg_cmd": "/usr/local/bin/sign.sh",
  "gpg_key_id": "62DYXXXX"
}

3. Reload Foreman

foreman-maintain service restart

4. Deb Repo

4.1 Create Repo

It is important to use the official Repo GPG-Key, not the one we created!

hammer repository create \
  --product "Ubuntu1804" \
  --name "Bionic-Updates" \
  --label "Bionic-Updates" \
  --content-type "deb" \
  --gpg-key "DEB-GPG-KEY-Ubuntu" \
  --url "http://de.archive.ubuntu.com/ubuntu" \
  --mirror-on-sync "no" \
  --deb-architectures "amd64" \
  --deb-components "main,restricted,universe,multiverse" \
  --deb-releases "bionic-updates"

4.2 Sync it

Sync the repo and afterwards you will find the Release.gpg attached to the repo.

5. Client

5.1 Export your GPG Pub-Key

gpg --homedir /var/lib/pulp/gpg-home --export -a 62DYXXXX

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
...
...
...
-----END PGP PUBLIC KEY BLOCK-----

5.2 Create a file containing your Pub Key

5.3 Import this key to your Clients

# apt-key is deprecated on Debian 11 / Ubuntu 22.04 and later; there, put the
# key under /etc/apt/keyrings and reference it with signed-by= in the sources entry.
apt-key add pub_key_foreman.key

DONE

Update your sources.list or install a subscription-manager to manage the repos.

Hope this helps anyone who's failing at Debian repo sync with a signed Release file.

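As an added example that is not part of the original post (and not Pulp's or Foreman's code), the following script rehearses the whole chain from steps 1, 2 and 5 offline in a throwaway directory: it batch-generates a signing key, signs a constructed Release file through a function equivalent to sign.sh (key id supplied via GPG_KEY_ID, as the distributor config implies), exports the public key, imports it into a separate "client" keyring and verifies the detached signature the way apt does, then shows that a Release modified after signing is rejected. The key name and e-mail, the temp paths and the Release contents are constructed stand-ins; it assumes GnuPG 2.1 or later, where %no-protection is needed for a passphrase-less batch key (the post's GnuPG 2.0.22 does without it).

```shell
#!/bin/bash
# Added example, not from the original post: rehearse the signing chain
# offline before wiring it into Pulp. Everything lives in a mktemp dir;
# the key name, e-mail and Release contents below are constructed.
# Assumes GnuPG 2.1+ (%no-protection replaces the passphrase prompt).
set -u

# Step 1.1 equivalent: batch-generate a signing-only RSA key in $1 and
# print its long key id. 2048 bits keeps the demo fast; 4096 as in the
# post behaves identically.
make_signing_key() {
    local homedir=$1
    mkdir -p "$homedir" && chmod 700 "$homedir"
    gpg --homedir "$homedir" --batch --quiet --gen-key >/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example-Repos
Name-Email: repos@example.invalid
Name-Comment: sign metadata repo
Expire-Date: 0
%commit
EOF
    # --with-colons: field 5 of the "pub" record is the long key id.
    gpg --homedir "$homedir" --list-keys --with-colons \
        | awk -F: '/^pub:/ { print $5; exit }'
}

# Step 2.1 equivalent of sign.sh: the file to sign is $2, the key id
# arrives in GPG_KEY_ID (exported by the caller, as the distributor
# does), and the detached ASCII signature lands in $2.gpg.
sign_release() {
    local homedir=$1 file=$2
    rm -f "$file.gpg"
    gpg --homedir "$homedir" --batch --default-key "$GPG_KEY_ID" \
        -abs -o "$file.gpg" "$file"
}

# Steps 5.1-5.3: export the public key and import it into a separate
# client keyring, which is what apt-key add does with the file.
install_client_key() {
    local srv_home=$1 client_home=$2 keyid=$3
    mkdir -p "$client_home" && chmod 700 "$client_home"
    gpg --homedir "$srv_home" --export -a "$keyid" \
        > "$client_home/pub_key_foreman.key"
    gpg --homedir "$client_home" --batch --quiet \
        --import "$client_home/pub_key_foreman.key" 2>/dev/null
}

# What apt does on the client: check Release.gpg against Release using
# only the client keyring. Exit status 0 means the signature is good.
verify_release() {
    local client_home=$1 file=$2
    gpg --homedir "$client_home" --batch --quiet \
        --verify "$file.gpg" "$file" 2>/dev/null
}

# End-to-end run: sign, verify, then prove a modified Release is rejected.
run_demo() {
    local work srv client keyid
    work=$(mktemp -d)
    srv=$work/gpg-home     # stands in for /var/lib/pulp/gpg-home
    client=$work/client    # stands in for the client's keyring
    keyid=$(make_signing_key "$srv")
    # Constructed stand-in for the Release file Pulp writes on sync.
    cat > "$work/Release" <<EOF
Origin: Foreman
Suite: bionic-updates
Architectures: amd64
Components: main restricted universe multiverse
EOF
    export GPG_KEY_ID=$keyid
    sign_release "$srv" "$work/Release"
    install_client_key "$srv" "$client" "$keyid"
    verify_release "$client" "$work/Release" || { rm -rf "$work"; return 1; }
    echo "Release.gpg verifies with the exported key: OK"
    echo "Suite: bionic-tampered" >> "$work/Release"
    if verify_release "$client" "$work/Release"; then
        echo "tampered Release accepted: BAD"; rm -rf "$work"; return 1
    fi
    echo "tampered Release rejected: OK"
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then run_demo; fi
```

Running it prints two OK lines; if the second check ever passes, the client keyring is not actually being used for verification and nothing about the repo metadata is protected. The same four functions, pointed at /var/lib/pulp/gpg-home and a real Release from the synced repo, are a quick way to confirm that the key id in deb_distributor.json and the permissions on the GPG home are right before restarting Foreman.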