Getting GPG key for ubuntu repository?

gawainxl · April 13, 2022, 8:17pm

I’m having some difficulty adding the Ubuntu Debian repos into Foreman

I’ve gotten the repository added but I’m having some difficulty figuring out how to get the GPG keys or whether they are nescicarry. This was pretty easy for YUM/RPM based repos but I’m not finding much on how to do this for deb and googling hasn’t had much success.

For example, how would I get the keys for this repo?
deb Index of /ubuntu bionic main restricted universe multiverse

Using Foreman 3.2 Katello 4.4 on AlmaLinux 8.5

quba42 · April 14, 2022, 12:48pm

First of all, adding GPG keys to your APT repos is very much optional, if you do not supply a key there simply won’t be any integrity checking.

For help with finding GPG keys for Debian and Ubuntu, see the following resources:

I hope that helps.

saltyollpheist · April 14, 2022, 1:51pm

I had to do some trial and error with this because of the steps provided in the documentation. I’m honestly not sure if I even succeeded since I’m still running into the issue of No content added even though it’s synchronizes successfully. Having said all that, these are the steps I followed with results below:

Starting with steps from Extracting GPG Public Key Fingerprints from a Release Files, I got as far as step 2. I received the following output:
(NOTE: the RSA key shown below is for example only and is not valid)

gpg --verify Release.gpg Release
gpg: Signature made Thu 14 Apr 2022 07:10:37 AM CDT
gpg:                using RSA key 3B4GE6BCC0D21E34
gpg: Can't check signature: No public key

Since I received the Can't check signature message, I followed onto step 3 using the following command:

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 3B4GE6BCC0D21E34

Notice I’m referencing the previous RSA key that was generated. The following output was generated:

gpg: key 3B4GE6BCC0D21E34: public key "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

As show in the steps, albeit it’s stated as optional, I went ahead and verified the Release.gpg again and received the following output:

gpg --verify Release.gpg Release
gpg: Signature made Thu 14 Apr 2022 07:10:37 AM CDT
gpg:                using RSA key 3B4GE6BCC0D21E34
gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AAAA BBBB CCCC DDDD EEEE FFFF 1111 2222 3333 4444

(NOTE: Primary key fingerprint above is placeholder for example only.)

I then followed the rest of the steps in the documentation:

gpg --armor --export 3B4GE6BCC0D21E34 > ubuntu_bionic_updates.txt
cat ubuntu_bionic_updates.txt

After you cat the file, it’ll display the PGP Public Key Block that you can then copy and paste in the applicable field as detailed in the following steps 5.23 Importing a GPG Key.

Sorry for the lengthy detail. I hope this helps you and others. And if anyone comes along and finds my response to be in error, please, offer correction as I would hate to be giving incorrect info.