Pulp_deb for pulp3 in Katello

quba42 · October 25, 2021, 11:49am

One more slight update/add-on:

The post pulpcore 3.13 version of the signing service script can be found here (make sure you adjust the GPG_KEY_ID to identify your signing key!):

github.com

pulp/pulp_deb/blob/main/pulp_deb/tests/functional/sign_deb_release.sh

#!/bin/bash

set -e

RELEASE_FILE="$(/usr/bin/readlink -f $1)"
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
GPG_KEY_ID="Pulp QE"
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"

# Create a detached signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --detach-sign \
  --output "${DETACHED_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

# Create an inline signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \

This file has been truncated. show original

(In fact, this URL points at the main branch so it will always point at the latest version of the script).

Also, I would amend the instructions for creating the signing service using pulpcore-manager as follows:

export PULP_SETTINGS="/etc/pulp/settings.py"  # needed for pulpcore-manager on Katello installations
pulpcore-manager add-signing-service \
  --class 'deb:AptReleaseSigningService' \
  'katello_deb_sign' \
  <path_to_signing_service_script> <signing_key_fingerprint>

Strictly speaking <signing_key_fingerprint> can be anything that will allow gpg to identify the signing key it should use. However, I recommend using the full fingerprint, since this is saved to the signing service’s fingerprint field in the Pulp DB, and who knows what kind of validation may be added to that in the future.

If you are using a local gpg key owned by the Pulp user, you can find out the fingerprint by running gpg --list-keys --fingerprint as the Pulp user. If you want more details, consult man gpg.