Trying to sign my personal deb repository

Problem: I created a personal deb repository with Foreman and I need to sign it to use it with apt.

Expected outcome: apt works without adding "allow-insecure=yes" in my sources.list


**Foreman and Proxy versions:** Foreman 3.8.0, Katello 4.10

**Foreman and Proxy plugin versions:**

**Distribution and version:** RedHat 8.9

**Other relevant data:**
gpg --list-keys => OK, I have a key to sign the repository

bash-4.4$ pulpcore-manager add-signing-service -v 3 --class 'deb:AptReleaseSigningService' 'katello_deb_sign' /var/lib/pulp/sign_deb_release.sh *my key id*
Traceback (most recent call last):
  File "/usr/bin/pulpcore-manager", line 33, in <module>
    sys.exit(load_entry_point('pulpcore==3.28.19', 'console_scripts', 'pulpcore-manager')())
  File "/usr/lib/python3.9/site-packages/pulpcore/app/manage.py", line 11, in manage
    execute_from_command_line(sys.argv)
  File "/usr/lib/python3.9/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/lib/python3.9/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/lib/python3.9/site-packages/django/core/management/base.py", line 412, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/lib/python3.9/site-packages/django/core/management/base.py", line 458, in execute
    output = self.handle(*args, **options)
  File "/usr/lib/python3.9/site-packages/pulpcore/app/management/commands/add-signing-service.py", line 89, in handle
    SigningService.objects.create(
  File "/usr/lib/python3.9/site-packages/django/db/models/manager.py", line 87, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/django/db/models/query.py", line 658, in create
    obj.save(force_insert=True, using=self.db)
  File "/usr/lib/python3.9/site-packages/pulpcore/app/models/content.py", line 869, in save
    self.validate()
  File "/usr/lib/python3.9/site-packages/pulp_deb/app/models/signing_service.py", line 41, in validate
    return_value = self.sign(test_release_path)
  File "/usr/lib/python3.9/site-packages/pulpcore/app/models/content.py", line 812, in sign
    raise RuntimeError(str(completed_process.stderr))
RuntimeError: b'gpg: signing failed: Permission denied\ngpg: signing failed: Permission denied\n'

Can someone help me find a solution?

Regards,
JF

The documentation to achieve this is somewhat hard to find, since it is mostly a pulp_deb and not a Foreman/Katello feature that you need to set up. What you need to do is create an "AptReleaseSigningService" directly within Pulp, and it must be named "katello_deb_sign" (so that Katello will find and use it).

The documentation for how to create an “AptReleaseSigningService” within Pulp can be found here:
https://docs.pulpproject.org/pulp_deb/workflows/signing_service.html

Just remember to adjust the name from the example to “katello_deb_sign”, and Katello will automatically start using it for all your APT repos. Note that all your APT (deb type) repos in Katello will use the signing service if it exists.


Please do let me know how you get on with the documentation I linked to. If it is missing any information we should improve it.


Should we as a first improvement add some explanation and a link somewhere at Managing Content?


I guess it would be good to have a Katello specific version of these docs somewhere around what you linked to. I will discuss this internally.


First, I think this is needed before launching the pulpcore-manager command:

export PULP_SETTINGS=“/etc/pulp/settings.py”

Then my problem is still there.
The public and secret keys are OK for the user pulp, with gpg --list-keys and gpg --list-secret-keys.

I don't understand where the "Permission denied" comes from.

I am consulting some notes of mine, and it looks like the pulpcore-manager command needs to be run as the pulp user. Can you try:

su pulp
PULP_SETTINGS="/etc/pulp/settings.py" pulpcore-manager ...

Edit: su pulp won't work because the pulp user has /sbin/nologin as its shell in /etc/passwd; there was some way of using su to run the pulpcore-manager command as the pulp user regardless. I just don't remember exactly what it was.

I have used some info from these threads too:

I run:
sudo -s pulp /bin/bash
export PULP_SETTINGS=“/etc/pulp/settings.py”
pulpcore-manager add-signing-service --class deb:AptReleaseSigningService katello_deb_sign ./sign_deb_release.sh 0B93…900

and get the permission denied:
RuntimeError: b'gpg: signing failed: Permission denied\ngpg: signing failed: Permission denied\n'

:(

And to be more complete, as the pulp user:

bash-4.4$ gpg --list-keys
/var/lib/pulp/.gnupg/pubring.kbx

pub rsa4096 2019-10-29 [SC]
0B93…900
uid [ ultimate ] ubuntu

bash-4.4$ gpg --list-secret-keys
/var/lib/pulp/.gnupg/pubring.kbx

sec rsa4096 2019-10-29 [SC]
0B93…900
uid [ ultimate ] ubuntu

This is just a guess, but try checking ownership on the files in /var/lib/pulp/.gnupg/ with ls -al /var/lib/pulp/.gnupg/, it should look something like this:

# ls -al /var/lib/pulp/.gnupg/
total 20
drwx------.  4 pulp pulp 4096 Jan  9 20:11 .
drwxrwxr-x. 10 pulp pulp  159 Jan  9 19:58 ..
-rw-------.  1 pulp pulp  117 Jan  9 19:58 gpg.conf
drwx------.  2 pulp pulp   58 Jan  9 19:58 openpgp-revocs.d
drwx------.  2 pulp pulp   58 Jan  9 19:58 private-keys-v1.d
-rw-r--r--.  1 pulp pulp 1355 Jan  9 19:58 pubring.kbx
-rw-------.  1 pulp pulp   32 Jan  9 19:58 pubring.kbx~
srwx------.  1 pulp pulp    0 Jan  9 19:58 S.gpg-agent
srwx------.  1 pulp pulp    0 Jan  9 19:58 S.gpg-agent.browser
srwx------.  1 pulp pulp    0 Jan  9 19:58 S.gpg-agent.extra
srwx------.  1 pulp pulp    0 Jan  9 19:58 S.gpg-agent.ssh
-rw-------.  1 pulp pulp 1280 Jan  9 19:58 trustdb.gpg

The important thing is that everything should be owned by the pulp user and nothing by root. I have a vague memory of a similar issue where just one file in the .gnupg folder was owned by root, and that caused permission errors. If that is not it, I am running out of ideas.

bash-4.4$ ls -la .gnupg/
total 24
drwx------  3 pulp pulp 4096 Jan 12 15:36 .
drwxrwxr-x 12 pulp pulp 4096 Jan 12 10:19 ..
drwx------  2 pulp pulp 4096 Jan 11 17:42 private-keys-v1.d
-rw-r--r--  1 pulp pulp 1311 Jan 12 10:02 pubring.kbx
-rw-r--r--  1 pulp pulp 2590 Jan 11 17:32 pubring.kbx~
srwx------  1 pulp pulp    0 Jan 12 15:31 S.gpg-agent
srwx------  1 pulp pulp    0 Jan 11 15:02 S.gpg-agent.browser
srwx------  1 pulp pulp    0 Jan 11 15:02 S.gpg-agent.extra
srwx------  1 pulp pulp    0 Jan 11 15:02 S.gpg-agent.ssh
-rw-------  1 pulp pulp 1280 Jan 11 17:39 trustdb.gpg

Can you verify, as the pulp user, whether the signing script works in principle and investigate further from there:

su pulp -s /bin/bash
/var/lib/pulp/sign_deb_release.sh <any file>

This should return something like:

{
  "signatures": {
    "inline": "/tmp/tmp.1pQwZfLogh/InRelease",
    "detached": "/tmp/tmp.1pQwZfLogh/Release.gpg"
  }
}
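A self-contained way to run the check suggested above without touching the real keyring, added here as an example; it is not the thread's sign_deb_release.sh and not code from pulp_deb. It makes the same gpg calls a pulp_deb AptReleaseSigningService script makes (a detached Release.gpg plus a clearsigned InRelease, and a JSON object naming both on stdout), but against a constructed key in a throw-away GNUPGHOME, and it verifies what it signed before reporting success. gpg is run with --batch and a loopback pinentry so it never needs a controlling terminal; "gpg: signing failed: Permission denied" is what gpg reports when it wants a tty (for pinentry or GPG_TTY) that is owned by a different user, which is the situation after su into the pulp account. The key name, file layout and paths are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the signing script from the thread or from pulp_deb):
# sign a constructed Release file the way a pulp_deb AptReleaseSigningService
# script does, with no terminal involved, and verify the result.
set -eu

# Throw-away keyring; every gpg call below is confined to it.
WORKDIR="$(mktemp -d)"
GNUPGHOME="${WORKDIR}/gnupg"
export GNUPGHOME
mkdir -m 700 "${GNUPGHOME}"
# Stop the agent gpg starts for this keyring and drop the temp files on exit.
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "${WORKDIR}"' EXIT

# Non-interactive flags used for every signing call. --batch plus a loopback
# pinentry is what keeps gpg away from /dev/pts/* entirely.
GPG_BATCH="--batch --yes --pinentry-mode loopback"

make_test_key() {
    # Constructed, passphrase-less signing key (assumed name, not a real key).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'pulp-selfcheck <pulp@example.invalid>' rsa2048 sign 1d
    # Print its fingerprint: field 10 of the "fpr" record in colon output.
    gpg --batch --with-colons --list-secret-keys 'pulp-selfcheck' \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

sign_release() {
    # $1: Release file, $2: key id. Same contract as the pulp_deb script:
    # two signatures in a fresh directory, JSON naming them on stdout.
    release_file="$(readlink -f "$1")"
    key_id="$2"
    outdir="$(mktemp -d "${WORKDIR}/sig.XXXXXX")"
    gpg ${GPG_BATCH} --armor --digest-algo SHA256 --local-user "${key_id}" \
        --detach-sign --output "${outdir}/Release.gpg" "${release_file}"
    gpg ${GPG_BATCH} --armor --digest-algo SHA256 --local-user "${key_id}" \
        --clearsign --output "${outdir}/InRelease" "${release_file}"
    printf '{"signatures": {"inline": "%s", "detached": "%s"}}\n' \
        "${outdir}/InRelease" "${outdir}/Release.gpg"
}

verify_signatures() {
    # $1: Release file, $2: JSON from sign_release.
    # Succeeds only if both signatures verify against GNUPGHOME.
    release_file="$1"
    inline="$(printf '%s' "$2" | sed -n 's/.*"inline": "\([^"]*\)".*/\1/p')"
    detached="$(printf '%s' "$2" | sed -n 's/.*"detached": "\([^"]*\)".*/\1/p')"
    gpg --batch --quiet --verify "${detached}" "${release_file}" 2>/dev/null &&
        gpg --batch --quiet --verify "${inline}" 2>/dev/null
}

selfcheck() {
    # Constructed stand-in for a repository's Release file.
    printf 'Origin: selfcheck\nSuite: stable\nCodename: stable\nArchitectures: amd64\n' \
        > "${WORKDIR}/Release"
    key_id="$(make_test_key)"
    json="$(sign_release "${WORKDIR}/Release" "${key_id}")"
    verify_signatures "${WORKDIR}/Release" "${json}"
    printf '%s\n' "${json}"
}

# Run the whole cycle when invoked as: sh selfcheck.sh --run
if [ "${1-}" = "--run" ]; then
    selfcheck
fi
```

If this passes as the pulp user but the real script still fails, the difference is in the real script's gpg flags or in the keyring it points at (GNUPGHOME, key id, ownership), not in the account itself.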

The problem is with the "--local-user" option in the script:
--local-user "${GPG_KEY_ID}"

I think the problem may be related to the fact that I exported the key of our aptly server and imported it on the foreman server.

Hi,

I fixed some problems, and now I'm able to sign a file with the key.
./sign_deb_release.sh testfile
{ "signatures": { "inline": "/tmp/tmp.alQ2QSYbkP/InRelease", "detached": "/tmp/tmp.alQ2QSYbkP/Release.gpg" } }
My problem was with "su -". Running "chown pulp /dev/pts/0" solved the problem.

But there is still an error when I run the pulpcore-manager command:

dynaconf.validator.ValidationError: CONTENT_ORIGIN is a required setting but it was not configured. This may be caused by invalid read permissions of the settings file. Note that CONTENT_ORIGIN is set by the installer automatically.

but

echo $PULP_SETTINGS
“/etc/pulp/settings.py”

and

grep CONTENT_ORIGIN /etc/pulp/settings.py
CONTENT_ORIGIN = "https://myserveurname"

Can you post the full pulpcore-manager command that results in the error?

export PULP_SETTINGS=“/etc/pulp/settings.py”; pulpcore-manager add-signing-service --class deb:AptReleaseSigningService ubuntu my key 0B93…0900

Traceback (most recent call last):
  File "/usr/bin/pulpcore-manager", line 33, in <module>
    sys.exit(load_entry_point('pulpcore==3.28.19', 'console_scripts', 'pulpcore-manager')())
  File "/usr/lib/python3.9/site-packages/pulpcore/app/manage.py", line 11, in manage
    execute_from_command_line(sys.argv)
  File "/usr/lib/python3.9/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/lib/python3.9/site-packages/django/core/management/__init__.py", line 382, in execute
    settings.INSTALLED_APPS
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 102, in __getattr__
    self._setup(name)
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 89, in _setup
    self._wrapped = Settings(settings_module)
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 217, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "/usr/lib64/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/lib/python3.9/site-packages/pulpcore/app/settings.py", line 381, in <module>
    settings = DjangoDynaconf(
  File "/usr/lib/python3.9/site-packages/dynaconf/contrib/django_dynaconf_v2.py", line 84, in load
    lazy_settings.populate_obj(django_settings_module)
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 115, in __getattr__
    self._setup()
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 174, in _setup
    self._wrapped = Settings(
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 253, in __init__
    self.execute_loaders()
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 1025, in execute_loaders
    self.pre_load(env, silent=silent, key=key)
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 1044, in pre_load
    self.load_file(path=preloads, env=env, silent=silent, key=key)
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 1071, in load_file
    if py_loader.try_to_load_from_py_module_name(
  File "/usr/lib/python3.9/site-packages/dynaconf/loaders/py_loader.py", line 68, in try_to_load_from_py_module_name
    mod = importlib.import_module(str(name))
  File "/usr/lib64/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/lib/python3.9/site-packages/pulp_ansible/app/settings.py", line 24, in <module>
    ANSIBLE_CONTENT_HOSTNAME = settings.CONTENT_ORIGIN + "/pulp/content"
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 115, in __getattr__
    self._setup()
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 174, in _setup
    self._wrapped = Settings(
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 256, in __init__
    self.validators.validate(
  File "/usr/lib/python3.9/site-packages/dynaconf/validator.py", line 467, in validate
    validator.validate(
  File "/usr/lib/python3.9/site-packages/dynaconf/validator.py", line 213, in validate
    self._validate_items(
  File "/usr/lib/python3.9/site-packages/dynaconf/validator.py", line 274, in _validate_items
    raise ValidationError(_message, details=[(self, _message)])
dynaconf.validator.ValidationError: CONTENT_ORIGIN is a required setting but it was not configured. This may be caused by invalid read permissions of the settings file. Note that CONTENT_ORIGIN is set by the installer automatically.

Try running it as a single command:

PULP_SETTINGS="/etc/pulp/settings.py" pulpcore-manager add-signing-service --class deb:AptReleaseSigningService ubuntu <my_key> 0B93…0900

The result is exactly the same.

To me, this looks like a bug in pulpcore-manager, perhaps something in the settings load order. Can you create an issue with pulpcore here: Issues · pulp/pulpcore · GitHub

The key information for the issue is that you have CONTENT_ORIGIN in your /etc/pulp/settings.py, PULP_SETTINGS="/etc/pulp/settings.py" is clearly set, the command you ran and its full error output.

The pulpcore version you are running is also important. You should be able to find it by running pulp status on your Foreman host.
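One check worth running before filing that issue, added here as an example (not from the thread and not pulpcore's code). The `echo $PULP_SETTINGS` output earlier in the thread prints the path together with its quote characters. A variable exported as `export PULP_SETTINGS="/etc/pulp/settings.py"` echoes back without any quotes, so quotes in the echo output mean they are part of the value itself (typographic quotes pasted from a web page do exactly this). dynaconf then looks for a file whose name begins with a quote character, finds nothing, loads no settings, and reports the first required one, CONTENT_ORIGIN, as missing; an unreadable settings file, the cause the error message itself names, ends the same way. The function below validates the value the way a practitioner would before running pulpcore-manager; the sample file it is tested against is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from pulpcore): validate the value of
# PULP_SETTINGS before blaming pulpcore-manager for a missing CONTENT_ORIGIN.
#
# Usage:  check_pulp_settings "$PULP_SETTINGS"
# Exit 0 if the value is a plain path to a readable settings file that
# defines CONTENT_ORIGIN, 1 otherwise (with the reason on stderr).
check_pulp_settings() {
    value="$1"
    case "$value" in
        "")
            echo "PULP_SETTINGS is empty or unset" >&2
            return 1 ;;
        *\"*|*\'*|*“*|*”*)
            # Quote characters inside the value: dynaconf treats them as part
            # of the file name, so the real settings file is never opened.
            echo "PULP_SETTINGS contains quote characters; re-export it as PULP_SETTINGS=\"/etc/pulp/settings.py\" with plain ASCII quotes" >&2
            return 1 ;;
    esac
    if [ ! -f "$value" ]; then
        echo "PULP_SETTINGS points to a missing file: $value" >&2
        return 1
    fi
    if [ ! -r "$value" ]; then
        # The second cause the dynaconf error text itself mentions.
        echo "PULP_SETTINGS file is not readable by $(id -un): $value" >&2
        return 1
    fi
    if ! grep -q '^CONTENT_ORIGIN' "$value"; then
        echo "no CONTENT_ORIGIN line in $value" >&2
        return 1
    fi
    return 0
}

# Inspect the caller's environment when invoked as: sh check.sh --check-env
if [ "${1-}" = "--check-env" ]; then
    check_pulp_settings "${PULP_SETTINGS-}" && echo "PULP_SETTINGS looks usable"
fi
```

Run it as the same user that runs pulpcore-manager, since the readability test is only meaningful for that account.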