Trying to sign my personal deb repository

bash-4.4$ ls -la .gnupg/
total 24
drwx------  3 pulp pulp 4096 12 janv. 15:36 .
drwxrwxr-x 12 pulp pulp 4096 12 janv. 10:19 ..
drwx------  2 pulp pulp 4096 11 janv. 17:42 private-keys-v1.d
-rw-r--r--  1 pulp pulp 1311 12 janv. 10:02 pubring.kbx
-rw-r--r--  1 pulp pulp 2590 11 janv. 17:32 pubring.kbx~
srwx------  1 pulp pulp    0 12 janv. 15:31 S.gpg-agent
srwx------  1 pulp pulp    0 11 janv. 15:02 S.gpg-agent.browser
srwx------  1 pulp pulp    0 11 janv. 15:02 S.gpg-agent.extra
srwx------  1 pulp pulp    0 11 janv. 15:02 S.gpg-agent.ssh
-rw-------  1 pulp pulp 1280 11 janv. 17:39 trustdb.gpg

Can you verify, as the pulp user, whether the signing script works in principle, and investigate further from there:

su pulp -s /bin/bash
/var/lib/pulp/sign_deb_release.sh <any file>

This should return something like:

{
  "signatures": {
    "inline": "/tmp/tmp.1pQwZfLogh/InRelease",
    "detached": "/tmp/tmp.1pQwZfLogh/Release.gpg"
  }
}

The problem is with the "--local-user" option in the script:
--local-user "${GPG_KEY_ID}"

I think the problem may be related to the fact that I exported the key of our aptly server and imported it into the foreman server.

Hi,

I fixed some problems, and now I'm able to sign a file with the key.
./sign_deb_release.sh testfile
{ "signatures": { "inline": "/tmp/tmp.alQ2QSYbkP/InRelease", "detached": "/tmp/tmp.alQ2QSYbkP/Release.gpg" } }
My problem was with "su -". Running "chown pulp /dev/pts/0" solved the problem.

But there is still an error when I launch the pulpcore-manager command:

dynaconf.validator.ValidationError: CONTENT_ORIGIN is a required setting but it was not configured. This may be caused by invalid read permissions of the settings file. Note that CONTENT_ORIGIN is set by the installer automatically.

but

echo $PULP_SETTINGS
"/etc/pulp/settings.py"

and

grep CONTENT_ORIGIN /etc/pulp/settings.py
CONTENT_ORIGIN = "https://myserveurname

Can you post the full pulpcore-manager command that results in the error?

export PULP_SETTINGS="/etc/pulp/settings.py"; pulpcore-manager add-signing-service --class deb:AptReleaseSigningService ubuntu my key 0B93…0900

Traceback (most recent call last):
  File "/usr/bin/pulpcore-manager", line 33, in <module>
    sys.exit(load_entry_point('pulpcore==3.28.19', 'console_scripts', 'pulpcore-manager')())
  File "/usr/lib/python3.9/site-packages/pulpcore/app/manage.py", line 11, in manage
    execute_from_command_line(sys.argv)
  File "/usr/lib/python3.9/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/lib/python3.9/site-packages/django/core/management/__init__.py", line 382, in execute
    settings.INSTALLED_APPS
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 102, in __getattr__
    self._setup(name)
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 89, in _setup
    self._wrapped = Settings(settings_module)
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 217, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "/usr/lib64/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/lib/python3.9/site-packages/pulpcore/app/settings.py", line 381, in <module>
    settings = DjangoDynaconf(
  File "/usr/lib/python3.9/site-packages/dynaconf/contrib/django_dynaconf_v2.py", line 84, in load
    lazy_settings.populate_obj(django_settings_module)
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 115, in __getattr__
    self._setup()
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 174, in _setup
    self._wrapped = Settings(
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 253, in __init__
    self.execute_loaders()
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 1025, in execute_loaders
    self.pre_load(env, silent=silent, key=key)
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 1044, in pre_load
    self.load_file(path=preloads, env=env, silent=silent, key=key)
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 1071, in load_file
    if py_loader.try_to_load_from_py_module_name(
  File "/usr/lib/python3.9/site-packages/dynaconf/loaders/py_loader.py", line 68, in try_to_load_from_py_module_name
    mod = importlib.import_module(str(name))
  File "/usr/lib64/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/lib/python3.9/site-packages/pulp_ansible/app/settings.py", line 24, in <module>
    ANSIBLE_CONTENT_HOSTNAME = settings.CONTENT_ORIGIN + "/pulp/content"
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 115, in __getattr__
    self._setup()
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 174, in _setup
    self._wrapped = Settings(
  File "/usr/lib/python3.9/site-packages/dynaconf/base.py", line 256, in __init__
    self.validators.validate(
  File "/usr/lib/python3.9/site-packages/dynaconf/validator.py", line 467, in validate
    validator.validate(
  File "/usr/lib/python3.9/site-packages/dynaconf/validator.py", line 213, in validate
    self._validate_items(
  File "/usr/lib/python3.9/site-packages/dynaconf/validator.py", line 274, in _validate_items
    raise ValidationError(_message, details=[(self, _message)])
dynaconf.validator.ValidationError: CONTENT_ORIGIN is a required setting but it was not configured. This may be caused by invalid read permissions of the settings file. Note that CONTENT_ORIGIN is set by the installer automatically.

Try running it as a single command:

PULP_SETTINGS="/etc/pulp/settings.py" pulpcore-manager add-signing-service --class deb:AptReleaseSigningService ubuntu <my_key> 0B93…0900

The result is exactly the same.

To me, this looks like a bug in pulpcore-manager, perhaps something in the settings load order. Can you create an issue with pulpcore here: Issues · pulp/pulpcore · GitHub

The key information for the issue is that you have CONTENT_ORIGIN in your /etc/pulp/settings.py, PULP_SETTINGS="/etc/pulp/settings.py" is clearly set, the command you ran and its full error output.

The pulpcore version you are running is also important. You should be able to find it by running pulp status on your Foreman host.

Done here: Impossible to sign my personnal deb repository · Issue #4949 · pulp/pulpcore · GitHub

I had one more thought: What does ls -al /etc/pulp/settings.py say?

-rw-r----- 1 root pulp 2938 Nov 24 10:58 /etc/pulp/settings.py

That looks correct to me.

@Jean-Francois I was able to reproduce your error on a Foreman 3.9/Katello 3.11 instance, but then I was able to fix it with a small change to the command I ran. Can you try your command as I described in this comment?

Hi,

So I was finally able to create the signing service. Thanks for fixing this.
Now I'm trying to use it with my repository. But I don't have the "pulp deb" command. Did I miss something?

If you are using Katello, and there is a signing service named katello_deb_sign in Pulp, then Katello will automatically use it for all future publish actions. So for example, the next time you sync a repo with some new content and create a new content view version from it, it should be signed. You can test this by creating a small new repo, syncing it, and looking at the link under "Published At" on the repo page.

For existing content views and lifecycle environments you can run Katello’s “republish repository metadata” feature. One way to do this is via Hammer, the following may help:

hammer content-view version republish-repositories --help

Does that answer the question?

And if I don’t use content-views and lifecycles for Ubuntu ?

In that case you can just go to the repository page for the repo in question and select "Republish Repository Metadata" from the drop-down "Select Action" menu in the top right. Once the task triggered this way has completed, the published repository should be signed. This can also be done via hammer, see:

hammer repository republish --help

When I'm running apt update from a client, I still get the message:
E: The repository 'https://path_of_the_repo default Release' is not signed.

Have you tried creating an entirely new repository and checking if the published repository is signed?

For example, I have just created and synced the following test repo:

If I now open the “Published At” link, and navigate to the /dists/bookworm/ folder I see the following:

The existence of the InRelease and Release.gpg file at this location tells me my signing service was used.

If you don’t have these files for a newly created repo, then your signing service is not being used.

If newly created repos are signed, you can next check the specific repositories your APT hosts are complaining about (in your example https://path_of_the_repo). Navigate to the dists/default/ folder within the repo and look for InRelease and/or Release.gpg files. If those are missing, you have not re-published that publication since adding your signing service.
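The check described in the last reply, scripted: given a published repo's dists/<suite>/ directory (a local path or the "Published At" URL plus dists/<suite>/), it reports whether InRelease and/or Release.gpg are present and, when a public keyring is supplied and gpg is installed, verifies the signature against it. This is an added example, not part of the thread or of Pulp; the function name, the optional curl fetch and the keyring argument are assumptions.

```shell
#!/bin/sh
# check_deb_signed DISTS_DIR_OR_URL [KEYRING]
#   DISTS_DIR_OR_URL: local directory or URL of a published repo's dists/<suite>/
#   KEYRING (optional): gpg public keyring holding the repo signing key
# Exit status: 0 = signed (and verified when a keyring was given),
#              1 = unsigned (no InRelease and no Release.gpg),
#              2 = signature files present but gpg verification failed.
check_deb_signed() {
    src="$1"; keyring="${2:-}"
    case "$src" in
        http://*|https://*)
            # Remote repo: fetch the three metadata files into a scratch dir (curl assumed).
            dir=$(mktemp -d) || return 1
            for f in Release InRelease Release.gpg; do
                curl -fsS -o "$dir/$f" "${src%/}/$f" 2>/dev/null || rm -f "$dir/$f"
            done ;;
        *)  dir="${src%/}" ;;
    esac
    inline=0; detached=0
    # Inline-signed Release (InRelease) and/or detached signature (Release.gpg next to Release),
    # the two files Pulp's AptReleaseSigningService produces.
    [ -s "$dir/InRelease" ] && inline=1
    [ -s "$dir/Release.gpg" ] && [ -s "$dir/Release" ] && detached=1
    if [ "$inline" -eq 0 ] && [ "$detached" -eq 0 ]; then
        echo "UNSIGNED: no InRelease or Release.gpg under $src (republish metadata after adding the signing service)"
        return 1
    fi
    echo "signed: inline=$inline detached=$detached"
    # Presence only proves a signing service ran; verify the signature when we can.
    if [ -n "$keyring" ] && command -v gpg >/dev/null 2>&1; then
        if [ "$inline" -eq 1 ]; then
            gpg --batch --no-default-keyring --keyring "$keyring" --verify "$dir/InRelease" >/dev/null 2>&1 || return 2
        fi
        if [ "$detached" -eq 1 ]; then
            gpg --batch --no-default-keyring --keyring "$keyring" --verify "$dir/Release.gpg" "$dir/Release" >/dev/null 2>&1 || return 2
        fi
        echo "verified against $keyring"
    fi
    return 0
}
```

Run it against a freshly created test repo first, then against the dists/default/ of the repo APT complains about; a 1 from the second call and a 0 from the first means that publication simply has not been republished since the signing service was added.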