Ubuntu 20.04 - Sync not working with GPG Key

Problem: Hello Team,

I noticed it's not possible to use a GPG Key for the Ubuntu repository. Error message: No valid Release file found for 'focal'.

Also, some files are missing after the sync (without a GPG Key set):

http://archive.ubuntu.com/ubuntu/ubuntu/ubuntu/dists/focal/InRelease
http://archive.ubuntu.com/ubuntu/ubuntu/ubuntu/dists/focal/Release.gpg

Did somebody have the same behavior? I don't know if it's a config issue or a missing feature.

Thank you.

Fabe

Distribution and version: Foreman 3.3

Other relevant data:

Hello,

About the GPG Key, I found what I was missing on the Foreman forum:

wget http://archive.ubuntu.com/ubuntu/dists/focal/Release.gpg -P focal
wget http://archive.ubuntu.com/ubuntu/dists/focal/Release -P focal

gpg --verify ./focal/Release.gpg ./focal/Release 2>&1 | tee ./focal/rsa_id

gpg --keyserver-options http-proxy=myproxy:8080 --keyserver keyserver.ubuntu.com --recv-keys $(cat ./focal/rsa_id | grep "using RSA key ID" | awk -F' ' '{print $NF}' | sort | uniq)

gpg --armor --export $(cat ./focal/rsa_id | grep "using RSA key ID" | awk -F' ' '{print $NF}' | sort | uniq) > ./focal/focal.Release.gpg

Now I am able to sync with a GPG Key.

Thank you

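The pipeline above recovers the upstream signing key ID by grepping gpg's stderr. As an added example (not code from the original thread), the Python below reads the issuer key ID and fingerprint directly from the signature packet in a Release.gpg, which is what you need before fetching the key to use as a Content Credential; the sample signature is constructed here and is only structurally valid, and the parser assumes the old-format packet header gpg emits for signatures.

```python
import base64

def dearmor(armored: str) -> bytes:
    """Strip PGP ASCII armor: keep the base64 body, skip armor headers and the '=CRC' line."""
    lines = [l.strip() for l in armored.splitlines()]
    start, end = lines.index("-----BEGIN PGP SIGNATURE-----"), lines.index("-----END PGP SIGNATURE-----")
    b64 = [l for l in lines[start + 1:end] if l and ": " not in l and not l.startswith("=")]
    return base64.b64decode("".join(b64))

def first_packet(data: bytes):
    """(tag, body) of the first OpenPGP packet; handles the old-format header gpg emits for signatures."""
    ctb = data[0]
    if ctb & 0x40:
        raise ValueError("new-format packet header not handled in this example")
    size = 1 << (ctb & 0x03)                       # length field is 1, 2 or 4 bytes
    length = int.from_bytes(data[1:1 + size], "big")
    return (ctb >> 2) & 0x0F, data[1 + size:1 + size + length]

def subpackets(area: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 section 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192: length, i = first, i + 1
        elif first < 255: length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else: length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the 'critical' bit of the type
        i += length

def signature_issuer(armored: str) -> dict:
    """Parse a v4 detached signature and report which key it claims was used."""
    tag, body = first_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    p = 6 + int.from_bytes(body[4:6], "big")            # end of hashed subpacket area
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")  # end of unhashed subpacket area
    info = {"pubkey_algo": body[2], "hash_algo": body[3], "key_id": None, "fingerprint": None}
    for sp_type, sp in list(subpackets(body[6:p])) + list(subpackets(body[p + 2:end])):
        if sp_type == 16: info["key_id"] = sp.hex().upper()             # Issuer
        elif sp_type == 33: info["fingerprint"] = sp[1:].hex().upper()  # Issuer Fingerprint (byte 0 = key version)
    return info

# Constructed sample: a structurally valid (not cryptographically valid) v4 RSA/SHA256 signature armored like a Release.gpg; all values are made up.
_KEY_ID = bytes.fromhex("0011223344556677")
_BODY = (bytes([4, 0, 1, 8]) + (23).to_bytes(2, "big") + bytes([22, 33, 4]) + bytes(range(12)) + _KEY_ID
         + (10).to_bytes(2, "big") + bytes([9, 16]) + _KEY_ID + b"\xab\xcd" + (16).to_bytes(2, "big") + b"\xff\xff")
SAMPLE_RELEASE_GPG = ("-----BEGIN PGP SIGNATURE-----\n\n"
                      + base64.b64encode(bytes([0x88, len(_BODY)]) + _BODY).decode()
                      + "\n-----END PGP SIGNATURE-----\n")
```

On a real Release.gpg, `signature_issuer(open("Release.gpg").read())` gives the long key ID to pass to `gpg --recv-keys`; a sync that "discards" unverifiable Release files is usually a mismatch between this ID and the key in the Content Credential.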

Hello,

The sync is working, but the files Release and Release.gpg are still missing.

Is it possible to add them somehow manually?

Thank you,

@quba42 Could you comment on this? Thanks.

What are you setting for Upstream URL and Releases/Distributions?

Hello,

Thank you for contacting me

Settings:

Currently I'm trying these steps, found on the forum:

Generating Signing-Keys

su pulp -s /bin/bash

script /dev/null

gpg --gen-key

gpg --export --armor "Pulp QE"

Create Signing-Script

#!/bin/bash

set -e

RELEASE_FILE="$(/usr/bin/readlink -f "$1")"
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
PUBLIC_KEY_PATH="${OUTPUT_DIR}/public.key"

GPG_KEY_ID="Pulp QE"

# Export the public key that will be published alongside the signatures
/usr/bin/gpg --armor --export "${GPG_KEY_ID}" > "${PUBLIC_KEY_PATH}"

COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"

# Create a detached signature (Release.gpg)
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --detach-sign \
  --output "${DETACHED_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

# Create an inline signature (InRelease)
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --clearsign \
  --output "${INLINE_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

# Print the JSON that the signing service expects on stdout
echo "{ \
  \"public_key\": \"${PUBLIC_KEY_PATH}\", \
  \"signatures\": { \
    \"inline\": \"${INLINE_SIGNATURE_PATH}\", \
    \"detached\": \"${DETACHED_SIGNATURE_PATH}\" \
  } \
}"

Run the add_signing_service script:

sudo -u pulp PULP_SETTINGS='/etc/pulp/settings.py' pulpcore-manager add-signing-service --class 'deb:AptReleaseSigningService' katello_deb_sign "/var/lib/pulp/sign_deb_release.sh" 'Pulp QE'

[root@az66u1971 pulp]# sudo -u pulp PULP_SETTINGS='/etc/pulp/settings.py' pulpcore-manager add-signing-service --class 'deb:AptReleaseSigningService' katello_deb_sign "/var/lib/pulp/sign_deb_release.sh" 'Pulp QE'
/opt/theforeman/tfm-pulpcore/root/usr/lib64/python3.8/site-packages/cryptography/hazmat/bindings/openssl/binding.py:173: CryptographyDeprecationWarning: OpenSSL version 1.0.2 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
warnings.warn(
System check identified some issues:

WARNINGS:
?: (guardian.W001) Guardian authentication backend is not hooked. You can add this in settings as eg: AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend', 'guardian.backends.ObjectPermissionBackend').
Successfully added signing service katello_deb_sign for key F8A172E72483C0F82B2EAE7870570F6F50DA5CCE.

Good news, it works now after the last step.

Looks like you are now successfully doing both of the following:

  1. Checking the signatures on the upstream repo you are syncing from archive.ubuntu.com using a GPG Key "Content Credential". Note that this signature checking works by simply discarding any Release files that cannot be successfully verified using the GPG key you provided. This can lead to problems if any of the "Releases/Distributions" you are syncing are signed with different keys from each other.

  2. You are signing all the repos your Katello instance is publishing using the katello_deb_sign signing service you created.

Hello Quba42,

I removed all GPG keys to avoid future issues.

Thank you for the advice,