Unable to set up Deb signature

Problem:
It is not possible, according to the Pulp_deb instructions for pulp3 in Katello, to configure the signature of DEB repositories. I get an error in the output:

Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/django/db/backends/base/base.py", line 289, in ensure_connection
    self.connect()
  File "/usr/lib/python3.11/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/db/backends/base/base.py", line 270, in connect
    self.connection = self.get_new_connection(conn_params)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/db/backends/postgresql/base.py", line 275, in get_new_connection
    connection = self.Database.connect(**conn_params)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/psycopg/connection.py", line 119, in connect
    raise last_ex.with_traceback(None)
psycopg.OperationalError: connection failed: database "pulp" does not exist

Expected outcome:
Successful creation of a DEB signature
Foreman and Proxy versions:
3.12.1
Foreman and Proxy plugin versions:
katello 4.14.1
Distribution and version:
AlmaLinux 8.9
Other relevant data:

The linked thread contains a lot of variations and updates.

What are the exact commands/steps you performed?

Created a key:

su pulp -s /bin/bash
 
# this is necessary for GPG's pinentry to work.
script /dev/null
 
# make sure to set the correct ID for the key here, this example uses 'Pulp QE'
# also either set no passphrase here (which you should not use for productive use!!!)
# or add additional code to handle the passphrase in the signing-script
gpg --gen-key
 
# export the public-key
gpg --export --armor "Pulp QE"

Created a bash script:

#!/bin/bash
 
set -e
 
RELEASE_FILE="$(/usr/bin/readlink -f "$1")"
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
PUBLIC_KEY_PATH="${OUTPUT_DIR}/public.key"
 
GPG_KEY_ID="Pulp QE"
 
# Export a public key
/usr/bin/gpg --armor --export "${GPG_KEY_ID}" > "${PUBLIC_KEY_PATH}"
 
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"
 
# Create a detached signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --detach-sign \
  --output "${DETACHED_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"
 
# Create an inline signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --clearsign \
  --output "${INLINE_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"
 
echo { \
       \"public_key\": \"${PUBLIC_KEY_PATH}\", \
       \"signatures\": { \
         \"inline\": \"${INLINE_SIGNATURE_PATH}\", \
         \"detached\": \"${DETACHED_SIGNATURE_PATH}\" \
       } \
     }

Created a Python script:

#!/usr/bin/env python3
 
import os
import sys
 
 
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: {} <path_to_signing_script>".format(sys.argv[0]))
        sys.exit(1)
 
    script_path = os.path.realpath(sys.argv[1])
    if not os.path.exists(script_path):
        print("Usage: {} <path_to_signing_script>".format(sys.argv[0]))
        sys.exit(1)
 
    import django
 
    django.setup()
 
    from pulp_deb.app.models import AptReleaseSigningService
 
    AptReleaseSigningService.objects.create(
        name="katello_deb_sign",
        script=script_path,
    )

Changed the rights and owners of the files to pulp:pulp, and made the files executable.

And then I did:


sudo -u pulp \
  pulpcore-manager add-signing-service \
  --class 'deb:AptReleaseSigningService' \
  katello_deb_sign "${PWD}/sign_deb_release.sh" 'Pulp QE'

And I got the error described above.

Ok, first things first, I believe the python script you created and the pulpcore-manager command are two different ways to accomplish the same thing. (Create a signing service named katello_deb_sign in Katello). You don’t need both. The preferred supported way going forwards is to use the pulpcore-manager command.

Before you try anything else try running the following to see if one of your attempts already created the signing service you want:

pulp signing-service list

For me, the output looks something like this:

[
  {
    "pulp_href": "/pulp/api/v3/signing-services/0193b6a4-cc2f-7151-9ea6-c6d6108c7ed8/",
    "pulp_created": "2024-12-11T16:54:33.907635Z",
    "pulp_last_updated": "2024-12-11T16:54:33.907668Z",
    "name": "katello_deb_sign",
    "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBGdZw8ABEACiMcZfTXl8d63DxYokFN8ltcIlA95QhQrThF6jeQEwZaiLW4aD\n63elhoYJWaqbmG4+Duckowpz9lVqrna6ReNLDCOHkp72KBtEytstkBsHfDfvu9Vr\nibihPPgi4jwa9TyFdwi+lyTZ0vv5QkS2yEZnvPbCtjMduqq4ec6XymBE02h0PmTZ\nNncZc+bYwv880zua57lCntZCTvtwGfQ8Xlr2Xq3y/5QxJTHOniS0/H3CVN6tOHyI\nHCV32e9qjJ48lTiMIgbUhV5rEf+VsIKEAFOnencdLs39X1SMMM/7weY618dszodc\nB7XvMT1JKX80nmpFiMvWYCkn6fIb3LFykHe0R2aNEC7hh31y10mcMXp3Axd/gjsF\n60HMEoVhJPi9Eir6ZvEVCIyBNjr7eszMoSE84f+BE9+rQglhmQqrb/cuP4Rg7Q1w\nGBh8cwEao+HEiD1PIqlyrY1smKHWriA7X8xZuUH3EzqlJD2NPEqalC86079oOZ1y\nNKTwYgO93OSGplJQCji4vSL+v6VHc1pHNptSUotgJWy1Dg5fxdAXmLXpdWxD3Lm4\nVljIqYBqRs/n3zrsNDMNqwreYmcHlWqbtWGX1vjGfmalYsV8rbEMQAOS7frkO+nM\nYlR1BAOLlGc6CYsxINnco3sYmtdTN4HEah2xkFmOee4Kv/JVWZqsnU0mtwARAQAB\ntC5wdWxwX2RlYiBzaWduaW5nIGtleSAoS2F0ZWxsbyBBUFQgc2lnbmluZyBrZXkp\niQJUBBMBCAA+FiEELfJAgvzOdrJaBWJvWOleYv8K+AkFAmdZw8ACGwMFCRLMAwAF\nCwkIBwMFFQoJCAsFFgIDAQACHgUCF4AACgkQWOleYv8K+AmHGw//b2JLaReph7vp\nu8dbWnKFZdkzSTMfh1wZqy20+Jk3R6Q6+uHXpbGJvAn2qLMXYVpvo0SnEgk1tSDO\nT+UDZMirXeILZaFwfMN/RG/wQLQKIdn1i6qEPwy3MOjuTOecSK/F25IDrfM/Wd3o\n+ofHAyeZ2aenPB9aMNXKko7wVjlaeIL/q9JSfakQbYo5Tc+Kx50cvYV98JFdYAUP\nuzxloOjBio5haJVrVA0aShXvcS8CyxzKfrAbZesTdaopSyDjByM1SixRYrTerGnE\nNzAKy0iP7XMqsvKvHwn8/B4uS8jyx/z4OvLaWByvblOVFsM+GLRfOqpvFIbTwwJk\nwcY+GhWRp5ErXoEEB20iuRt6GtPGvC6hujcACsPK1gDLlc5WGZTgISSFnoHJrtdw\nvqqifodhNkNjG9EEPKgyEOVpqgeI19nRkvdOGscsAjIdFfylBrVifFjRCrWg3FJ5\naotl6jBdsGsrmuMFw+74wCwKXRQXGfvJj1Z1bLM98q9bhUF/Nj/V0iu0+FuiWeG8\nOgt1YTatcKuASl03GFLXY3gXcptrHPkAC8XkdHw3RptPt/D+PdjUBLPCxFNe9mbw\nQMLOy2VpK+3hjQ5vMpqjCjYcgpjhdCPkOMNKzWPLpQhx9hU04cjzk+qdG0AM8QeC\naLUF19vHVboXL/Y55G8knLqb0rJx6Vc=\n=wJVg\n-----END PGP PUBLIC KEY BLOCK-----\n",
    "pubkey_fingerprint": "2DF24082FCCE76B25A05626F58E95E62FF0AF809",
    "script": "/opt/katello/apt_signing_service.sh"
  }
]

If you don’t yet have a signing service like this, we should try to get your pulpcore-manager command to work. The error you are getting from the pulpcore-manager command suggests it is looking for a Postgres DB named “pulp” even though the Pulp DB is always called “pulpcore” on Katello installations. This makes me think the execution environment of the pulpcore-manager command is missing some environmental variables. Try amending your command as follows:

sudo -u pulp \
  PULP_SETTINGS=/etc/pulp/settings.py \
  pulpcore-manager add-signing-service \
  --class 'deb:AptReleaseSigningService' \
  katello_deb_sign "${PWD}/sign_deb_release.sh" 'Pulp QE'

Thanks, I checked it out. There was no signature, but when I added the line PULP_SETTINGS=/etc/pulp/settings.py during the formation process, everything worked as it should! Thank you very much!
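
An added example, not part of the original posts and not Pulp's own code: a Python check of the JSON that the signing script posted earlier in this thread prints on stdout, confirming that each reported file exists and starts with the expected PGP armor header, plus a verification of both signatures against only the exported public key in a throwaway keyring. The function names are hypothetical, and gpg_verify assumes gpg is on PATH.

```python
import json
import os
import shutil
import subprocess
import tempfile

# First armor line expected in each file the signing script reports.
EXPECTED = {
    "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----",
    "inline": "-----BEGIN PGP SIGNED MESSAGE-----",
    "detached": "-----BEGIN PGP SIGNATURE-----",
}


def check_signing_output(stdout_text):
    """Return a list of problems in the JSON the signing script printed."""
    try:
        doc = json.loads(stdout_text)
    except json.JSONDecodeError as exc:
        return [f"stdout is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    sigs = doc.get("signatures")
    sigs = sigs if isinstance(sigs, dict) else {}
    paths = {"public_key": doc.get("public_key"),
             "inline": sigs.get("inline"), "detached": sigs.get("detached")}
    problems = []
    for name, path in paths.items():
        if not isinstance(path, str) or not os.path.isfile(path):
            problems.append(f"{name}: missing or not a file: {path!r}")
            continue
        with open(path, errors="replace") as fh:
            first = fh.readline().strip()
        if first != EXPECTED[name]:
            problems.append(f"{name}: unexpected first line {first!r}")
    return problems


def gpg_verify(stdout_text, release_file):
    """Verify both signatures with only the exported key, in a throwaway keyring."""
    doc, gpg = json.loads(stdout_text), shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    with tempfile.TemporaryDirectory() as home:
        base = [gpg, "--homedir", home, "--batch"]
        subprocess.run(base + ["--import", doc["public_key"]], check=True, capture_output=True)
        det = subprocess.run(base + ["--verify", doc["signatures"]["detached"], release_file], capture_output=True)
        inl = subprocess.run(base + ["--verify", doc["signatures"]["inline"]], capture_output=True)
    return det.returncode == 0 and inl.returncode == 0
```

Run the signing script as the pulp user against a scratch Release file, pass its stdout to check_signing_output, and then call gpg_verify with the same stdout and the path of that Release file.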