Add-signing-service: (_("The signature is not valid."), verified=verified)

Hello All.

Would you please assist?

Problem:

Registering a signing script fails on pulp/pulp-minimal:3.31 started as API

The signing script works fine manually

Also it seems the signing is completed but verification fails.

bash-4.4$ gpg testfile.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'testfile'
gpg: Signature made Fri 18 Aug 2023 03:20:09 PM CEST
gpg:                using RSA key E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6
gpg: Good signature from "LSB (Linux RPM Software Repository TEST Vault) <solutions@list.com>" [ultimate]

The external gpg signer is HashiCorp Vault with the vault-gpg-plugin.

Expected outcome:

Need help to get more information on the error.

Pulpcore version:

ansible-core 2.13.11
pulpcore 3.31.0

Pulp plugins installed and their versions:

Operating system - distribution and version:

NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"

Other relevant data:

The signer script:

FILE_PATH="$1"
SIGNATURE_PATH="$1.asc"

curl -s --header "X-Vault-Token: $VAULT_TOKEN" -X POST \
        --data '{ "format" : "ascii-armor", "input" : "'$(base64 -w0 $1 )'" }' \
        $VAULT_GPG_SIGNER | jq -r .data.signature > "${SIGNATURE_PATH}" || exit $?

echo "{\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}"

This is set for user pulp:
PULP_SIGNING_KEY_FINGERPRINT=E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6

Register command:

/usr/local/bin/pulpcore-manager add-signing-service collection_signer_vault /var/lib/pulp/scripts/vault_collection_sign.sh E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6

Output from register command.

/usr/local/bin/pulpcore-manager add-signing-service --gnupghome /var/lib/pulp/.gnupg collection_signer_vault  /var/lib/pulp/scripts/vault_collection_sign.sh E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6
pulp [None]: gnupg:WARNING: gpg returned a non-zero error code: 2
Traceback (most recent call last):
  File "/usr/local/bin/pulpcore-manager", line 8, in <module>
    sys.exit(manage())
  File "/usr/local/lib/python3.8/site-packages/pulpcore/app/manage.py", line 11, in manage
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.8/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/base.py", line 412, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/base.py", line 458, in execute
    output = self.handle(*args, **options)
  File "/usr/local/lib/python3.8/site-packages/pulpcore/app/management/commands/add-signing-service.py", line 89, in handle
    SigningService.objects.create(
  File "/usr/local/lib/python3.8/site-packages/django/db/models/manager.py", line 87, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 658, in create
    obj.save(force_insert=True, using=self.db)
  File "/usr/local/lib/python3.8/site-packages/pulpcore/app/models/content.py", line 870, in save
    self.validate()
  File "/usr/local/lib/python3.8/site-packages/pulpcore/app/models/content.py", line 908, in validate
    gpg_verify(self.public_key, return_value["signature"], temp_file.name)
  File "/usr/local/lib/python3.8/site-packages/pulpcore/app/util.py", line 294, in gpg_verify
    raise InvalidSignatureError(_("The signature is not valid."), verified=verified)
pulpcore.exceptions.validation.InvalidSignatureError: The signature is not valid.

Thank you.

I don’t see what your issue is here, but I want to ask a few sanity questions.

  • As the service user pulp can you ensure gpg --armor --export E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6 and show its output.

  • Am I right in understanding that you’re using the home folder gpg key ring for pulp?

  • The signing script got formatted a little strangely in your post (but that's ok). Can you confirm it has a shebang at the top and show its POSIX permissions also? It needs the shebang and also the pulp user needs execute perms on it.

  • Can you manually take a signature produced by the signing script and have the gpg tools verify it using the public key E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6? I think you can do this with gpg --verify --keyid-format long=0xE38DEFEB15E1356215FAC26E09EE34F78BEEB7E6 foo.asc foo or gpg --verify foo.asc foo. This is more or less what the code here does.

Hello bmbouter

Thank you for the reply.

The reply is lengthy but is probably best this way.

The gpghome is /var/lib/pulp/.gnupg for user pulp.
The export exported the correct public key.

Reply to your bullets.

bash-4.4$ id
uid=700(pulp) gid=700(pulp) groups=700(pulp)

bash-4.4$ ls -la
total 0
drwxr-xr-x 1 pulp pulp  46 Aug 18 14:41 .
drwxr-xr-x 1 root root  40 Aug 16 03:27 ..
drwxrwsr-x 1 pulp root   6 Aug 16 03:27 assets
drwx------ 3 pulp pulp 183 Aug 21 07:45 .gnupg
drwxrwsr-x 1 pulp root   6 Aug 16 03:27 media
drwxrwsr-x 1 pulp root  38 Aug 18 14:41 scripts
drwxrwsr-x 1 pulp root  42 Aug 21 07:45 tmp

bash-4.4$ pwd
/var/lib/pulp

bash-4.4$ gpg --armor --export
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGTcuvIBEAChI6spEu5jobb0+t7PbRUCDgCNAtTCsQTvxNcxdVLur2szsMLl
.
.
BwURi1Yr8GnfaxOmLdkNgsVWTqPaGmlu2E6bfGeGwbhC+2Q2
=ES2S
-----END PGP PUBLIC KEY BLOCK-----


bash-4.4$ ls -l /var/lib/pulp/scripts/vault_collection_sign.sh
-rwxr-xr-x 1 pulp pulp 703 Aug 18 14:42 /var/lib/pulp/scripts/vault_collection_sign.sh

bash-4.4$ cat /var/lib/pulp/scripts/vault_collection_sign.sh   

-- bash start --
#!/bin/bash
# vault_collection_sign.sh (remote_collection_sign.sh)
#
# Pulp calls this script with one argument, the path of the file to sign,
# and expects a JSON object naming the file and its detached signature on stdout.
set -o pipefail   # without this a failed curl is masked by jq's exit status

# Get Signer URL (http://vault01.abcgroup.net:8200/v1/gpg/sign/pulp3/sha2-512)
VAULT_GPG_SIGNER="$(/bin/awk -F'=' '/VAULT_GPG_SIGNER/ {gsub(/[ \042]/,"",$2); print $2 }' /etc/pulp/settings.py )"

FILE_PATH="$1"
SIGNATURE_PATH="$1.asc"

# VAULT_TOKEN is expected in the environment. --fail turns a Vault HTTP error
# (missing or invalid token) into a non-zero curl exit instead of an empty signature.
curl -s --fail --header "X-Vault-Token: $VAULT_TOKEN" -X POST \
        --data '{ "format" : "ascii-armor", "input" : "'"$(base64 -w0 "$FILE_PATH")"'" }' \
        "$VAULT_GPG_SIGNER" | jq -r .data.signature > "${SIGNATURE_PATH}" || exit $?

echo "{\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}"
-- bash end --

bash-4.4$ gpg --verify --keyid-format long=0xE38DEFEB15E1356215FAC26E09EE34F78BEEB7E6 testfile.asc testfile
gpg: unknown keyid-format 'long=0xE38DEFEB15E1356215FAC26E09EE34F78BEEB7E6'

bash-4.4$ gpg --verify --keyid-format long testfile.asc testfile
gpg: Signature made Mon 21 Aug 2023 07:32:44 AM CEST
gpg:                using RSA key E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6
gpg: Good signature from "LSB (Linux RPM Software Repository TEST Vault) <linux-solutions@list.com>" [ultimate]

bash-4.4$ gpg --verify testfile.asc testfile
gpg: Signature made Mon 21 Aug 2023 07:32:44 AM CEST
gpg:                using RSA key E38DEFEB15E1356215FAC26E09EE34F78BEEB7E6
gpg: Good signature from "LSB (Linux RPM Software Repository TEST Vault) <linux-solutions@list.com>" [ultimate]

Thank you.

Issue is resolved.

Will update this thread tomorrow.


The problem was that the action add-signing-service does not see environment variables for the user pulp
in the signing script.

This caused the calculated signature to be empty as it could not reach the Vault GPG service.

You have to 'pull' the variables in for this add-signing-service to see them.
A new variable used in the signing script, the Vault token.
This Token is available to the user 'pulp' environment like any of the others.
But during registration it is not.

This is why running the signing script in the shell of user pulp worked.

So in the signing script you have to pull this in as it is not read from the ENV.

VAULT_TOKEN=$(cat /secrets/vault_token)

Thanks

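A hardened version of this signing script, added here as an example; it is neither the poster's script nor pulpcore code. It applies the fix from the resolution above (the Vault token is read from a file because the script is not handed the pulp user's login environment) and additionally refuses to report success when Vault cannot be reached or returns an empty or non-armored signature, which is the silent failure mode that produced "The signature is not valid." Assumptions: the token file path /secrets/vault_token and the signer URL are the ones shown in the thread (both can be overridden via VAULT_TOKEN_FILE and VAULT_GPG_SIGNER), the Vault endpoint is the vault-gpg-plugin sign API, and curl, jq, base64 and gpg are on PATH for the pulp user.

```bash
#!/bin/bash
# Hardened Pulp signing-service script for an external HashiCorp Vault GPG signer.
# Added example for this thread: not the poster's script and not pulpcore code.
# Assumptions (adjust for your deployment):
#   - the Vault token lives in /secrets/vault_token (path from the resolution post)
#   - VAULT_GPG_SIGNER defaults to the vault-gpg-plugin sign URL from the post
#   - curl, jq, base64 and gpg are on PATH for the pulp user
set -eu

VAULT_TOKEN_FILE="${VAULT_TOKEN_FILE:-/secrets/vault_token}"
VAULT_GPG_SIGNER="${VAULT_GPG_SIGNER:-http://vault01.abcgroup.net:8200/v1/gpg/sign/pulp3/sha2-512}"

# Read the token from a file instead of the environment: add-signing-service (and
# later signing tasks) run the script without the pulp user's shell variables.
load_vault_token() {
    if [ ! -r "$1" ]; then
        echo "vault token file '$1' is not readable" >&2
        return 1
    fi
    tr -d '[:space:]' < "$1"
}

# vault-gpg-plugin expects the input base64-encoded inside the JSON body.
build_sign_request() {
    printf '{"format":"ascii-armor","input":"%s"}' "$(base64 < "$1" | tr -d '\n')"
}

# POST to Vault. curl --fail turns an HTTP error (bad token, wrong path) into a
# non-zero exit; the response is staged in a file so no pipeline status is lost.
# Arguments: token, signer URL, file to sign. Signature is written to stdout.
vault_sign() {
    local resp rc
    resp="$(mktemp)"
    curl -sS --fail --header "X-Vault-Token: $1" -X POST \
         --data "$(build_sign_request "$3")" "$2" > "$resp" \
        && jq -er '.data.signature' "$resp"
    rc=$?
    rm -f "$resp"
    return "$rc"
}

# An empty .asc, or jq's literal "null", must never be handed back to Pulp.
check_signature_file() {
    [ -s "$1" ] && grep -q '^-----BEGIN PGP SIGNATURE-----$' "$1"
}

# The JSON object Pulp's signing-service contract expects on stdout.
emit_result() {
    printf '{"file": "%s", "signature": "%s"}\n' "$1" "$2"
}

main() {
    local file="$1" sig="$1.asc" token
    token="$(load_vault_token "$VAULT_TOKEN_FILE")"
    if ! vault_sign "$token" "$VAULT_GPG_SIGNER" "$file" > "$sig"; then
        echo "vault signing of '$file' failed" >&2
        rm -f "$sig"
        exit 1
    fi
    if ! check_signature_file "$sig"; then
        echo "vault returned an empty or non-armored signature for '$file'" >&2
        rm -f "$sig"
        exit 1
    fi
    # Same verification pulpcore performs when registering the service; failing
    # here gives a clearer message than InvalidSignatureError from add-signing-service.
    gpg --batch --verify "$sig" "$file" >/dev/null 2>&1 \
        || { echo "local gpg verification of '$sig' failed" >&2; exit 1; }
    emit_result "$file" "$sig"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

To reproduce what add-signing-service sees before registering, run the script as the pulp user with a scrubbed environment, e.g. `env -i HOME=/var/lib/pulp /var/lib/pulp/scripts/vault_collection_sign.sh /var/lib/pulp/tmp/testfile`; with the original script that reproduces the empty .asc, with this one it exits non-zero with the reason on stderr.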

Thanks for posting the followup @Janr! I’m glad it’s working for you.