Deb Mirror, multiple gpgkeys

Problem:

I am trying to create an Ubuntu deb mirror of Index of /ubuntu
for both “focal” and “bionic”. When I create the Pulp remote, I am filling in the gpgkey field, but the signing keys for focal and bionic are different, so when I attempt to sync the repository it fails.
Is there any way to support both keys?
Do I have to make 2 separate repos, one for focal and one for bionic?

I will be publishing as verbatim, but would still like the additional safety net of upstream GPG verification.

Expected outcome:

Pulpcore version:
3.19
Pulp plugins installed and their versions:
pulp-deb 2.18.0
pulp-file 1.10.2
Operating system - distribution and version:
ubuntu 20.04
Other relevant data:

You have found a design flaw: There is currently no way of associating more than one GPG key with any one APT remote. It is worth opening an issue for this, but it will most likely take a while before it will be worked on.

In the meantime you have two options:

  1. Don’t associate any GPG keys with the remote (no signature verification during sync), publish verbatim, and rely on the clients for signature checking.
  2. Create two separate repositories for focal and bionic.

I would probably recommend option 2, since it will allow you to perform signature checking during sync, and also keep down the repo size of your Pulp repos (very large repos have been known to cause performance issues).

1 Like

Thank you very much for the reply.
I have opened an issue.

I removed the gpgkey (#1) in an attempt to get it to work (and it did sync), but I will explore option 2 as well.

2 Likes

I have not tested this, but I have seen some documentation that suggests it may be possible to add “multiple” GPG keys into a single Pulp gpgkey field, by making the content of the field something like the following:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFy/HE4BEADttv2TCPzVrre+aJ9f5QsR6oWZMm7N5Lwxjm5x5zA9BLiPPGFN
4aTUR/g+K1S0aqCU+ZS3Rnxb+6fnBxD+COH9kMqXHi3M5UNzbp5WhCdUpISXjjpU
XIFFWBPuBfyr/FKRknFH15P+9kLZLxCpVZZLsweLWCuw+JKCMmnA
=F6VG
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFw467UBEACmREzDeK/kuScCmfJfHJa0Wgh/2fbJLLt3KSvsgDhORIptf+PP
OTFDlKuLkJx99ZYG5xMnBG47C7ByoMec1j94YeXczuBbynOyyPlvduma/zf8oB9e
Wl5GnzcLGAnUSRamfqGUWcyMMinHHIKIc1X1P4I=
=WPpI
-----END PGP PUBLIC KEY BLOCK-----

@jgrammen-agilitypr Can you test if this approach works in your case?

Hi @jgrammen-agilitypr

Can you try exporting multiple GPG keys into a single ASCII-armoured file at once? Have a look at the following procedure: Extracting GPG Public Key Fingerprints from a Release Files in the Foreman/Katello documentation.

I have just tested the first suggestion from quba42, putting both GPG public keys concatenated together into one gpgkey field. It seems to work.

I have yet to test maximilian’s workaround, but will test it in the near future.

2 Likes

I have now tested maximilian’s workaround using a single combined gpg key. It also works.

3 Likes
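
A pre-flight check for the concatenated gpgkey value discussed in this thread, as an added example that is not part of the original posts or of Pulp's own code: it splits the value into armored blocks, verifies each block's CRC-24 armor checksum, and confirms each block starts with an OpenPGP public-key packet. It assumes GnuPG-style armor that includes the CRC line; `check_gpgkey_field`, `decode_block`, `armor` and `SAMPLE_FIELD` are hypothetical names, and the sample blocks are constructed dummies, not real keys.

```python
import base64
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 of the OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def decode_block(lines: list) -> bytes:
    # Armor headers, if any, end at the first blank line; the rest is the body.
    body = [ln for ln in (lines[lines.index("") + 1:] if "" in lines else lines) if ln]
    if len(body) < 2 or len(body[-1]) != 5 or body[-1][0] != "=":
        raise ValueError("missing key data or CRC-24 line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: block is truncated or corrupted")
    first = data[0] if data else 0
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    if not first & 0x80 or tag != 6:  # tag 6 = public-key packet
        raise ValueError("block does not start with a public-key packet")
    return data

def check_gpgkey_field(field: str) -> list:
    """Return the decoded bytes of every armored block, or raise ValueError."""
    keys, current = [], None
    for line in (raw.strip() for raw in field.splitlines()):
        if line == BEGIN:
            current = []
        elif line == END and current is not None:
            keys.append(decode_block(current))
            current = None
        elif current is not None:
            current.append(line)
    if current is not None or not keys:
        raise ValueError("unterminated or missing armored block")
    return keys

def armor(data: bytes) -> str:  # used here only to construct the sample input
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{base64.b64encode(data).decode()}\n={crc}\n{END}\n"
# Constructed sample: two dummy packets tagged as public keys, not real keys.
SAMPLE_FIELD = armor(b"\x99\x00\x04key1") + "\n" + armor(b"\x99\x00\x04key2")
```

The length of the list returned by `check_gpgkey_field` is the number of intact key blocks in the value, which should match the number of signing keys the remote is meant to trust. A block that was cut short when copied is caught by the base64 or CRC-24 check.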