Signing Service Creation

To sign the APT release files of your pulp_deb publications, you first need to create a signing service of type AptReleaseSigningService.
Prerequisites

Creating a signing service requires the following:

- A unique name for the signing service. To see which names are already taken, run:

  ```
  pulp signing-service list --field=name
  ```

- The public key fingerprint of the GPG key that the signing service should use for signing. The public key itself must be available in the pulp user's GPG home directory.

- A path to a signing script or executable that must meet the following criteria:
  - Must be executable by the user pulp is running as.
  - Must be available on each pulp worker.
  - Any dependencies must also be available on each pulp worker.
  - Must accept the path to the file to be signed as an argument, e.g. /tmp/LJDSFHD/Release.
  - Must do at least one of the following using the GPG key specified in the signing service:
    - Clearsign the file and write the output to e.g. /tmp/LJDSFHD/InRelease.
    - Detached-sign the file and write the output to e.g. /tmp/LJDSFHD/Release.gpg.
  - Must print a JSON dict detailing the path to any signed files, e.g.:

    ```json
    {
      "signatures": {
        "inline": "/tmp/LJDSFHD/InRelease",
        "detached": "/tmp/LJDSFHD/Release.gpg"
      }
    }
    ```
Example Signing Script

The following example signing service script is used as part of the pulp_deb test suite:

```bash
#!/bin/bash
set -e

# Pulp passes the path of the Release file to sign as the only argument.
RELEASE_FILE="$(/usr/bin/readlink -f "$1")"
# A fresh directory per invocation, so concurrent signings cannot overwrite each other.
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
GPG_KEY_ID="Pulp QE"
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"

# Create a detached signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --detach-sign \
  --output "${DETACHED_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

# Create an inline signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --clearsign \
  --output "${INLINE_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

# Report the signature paths back to pulp as a JSON dict on stdout
echo { \
  \"signatures\": { \
    \"inline\": \"${INLINE_SIGNATURE_PATH}\", \
    \"detached\": \"${DETACHED_SIGNATURE_PATH}\" \
  } \
}
```
It assumes that both the public and the secret key for GPG_KEY_ID="Pulp QE" are present in the GPG home of the Pulp user and that the secret key is not protected by a password.
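As an added example (not part of pulp_deb or its test suite), the following Python check validates what a candidate signing script prints against the contract listed under Prerequisites before you register it, and normalises the fingerprint you will hand to add-signing-service. It assumes the script passes --armor to gpg as the example script does; demo() constructs fake signature files in a temporary directory instead of calling gpg.

```python
import json
import os
import re
import tempfile

# Armor headers gpg --armor writes (assumes the script passes --armor, as the example does).
ARMOR_HEADERS = {
    "inline": b"-----BEGIN PGP SIGNED MESSAGE-----",  # written by gpg --clearsign
    "detached": b"-----BEGIN PGP SIGNATURE-----",     # written by gpg --detach-sign
}
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def check_signing_output(stdout: str) -> dict:
    """Validate a signing script's printed JSON; return its "signatures" dict or raise."""
    try:
        data = json.loads(stdout)
    except json.JSONDecodeError as exc:
        raise ValueError(f"output is not valid JSON: {exc}") from None
    sigs = data.get("signatures") if isinstance(data, dict) else None
    if not isinstance(sigs, dict) or not set(sigs) & set(ARMOR_HEADERS):
        raise ValueError('need a "signatures" dict with "inline" and/or "detached"')
    for kind, header in ARMOR_HEADERS.items():
        path = sigs.get(kind)
        if path is None:
            continue
        if not (os.path.isabs(path) and os.path.isfile(path)):
            raise ValueError(f"{kind}: {path!r} is not an existing absolute path")
        with open(path, "rb") as fh:  # cheap sanity check; run gpg --verify for the real one
            if fh.read(len(header)) != header:
                raise ValueError(f"{kind}: {path} lacks the {header.decode()} header")
    return sigs


def check_fingerprint(fpr: str) -> str:
    """Normalise the fingerprint passed to add-signing-service; reject short key IDs."""
    compact = fpr.replace(" ", "")
    if not FINGERPRINT_RE.match(compact):
        raise ValueError("a full 40-hex-digit GPG fingerprint is required")
    return compact.upper()


def demo() -> dict:
    """Constructed sample: fake armored files in a temp dir, as a script would leave them."""
    out_dir = tempfile.mkdtemp()
    names = {"inline": "InRelease", "detached": "Release.gpg"}
    paths = {kind: os.path.join(out_dir, name) for kind, name in names.items()}
    for kind, path in paths.items():
        with open(path, "wb") as fh:
            fh.write(ARMOR_HEADERS[kind] + b"\n...\n")  # constructed, not a real signature
    return check_signing_output(json.dumps({"signatures": paths}))
```

To test a real script, run it on a copy of a Release file and pass its captured stdout to check_signing_output() before creating the signing service.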
Creation Steps

1. Add the public key to your pulp user's GPG home. For example, if the pulp workers are running as the pulp user:

   ```
   sudo -u pulp gpg --import <path/to/public.gpg>
   ```

2. Deploy the signing service script and any dependencies to all your pulp workers.

3. Create the signing service:

   ```
   sudo -u pulp pulpcore-manager add-signing-service --class deb:AptReleaseSigningService \
       PulpQE </path/to/script> 6EDF301256480B9B801EBA3D05A5E6DA269D9D98
   ```

   Consult pulpcore-manager add-signing-service --help for more information.

You can retrieve the pulp_href of the newly created signing service using:

```
pulp signing-service show --name=PulpQE | jq -r .pulp_href
```