Skip to content

Signing Service Creation

To sign your APT release files on your pulp_deb publications, you will first need to create a signing service of type AptReleaseSigningService.

Prerequisites

Creating a singing service requires the following:

  • A unique name for the signing service, use pulp signing-service list --field=name to see what has been taken already.
  • The public key fingerprint of the GPG key that the signing service should use for signing. The public key itself must be available in the pulp user's GPG home directory.
  • A path to a signing script or executable that must meet the following criteria:
  • Must be executable by the user pulp is running as.
  • Must be available on each pulp worker.
  • Any dependencies must also be available on each pulp worker.
  • Must accept the path to the file to be signed as a argument, e.g.: /tmp/LJDSFHD/Release.
  • Must do at least one of the following using the GPG key specified in the signing service:
    • Clearsign the file and write the output to e.g.: /tmp/LJDSFHD/InRelease.
    • Detached-sign the file and write the output to e.g.: /tmp/LJDSFHD/Release.gpg
  • Must return a JSON dict detailing the path to any signed files, e.g.:
    {
        "signatures": {
             "inline": "/tmp/LJDSFHD/InRelease",
             "detached": "/tmp/LJDSFHD/Release.gpg",
        }
    }
    

Example Signing Script

The following example signing service script is used as part of the pulp_deb test suite:

#!/bin/bash

set -e

RELEASE_FILE="$(/usr/bin/readlink -f $1)"
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
GPG_KEY_ID="Pulp QE"
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"

# Create a detached signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --detach-sign \
  --output "${DETACHED_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

# Create an inline signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --clearsign \
  --output "${INLINE_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

echo { \
       \"signatures\": { \
         \"inline\": \"${INLINE_SIGNATURE_PATH}\", \
         \"detached\": \"${DETACHED_SIGNATURE_PATH}\" \
       } \
     }

It assumes that both public and secret key for GPG_KEY_ID="Pulp QE" is present in the GPG home of the Pulp user and that the secret key is not protecteded by a password.

Creation Steps

  1. Add the public key to your pulp users GPG home, for example, if pulp workers are running as the pulp user:
    sudo -u pulp gpg --import <path/to/public.gpg>
    
  2. Deploy the signing service script and any dependencies to all your pulp workers.
  3. Create the signing service:
    sudo -u pulp pulpcore-manager add-signing-service --class deb:AptReleaseSigningService \
      PulpQE </path/to/script> 6EDF301256480B9B801EBA3D05A5E6DA269D9D98
    
    Consult pulpcore-manager add-signing-service --help for more information.
  4. You can retrieve the pulp_href of the newly created signing service using:
    pulp signing-service show --name=PulpQE | jq -r .pulp_href
    
  5. Start using the signing service to sign metadata.