Signing Service Creation¶
To sign your APT release files on your pulp_deb
publications, you will first need to create a signing service of type AptReleaseSigningService
.
Prerequisites¶
Creating a singing service requires the following:
- A unique name for the signing service, use
pulp signing-service list --field=name
to see what has been taken already. - The public key fingerprint of the GPG key that the signing service should use for signing. The public key itself must be available in the pulp user's GPG home directory.
- A path to a signing script or executable that must meet the following criteria:
- Must be executable by the user pulp is running as.
- Must be available on each pulp worker.
- Any dependencies must also be available on each pulp worker.
- Must accept the path to the file to be signed as a argument, e.g.:
/tmp/LJDSFHD/Release
. - Must do at least one of the following using the GPG key specified in the signing service:
- Clearsign the file and write the output to e.g.:
/tmp/LJDSFHD/InRelease
. - Detached-sign the file and write the output to e.g.:
/tmp/LJDSFHD/Release.gpg
- Clearsign the file and write the output to e.g.:
- Must return a JSON dict detailing the path to any signed files, e.g.:
{ "signatures": { "inline": "/tmp/LJDSFHD/InRelease", "detached": "/tmp/LJDSFHD/Release.gpg", } }
Example Signing Script¶
The following example signing service script is used as part of the pulp_deb
test suite:
#!/bin/bash
set -e
RELEASE_FILE="$(/usr/bin/readlink -f $1)"
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
GPG_KEY_ID="Pulp QE"
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"
# Create a detached signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
--detach-sign \
--output "${DETACHED_SIGNATURE_PATH}" \
--local-user "${GPG_KEY_ID}" \
"${RELEASE_FILE}"
# Create an inline signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
--clearsign \
--output "${INLINE_SIGNATURE_PATH}" \
--local-user "${GPG_KEY_ID}" \
"${RELEASE_FILE}"
echo { \
\"signatures\": { \
\"inline\": \"${INLINE_SIGNATURE_PATH}\", \
\"detached\": \"${DETACHED_SIGNATURE_PATH}\" \
} \
}
It assumes that both public and secret key for GPG_KEY_ID="Pulp QE"
is present in the GPG home of the Pulp user and that the secret key is not protecteded by a password.
Creation Steps¶
- Add the public key to your pulp users GPG home, for example, if pulp workers are running as the
pulp
user:sudo -u pulp gpg --import <path/to/public.gpg>
- Deploy the signing service script and any dependencies to all your pulp workers.
- Create the signing service:
Consult
sudo -u pulp pulpcore-manager add-signing-service --class deb:AptReleaseSigningService \ PulpQE </path/to/script> 6EDF301256480B9B801EBA3D05A5E6DA269D9D98
pulpcore-manager add-signing-service --help
for more information. - You can retrieve the
pulp_href
of the newly created signing service using:pulp signing-service show --name=PulpQE | jq -r .pulp_href
- Start using the signing service to sign metadata.