
Support for gpg in rpm feed



  • Hello. Is there a way to have gpgcheck enabled in rpm feeds? The servers using the rpm feeds from our proget server do not have access to the internet, so they cannot download the gpg keys from the public repositories. So to have an own "feed" for gpg keys would be nice. I've tried to create an asset for gpg keys, but manually downloading and uploading gpg keys does not work, probably because the timestamp on the keys changes.
    Keys from our old repo server which has been synced from public repos using rsync to a local server works.


  • inedo-engineer

    Hi @Sigve-opedal_6476,

    I'm not really sure what you mean by this request.

    An RPM repository is basically just a "dumb file server" with like repodata.xml and a bunch of index.tar.gz files. The rpm client downloads these files and does all the gpg stuff.

    ProGet feeds implement an RPM repository and generate these indexes on the fly... but to the client, it seems like it's just downloading static files.

    Thanks,
    Alana



  • Sorry. Maybe I was a bit unclear. I guess my question is: Is it possible to host gpg keys through proget so that we can have gpgcheck enabled?

    For example, the docker ce repo looks like this straight from docker.com:

    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://download.docker.com/linux/rhel/$releasever/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey=https://download.docker.com/linux/rhel/gpg
    

    Is there a way to replace the gpgkey url with

    gpgkey=https://myproget.mycompany.com/gpg/docker/gpg
    

    The gpgkeys are not included in a rpm feed through proget, since the feeds have to point to the repodata/ folder in the public repository.


  • inedo-engineer

    Hi @Sigve-opedal_6476 ,

    Thanks for clarifying; I should have mentioned that I know basically nothing about rpm except how a repository works 😅

    A gpgkey is just a file, right? I think you were on the right track with using an asset directory. I guess you would configure things like this, for an asset directory called gpg in the docker/gpg folder:

    gpgkey=https://myproget.mycompany.com/endpoints/gpg/content/docker/gpg
    

    There's really no "timestamp" on web-based files, the browser/protocol just does a GET and the bytes are returned. I can't imagine rpm is looking at a modified cache header.

    Thanks,
    Alana



  • Hi @atripp

    I have already tried to make an asset and then download gpg keys to my machine and upload to the asset and then use the url for the gpg key in the asset. It doesn't work, I don't know why.

    But I know the same gpgkey works in our old solution, which just mirrors the entire remote repository to a local server with rsync.

    When I tried Sonatype, I also got it to work, but I don't remember exactly how.


  • inedo-engineer

    Hi @Sigve-opedal_6476 ,

    No idea why it wouldn't work, but I would look at something like ProxyMan or Wireshark to capture HTTP traffic, and see what requests are different.

    You should see a pattern of requests that work, and a pattern that doesn't.

    Maybe the client is requesting some other file that you aren't uploading? I don't think there's an API or HTTP header... I think it's all basic GET requests. But that will tell you the delta.

    Thanks,
    Alana
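
One way to narrow down why a key served from an asset directory behaves differently from the rsync-mirrored copy, as an added example that is not part of the original thread or of ProGet: compare the two files and report the first difference that matters for `gpgkey=`. The function name `check_gpgkey`, the result labels and the sample files are assumptions made for this example; the sample key is constructed, not a real key.

```shell
# Compare a key file fetched from the internal gpgkey= URL with a known-good
# copy (e.g. the one from the rsync mirror) and print a one-word diagnosis.
check_gpgkey() {
    candidate=$1   # file saved from the asset URL
    reference=$2   # known-good copy of the same key

    [ -s "$candidate" ] || { echo "empty-or-missing"; return 2; }

    # A wrong path or an endpoint that wants a login often answers with HTML.
    if head -c 512 "$candidate" | grep -qiE '<html|<!doctype'; then
        echo "html-response"; return 3
    fi

    # gpgkey= points at an ASCII-armored public key file.
    if ! grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$candidate"; then
        echo "no-armor-header"; return 4
    fi

    # Carriage returns show the file was rewritten on the way (editor, upload).
    if grep -q "$(printf '\r')" "$candidate"; then
        echo "crlf-line-endings"; return 5
    fi

    # Anything else must match the trusted copy byte for byte.
    if ! cmp -s "$candidate" "$reference"; then
        echo "differs-from-reference"; return 6
    fi
    echo "identical"
}

# Constructed sample data (not a real key) so the function can be tried offline.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'Q09OU1RSVUNURUQ=' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_dir/reference.asc"
cp "$demo_dir/reference.asc" "$demo_dir/good.asc"
awk '{ printf "%s\r\n", $0 }' "$demo_dir/reference.asc" > "$demo_dir/crlf.asc"
printf '<!DOCTYPE html><html><body>Log in</body></html>\n' > "$demo_dir/login.asc"
for f in login crlf good; do
    printf '%s: ' "$f"
    check_gpgkey "$demo_dir/$f.asc" "$demo_dir/reference.asc"
done
```

On a client, save the response from the configured `gpgkey=` URL to a file first and pass that file as the first argument, with the copy from the old mirror as the second.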

