Support for gpg in rpm feed



  • Hello. Is there a way to have gpgcheck enabled in rpm feeds? The servers using the rpm feeds from our proget server do not have access to the internet, so they cannot download the gpg keys from the public repositories. So to have an own "feed" for gpg keys would be nice. I've tried to create an asset for gpg keys, but manually downloading and uploading gpg keys does not work, probably because the timestamp on the keys changes.
    Keys from our old repo server, which has been synced from public repos using rsync to a local server, work.


  • inedo-engineer

    Hi @Sigve-opedal_6476,

    I'm not really sure what you mean by this request.

    An RPM repository is basically just a "dumb file server" with like repodata.xml and a bunch of index.tar.gz files. The rpm client downloads these files and does all the gpg stuff.

    ProGet feeds implement an RPM repository and generate these indexes on the fly... but to the client, it seems like it's just downloading static files.

    Thanks,
    Alana



  • Sorry. Maybe I was a bit unclear. I guess my question is: Is it possible to host gpg keys through proget so that we can have gpgcheck enabled?

    For example, the docker ce repo looks like this straight from docker.com:

    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://download.docker.com/linux/rhel/$releasever/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey=https://download.docker.com/linux/rhel/gpg
    

    Is there a way to replace the gpgkey url with

    gpgkey=https://myproget.mycompany.com/gpg/docker/gpg
    

    The gpgkeys are not included in a rpm feed through proget, since the feeds have to point to the repodata/ folder in the public repository.


  • inedo-engineer

    Hi @Sigve-opedal_6476 ,

    Thanks for clarifying; I should have mentioned that I know basically nothing about rpm except how a repository works 😅

    A gpgkey is just a file, right? I think you were on the right track with using an asset directory. I guess you would configure things like this, for an asset directory called gpg in the docker/gpg folder:

    gpgkey=https://myproget.mycompany.com/endpoints/gpg/content/docker/gpg
    

    There's really no "timestamp" on web-based files, the browser/protocol just does a GET and the bytes are returned. I can't imagine rpm is looking at a modified cache header.

    Thanks,
    Alana



  • Hi @atripp

    I have already tried to make an asset and then download gpg keys to my machine and upload to the asset and then use the url for the gpg key in the asset. It doesn't work, I don't know why.

    But I know the same gpgkey works in our old solution, which just mirrors the entire remote repository to a local server with rsync.

    When I tried Sonatype, I also got it to work, but I don't remember exactly how.


  • inedo-engineer

    Hi @Sigve-opedal_6476 ,

    No idea why it wouldn't work, but I would look at something like ProxyMan or Wireshark to capture HTTP traffic, and see what requests are different.

    You should see a pattern of requests that work, and a pattern that doesn't.

    Maybe the client is requesting some other file that you aren't uploading? I don't think there's an API or HTTP header... I think it's all basic GET requests. But that will tell you the delta.

    Thanks,
    Alana



  • Hello again @atripp
    Just wanted to let you know that I figured out why the gpg key didn't work. It was just a case of me not being too familiar with proget, so I used the wrong url.

    I right-clicked the file in the asset, and just copied the url instead of clicking on the file and copying the url from the "Usage instructions" portion. After fixing the urls, the gpg verification now works and I can have gpgcheck = 1 in my repos and point the gpg url to the key in an asset.

    It is some manual work to be done downloading and uploading gpg keys, but it works.


  • inedo-engineer

    @Sigve-opedal_6476 great news! Thanks for the update



  • @Sigve-opedal_6476

    Sorry for the intrusion in this thread.
    Could you probably share more info (ideally: write a little HOWTO)?
    I have exactly the same issue and wondered how to solve that.

    Thanks in Advance
    -Fritz


  • inedo-engineer

    @felfert I saw the set-up first-hand, though I forgot what files were being edited, a .repo file I think.

    But the final setup is something like...

    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://download.docker.com/linux/rhel/$releasever/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey={put the asset download url here, e.g. https://proget/endpoints/...}
    

    ... I know basically nothing about rpm so not sure if that helps at all 😅
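
The following is an added example, not code from any poster or from Inedo: a small audit of `.repo` text for hosts without internet access, flagging enabled repositories that have signature checking off or a `gpgkey` URL outside the internal server. The function name `audit_repo_text`, the `unsigned-tools` stanza and the allowed-host set are assumptions made for illustration; a missing `gpgcheck` is treated as off, and any `[main]` defaults in the system-wide yum/dnf configuration are not considered.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample; the hostnames and the asset URL are the ones quoted in the thread.
SAMPLE_REPO = """\
[docker-ce-stable]
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/rhel/gpg

[docker-ce-internal]
enabled=1
gpgcheck=1
gpgkey=https://myproget.mycompany.com/endpoints/gpg/content/docker/gpg

[unsigned-tools]
enabled=1
gpgcheck=0
"""

TRUE_VALUES = {"1", "true", "yes", "on"}

def audit_repo_text(text, internal_hosts):
    """Return (repo_id, problem) tuples for enabled repos an offline host cannot verify."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for repo in parser.sections():
        section = parser[repo]
        if section.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue  # disabled repositories are never consulted
        if section.get("gpgcheck", "0").strip().lower() not in TRUE_VALUES:
            findings.append((repo, "gpgcheck is not enabled"))
            continue
        keys = section.get("gpgkey", "").replace(",", " ").split()  # may list several URLs
        if not keys:
            findings.append((repo, "gpgcheck is on but no gpgkey is configured"))
        for url in keys:
            parsed = urlparse(url)
            if parsed.scheme != "file" and parsed.hostname not in internal_hosts:
                findings.append((repo, f"gpgkey not on an internal host: {url}"))
    return findings

if __name__ == "__main__":
    for repo, problem in audit_repo_text(SAMPLE_REPO, {"myproget.mycompany.com"}):
        print(f"{repo}: {problem}")
```

Before uploading a key to the asset directory, compare its fingerprint with the one the vendor publishes, since every client will trust whatever file that URL returns.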

