Resolution: Not a Bug
Affects Version/s: None
Fix Version/s: None
Symptoms: An apt-get client command fails due to an untrusted GPG signature from a virtual Debian repository
Steps to reproduce:
- Create a local, remote, and virtual Debian Artifactory repositories (Using defaults)
- Attempt to download the "Release.gpg" file from debian-remote, it should succeed
The remote by default goes to http://archive.ubuntu.com/ubuntu/ which has GPG signing
Use debian/dists/xenial/Release.gpg for the path
- Get a 404 not found error only on the virtual repository for the same path
Workaround: You can add signing keys to the Artifactory to add a GPG signature to the virtual's remote Release file.
This is a bug, as currently Debian virtual repositories follow the same virtual repository resolution structure as regular virtual repositories. The same Release file from the remote should use the same GPG signature file.
Attached to this Jira are 3 items:
- The public GPG key (public.crt)
- The private GPG key (private.key)
- The virtual trace log (virt.log)