Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-18324

Debian Virtual fails to pull GPG signature file

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Not a Bug
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Debian
    • Labels:
      None

      Description

      Symptoms: An apt-get client command fails due to an untrusted GPG signature from a virtual Debian repository

      Steps to reproduce:

      1. Create a local, remote, and virtual Debian Artifactory repositories (Using defaults)
      2. Attempt to download the "Release.gpg" file from debian-remote, it should succeed
        The remote by default goes to http://archive.ubuntu.com/ubuntu/ which has GPG signing
        Use debian/dists/xenial/Release.gpg for the path
      3. Get a 404 not found error only on the virtual repository for the same path

       

      Workaround: You can add signing keys to the Artifactory to add a GPG signature to the virtual's remote Release file.

      This is a bug, as currently Debian virtual repositories follow the same virtual repository resolution structure as regular virtual repositories. The same Release file from the remote should use the same GPG signature file.

      Attached to this Jira are 3 items:

      • The public GPG key (public.crt)
      • The private GPG key (private.key)
      • The virtual trace log (virt.log)

       

        Attachments

        1. private.key
          5 kB
        2. public.crt
          2 kB
        3. virt.log
          6 kB

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              patrickr Patrick Russell
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: