Artifactory Binary Repository: RTFACT-18324

Debian Virtual fails to pull GPG signature file

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Not a Bug
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Debian
    • Labels:
      None

      Description

      Symptoms: An apt-get client command fails due to an untrusted GPG signature from a virtual Debian repository

      Steps to reproduce:

      1. Create local, remote, and virtual Debian Artifactory repositories (using defaults)
      2. Attempt to download the "Release.gpg" file from debian-remote; it should succeed
        The remote by default goes to http://archive.ubuntu.com/ubuntu/ which has GPG signing
        Use debian/dists/xenial/Release.gpg for the path
      3. Get a 404 not found error only on the virtual repository for the same path

      Workaround: You can add signing keys to Artifactory to add a GPG signature to the virtual's remote Release file.

      This is a bug, as currently Debian virtual repositories follow the same virtual repository resolution structure as regular virtual repositories. The same Release file from the remote should use the same GPG signature file.

      Attached to this Jira are 3 items:

      • The public GPG key (public.crt)
      • The private GPG key (private.key)
      • The virtual trace log (virt.log)
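
A scripted form of the reproduction steps above, added here as an example; it is not part of the original ticket or of Artifactory. The base URL, the virtual repository key `debian-virtual`, and the helper names `http_status`, `signature_state` and `compare_repos` are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; the base URL and the
# repository key "debian-virtual" are assumptions, not values from the ticket.

# Print the HTTP status code for a URL ("000" if the server is unreachable).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1" || true
}

# Report whether one repository serves a detached signature next to Release.
# $1 = base URL, $2 = repository key, $3 = path to Release.gpg inside the repo
# Prints: signature-present | signature-missing | no-release
signature_state() {
    local base="$1" repo="$2" sig_path="$3"
    local rel_path="${sig_path%.gpg}"      # Release.gpg -> Release
    local rel sig
    rel=$(http_status "$base/$repo/$rel_path")
    sig=$(http_status "$base/$repo/$sig_path")
    if [ "$rel" != "200" ]; then
        echo "no-release"
    elif [ "$sig" = "200" ]; then
        echo "signature-present"
    else
        echo "signature-missing"
    fi
}

# Compare the remote with the virtual that aggregates it.
# Returns 0 when both report the same state, 1 when they differ (the symptom
# in this ticket: remote has Release.gpg, virtual answers 404 for it).
compare_repos() {
    local base="$1" remote="$2" virtual="$3" sig_path="$4"
    local r v
    r=$(signature_state "$base" "$remote" "$sig_path")
    v=$(signature_state "$base" "$virtual" "$sig_path")
    echo "remote=$r virtual=$v"
    [ "$r" = "$v" ]
}

# Usage (assumed URL and virtual key):
#   compare_repos http://localhost:8081/artifactory debian-remote debian-virtual dists/xenial/Release.gpg
```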

        Attachments

        1. private.key
          5 kB
        2. public.crt
          2 kB
        3. virt.log
          6 kB

            People

            Assignee:
            Unassigned
            Reporter:
            patrickr Patrick Russell
            Votes:
            0
            Watchers:
            5