Artifactory Binary Repository
RTFACT-26590

After creating a virtual repo and setting a signing key, metadata not signed


    Details

    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.27.3
    • Fix Version/s: None
    • Component/s: RPM
    • Labels:

      Description

      I created a new virtual repository with the following configuration:

      When examining the metadata however, it is not signed by the key specified:

      $ gpg --dry-run --no-default-keyring --keyring pubkey.gpg --verify <(curl -s 'https://[redacted]/artifactory/centos-8-x86_64-group/repodata/repomd.xml.asc') <(curl -s 'https://[redacted]/artifactory/centos-8-x86_64-group/repodata/repomd.xml')
      gpg: Signature made Thu 02 Dec 2021 07:56:28 PM EST
      gpg:                using RSA key 05B555B38483C65D
      gpg: Can't check signature: No public key
      

      That key is the signing key of one of the virtual repo members. Specifically, it's the CentOS Official Key as documented on this page:

      pub  4096R/8483C65D 2019-05-03 CentOS (CentOS Official Signing Key) <security@centos.org>
      Key fingerprint = 99DB 70FA E1D7 CE22 7FB6  4882 05B5 55B3 8483 C65D
      

      So it would seem that Artifactory is not signing that repository's metadata with the signing key it was configured to sign it with. That of course means that clients fail GPG validation of the repo metadata when they are configured to use the specified public key in their repo definition.
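The check the reporter ran by hand can be automated so that a repository signed by the wrong key is flagged before clients hit GPG failures. The following is an added example, not code from this issue or from Artifactory: it interprets the machine-readable lines that `gpg --status-fd 1 --verify repomd.xml.asc repomd.xml` emits (ERRSIG, NO_PUBKEY, GOODSIG, VALIDSIG) and compares the signer with the key configured on the virtual repository. The key id `0123456789ABCDEF` is a constructed placeholder for that configured key, and the `STATUS_*` strings are constructed sample output modelled on what the issue quotes; the CentOS fingerprint is the one given above.

```python
"""Check which key signed RPM repository metadata (repomd.xml).

Added example; not code from the issue above or from Artifactory. It parses
gpg --status-fd output and reports whether the signature was made by the key
an administrator configured, the property this issue found violated.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Fingerprint of the CentOS Official Signing Key as quoted in the issue.
CENTOS_OFFICIAL_FPR = "99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D"
# Constructed placeholder for the key configured on the virtual repository.
CONFIGURED_KEY_ID = "0123456789ABCDEF"
CONFIGURED_FPR = "0" * 24 + CONFIGURED_KEY_ID  # constructed 40-hex fingerprint

# Constructed status lines modelled on the issue's output: a signature by key
# 05B555B38483C65D whose public key is not in the keyring (ERRSIG rc=9, NO_PUBKEY).
STATUS_NO_PUBKEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 05B555B38483C65D 1 10 00 1638492988 9
[GNUPG:] NO_PUBKEY 05B555B38483C65D
"""
# Constructed status lines for metadata correctly signed by the configured key.
STATUS_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {CONFIGURED_KEY_ID} Example Repo Signing <repo@example.invalid>
[GNUPG:] VALIDSIG {CONFIGURED_FPR} 2021-12-02 1638492988 0 4 0 1 10 00 {CONFIGURED_FPR}
"""


@dataclass
class SignatureCheck:
    signer_keyid: Optional[str]   # long key id (16 hex chars) gpg attributed the signature to
    signer_fpr: Optional[str]     # full fingerprint; known only when gpg holds the public key
    verified: bool                # signature cryptographically validated by a keyring key
    matches_expected: bool        # signer identifier equals the configured key
    reason: str


def _same_key(a: str, b: str) -> bool:
    """Compare identifiers of different lengths (40-char fingerprint, 16-char long id,
    8-char short id) by suffix. Only a full-fingerprint match under a *verified*
    signature is strong evidence of identity; a key-id match suffices to flag a
    mismatch but not to prove the signer, hence the separate `verified` flag."""
    a, b = a.replace(" ", "").upper(), b.replace(" ", "").upper()
    return a.endswith(b) or b.endswith(a)


def parse_gpg_status(status_text: str, expected_key: str) -> SignatureCheck:
    """Turn gpg --status-fd output into a verdict against the expected key."""
    keyid: Optional[str] = None
    fpr: Optional[str] = None
    verified = bad = no_pubkey = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue  # NEWSIG and non-status chatter carry no key information
        tag = fields[1]
        if tag == "VALIDSIG":
            # VALIDSIG <fingerprint> <date> <timestamp> ...; emitted only for good signatures
            fpr, verified = fields[2], True
        elif tag in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG"):
            keyid = fields[2]
            bad = bad or tag == "BADSIG"
        elif tag == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc> [<fingerprint>]
            keyid = fields[2]
            if len(fields) >= 9:  # newer gpg appends the fingerprint even when unverifiable
                fpr = fields[8]
        elif tag == "NO_PUBKEY":
            no_pubkey = True

    signer = fpr or keyid
    if signer is None:
        return SignatureCheck(None, None, False, False, "no signature reported by gpg")
    matches = _same_key(signer, expected_key)
    if bad:
        reason = f"BADSIG from {signer}: metadata or signature was altered"
    elif not matches:
        reason = f"signed by {signer}, not by the configured key {expected_key}"
    elif verified:
        reason = "good signature by the configured key"
    elif no_pubkey:
        reason = "signer id matches the configured key but its public key is not in the keyring"
    else:
        reason = "signer id matches but gpg could not verify the signature"
    return SignatureCheck(keyid, fpr, verified, matches, reason)


def verify_repomd(keyring: str, sig_path: str, data_path: str, expected_key: str) -> SignatureCheck:
    """Run gpg on a downloaded repomd.xml.asc / repomd.xml pair (needs gpg; not run offline)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stdout, expected_key)


if __name__ == "__main__":
    for label, status in (("issue's output", STATUS_NO_PUBKEY), ("healthy repo", STATUS_GOOD)):
        print(label, "->", parse_gpg_status(status, CONFIGURED_KEY_ID).reason)
```

Run against the status lines modelled on the issue, the verdict is a mismatch (signed by 05B555B38483C65D, not by the configured key), which is the actual bug; had the key id matched, the same "No public key" output would instead point at a keyring problem on the client, so the two failure modes are reported separately. In a monitoring job, `verify_repomd` would be pointed at the virtual repo's `repodata/repomd.xml` and `.asc` after each metadata refresh.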

      Assignee: Unassigned
      Reporter: bmurrell Brian J. Murrell