[RTFACT-20257] Initial GPG Verification Fails When Using Your Own GPG Keys In Debian Client When Resolving From Debian Virtual Repository Created: 05/Oct/19  Updated: 01/Apr/20

Status: Open
Project: Artifactory Binary Repository
Component/s: Debian, Virtual Repositories
Affects Version/s: 6.12.0, 6.14.0, 6.14.1
Fix Version/s: None

Type: Bug Priority: High
Reporter: Tim Telman Assignee: Unassigned
Resolution: Unresolved Votes: 9
Labels: None

Attachments: JPEG File 10.jpg, JPEG File 11.jpg, JPEG File 12.jpg, JPEG File 13.jpg, JPEG File 14.jpg, JPEG File 15.jpg, JPEG File 16.jpg
Issue Links:
Duplicate
is duplicated by RTFACT-20792 Resolution error from debian virtual ... Resolved

Description

In some use cases, users do not want to use the upstream GPG keys in their Debian client and in Artifactory. Instead, they want to use their own generated GPG keys to sign the Release files. However, GPG verification fails during the initial apt-get update; subsequent apt-get updates succeed until the Metadata Retrieval Cache period of the remote repository expires:

The user uses his/her own GPG keys in the Debian client (and in Artifactory) when resolving from the Debian remote repository using apt-get update, with the following errors:

root@ip-10-0-1-146:~# apt-get update
Ign:1 http://localhost:8081/artifactory/download.docker.com bionic InRelease
Hit:2 http://localhost:8081/artifactory/download.docker.com bionic Release
Get:3 http://localhost:8081/artifactory/download.docker.com bionic Release.gpg [819 B]
Ign:3 http://localhost:8081/artifactory/download.docker.com bionic Release.gpg
Fetched 819 B in 0s (8,608 B/s)
Reading package lists... Done
W: GPG error: http://localhost:8081/artifactory/download.docker.com bionic Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
W: The repository 'http://localhost:8081/artifactory/download.docker.com bionic Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@ip-10-0-1-146:~#

Nothing in the catalina.out logs.

Here are the entries from the request.log file:

20191106194243|14|REQUEST|127.0.0.1|anonymous|GET|/download.docker.com/dists/bionic/InRelease|HTTP/1.1|404|0
20191106194243|1|REQUEST|127.0.0.1|anonymous|GET|/download.docker.com/dists/bionic/Release|HTTP/1.1|304|0
20191106194243|15|REQUEST|127.0.0.1|anonymous|GET|/download.docker.com/dists/bionic/Release.gpg|HTTP/1.1|200|819

=======================================================

Steps to reproduce:

On Ubuntu 16

Art v6.12.0

1. Create a Remote Debian repository (in my case: remote-download.docker.com) pointing to: https://download.docker.com/linux/ubuntu
2. Create a Debian Virtual repository (in my case: download.docker.com), and aggregate the newly created Debian Remote repository.
3. Create GPG keys using: gpg --gen-key
4. Add the keys to the keystore using: apt-key add <your_public.key>, then check that they were added by running: apt-key list
5. Add those two keys (public and private) to Artifactory under: Admin --> Signing Keys
6. Add the Artifactory Debian virtual repository to the /etc/apt/sources.list file, in my case: deb http://localhost:8081/artifactory/download.docker.com bionic stable
7. Delete the following folders in your apt client: rm -rf /var/cache/apt /var/lib/apt
8. Run: apt-get update

You will notice that the very first apt-get update fails, and subsequent apt-get updates succeed UNTIL the "Missed Retrieval Cache Period" expires. Once it expires, the first apt-get update fails again, then it succeeds until the "Missed Retrieval Cache Period" expires again. If you set the value of "Missed Retrieval Cache Period" to "0", you can reproduce this issue continuously.

A possible workaround is to increase the value of "Missed Retrieval Cache Period" to prolong the expiration. With that you will reduce the number of failed "apt-get" updates.

Screenshots of my environment are attached below. I can share my environment for testing and debugging, if needed.

Comments
Comment by Ben Abineri [ 29/Oct/19 ]

We are encountering this issue too on 6.13.1.

If I add the key with `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ` I get a different error:

```
W: GPG error: https://artifactory.<snip>/artifactory/vendors bionic Release: The following signatures were invalid: BADSIG <keyid>
```

Comment by Arto Hakola [ 07/Nov/19 ]

By default, the functionality should (logically) be:

  1. If the virtual repo has a local repo -> use the Artifactory signing key.
  2. If the virtual repo is a remote repo -> use its own signing key.

Otherwise, virtual repos can only have local repositories, which would make the virtual repository feature quite narrow in usability.

Comment by Valeriy Petrov [ 13/Nov/19 ]

Artifactory configuration (6.14.0):

1. Generating and exporting PGP keys, according to the following documentation article - Generating Keys
2. Importing with the Set GPG Public Key + Set GPG Private Key + Set GPG Pass Phrase REST APIs or via the UI.
3. Create remote repo with URL: http://cdn-fastly.deb.debian.org/debian
4. Create remote repo with URL: http://security-cdn.debian.org/debian-security
5. Create virtual repo to aggregate remotes in steps 3+4
6. Trigger Calculate Debian Repository Metadata or right click on the repo via UI, then click "Recalculate Index"

Debian 10 instance:

1. export DEBIAN_REPOSITORY=http://admin:password@art.jfrog.local:12176/artifactory/debian
2. rm /etc/apt/sources.list && echo "deb ${DEBIAN_REPOSITORY} buster main" >> /etc/apt/sources.list && echo "deb ${DEBIAN_REPOSITORY} buster-updates main" >> /etc/apt/sources.list && echo "deb ${DEBIAN_REPOSITORY}-security buster/updates main" >> /etc/a
3. curl -uadmin:password -L art.jfrog.local:12176/artifactory/api/gpg/key/public | apt-key add -
4. apt update

****apt update Successful ****

However, after the Metadata Retrieval Cache period expires, or after setting it to 0 on the remote repo, apt update fails with the following error:

W: GPG error: http://art.jfrog.local:12176/artifactory/debian buster Release: The following signatures were invalid: BADSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
E: The repository 'http://art.jfrog.local:12176/artifactory/debian buster Release' is not signed.

Then, after triggering Index Recalculation, we were able to run apt update successfully again.

From the artifactory.log after manually triggering recalculation:

2019-10-31 13:50:39,554 [http-nio-8081-exec-5] [INFO ] (o.a.u.r.s.a.b.t.a.RecalculateIndexService:62) - Recalculating index for repository debian scheduled to run
2019-10-31 13:50:42,541 [art-exec-2] [INFO ] (o.a.r.HttpRepo :470) - one downloading http://cdn-fastly.deb.debian.org/debian/dists/buster-updates/Release 46.52 KB
2019-10-31 13:50:42,583 [art-exec-2] [INFO ] (o.a.r.HttpRepo :483) - one downloaded http://cdn-fastly.deb.debian.org/debian/dists/buster-updates/Release 46.52 KB at 1,138.50 KB/sec
2019-10-31 13:50:42,596 [art-exec-2] [INFO ] (o.a.r.d.DbCacheRepo :179) - Zapped 'one-cache:dists/buster-updates/Release.gpg' from local cache: 1 items zapped.

Now all this happens due to a different gpg signature being returned from the virtual repo for the same request:

This fails with a BADSIG error (with Metadata Retrieval Cache Period (Sec) set to 0 it will always fail):

*GET http://art.jfrog.local:12176/artifactory/debian/dists/buster/Release.gpg*


This is successful:

*GET http://art.jfrog.local:12176/artifactory/debian/dists/buster/Release.gpg*

My public key:

*GET http://art.jfrog.local:12176/artifactory/api/gpg/key/public*


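An added diagnostic for the mismatch shown above (example code written for this page, not code from the report or from Artifactory): a small Python parser that extracts the issuer key ID from a detached Release.gpg signature, so the signature served by the virtual repository can be compared with the ID of the key published at api/gpg/key/public without needing a keyring. The sample signature is constructed; the key IDs used are the ones quoted in this report.

```python
import base64
import struct

def dearmor(armored: str) -> bytes:
    # Keep only the base64 body: drop armor delimiters, "Key: value" headers and the "=CRC" line.
    lines = [ln.strip() for ln in armored.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and ln[0] not in "-=" and ":" not in ln))

def packets(data: bytes):
    # Yield (tag, body) per old-format packet header (RFC 4880 4.2.1), the form GnuPG and BCPG use for signatures.
    i = 0
    while i < len(data):
        ctb, n = data[i], (1, 2, 4, 0)[data[i] & 0x03]
        if ctb & 0x40 or not n:
            raise ValueError("new-format or indeterminate-length packets not supported")
        length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield (ctb >> 2) & 0x0F, data[i:i + length]
        i += length

def subpackets(area: bytes):
    # Yield (type, body) for each signature subpacket (RFC 4880 5.2.3.1 length encoding).
    i = 0
    while i < len(area):
        first = area[i]
        length, i = ((first, i + 1) if first < 192 else
                     (((first - 192) << 8) + area[i + 1] + 192, i + 2) if first < 255 else
                     (int.from_bytes(area[i + 1:i + 5], "big"), i + 5))
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length

def issuer_key_ids(armored: str) -> list:
    # Issuer key IDs (subpacket type 16) from every v4 signature packet in a detached signature.
    ids = []
    for tag, body in packets(dearmor(armored)):
        if tag == 2 and body[0] == 4:                     # tag 2 = signature, version 4 layout
            hlen = int.from_bytes(body[4:6], "big")
            ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
            area = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]   # hashed + unhashed areas
            ids += [sb.hex().upper() for st, sb in subpackets(area) if st == 16]
    return ids

def make_detached_sig(issuer_hex: str) -> str:
    # Constructed sample: v4 RSA/SHA-256 signature packet with a dummy MPI (issuer only, not verifiable).
    hashed = bytes([5, 2]) + struct.pack(">I", 0x5DCAD45D)          # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_hex)           # issuer key-ID subpacket
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x60\x18\x00\x10\xab\xcd")
    packet = bytes([0x89]) + struct.pack(">H", len(body)) + body    # old-format tag 2, 2-byte length
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n=CRC0\n-----END PGP SIGNATURE-----\n")
```

Run issuer_key_ids() on the body returned by the curl request above: a Debian archive key ID (such as 04EE7237B7D453EC) where the Artifactory signing key's ID is expected means the cached upstream Release.gpg was served, which is exactly the BADSIG case.
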
Comment by Ben Ifrach [ 21/Nov/19 ]

The bug:

When requesting the Release GPG signature from the virtual repository (see the request attached), if the artifact is expired the wrong GPG file is served and the client fails the request.

curl "http://localhost:8080/artifactory/debian/dists/buster/Release.gpg"

Two workarounds to use in the meantime:

  1. Increase the cache retrieval period for all associated remote repositories to a high value.
  2. Edit the sources.list to include all relevant remote/local repositories that are included in the virtual repository (this way you skip the virtual repository).

Comment by Andrew Ferguson [ 10/Dec/19 ]

We've recently upgraded our instance to 6.15.1 in response to the recent CVE notice and can confirm that this issue is also affecting Artifactory 6.15.1.

Comment by Grzegorz Skołyszewski [ 16/Dec/19 ]

We're observing the same issue on 6.14.2. This is a blocker for us. Do you have any updates or ETA for the fix?

Generated at Tue Apr 07 08:29:29 UTC 2020 using Jira 8.5.3#805003-sha1:b4933e02eaff29a49114274fe59e1f99d9d963d7.