GPG signing APT repository in Spacewalk
After following my article on how to register Ubuntu and Debian clients with Spacewalk you might have noticed an APT warning about unauthenticated packages.
This happens because the APT repositories served by Spacewalk are not GPG signed. You can still install the packages, but you have to acknowledge it by entering “yes” every time.
For various reasons it is better to have the repository signed. Read on after the jump for how I got that working.
… about what turns an APT repo into a signed repo; there are two ways:
– Sign each package individually
– Don't sign each package, but sign the repository metadata as a whole
As the major repo maintainers (Ubuntu and Debian) use the second approach and we are mirroring them, we will mimic them.
Two repository metadata files are necessary and currently missing: Release and Release.gpg.
(Here is the Debian wiki about secure-apt explaining all this in detail https://wiki.debian.org/SecureApt)
Release: contains information about the content of the repo, such as the architectures and components, and, most important for us, the MD5 / SHA checksums (and sizes) of the Packages and Packages.gz files, which in turn contain the checksums for each package.
Release.gpg: contains the detached GPG signature of the Release file.
Chain of Trust
APT verifies each downloaded package against the checksum listed for it in the Packages file. The Packages file in turn is verified against the checksum listed for it in the Release file.
The Release file itself is verified with GPG: Release.gpg is a detached signature over Release made with the repository key, and APT only accepts it if the matching public key has been imported into APT's keyring first. Break any link in this chain and everything below it is untrusted, which is why every package is reported as unauthenticated when Release.gpg is missing.
Creating the files Release and Release.gpg is really simple. What turned out to be a bit of a mess was the wrongly formatted /etc/apt/sources.list.d/spacewalk.list that the apt-transport-spacewalk package generates based on the channels the system is subscribed to:
deb spacewalk://spacewalk.xxx.lan channels: main precise-spacewalk-client precise-security precise-updates
This only worked because of some “creative” magic in /usr/lib/apt/methods/spacewalk. The correct format, one line per distribution with the component fixed to repodata, looks like this:
# deb http://site.example.com/debian distribution component1 component2
# where distribution is sth like precise, precise-updates, trusty, trusty-backports etc.. and component fixed to repodata
# see https://wiki.debian.org/SourcesList
deb spacewalk://spacewalk.xxx.lan precise repodata
deb spacewalk://spacewalk.xxx.lan precise-updates repodata
deb spacewalk://spacewalk.xxx.lan precise-security repodata
If we don't change the format, the Release / Release.gpg files will only be queried for one of our channels. The required patch for /usr/lib/apt-spacewalk/pre_invoke.py is here, as I submitted it to the bug tracker.
Next up we need to patch /usr/lib/apt/methods/spacewalk; the diff is here.
Unfortunately we also need to patch a single line in the Spacewalk server package to allow the download of our two new metadata files. Get it here and afterwards do
Now we have fixed everything needed, so we can finally GPG sign our repo.
Signing the Repo
OK, first of all we need a GPG key. On the Spacewalk server it has to be in the GPG keyring of the user that will run the signing script; on the clients only the public key needs to be imported into APT.
gpg --gen-key
# Answer the prompts as follows:
# (4) RSA (sign only)
# 0 = key does not expire
# Real name: Spacewalk, email: yours, comment: For GPG signing APT repos
# Export the key parts. The private key stays on the server only:
# keep the file mode 600 and delete it once it has been imported where needed.
gpg --export-secret-keys --armor firstname.lastname@example.org > spacewalk.gpg.privkey
gpg --armor --export firstname.lastname@example.org > spacewalk.gpg.pubkey
# Import the public key on ALL clients
apt-key add spacewalk.gpg.pubkey
Now we need to sign our repos. I created a handy bash script for that purpose that can be used as a cron job until this gets implemented in the Spacewalk server's repo generation.
Take this script here and run it for every folder in /var/cache/rhn/repodata/.
For each channel you have one folder in there, like precise, precise-updates, precise-backports…
/opt/spacewalk/secureApt.sh precise precise
/opt/spacewalk/secureApt.sh precise precise-security
/opt/spacewalk/secureApt.sh precise precise-backports
This creates a Release and a Release.gpg file for every channel based on the Packages and Packages.gz files. These change after every repo sync, so the secureApt cron job has to run right after every repo sync! Until it has run, clients will see a hash sum mismatch on the Packages file, because the Release file still lists the checksums of the old one.
If you now run apt-get update on your clients, you should see the Release and Release.gpg files being downloaded, and when installing packages you shouldn't get warnings about unauthenticated packages anymore:
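To make the two sides of this concrete, here is an added example of my own (not the secureApt.sh linked above and not Spacewalk code): it builds the Release file for one channel directory from the Packages / Packages.gz indexes, detach-signs it, and also implements the client-side checks from the Chain of Trust section, signature over Release and SHA256 of an index against Release. It assumes the indexes sit below the channel directory as repodata/binary-<arch>/Packages[.gz], that gpg is installed with the signing key in the keyring, and the script name, directory and key id in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (mine, not the article's secureApt.sh): build an APT Release
# file for one Spacewalk channel directory, detach-sign it, and check an index
# file against it the way the client side of the chain of trust does.
# Assumption: index files sit below the channel directory as
# repodata/binary-<arch>/Packages and Packages.gz (the "repodata" component).

# Print one checksum section: the label line, then " <hash> <size> <path>"
# per file, paths relative to the suite directory as APT expects them.
checksum_section() {
    label=$1; tool=$2; shift 2
    printf '%s:\n' "$label"
    for f in "$@"; do
        hash=$("$tool" "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf ' %s %s %s\n' "$hash" "$size" "$f"
    done
}

# make_release <suite> <dir>: write <dir>/Release covering every Packages and
# Packages.gz below <dir>. Runs in a subshell so the listed paths are relative.
make_release() {
    suite=$1; dir=$2
    (
        cd "$dir" || exit 1
        files=$(find . -type f \( -name Packages -o -name Packages.gz \) \
                | sed 's|^\./||' | sort)
        [ -n "$files" ] || { echo "no Packages files below $dir" >&2; exit 1; }
        archs=$(printf '%s\n' "$files" | sed -n 's|.*/binary-\([^/]*\)/.*|\1|p' | sort -u | tr '\n' ' ')
        comps=$(printf '%s\n' "$files" | sed -n 's|^\([^/]*\)/.*|\1|p' | sort -u | tr '\n' ' ')
        {
            printf 'Origin: Spacewalk\nLabel: Spacewalk\n'
            printf 'Suite: %s\nCodename: %s\n' "$suite" "$suite"
            printf 'Date: %s\n' "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
            printf 'Architectures: %s\n' "${archs% }"
            printf 'Components: %s\n' "${comps% }"
            printf 'Description: Spacewalk channel %s\n' "$suite"
            # $files is split on newlines on purpose (index paths have no spaces)
            checksum_section MD5Sum md5sum $files
            checksum_section SHA1 sha1sum $files
            checksum_section SHA256 sha256sum $files
        } > Release
    )
}

# sign_release <dir> <key-id>: Release.gpg is a detached, ASCII-armored
# signature over Release, made with the key whose public half clients imported.
sign_release() {
    dir=$1; key=$2
    rm -f "$dir/Release.gpg"
    gpg --batch --yes --local-user "$key" --armor --detach-sign \
        --output "$dir/Release.gpg" "$dir/Release"
}

# verify_release <dir>: the client's first check, the signature over Release.
verify_release() {
    gpg --verify "$1/Release.gpg" "$1/Release"
}

# verify_index <dir> <relpath>: the client's second check. Succeeds only when
# the file's SHA256 and size equal its entry in the SHA256 section of Release.
verify_index() {
    dir=$1; rel=$2
    [ -f "$dir/$rel" ] || return 1
    expected=$(awk -v p="$rel" '
        /^[A-Za-z0-9]+:$/               { section = $1 }
        section == "SHA256:" && $3 == p { print $1, $2 }
    ' "$dir/Release")
    actual="$(sha256sum "$dir/$rel" | cut -d' ' -f1) $(wc -c < "$dir/$rel" | tr -d ' ')"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Cron-style usage (placeholder names): sign-apt.sh <suite> <dir> <key-id>, e.g.
#   sign-apt.sh precise /var/cache/rhn/repodata/precise firstname.lastname@example.org
if [ $# -eq 3 ]; then
    make_release "$1" "$2" && sign_release "$2" "$3" && verify_release "$2"
fi
```

The script re-signs after verifying its own output, so a cron job that runs it right after a repo sync fails loudly if the key is missing from the keyring instead of leaving a stale Release.gpg behind. verify_index is what makes the order of the two checks matter: a Packages file that was swapped after Release was signed fails the size/hash comparison even though the signature on Release is still good.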
Apt-Spacewalk: Updating sources.list
Get:1 spacewalk://spacewalk.xxx.lan precise Release.gpg [490 B]
Get:2 spacewalk://spacewalk.xxx.lan precise-security Release.gpg [490 B]
Get:3 spacewalk://spacewalk.xxx.lan precise-updates Release.gpg [490 B]
Get:4 spacewalk://spacewalk.xxx.lan precise Release [927 B]
Get:5 spacewalk://spacewalk.xxx.lan precise-security Release [932 B]
Get:6 spacewalk://spacewalk.xxx.lan precise-updates Release [935 B]
Get:7 spacewalk://spacewalk.xxx.lan precise/repodata amd64 Packages [1,890 kB]
Get:8 spacewalk://spacewalk.xxx.lan precise/repodata i386 Packages [1,890 kB]
Ign spacewalk://spacewalk.xxx.lan precise/repodata TranslationIndex
Ign spacewalk://spacewalk.xxx.lan precise-spacewalk-client/repodata TranslationIndex
Get:9 spacewalk://spacewalk.xxx.lan precise-security/repodata amd64 Packages [724 kB]
Get:10 spacewalk://spacewalk.xxx.lan precise-security/repodata i386 Packages [724 kB]
Ign spacewalk://spacewalk.xxx.lan precise-security/repodata TranslationIndex
Get:11 spacewalk://spacewalk.xxx.lan precise-updates/repodata amd64 Packages [1,364 kB]
Get:12 spacewalk://spacewalk.xxx.lan precise-updates/repodata i386 Packages [1,364 kB]
Ign spacewalk://spacewalk.xxx.lan precise-updates/repodata TranslationIndex
Get:13 spacewalk://spacewalk.xxx.lan precise-spacewalk-client/repodata amd64 Packages [1,238 B]
Get:14 spacewalk://spacewalk.xxx.lan precise-spacewalk-client/repodata i386 Packages [1,238 B]
Fetched 7,964 kB in 6s (1,229 kB/s)
Reading package lists... Done
One thing to check in the output above: no Release or Release.gpg is fetched for the precise-spacewalk-client channel, so its packages are still unauthenticated until the script has been run for that channel's folder as well. Now enjoy your signed repo and report back any bugs you might notice.