
We are trying to host a private mirror of some repositories. The Ubuntu repositories appear to be working fine; however, we have also added a repository from a Launchpad PPA. Whilst apt-mirror seems to be doing the trick, the problem is that when apt (the client) tries to download the repo, it complains that there's no PUBKEY:

W: GPG error: http://apt.mydomain.com/ondrej/php/ubuntu bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4F4EA0AAE5267A6C

How can I provide the key through the repo?

We're using apt-mirror and serve via nginx running on Ubuntu 18.04 server.

ptheofan
  • What are your constraints? Why not just let the client fetch the original PPA key so it knows the mirror is pristine? – Ginnungagap Sep 22 '20 at 21:09
  • @Ginnungagap The problem is legal and our devices/servers on their premises are explicitly allowed access only to our infrastructure. – ptheofan Sep 23 '20 at 09:52
  • Then either re-sign the repo with your own infra key or serve the keys on an internal server. – Ginnungagap Sep 23 '20 at 09:56
  • Which brings us back to the question at hand: how do I provide a PUBKEY for a mirrored PPA repo? – ptheofan Sep 24 '20 at 10:13
  • A public key is just a GPG key, serve it however you best like distributing files. It sounds like you're expecting APT to automatically fetch and add it, which is impossible. – Ginnungagap Sep 24 '20 at 14:09
  • I am expecting someone to tell me something like: sign the packages by doing that (if needed), and apt will require this and that additional URL to resolve. It queries /ReportServer, which of course is a 404 on my server. It would be helpful if you could be a bit more constructive. – ptheofan Sep 29 '20 at 13:13

1 Answer


After reading about the file structure expected by apt, it turns out all I needed to do was manually add the missing key to the clients. In short, all packages in the top-level folder require a Release.gpg. If this is already in place (it should be), all you need to do manually is add the key to the client:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <MISSING_KEY_HERE>

I would love to know how exactly this can be 'automated', if possible. With ppa.launchpad.net, when I apt install a package from there I usually do not need to explicitly download and add the key to the machine.

ptheofan
  • That's because Ubuntu already includes that public key. You have to do it yourself for every third party apt repo, and every one gives explicit instructions on where to download their key. – Michael Hampton Sep 29 '20 at 14:19
  • I wonder how you can access Ubuntu's keyserver if you're supposed to be blocked from the internet... Unless you're mirroring it as well and rewriting the DNS, it looks like you have access. – Ginnungagap Oct 08 '20 at 06:38
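
One way to automate the key step from the answer above without the client leaving the internal network, as an added example that is not part of the original thread. It assumes the PPA's public key was exported in binary form and published on the mirror; the key URL, keyring path and list file name are hypothetical, while the key ID, host and repository path are the ones from the question.

```shell
#!/usr/bin/env bash
# Added example: install the mirrored PPA's signing key from the internal mirror.
# Assumption: the PPA's public key was exported in binary form (gpg --export) on a
# machine allowed to fetch it, and that file was copied to the mirror's web root.
set -eu

EXPECTED_KEYID="4F4EA0AAE5267A6C"             # from the NO_PUBKEY warning
MIRROR="http://apt.mydomain.com"              # mirror host from the question
KEY_URL="$MIRROR/keys/ondrej-php.gpg"         # hypothetical path on the mirror
KEYRING="/usr/share/keyrings/ondrej-php.gpg"  # hypothetical keyring path on the client
LIST="/etc/apt/sources.list.d/ondrej-php-mirror.list"  # hypothetical file name

# Reads `gpg --with-colons` records on stdin and succeeds only if a primary
# key or subkey carries the wanted long key ID (field 5 of pub/sub records).
keyid_matches() {
    awk -F: -v want="$1" '
        ($1 == "pub" || $1 == "sub") && toupper($5) == toupper(want) { found = 1 }
        END { exit !found }'
}

# Prints a sources.list entry that trusts only the given keyring for this repo,
# instead of adding the key to apt's global trust store as apt-key does.
sources_line() {  # $1 = keyring, $2 = repository URL, $3 = suite
    printf 'deb [signed-by=%s] %s %s main\n' "$1" "$2" "$3"
}

install_mirror_key() {
    tmp=$(mktemp)
    curl -fsS -o "$tmp" "$KEY_URL"
    # show-only lists the keys in the file without importing them anywhere.
    if ! gpg --with-colons --import-options show-only --import "$tmp" \
            | keyid_matches "$EXPECTED_KEYID"; then
        echo "key at $KEY_URL is not $EXPECTED_KEYID; not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp"
    sources_line "$KEYRING" "$MIRROR/ondrej/php/ubuntu" bionic > "$LIST"
}

# Run as root on the client: ./install-mirror-key.sh install
if [ "${1:-}" = "install" ]; then
    install_mirror_key
    apt-get update
fi
```

A 64-bit key ID is a weak pin; if the full fingerprint can be obtained out of band, compare against the `fpr` record instead.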