Artifactory Cloud is not generating InRelease file or Release.gpg file for Debian repositories. Thus not allowing repository metadata signing.
I have uploaded a private/public gpg file to Artifactory settings, yet no signing is taking place in the repos.
2 Answers
TL;DR: Try using gpg --full-generate-key and manually specify a 2048-bit key.

I had this same issue, and just worked through it with JFrog support. I was creating key pairs using gpg, which defaults to 3072-bit keys. It appears that at least some versions of Artifactory will silently fail to handle these keys. Once I used gpg --full-generate-key and manually specified a 2048-bit key, my key was recognized, and the InRelease and Release.gpg files were created (after recalculating the index).

If you go to Application | Artifactory | Artifacts and click on the top level folder, you should see an information panel like this:
When I was using 3072-bit keys, the final line "Signing Key" did not appear. This is despite the "Verification" process in the admin panel claiming that the key and passphrase were successfully verified.

What worked for me was to define a passphrase when defining gpg keys.
You can add a passphrase when you are uploading keys through the UI:
or, as in my case, with the help of the Terraform JFrog provider:
The gpg key was generated with the gpg --gen-key command.

After uploading the key with a passphrase and hitting Recalculate Index, the InRelease and Release.gpg were created by Artifactory.
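
A pre-upload check for the key-size problem described in the first answer, as an added example that is not part of either answer or of JFrog's tooling: it reads GnuPG's colon-format key listing and reports whether each primary key is RSA of the wanted size. The function names, the sample listings and the file name public.key are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pre-upload check of a GPG key's algorithm and size.
# Input is GnuPG's colon-delimited listing (--with-colons): in a "pub" or
# "sec" record, field 3 is the key length in bits, field 4 the public-key
# algorithm number (1 = RSA) and field 5 the key ID.

# Print "<keyid> <algo> <bits>" for every primary key found on stdin.
primary_keys() {
    awk -F: '$1 == "pub" || $1 == "sec" { print $5, $4, $3 }'
}

# Succeed only if stdin lists at least one primary key and every one of them
# is RSA with exactly the wanted size (default 2048, the size that worked in
# the first answer). Prints one verdict line per key.
check_key_size() {
    want="${1:-2048}"
    primary_keys | awk -v want="$want" '
        { seen = 1
          ok = ($2 == 1 && $3 == want)
          printf "%s algo=%s bits=%s %s\n", $1, $2, $3, (ok ? "OK" : "MISMATCH")
          if (!ok) bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed sample listings (key IDs, fingerprints and dates are made up).
SAMPLE_3072='pub:u:3072:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1700000000::0000::Repo Signing <repo@example.invalid>::::::::::0:
sub:u:3072:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:'
SAMPLE_2048='pub:u:2048:1:CCCCCCCCCCCCCCCC:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000CCCCCCCCCCCCCCCC:
uid:u::::1700000000::0000::Repo Signing <repo@example.invalid>::::::::::0:'

# Real use (public.key is a placeholder file name):
#   gpg --show-keys --with-colons public.key | check_key_size 2048
```

A non-zero exit status means no primary key was listed or at least one is not RSA of the requested size, so the check can gate an upload step in a script.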