ARTIFACTORY: How to configure GPG Keys with Artifactory Remote Repositories
This article describes how to use GPG Keys with Debian or RPM remote repositories in Artifactory.
What are GPG keys and why do we have to enable them for Artifactory repositories?
GPG (GNU Privacy Guard) is commonly used to digitally sign files so that their authenticity can be verified. Like SSH, GPG uses a public-private key pair: the public key is shared and the private key is kept secret. Every repository, whether a CentOS, Ubuntu or third-party repository, is signed with a GPG key by its provider. When you add a repository to your system and enable its GPG key, the provider's public key is added to the trusted GPG keys on your system. This is what lets your Linux system trust the packages coming from that repository.
Can I add a GPG Key to sign my Remote Repository Packages in the Artifactory?
Artifactory does not sign packages in a remote repository, because it does not create them. When a package is pulled from an upstream registry through an Artifactory remote repository, the signed metadata already present in the upstream registry is pulled along with the package and stored in the remote repository's cache. Signature verification therefore works unchanged when clients access the remote repository directly.
Why are my binary packages failing with GPG errors?
Whenever a package or repository metadata fails GPG signature verification, you get errors similar to the following.
repomd.xml GPG signature verification error: Bad GPG signature
Error: GPG check FAILED
The following signatures couldn't be verified because the public key is not available
GPG verification is a security measure in yum/apt configurations that confirms the package being downloaded is the one the provider published. It fails when the provider's GPG public key is not present on the server.
This is resolved by adding the provider's GPG key to the apt/yum repository configuration on the server.
How to configure GPG Keys in Yum
If you want to enable GPG signature checks in your yum clients, specify the URL of the upstream repository's GPG public key in your yum client configuration (the option name is lowercase):
gpgcheck=1
gpgkey=<URL to GPG public key>
The snippet below mirrors the Elasticsearch repository through an RPM remote repository named mysearchrpm, with the upstream URL "https://artifacts.elastic.co/packages/8.x/yum".
Based on the Elasticsearch documentation referenced at the end of this article, add the repository to the yum configuration /etc/yum.repos.d/artifactory.repo as follows.
[Artifactory]
name=Artifactory
baseurl=http://username:password_encoded@ARTIFACTORY_HOST:8081/artifactory/mysearchrpm/
enabled=1
gpgcheck=1
#Optional - if you have GPG signing keys installed, use the below flags to verify the repository metadata signature:
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
repo_gpgcheck=1
Here, gpgcheck=1 verifies the packages and repo_gpgcheck=1 verifies the repository metadata. Since both the packages and the metadata are signed with the same key, the one gpgkey URL in the repo configuration serves both checks. Because that key has not yet been imported into the RPM database, yum asks for confirmation before importing it on the first install.
Sample snippet of downloading a package from the Artifactory Elasticsearch repo:
yum install filebeat --disablerepo="*" --enablerepo="Artifactory"
Alternatively, you can download the key file and import it, or import the GPG key directly from the upstream URL, using the command below.
rpm --import <GPG_KEY_PATH or GPG_KEY_URL>
For example:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
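As an added example (not part of the JFrog article or the Elasticsearch documentation), the following Python script audits a yum .repo file for the settings discussed above: it reports sections with gpgcheck or repo_gpgcheck not set to 1, a missing or misspelled gpgkey option, a key URL served over plain http, and credentials embedded in baseurl. The two .repo snippets inside it are constructed; the host and repository names are placeholders.

```python
"""Audit a yum .repo file for weak or missing GPG verification settings.

Added example, not from the JFrog article. The two .repo snippets below are
constructed for illustration; hostnames and repository names are placeholders.
"""
import configparser
from urllib.parse import urlsplit

# Constructed weak configuration: package check disabled, metadata check absent,
# option name misspelled (gpgKey), key served over http, credentials in baseurl.
WEAK_REPO = """
[Artifactory]
name=Artifactory
baseurl=http://username:password@ARTIFACTORY_HOST:8081/artifactory/mysearchrpm/
enabled=1
gpgcheck=0
gpgKey=http://artifacts.elastic.co/GPG-KEY-elasticsearch
"""

# Constructed hardened configuration following the settings recommended above.
HARDENED_REPO = """
[Artifactory]
name=Artifactory
baseurl=https://ARTIFACTORY_HOST:8081/artifactory/mysearchrpm/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
"""


def _credentials_in_url(url: str) -> bool:
    """True if the URL carries user:password@ in its authority part."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def audit_repo_config(text: str) -> dict:
    """Return {section: [finding, ...]} for every repository section in text.

    Option names are read exactly as written (no lower-casing), so a misspelled
    option such as gpgKey is reported as a missing gpgkey instead of accepted.
    Disabled sections get an empty finding list.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    report = {}
    for section in parser.sections():
        opts = parser[section]
        findings = []
        if opts.get("enabled", "1") == "0":
            report[section] = findings
            continue
        if opts.get("gpgcheck") != "1":
            findings.append("gpgcheck is not 1: package signatures are not verified")
        if opts.get("repo_gpgcheck") != "1":
            findings.append("repo_gpgcheck is not 1: repository metadata is not verified")
        key_url = opts.get("gpgkey")
        if key_url is None:
            findings.append("gpgkey missing (the option name must be lowercase)")
        elif urlsplit(key_url).scheme == "http":
            findings.append("gpgkey is fetched over plain http; use https or a file:// path")
        base = opts.get("baseurl", "")
        if base and _credentials_in_url(base):
            findings.append("baseurl embeds credentials; keep the .repo file mode 0600")
        report[section] = findings
    return report


if __name__ == "__main__":
    # Usage demonstration on the constructed snippets; run against a real file
    # with audit_repo_config(open("/etc/yum.repos.d/artifactory.repo").read()).
    for label, text in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        for section, findings in audit_repo_config(text).items():
            print(f"{label} [{section}]: {findings or 'no findings'}")
```

Running the script prints four findings for the weak snippet and none for the hardened one; pointing it at a real .repo file is a quick pre-flight check before the first yum install through the remote repository.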
How to configure GPG Keys in Apt
If you want to enable GPG signature checks in your apt clients, download the GPG public key from the upstream registry and reference its path in your apt client configuration:
deb [signed-by=<path to the GPG public Key>] <Repository-URL> <DISTRIBUTION> <COMPONENT>
Below is the example for the Elasticsearch repository, using a Debian remote repository mysearchdeb with the upstream URL "https://artifacts.elastic.co/packages/8.x/apt".
As per the Elasticsearch documentation, packages and metadata are signed with the same key, so you can download it once and use it in your apt configuration:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
I have added my remote repository to the apt configuration /etc/apt/sources.list as follows.
deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] http://artifactory_host:8082/artifactory/mysearchdeb stable main
Sample snippet of downloading a package from the Artifactory Elasticsearch repo:
apt install filebeat
root@test-ubuntu:/etc/apt# apt-get update
Hit:1 http://artifactory_host:8082/artifactory/mysearchdeb stable InRelease
Reading package lists... Done
root@test-ubuntu:/etc/apt# apt install filebeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
filebeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/41.8 MB of archives.
After this operation, 155 MB of additional disk space will be used.
Selecting previously unselected package filebeat.
(Reading database ... 150600 files and directories currently installed.)
Preparing to unpack .../filebeat_8.6.1_amd64.deb ...
Unpacking filebeat (8.6.1) ...
Setting up filebeat (8.6.1) ...
Processing triggers for systemd (237-3ubuntu10.56) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@test-ubuntu:/etc/apt#
Alternatively, you can import the GPG key directly using the key ID and keyserver published by the repository provider.
apt-key adv --keyserver <keyserver_name> --recv-keys <keyid>
In this case:
apt-key adv --keyserver pgp.mit.edu --recv-keys D88E42B4
If the key is not specified in the apt configuration and you receive an error like the following, the command above resolves it.
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY <keyid>
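As an added example rather than something from the article, the Python below parses one-line apt source entries, reports entries that lack a signed-by keyring or that set trusted=yes, and maps a NO_PUBKEY warning from apt-get update back to the entry it concerns. The sources.list content and the warning line are constructed (the warning follows the shape apt prints for an unknown signing key); hosts and paths are placeholders and the key id is the one quoted above.

```python
"""Audit apt one-line source entries for signed-by and explain NO_PUBKEY warnings.

Added example, not from the JFrog article. SOURCES and WARNING are constructed;
hosts and paths are placeholders.
"""
import re

# Keyring locations that apt documentation and the article use for signed-by files.
KEYRING_DIRS = ("/usr/share/keyrings/", "/etc/apt/keyrings/")

# Constructed sources.list: the first entry follows the article, the other two
# show the common weak forms (no signed-by, and trusted=yes).
SOURCES = """\
deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] http://artifactory_host:8082/artifactory/mysearchdeb stable main
deb http://artifactory_host:8082/artifactory/other-deb stable main
deb [trusted=yes] http://artifactory_host:8082/artifactory/legacy-deb stable main
"""

# Constructed warning line in the shape apt-get update prints for an unknown key;
# the key id is the one the article quotes for the Elasticsearch key.
WARNING = ("W: GPG error: http://artifactory_host:8082/artifactory/other-deb stable InRelease: "
           "The following signatures couldn't be verified because the public key "
           "is not available: NO_PUBKEY D88E42B4")

ENTRY_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<url>\S+)\s+(?P<suite>\S+)(?P<comps>(?:\s+\S+)*)\s*$")
NO_PUBKEY_RE = re.compile(
    r"GPG error: (?P<url>\S+) (?P<suite>\S+) InRelease:.*NO_PUBKEY (?P<keyid>[0-9A-Fa-f]+)")


def parse_entry(line):
    """Parse one 'deb [opts] url suite comps' line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised source line: {line}")
    opts = {}
    for item in (m.group("opts") or "").split():
        key, _, value = item.partition("=")
        opts[key] = value
    return {"type": m.group(1), "options": opts, "url": m.group("url").rstrip("/"),
            "suite": m.group("suite"), "components": m.group("comps").split()}


def audit_entry(entry):
    """Return the list of findings for one parsed entry."""
    findings = []
    opts = entry["options"]
    if opts.get("trusted") == "yes":
        findings.append("trusted=yes disables signature verification for this entry")
    keyring = opts.get("signed-by")
    if keyring is None:
        findings.append("no signed-by: any key in the global trusted keyring may sign this repository")
    elif not keyring.startswith(KEYRING_DIRS):
        findings.append(f"signed-by keyring {keyring} is outside the standard keyring directories")
    return findings


def audit_sources(text):
    """Audit every entry in a sources.list body; returns {url: findings}."""
    return {e["url"]: audit_entry(e) for e in map(parse_entry, text.splitlines()) if e}


def explain_no_pubkey(warning, text):
    """Match a NO_PUBKEY warning to the entry it concerns and state the fix."""
    m = NO_PUBKEY_RE.search(warning)
    if not m:
        return None
    url = m.group("url").rstrip("/")
    for entry in filter(None, map(parse_entry, text.splitlines())):
        if entry["url"] == url and entry["suite"] == m.group("suite"):
            return {"url": url, "keyid": m.group("keyid"),
                    "signed_by": entry["options"].get("signed-by"),
                    "fix": "download the provider's public key, dearmor it into a keyring "
                           "file, and reference that file with signed-by on this entry"}
    return None


if __name__ == "__main__":
    for url, findings in audit_sources(SOURCES).items():
        print(url, findings or "ok")
    print(explain_no_pubkey(WARNING, SOURCES))
```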
How to use GPG keys if the upstream URL is not accessible from the server?
If the server's outbound access is limited to Artifactory, download the key from the provider, upload it to a Generic local repository in Artifactory, and use that URL in place of the provider's URL in the yum or apt steps above.
Example for yum:
rpm --import http://username:password@artifactory_host/artifactory/mypubkeys/GPG-KEY-elasticsearch.key
Here, mypubkeys is a Generic local repository I created in Artifactory.
Example for apt:
curl http://username:password@artifactory_host/artifactory/mypubkeys/GPG-KEY-elasticsearch.key | gpg --dearmor > /usr/share/keyrings/elasticsearch-keyring.gpg
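When the key is served from an internal Generic repository rather than from the provider, it is worth pinning what each server installs. The Python below is an added example (not the article's or JFrog's code): it dearmors a public key block the way gpg --dearmor does (base64 decode plus the OpenPGP CRC-24 check), compares the SHA-256 of the binary key with a digest recorded once from the provider's original key, and only then writes the keyring file that signed-by= or gpgkey= will point at. The digest value, file names and the sample key bytes in the usage are placeholders or constructed.

```python
"""Dearmor a GPG public key and pin its digest before installing it.

Added example, not from the JFrog article. Reproduces what 'gpg --dearmor'
does for one public key block (base64 decode plus the OpenPGP CRC-24 check)
in pure Python, so the check runs on a host whose only outbound access is
Artifactory. The pinned digest is recorded once from the provider's original
key; the value passed on the command line is a placeholder you replace.
"""
import base64
import hashlib
import re
import sys

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB

ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n"
    r"(?P<headers>(?:[^\n]*:[^\n]*\r?\n)*)\r?\n?"   # optional 'Version:' style headers
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"=(?P<crc>[A-Za-z0-9+/]{4})\r?\n"              # armor checksum line
    r"-----END PGP PUBLIC KEY BLOCK-----"
)


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over data, as used for the '=XXXX' armor checksum."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(raw: bytes) -> str:
    """Wrap raw key bytes in an armored block (used to build constructed input)."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Return the binary key; raise ValueError if the armor or its CRC is bad."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no PGP public key block found")
    raw = base64.b64decode(re.sub(r"\s+", "", m.group("body")), validate=True)
    expected = int.from_bytes(base64.b64decode(m.group("crc")), "big")
    if crc24(raw) != expected:
        raise ValueError("armor CRC-24 mismatch: key file is corrupt or truncated")
    return raw


def key_digest(raw: bytes) -> str:
    """SHA-256 hex digest of the binary key: the value you record and pin."""
    return hashlib.sha256(raw).hexdigest()


def verify_and_install(armored: str, expected_sha256: str, keyring_path) -> bytes:
    """Dearmor, compare against the pinned digest, then write the keyring file.

    With keyring_path=None only the verification is performed.
    """
    raw = dearmor(armored)
    actual = key_digest(raw)
    if actual != expected_sha256.lower():
        raise ValueError(f"key digest {actual} does not match pinned {expected_sha256}")
    if keyring_path is not None:
        with open(keyring_path, "wb") as fh:
            fh.write(raw)
    return raw


def main(argv):
    """Usage: pin_key.py <armored key file> <expected sha256> <keyring output path>"""
    if len(argv) != 4:
        print(main.__doc__)
        return 2
    with open(argv[1], encoding="ascii") as fh:
        armored = fh.read()   # e.g. the file fetched with curl from the Generic repository
    verify_and_install(armored, argv[2], argv[3])
    print(f"installed verified key to {argv[3]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The digest is computed over the dearmored bytes rather than the armored text, so re-wrapping or re-exporting the same key does not change the pinned value; the CRC-24 check catches the truncated download that a plain pipeline into gpg --dearmor would otherwise turn into an empty or partial keyring.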
References:
https://www.jfrog.com/confluence/display/JFROG/RPM+Repositories#RPMRepositories-RemoteRepositories
https://www.elastic.co/guide/en/elasticsearch/reference/8.6/deb.html
https://www.jfrog.com/confluence/display/JFROG/Debian+Repositories