NEXUS-16251

provide option to serve yum gpgkey urls


    Details

    • Notability:
      4

      Description

      An rpm yum client can check the GPG signature of packages in a repository.

      See the gpgcheck option as described here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-configuring_yum_and_yum_repositories

      One can also specify a URI to the gpgkey to validate the packages. In the case of a remote repository, the repository maintainer may include the public gpgkey file directly on the remote host.

      The request validation for Nexus proxy repositories currently returns 404 Not Found for any request other than rpm files and repodata/ metadata files, so configuring the rpm client to fetch the gpgkey from an arbitrary path in the proxy repository can fail.

      There does not appear to be a naming convention or path convention for these key files.

      Example Key files:

      http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol7
      https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
      A list of keys here: https://access.redhat.com/security/team/key/

      Getting these key files through means other than NXRM proxy URLs is challenging in firewalled environments where the only way out to these remotes is through Nexus, because the yum clients have no external access.

      Expected

      Nexus Repository Manager should provide some common facility to allow rpm clients to get gpgkeys to verify package signatures in remote repositories.

      As part of this work, consider that hosted YUM repos may also need to support providing clients a GPGkey to validate packages published into Nexus.

      Group repositories are a special consideration since the packages served from them potentially come from many different sources.

      Workaround

      As a workaround, you can create a RAW proxy repository to the same remote URL as the YUM proxy repository and set gpgkey to the key's URL under that RAW proxy repository instead.

      Alternatively, an administrator can create a single RAW hosted repository to store all remote keys in whatever layout is needed; the URLs of the individual keys can then be shared with YUM clients as required.
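      The failure and the RAW-proxy workaround side by side in a yum .repo file, as an added example that is not part of the issue. The Nexus host nexus.example.internal, the repository names oracle-ol7-yum and oracle-ol7-raw, and the baseurl path are assumed; the key file name is the Oracle key listed above.

```ini
# Added example (not from the issue). Assumed: Nexus at nexus.example.internal,
# a YUM proxy repo "oracle-ol7-yum" and a RAW proxy repo "oracle-ol7-raw",
# both proxying the same remote, http://public-yum.oracle.com/ .

# Broken: gpgkey points into the YUM proxy. Nexus only serves .rpm and
# repodata/ paths from a YUM proxy, so the key request gets 404 Not Found
# and yum aborts the first install that needs the signature check.
[ol7_latest_key_via_yum_proxy]
name=Oracle Linux 7 latest (gpgkey via YUM proxy, fails with 404)
baseurl=https://nexus.example.internal/repository/oracle-ol7-yum/repo/OracleLinux/OL7/latest/x86_64/
enabled=0
gpgcheck=1
gpgkey=https://nexus.example.internal/repository/oracle-ol7-yum/RPM-GPG-KEY-oracle-ol7

# Workaround: packages still come from the YUM proxy, but gpgkey is fetched
# through the RAW proxy to the same remote root, where the key file lives.
# gpgcheck stays enabled; clearing it would silence the 404 but also drop
# signature verification of every package installed from this repo.
[ol7_latest]
name=Oracle Linux 7 latest (gpgkey via RAW proxy)
baseurl=https://nexus.example.internal/repository/oracle-ol7-yum/repo/OracleLinux/OL7/latest/x86_64/
enabled=1
gpgcheck=1
gpgkey=https://nexus.example.internal/repository/oracle-ol7-raw/RPM-GPG-KEY-oracle-ol7
```

      The RAW proxy only needs to forward the key path; a quick `curl -I` against the gpgkey URL from a client host should return 200 before the repo is enabled.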

      People

      Assignee: mjohnson Matt Johnson
      Reporter: plynch Peter Lynch
      Last Updated By: Michael Prescott
      Team: NXRM - Neo
      Votes: 11
      Watchers: 18
