If you want to mirror repositories from your current aptly server to a new server, you must import the GPG key from your old server; otherwise you are going to encounter the following error:
gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Can't check signature: public key not found
Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:
gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 181482CCFDC7A25E
Sometimes keys are stored in repository root in file named Release.key, to import such key:
wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import
ERROR: unable to fetch mirror: verification of detached signature failed: exit status 2
And the mirror command fails. The problem is that you must import the GPG key from your old server into trustedkeys.gpg (even if you have already imported it on the new server with apt-key!).
Here is how to list, export and import it (we are going to import it into both the default keyring and trustedkeys.gpg because it is more convenient, but having it in the default keyring is not mandatory).
Before we begin, here is the problem, shown by listing the default and trustedkeys keyrings:
The old server:
root@srv-aptly-1:~# gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys
/root/.gnupg/trustedkeys.gpg
----------------------------
pub 2048D/FDC7A25E 2017-09-16
uid My-aptly (aptly key no passphrase) <my-aptly@example.com>
root@srv-aptly-1:~# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048D/FDC7A25E 2017-09-16
uid My-aptly (aptly key no passphrase) <my-aptly@example.com>
root@srv-aptly-1:~# apt-key list|grep -A 1 FDC7A25E
pub 2048D/FDC7A25E 2017-09-16
uid My-aptly (aptly key no passphrase) <my-aptly@example.com>
The new server:
root@srv-aptly-2:~# gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys
root@srv-aptly-2:~#
root@srv-aptly-2:~# gpg --list-keys
root@srv-aptly-2:~#
root@srv-aptly-2:~# apt-key list|grep -A 1 FDC7A25E
pub 2048D/FDC7A25E 2017-09-16
uid My-aptly (aptly key no passphrase) <my-aptly@example.com>
As you can see, the key is missing from the new server's GPG keyrings, but it is imported in the apt system. You must import it with the GPG tool! apt keys are used only by the apt package system and not by aptly, which uses the more generic GPG configuration. Yes, if you want to use your repository, this key must be imported with apt-key, but that is not enough for your mirrored aptly server.
Here is how to do it:
Export the public GPG key from your old server (the cat command shows you the content of the file and what an exported GPG public key should look like):
root@srv-aptly-1:~# gpg --no-default-keyring --keyring trustedkeys.gpg --export --armor FDC7A25E > pub-FDC7A25E.key
root@srv-aptly-1:~# cat pub-FDC7A25E.key
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQILdjitiexuangai1aiP0ahtohqu3hiej2chaiduT3Fee5euxaithee1xie6aic
eiReip6jobi3phaiph0hoo5bee9abahdeiyaitieriCh0oming4shai4Achaegus
ais0ze8pooHacharai3thi4CeiGi9ci3bephiaDeiboch0Pop9ohg8phooqu1ohW
MithaisaeS7eimoh0CahyeilooPheeweiloGhooGh4odie0fohXekail6Co0Aev5
ooc7Aekohfaed5Iephepohnga5Yaitohnunahshohd8meew7VaixouTie8Io8OoT
ang9AhlozahSaeji6iet0Iv9ahB3mohTo9ogh6eeneica4yiegauwufohraekeel
ahphieFooShei7Jah5je2aikoow9aosh3Odae7ochor7chaiShor8Hae2uikahpo
Auxaachi7aY9Ohlie5Eequ5oqueaboofiaphugauPo1eiheetofo7ahzoh0Eisie
vootie3eJo8um2aXeef9leki8iefo5moob9uyahv2hohz2doo4pheezo1se2ohvu
JeeCeiwie8queexahcai6looNeshe2OoTh9ahGhaiyer6ShohphieChahfaephu5
Teiy0hahCh8Foahu2phah7ta3aiShooNg6chair9ax5Thu2phi4za1eph1oothoo
ooTh4gah1aengaim4FaefiecheicoPh1geez2tae8oith9iemuiv7eiphaivoh5e
hao2quaij1saec7cie7ooha2to0LiNg6Jumeid7quuv2eeT7Kohb4eigeic6thoo
ahleic3rei1lairaojei0Loo5eXaoquahseingahkah7aimahPheefiseedoh6th
wix7uxie7ahfieChie3lohL2jai3Em0su9fooVaehahquochei9eeNingual6aij
ahhoowae3quoo5nee4ia4aela7ekierahng7fo8wahngo6oquer9ohRosohyelog
choomohdiethuHoo6raipohngie9Iayoudah0iy8eeje4rooku7Aire1vush9chi
pieshee8dohdaweeGo0Opohgun2aif5eegh8ooJaho5ui7aph0me5xu0eiZoongu
maizooDeib9viephooY6chaitai6aiv7xoopaph1ouRohwaiv5seo0theigh2eiM
eepoobilainge7aiyoh6na4Gu5shaeng6za6ooSheil8aem5ae4AhZai6iloduvu
wix7uxie7Ggg==
=PX7K
-----END PGP PUBLIC KEY BLOCK-----
Upload the file generated on the old server and import it on the new server:
root@srv-aptly-2:~# cat ./pub-FDC7A25E.key| gpg --no-default-keyring --keyring trustedkeys.gpg --import
gpg: key FDC7A25E: public key "My-aptly (aptly key no passphrase) <my-aptly@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@srv-aptly-2:~# gpg --import ./pub-FDC7A25E.key
gpg: key FDC7A25E: public key "My-aptly (aptly key no passphrase) <my-aptly@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@srv-aptly-2:~# apt-key list|grep -A 1 FDC7A25E
pub 2048D/FDC7A25E 2017-09-16
uid My-aptly (aptly key no passphrase) <my-aptly@example.com>
The key FDC7A25E is successfully imported and you may proceed with mirroring your server with aptly.
And now, if you execute your mirror command, the signature is recognized:
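A check worth running between the upload and the import, as an added example that is not part of the original post: compare the full fingerprint of the transferred file with the one read on the old server, because an 8-character key ID such as FDC7A25E does not identify a key uniquely. The fingerprint value, the sample listings and the function names are constructed placeholders; the real fingerprint comes from `gpg --no-default-keyring --keyring trustedkeys.gpg --fingerprint FDC7A25E` on the old server.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): import a transferred key into
# trustedkeys.gpg only if its full fingerprint matches the expected one.

# CONSTRUCTED placeholder fingerprint; take the real one from the old server.
EXPECTED_FPR="AAAABBBBCCCCDDDDEEEEFFFF181482CCFDC7A25E"

# CONSTRUCTED samples of `gpg --with-colons --with-fingerprint FILE` output.
SAMPLE_GOOD='pub:-:2048:17:181482CCFDC7A25E:1505520000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF181482CCFDC7A25E:
uid:-::::1505520000::::My-aptly (aptly key no passphrase) <my-aptly@example.com>:'
# Same short key ID (FDC7A25E) and same user ID, but a different key.
SAMPLE_LOOKALIKE='pub:-:2048:17:DEADBEEFFDC7A25E:1505520000:::-:::scESC:
fpr:::::::::111122223333444455556666DEADBEEFFDC7A25E:
uid:-::::1505520000::::My-aptly (aptly key no passphrase) <my-aptly@example.com>:'

# Print the fingerprint of the first primary key in colon-format input.
primary_fpr() {
  awk -F: '$1 == "pub" { seen = 1; next }
           seen && $1 == "fpr" { print $10; exit }'
}

# verify_listing EXPECTED: read a colon listing on stdin. Returns 0 on a match,
# 1 on a fingerprint mismatch, 2 unless the input holds exactly one primary key.
verify_listing() {
  vl_expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  vl_listing=$(cat)
  vl_count=$(printf '%s\n' "$vl_listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
  [ "$vl_count" -eq 1 ] || return 2
  [ "$(printf '%s\n' "$vl_listing" | primary_fpr)" = "$vl_expected" ] || return 1
}

# import_if_expected FILE EXPECTED: the gpg calls a real run would make.
import_if_expected() {
  gpg --with-colons --with-fingerprint "$1" 2>/dev/null | verify_listing "$2" || {
    echo "refusing to import $1: fingerprint check failed" >&2
    return 1
  }
  gpg --no-default-keyring --keyring trustedkeys.gpg --import "$1"
}

# Demonstration on the constructed samples (no gpg needed).
printf '%s\n' "$SAMPLE_GOOD" | verify_listing "$EXPECTED_FPR" && echo "sample key: match"
printf '%s\n' "$SAMPLE_LOOKALIKE" | verify_listing "$EXPECTED_FPR" || echo "look-alike key: rejected"
```

On the new server the call would be `import_if_expected ./pub-FDC7A25E.key "<fingerprint from the old server>"`.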
root@srv:~# aptly --config="/etc/aptly/.aptly.conf" mirror create -architectures=amd64 salt http://aptly-srv1.example.com/ubuntu xenial-myrepo main
Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/InRelease...
gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Good signature from "My-aptly (aptly key no passphrase) <my-aptly@example.com>"
Mirror [main]: http://aptly-srv1.example.com/ubuntu/ xenial-myrepo successfully added.
You can run 'aptly mirror update main' to download repository contents.
The whole output of the error:
root@srv:~# aptly --config="/etc/aptly/.aptly.conf" mirror create -architectures=amd64,i386,source salt http://aptly-srv1.example.com/ubuntu xenial-myrepo main
Looks like your keyring with trusted keys is empty. You might consider importing some keys.
If you're running Debian or Ubuntu, it's a good idea to import current archive keys by running:
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring trustedkeys.gpg --import
(for Ubuntu, use /usr/share/keyrings/ubuntu-archive-keyring.gpg)
Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/InRelease...
gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Can't check signature: public key not found
Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:
gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 181482CCFDC7A25E
Sometimes keys are stored in repository root in file named Release.key, to import such key:
wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import
Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/Release...
Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/Release.gpg...
gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Can't check signature: public key not found
Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:
gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 181482CCFDC7A25E
Sometimes keys are stored in repository root in file named Release.key, to import such key:
wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import
ERROR: unable to fetch mirror: verification of detached signature failed: exit status 2
NOTE
Note that all the examples here are run as the root user, and the GPG keys belong to the root user. You may use a different user for the aptly process, in which case you must ensure the GPG keys are present for that user (the directories and files are the same, only the home directory differs: it is the home directory of the aptly user, i.e. “/[my-aptly-home-directory]/.gnupg/trustedkeys.gpg”, and for all other GPG files “/[my-aptly-home-directory]/.gnupg/”).