I followed the instructions to set up a Debian package registry for my GitLab project.
- ✔️ I enabled the API
- ✔️ I created a distribution
- ✔️ I uploaded packages
Now I have a CI job that needs to pull these packages from the registry. I followed the instructions and tried this in my CI job:
curl --fail-with-body --header "Job-Token: ${CI_JOB_TOKEN}" "https://<my-gitlab-url>/api/v4/projects/45/debian_distributions/<my-codename>/key.asc" | gpg --dearmor | tee /usr/local/share/keyrings/<my-codename>-archive-keyring.gpg > /dev/null
apt-get update
I also added this to the sources.list file:
deb [ signed-by=/usr/local/share/keyrings/<my-codename>-archive-keyring.gpg ] https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> main
Finally, I created /etc/apt/auth.conf.d/sources.conf with:
echo "machine <my-gitlab-url> login gitlab-ci-token password ${CI_JOB_TOKEN}" > /etc/apt/auth.conf.d/sources.conf
However, when apt-get update actually runs, I get the following output:
Err:5 https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> InRelease
401 Unauthorized [IP: 10.0.0.5 443]
Reading package lists...
E: Failed to fetch https://<my-gitlab-url>/api/v4/projects/45/packages/debian/dists/<my-codename>/InRelease 401 Unauthorized [IP: 10.0.0.5 443]
E: The repository 'https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> InRelease' is not signed.
Based on the fact that it says Unauthorized, I think something is wrong with the authentication. Maybe the CI_JOB_TOKEN does not work. I tried doing this manually outside the CI using a personal access token and it did work.
Update
I added this to my .gitlab-ci.yml file:
- echo "${CI_JOB_TOKEN:1}"
- echo "${CI_JOB_TOKEN::-1}"
so that I could snoop on the CI_JOB_TOKEN. Then, while the job was running, I manually entered it in the /etc/apt/auth.conf.d/sources.conf file on my computer, and apt-get update worked while the job was running. After the job ended, apt-get update no longer worked since the token expired (as expected). So the process works with the token, but for some reason it does not work in the CI...
1 Answer
My problem was that the CI_JOB_TOKEN was not getting passed properly into my job. I passed it into the build script, but I needed to also export it from there so that the rest of my workflow had access to the token.
I will vote to close this question because it's related to a mistake.
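
The failure described in the answer can be caught before apt ever reports a 401. The following is an added example, not part of the original post: it refuses to write the credentials entry when CI_JOB_TOKEN did not reach the current shell, and checks whether the variable is exported to child scripts, without printing the token. The function names `write_apt_auth` and `token_visible_to_children` are hypothetical helpers, and it assumes apt on the runner image reads the auth file as root.

```shell
#!/bin/sh
# Added example: guard the apt credentials step against a missing job token.

# write_apt_auth HOST [AUTH_FILE]
# AUTH_FILE defaults to the path used in the question.
write_apt_auth() {
    local host="${1:-}"
    local auth_file="${2:-/etc/apt/auth.conf.d/sources.conf}"

    if [ -z "$host" ]; then
        echo "usage: write_apt_auth HOST [AUTH_FILE]" >&2
        return 2
    fi

    # An unset or empty token still yields a syntactically valid auth.conf
    # line; apt would only surface the problem later as 401 Unauthorized.
    if [ -z "${CI_JOB_TOKEN:-}" ]; then
        echo "CI_JOB_TOKEN is empty in this shell; export it from the calling script" >&2
        return 1
    fi

    # Write the entry owner-readable only (assumption: apt reads it as root)
    # and never echo the token itself to the job log.
    (
        umask 077
        printf 'machine %s login gitlab-ci-token password %s\n' \
            "$host" "$CI_JOB_TOKEN" > "$auth_file" &&
        chmod 600 "$auth_file"
    ) || return 1

    echo "wrote $auth_file" >&2
}

# Succeeds only if a child process (a script invoked later in the job) can
# see CI_JOB_TOKEN, which requires the variable to be exported.
token_visible_to_children() {
    sh -c '[ -n "${CI_JOB_TOKEN:-}" ]'
}
```

Calling `token_visible_to_children` at the top of a build script separates "the token is set here" from "the token is visible to the commands I run next", which is the distinction the answer turned on.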