canonical-hw-cert team mailing list archive

[Rod Smith <mp+455159@xxxxxxxxxxxxxxxxxx>]

Rod Smith has proposed merging ~rodsmith/maas-cert-server:remove-apt-key-from-preseed into maas-cert-server:main.

Commit message:
Remove apt-key calls from MAAS preseed file

Requested reviews:
  Jeff Lane  (bladernr)

For more details, see:
https://code.launchpad.net/~rodsmith/maas-cert-server/+git/maas-cert-server/+merge/455159

Removes the apt-key calls from the preseed file, instead copying the GPG file directly to /etc/apt.d/trusted.gpg.d. After much testing, there are TWO CAVEATS:

First, something else in MAAS or curtin still seems to still be using apt-key; installation logs show that apt-key is still being used, with the warnings associated with this usage. AFAIK, this will have to be handled by whatever upstream project is still using apt-key.

Second, the code in the curtin_userdata file appears to be called only when certain non-standard drivers are installed. I'm not sure which, if any, of our systems might trigger this code, so I've really been unable to test that my changes will work as intended, once triggered. My testing has focused on systems on my own network, and the updated file works fine with them, with both Ubuntu 22.04 and Ubuntu 18.04. Thus, the worst that seems likely is that this will break deployment of whatever system(s) trigger the relevant code. If you know what system(s) that might be, I can test against them. Otherwise, we may just have to either keep using apt-key until it breaks or accept the risk that this MR will break on some system(s).
-- 
Your team hardware-certification-users is subscribed to branch maas-cert-server:main.

diff --git a/debian/changelog b/debian/changelog
index 1e2d967..167ae6e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+maas-cert-server (0.7.7-0ppa1) jammy; urgency=medium
+
+  * Remove apt-key calls from certification preseed file
+
+ -- Rod Smith <rodsmith@xxxxxxxxxxxxxxxxxxxxx>  Sat, 04 Nov 2023 10:21:06 -0400
+
 maas-cert-server (0.7.6-0ppa1) jammy; urgency=medium
 
   * Copy changes from network.py to better support systems on which
diff --git a/preseed/curtin_userdata_cert b/preseed/curtin_userdata_cert
index a59d24a..6129a73 100644
--- a/preseed/curtin_userdata_cert
+++ b/preseed/curtin_userdata_cert
@@ -36,8 +36,7 @@ debconf_selections:
 early_commands:
   {{py: key_string = ''.join(['\\x%x' % x for x in driver['key_binary']])}}
   {{if driver['key_binary'] and driver['repository'] and driver['package']}}
-  driver_00_get_key: /bin/echo -en '{{key_string}}' > /tmp/maas-{{driver['package']}}.gpg
-  driver_01_add_key: ["apt-key", "add", "/tmp/maas-{{driver['package']}}.gpg"]
+  driver_00_get_key: /bin/echo -en '{{key_string}}' > /etc/apt.d/trusted.gpg.d/maas-{{driver['package']}}.gpg
   {{endif}}
   {{if driver['repository']}}
   driver_02_add: ["add-apt-repository", "-y", "deb {{driver['repository']}} {{node.get_distro_series()}} main"]
@@ -185,8 +184,7 @@ late_commands:
   maas: [wget, '--no-proxy', {{node_disable_pxe_url|escape.json}}, '--post-data', {{node_disable_pxe_data|escape.json}}, '-O', '/dev/null']
 {{if third_party_drivers and driver}}
   {{if driver['key_binary'] and driver['repository'] and driver['package']}}
-  driver_00_key_get: curtin in-target -- sh -c "/bin/echo -en '{{key_string}}' > /tmp/maas-{{driver['package']}}.gpg"
-  driver_02_key_add: ["curtin", "in-target", "--", "apt-key", "add", "/tmp/maas-{{driver['package']}}.gpg"]
+  driver_00_key_get: curtin in-target -- sh -c "/bin/echo -en '{{key_string}}' > /etc/apt/trusted.gpg.d/maas-{{driver['package']}}.gpg"
   {{endif}}
   {{if driver['repository']}}
   driver_03_add: ["curtin", "in-target", "--", "add-apt-repository", "-y", "deb {{driver['repository']}} {{node.get_distro_series()}} main"]