curtin-dev team mailing list archive

Re: [Merge] ~bryanfraschetti/curtin:custom-apt-keys into curtin:master

> I expect that the existing curtin functionality today supports this request,
> albeit it may not be obvious how to do so.
> 
> To that end please provide failing configurations for analysis.

Hi Dan,

Note that the following confs use a standard but non-default mirror and its corresponding GPG key, whereas the customer is using their local landscape mirrors and keys. As well, for simplicity I have omitted the version/identity etc. sections here, but we used the values: https://canonical-subiquity.readthedocs-hosted.com/en/latest/howto/autoinstall-quickstart.html#autoinstall-quick-start

Our first configuration, based on the curtin docs, is as follows:

#cloud-config
autoinstall:
  apt:
    preserve_sources_list: false
    fallback: offline-install
    disable_suites: [backports]
    primary:
      - arches: [default]
        uri: http://plug-mirror.rcac.purdue.edu/ubuntu/
    security:
      - arches: [amd64]
        uri: http://plug-mirror.rcac.purdue.edu/ubuntu/
    sources:
      localrepokey:
        key: |
          -----BEGIN PGP PUBLIC KEY BLOCK-----
           
          xsFNBFufwdoBEADv/Gxytx/LcSXYuM0MwKojbBye81s0G1nEx+lz6VAUpIUZnbkq
          ...
          qHHzE4GlHpregPNABgwTrWy3DQD/XpdyzHbfgShbJyVIdBVD60ta/D5O3GWC5keh
          KGXprgA=
          =TrSo
          -----END PGP PUBLIC KEY BLOCK-----

which produces the ubuntu.sources:
Types: deb
URIs: http://plug-mirror.rcac.purdue.edu/ubuntu/
Suites: noble noble-updates
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://plug-mirror.rcac.purdue.edu/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

which does not contain the expected raw key or /etc/apt/trusted.gpg.d/localrepokey.gpg.

Next option tried is providing a custom template (that's deb822 format) and replacing the Signed-By field:
#cloud-config
autoinstall:
  apt:
    primary:
      - arches: [default]
        uri: http://plug-mirror.rcac.purdue.edu/ubuntu/
    sources_list: |
      Types: deb
      URIs: $PRIMARY
      Suites: $RELEASE $RELEASE-updates $RELEASE-security $RELEASE-proposed
      Components: main
      Signed-By: -----BEGIN PGP PUBLIC KEY BLOCK-----
        Comment: Hostname:
        Version: Hockeypuck 2.2
        xsFNBFufwdoBEADv/Gxytx/LcSXYuM0MwKojbBye81s0G1nEx+lz6VAUpIUZnbkq
        ...
        qHHzE4GlHpregPNABgwTrWy3DQD/XpdyzHbfgShbJyVIdBVD60ta/D5O3GWC5keh
        KGXprgA=
        =TrSo
        -----END PGP PUBLIC KEY BLOCK-----

which successfully updates the ubuntu.sources file, but the key doesn't get registered. The following is encountered on apt update:
GPG error: http://plug-mirror.rcac.purdue.edu/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C

Currently, the best solution so far seems to be:
provide the template with: Signed-By: /etc/apt/trusted.gpg.d/localrepokey.gpg
and simply have a runcmd that echoes the GPG key to a localrepokey.asc and dearmors it into the trusted.gpg.d directory.

Again, I appreciate you taking the time. Thank you

Bryan

-- 
https://code.launchpad.net/~bryanfraschetti/curtin/+git/curtin/+merge/476864
Your team curtin developers is subscribed to branch curtin:master.
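The workaround described in the message above, written out as a complete autoinstall fragment. This is an added example, not configuration from the merge proposal or from curtin itself; it assumes the installed system has gpg available, uses the autoinstall late-commands stage in place of a first-boot runcmd, and keeps the mirror key in a dedicated keyring under /etc/apt/keyrings (referenced by Signed-By) rather than in trusted.gpg.d, so that the key is only accepted for this one source instead of for every configured repository. The mirror URI is the one from the message; the key body is a placeholder.

```yaml
#cloud-config
autoinstall:
  apt:
    primary:
      - arches: [default]
        uri: http://plug-mirror.rcac.purdue.edu/ubuntu/
    sources_list: |
      Types: deb
      URIs: $PRIMARY
      Suites: $RELEASE $RELEASE-updates $RELEASE-security
      Components: main restricted universe multiverse
      Signed-By: /etc/apt/keyrings/localrepokey.gpg
  late-commands:
    # Create the keyring directory in the installed system (/target).
    - mkdir -p /target/etc/apt/keyrings
    # Write the ASCII-armoured mirror key. PLACEHOLDER: paste the real
    # armoured public key block here; the lines below are not a valid key.
    - |
      cat > /target/etc/apt/keyrings/localrepokey.asc <<'EOF'
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      PLACEHOLDER-KEY-BODY
      -----END PGP PUBLIC KEY BLOCK-----
      EOF
    # Dearmor into the binary keyring that the Signed-By line points at,
    # then check that apt can now verify the mirror's InRelease signature.
    - curtin in-target --target=/target -- gpg --dearmor -o /etc/apt/keyrings/localrepokey.gpg /etc/apt/keyrings/localrepokey.asc
    - curtin in-target --target=/target -- rm /etc/apt/keyrings/localrepokey.asc
    - curtin in-target --target=/target -- apt-get update
```

Because the keyring only exists once late-commands run, any apt operation the installer performs in the target before that stage will still see the NO_PUBKEY error; the final apt-get update is there so a verification failure surfaces in the install log rather than on first boot.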