yahoo-eng-team team mailing list archive
Message #86181
[Bug 1930281] [NEW] APT repo PGP keys not handled appropriately
Public bug reported:
For further reference within this bug, I provide the example file
https://pastebin.ubuntu.com/p/txzYWpY33j/
I am attempting to employ the apt tools provided within the cloud-init
system to configure a new apt repository for installing docker during
initial deployment. This is of course preferred to using shell commands
as this would ideally allow better handling of issues of package
installation and also hopefully be more secure.
  packages:
    ...
    - docker-ce
    - docker-ce-cli
    - containerd.io

Are described within the user-data and

  apt:
    sources:
      docker:
        source: "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu focal stable"
        key: |
          -----BEGIN PGP PUBLIC KEY BLOCK-----
          ...
          -----END PGP PUBLIC KEY BLOCK-----

Is provided as the corresponding key. This key is obtained by running
the command:

  curl -fsSL https://download.docker.com/linux/ubuntu/gpg

I am using the stock Ubuntu 20.04.2 cloud image as the guest platform.
The expected/desired behavior of this would be to dearmor the GPG key
provided into the /usr/share/keyrings directory with a filename
(sourcename)-archive.gpg
The actual behavior however is to install the GPG key within the
/etc/trusted.gpg directory which appears to no longer be supported as
apt-key is no longer supported (my reference for this information is
https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html)
As such, apt (update|upgrade|install) does not operate correctly and the
following is seen in /var/log/cloud-init-output.log
W: GPG error: https://download.docker.com/linux/ubuntu focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
E: The repository 'https://download.docker.com/linux/ubuntu focal InRelease' is not signed.
2021-05-31 13:40:10,144 - util.py[WARNING]: Running module apt-configure (<module 'cloudinit.config.cc_apt_configure' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_apt_configure.py'>) failed
** Affects: cloud-init
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1930281
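
The behavior the report asks for (dearmor the key supplied in user-data and write it to a per-source keyring that `signed-by=` can reference), sketched as an added example that is not part of the original report and is not cloud-init's code. The function names, the `<sourcename>-archive.gpg` naming taken from the report, and the constructed sample key are assumptions; the dearmor step only strips the armor and checks its CRC24, it does not validate the OpenPGP packets inside.

```python
import base64
import tempfile
from pathlib import Path

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip the ASCII armor and return the binary keyring bytes."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored PGP public key block")
    body = lines[1:-1]
    if "" in body:  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    checksum = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if checksum and int.from_bytes(base64.b64decode(checksum), "big") != crc24(data):
        raise ValueError("armor CRC24 mismatch")
    return data

def install_keyring(armored: str, source_name: str, keyring_dir: Path) -> Path:
    """Write <keyring_dir>/<source_name>-archive.gpg (naming assumed from the report)."""
    if not source_name.replace("-", "").isalnum():
        raise ValueError("unsafe source name")  # rejects path separators and '..'
    target = keyring_dir / f"{source_name}-archive.gpg"
    target.write_bytes(dearmor(armored))
    target.chmod(0o644)  # keyring must be readable by apt
    return target

# Constructed sample: arbitrary bytes in valid armor, not a real OpenPGP key.
SAMPLE_BYTES = b"\x99\x01constructed-not-a-real-key"
SAMPLE_ARMORED = "\n".join([
    BEGIN, "Comment: constructed sample", "",
    base64.b64encode(SAMPLE_BYTES).decode(),
    "=" + base64.b64encode(crc24(SAMPLE_BYTES).to_bytes(3, "big")).decode(),
    END])

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stands in for /usr/share/keyrings
        print(install_keyring(SAMPLE_ARMORED, "docker", Path(tmp)))
```

A key written this way is trusted only for sources whose `signed-by=` option names that file, rather than for every repository on the system.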