
Bug#970796: Bug



On Thu, Apr 08, 2021 at 04:32:37PM +0000, Jarosław Wygoda wrote:
>    I tried to add complete key on debian 10 and it turns out it requires
>    gnupg. Here's a relevant cloud-init config and error.
>    apt:
>      preserve_sources_list: true
>      sources:
>        docker.list:
>          source: "deb [arch=amd64] https://download.docker.com/linux/debian $RELEASE edge"
>          key: |
>            -----BEGIN PGP PUBLIC KEY BLOCK-----
>            ...
>    Cloud-init v. 20.2 running 'modules:config' at Thu, 08 Apr 2021 15:33:51
>    +0000. Up 16.04 seconds.
>    2021-04-08 15:33:52,098 - cc_apt_configure.py[ERROR]: failed to add apt
>    GPG Key to apt keyring
>    Traceback (most recent call last):
>      File
>    "/usr/lib/python3/dist-packages/cloudinit/config/cc_apt_configure.py",
>    line 553, in add_apt_key_raw
>        util.subp(['apt-key', 'add', '-'], data=key.encode(), target=target)
>      File "/usr/lib/python3/dist-packages/cloudinit/util.py", line 2192, in
>    subp
>        cmd=args)
>    cloudinit.util.ProcessExecutionError: Unexpected error while running
>    command.
>    Command: ['apt-key', 'add', '-']
>    Exit code: 255
>    Reason: -
>    Stdout:
>    Stderr: E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one
>    of them is required for this operation
>    2021-04-08 15:33:52,133 - util.py[WARNING]: Running module apt-configure
>    (<module 'cloudinit.config.cc_apt_configure' from
>    '/usr/lib/python3/dist-packages/cloudinit/config/cc_apt_configure.py'>)
>    failed

There are a couple of issues here.

First, cloud-init should stop using apt-key to add keys provided via
this mechanism.  That's tracked upstream at
https://bugs.launchpad.net/cloud-init/+bug/1836336

Second, if the file is provided in ASCII-armored format inline in
cloud-config, as you've shown here, then cloud-init *should* install it
to /usr/share/keyrings/ and the deb sources line should be specified to
include a signed-by directive, as documented in the third-party apt
sources list best practices. [1] In order for that to work, though, the
key needs to be available in *binary* format.  So we still do need gpg
to do the conversion.

For now, to work around this in our cloud images, I recommend using a
cloud-config "packages:" entry to install gpg, and then use a script
similar to the one shown at [2] as a user-data script.

Alternatively, you can use a bootcmd cloud-config directive to install
gpg early in your instance's boot process, which will make it available
in time for the apt-configure module's execution.

noah

1. https://wiki.debian.org/DebianRepository/UseThirdParty
2. https://github.com/docker/docker.github.io/issues/11625#issuecomment-751388087
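As an added example (not part of this thread, nor cloud-init's or Docker's own code), the shell equivalent of the workaround described above: a script run after gnupg is installed, which stores the key in binary form under /usr/share/keyrings/ and writes a sources entry carrying a signed-by directive instead of calling apt-key. The keyring file name and the key download URL are assumptions, not taken from this thread.

```shell
#!/bin/sh
# Added example: third-party apt source with a signed-by keyring, no apt-key.
set -eu

# Build the sources.list entry with a signed-by directive (pure string work).
# Usage: signed_by_line <arch> <keyring-path> <url> <suite> <component>
signed_by_line() {
    printf 'deb [arch=%s signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Convert an ASCII-armored key on stdin into the binary keyring file apt's
# signed-by expects. Fails loudly if gnupg is missing, which is the exact
# condition the quoted cloud-init error reports.
dearmor_to_keyring() {
    keyring="$1"
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    gpg --dearmor > "$keyring"
    chmod 0644 "$keyring"   # readable by the _apt user, not writable by it
}

# Assumed keyring path and key URL; the suite comes from the running system
# (the $RELEASE cloud-init substitutes in the quoted config).
install_docker_source() {
    keyring=/usr/share/keyrings/docker-archive-keyring.gpg
    release=$(. /etc/os-release && echo "$VERSION_CODENAME")
    curl -fsSL https://download.docker.com/linux/debian/gpg | dearmor_to_keyring "$keyring"
    signed_by_line amd64 "$keyring" https://download.docker.com/linux/debian "$release" edge \
        > /etc/apt/sources.list.d/docker.list
}

# Only perform the installation when explicitly asked (e.g. "sh script.sh run").
[ "${1:-}" = run ] && install_docker_source
```

Because the keyring is referenced only from this one sources entry, that key can authenticate only the Docker repository rather than every repository apt knows about, which is the point of the signed-by practice cited at [1].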
