[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#970796: Bug

On Thu, Apr 08, 2021 at 04:32:37PM +0000, Jarosław Wygoda wrote:
>    I tried to add complete key on debian 10 and it turns out it requires
>    gnupg. Here's a relevant cloud-init config and error.
>    apt:
>      preserve_sources_list: true
>      sources:
>        docker.list:
>          source: "deb [arch=amd64]
>    [1]https://download.docker.com/linux/debian $RELEASE edge"
>          key: |
>            -----BEGIN PGP PUBLIC KEY BLOCK-----
>            ...
>    Cloud-init v. 20.2 running 'modules:config' at Thu, 08 Apr 2021 15:33:51
>    +0000. Up 16.04 seconds.
>    2021-04-08 15:33:52,098 - cc_apt_configure.py[ERROR]: failed to add apt
>    GPG Key to apt keyring
>    Traceback (most recent call last):
>      File
>    "/usr/lib/python3/dist-packages/cloudinit/config/cc_apt_configure.py",
>    line 553, in add_apt_key_raw
>        util.subp(['apt-key', 'add', '-'], data=key.encode(), target=target)
>      File "/usr/lib/python3/dist-packages/cloudinit/util.py", line 2192, in
>    subp
>        cmd=args)
>    cloudinit.util.ProcessExecutionError: Unexpected error while running
>    command.
>    Command: ['apt-key', 'add', '-']
>    Exit code: 255
>    Reason: -
>    Stdout:
>    Stderr: E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one
>    of them is required for this operation
>    2021-04-08 15:33:52,133 - util.py[WARNING]: Running module apt-configure
>    (<module 'cloudinit.config.cc_apt_configure' from
>    '/usr/lib/python3/dist-packages/cloudinit/config/cc_apt_configure.py'>)
>    failed

There are a couple issues here.

First, cloud-init should stop using apt-key to add keys provided via
this mechanism.  That's tracked upstream at

Second, if the file is provided in ASCII-armored format inline in
cloud-config, as you've shown here, then cloud-init *should* install it
to /usr/share/keyrings/ and the deb sources line should be specified to
include a signed-by directive, as documented in the third-party apt
sources list best practices. [1] In order for that to work, though, the
key needs to be available in *binary* format.  So we still do need gpg
to do the conversion.

For now, to work around this in our cloud images, I recommend using a
cloud-config "packages:" entry to install gpg, and then use a script
similar to the one shown at [2] as a user-data script.

Alternatively, you can use a bootcmd cloud-config directive to install
gpg early in your instance's boot process, which will make it available
in time for the apt-configure module's execution.


1. https://wiki.debian.org/DebianRepository/UseThirdParty
2. https://github.com/docker/docker.github.io/issues/11625#issuecomment-751388087

Attachment: signature.asc
Description: PGP signature

Reply to: