Merge lp:~xnox/debian-cd/missing-keys into lp:~ubuntu-cdimage/debian-cd/ubun3

Proposed by Dimitri John Ledkov
Status: Rejected
Rejected by: Iain Lane
Proposed branch: lp:~xnox/debian-cd/missing-keys
Merge into: lp:~ubuntu-cdimage/debian-cd/ubun3
Diff against target: 13 lines (+3/-0)
1 file modified
tools/apt-selection (+3/-0)
To merge this branch: bzr merge lp:~xnox/debian-cd/missing-keys
Reviewer Review Type Date Requested Status
Dimitri John Ledkov (community) Disapprove
Steve Langasek Abstain
Adam Conrad Pending
Ubuntu CD Image Team Pending
Review via email: mp+364505@code.launchpad.net

Commit message

When traying to operate ubuntu-cdimage/debian-cd on disco, it fails to verify the anonftparchive local mirrir due to lack of GPG keys.

Add a snippet to copy-in system trusted.gpg.d key snippets to validate the repos.

To post a comment you must log in.
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Ping, this is hindering trying to run debian-cd locally when building images.

Can you explain how is this deployed in production, given that all builds must be failing. Or are you running debian-cd in production without verifying signatures on the local mirror?

For me, clean deployments always fail like so:

Get:1 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal InRelease [255 kB]
Get:1 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal InRelease [255 kB]
Get:2 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal-updates InRelease [79.7 kB]
Get:2 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal-updates InRelease [79.7 kB]
Err:1 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3B4FE6ACC0B21F32 NO_PUBKEY 871920D1991BC93C
Err:2 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3B4FE6ACC0B21F32 NO_PUBKEY 871920D1991BC93C

How come ubuntu-cdimage / debian-cd seem to clean the scratch dir and purge trusted.gpg.d and nothing seems to impor the keys.

Revision history for this message
Steve Langasek (vorlon) wrote :

I don't know why you are seeing errors due to unverified repositories that we are not seeing on nusakan. I can confirm that there is no gpg keyring in the scratch apt directory, and the sources.list doesn't include any overrides to ignore signature failures. So I don't know how this is meant to work and I don't want to make changes here without understanding it. I'd like Adam to comment on this.

Also ftr /etc/apt/trusted.gpg.d is empty on the host and /etc/apt/trusted.gpg contains the archive keys. So is this a difference between nusakan's xenial host, and a later release that you're deploying on?

review: Abstain
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I believe juliank mentioned apt bug, that it used system /etc/apt/trusted.gpg, despite all the configs asking to use alternative config apt root dir. Due to this bug, on nuasakan this probably works, but will stop working once it is upgraded.

I guess I can workaround this locally, but I do still wonder what we want to do long term, w.r.t. using the right keys for the right series in target, without poluting host keys.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

So is the new host failing to perform apt-selection operations without this?

Also not all keys in host's /etc/apt/trusted.gpg.d are enough to build all the series. Should ubuntu-archive-keyring.gpg be copied in from /usr/share/keyrings instead?

Revision history for this message
Dimitri John Ledkov (xnox) wrote :
review: Disapprove
Revision history for this message
Iain Lane (laney) wrote :

Ah, sorry for not paying attention to this touching a similar area before.

Unmerged revisions

2021. By Dimitri John Ledkov on 2019-03-15

Copy-in trusted key snippets.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'tools/apt-selection'
2--- tools/apt-selection 2010-07-05 10:39:38 +0000
3+++ tools/apt-selection 2019-03-15 15:51:13 +0000
4@@ -58,6 +58,9 @@
5 if [ ! -d "$APTTMP/$CODENAME-$FULLARCH/apt" ]; then
6 mkdir -p "$APTTMP/$CODENAME-$FULLARCH/apt"
7 fi
8+if [ ! -d "$APTTMP/$CODENAME-$FULLARCH/apt/trusted.gpg.d" ]; then
9+ cp -r /etc/apt/trusted.gpg.d "$APTTMP/$CODENAME-$FULLARCH/apt"
10+fi
11 if [ ! -e "$APTTMP/$CODENAME-$FULLARCH/apt/sources.list" ]; then
12 # Generating a correct sources.list file
13 echo "deb file:$MIRROR $CODENAME $sections" \

Subscribers

People subscribed via source and target branches