> I expect that the existing curtin functionality today supports this request,
> albeit it may not be obvious how to do so.
>
> To that end please provide failing configurations for analysis.
Hi Dan,

Note that the following confs use a standard but non-default mirror and its corresponding GPG key, whereas the customer is using their local landscape mirrors and keys. As well, for simplicity I have omitted the version/identity etc. sections here, but we used the values:
https://canonical-subiquity.readthedocs-hosted.com/en/latest/howto/autoinstall-quickstart.html#autoinstall-quick-start

Our first configuration, based on the curtin docs, is as follows:

    #cloud-config
    autoinstall:
      apt:
        preserve_sources_list: false
        fallback: offline-install
        disable_suites: [backports]
        primary:
          - arches: [default]
            uri: http://plug-mirror.rcac.purdue.edu/ubuntu/
        security:
          - arches: [amd64]
            uri: http://plug-mirror.rcac.purdue.edu/ubuntu/
        sources:
          localrepokey:
            key: |
              -----BEGIN PGP PUBLIC KEY BLOCK-----
              xsFNBFufwdoBEADv/Gxytx/LcSXYuM0MwKojbBye81s0G1nEx+lz6VAUpIUZnbkq
              ...
              qHHzE4GlHpregPNABgwTrWy3DQD/XpdyzHbfgShbJyVIdBVD60ta/D5O3GWC5keh
              KGXprgA=
              =TrSo
              -----END PGP PUBLIC KEY BLOCK-----

which produces the ubuntu.sources:

    Types: deb
    URIs: http://plug-mirror.rcac.purdue.edu/ubuntu/
    Suites: noble noble-updates
    Components: main restricted universe multiverse
    Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

    Types: deb
    URIs: http://plug-mirror.rcac.purdue.edu/ubuntu/
    Suites: noble-security
    Components: main restricted universe multiverse
    Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Which does not contain the expected raw key or /etc/apt/trusted.gpg.d/localrepokey.gpg.

Next option tried is providing a custom template (that's deb822 format) and replacing the Signed-By field:

    #cloud-config
    autoinstall:
      apt:
        primary:
          - arches: [default]
            uri: http://plug-mirror.rcac.purdue.edu/ubuntu/
        sources_list: |
          Types: deb
          URIs: $PRIMARY
          Suites: $RELEASE $RELEASE-updates $RELEASE-security $RELEASE-proposed
          Components: main
          Signed-By: -----BEGIN PGP PUBLIC KEY BLOCK-----
           Comment: Hostname:
           Version: Hockeypuck 2.2
           xsFNBFufwdoBEADv/Gxytx/LcSXYuM0MwKojbBye81s0G1nEx+lz6VAUpIUZnbkq
           ...
           qHHzE4GlHpregPNABgwTrWy3DQD/XpdyzHbfgShbJyVIdBVD60ta/D5O3GWC5keh
           KGXprgA=
           =TrSo
           -----END PGP PUBLIC KEY BLOCK-----

which successfully updates the ubuntu.sources file, but the key doesn't get registered. The following is encountered on apt update:

    GPG error: http://plug-mirror.rcac.purdue.edu/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C

Currently, the best solution so far seems to be: provide the template with:

    Signed-By: /etc/apt/trusted.gpg.d/localrepokey.gpg

and simply have a runcmd that echoes the GPG key to a localrepokey.asc and dearmors it into the trusted.gpg.d directory.

Again, I appreciate you taking the time.

Thank you
Bryan

-- 
https://code.launchpad.net/~bryanfraschetti/curtin/+git/curtin/+merge/476864
Your team curtin developers is subscribed to branch curtin:master.
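
A check one could run against a generated ubuntu.sources to see which trust anchor each stanza actually ended up with, as an added example that is not part of the message above and not curtin code. The names parse_deb822 and audit_sources are hypothetical helpers; the sample input is the ubuntu.sources quoted in the message.

```python
# Added example (not curtin code): classify Signed-By in each deb822 stanza.
STOCK_KEYRING = "/usr/share/keyrings/ubuntu-archive-keyring.gpg"

def parse_deb822(text):
    """Split deb822 text into stanzas; continuation lines start with whitespace."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last stanza
        if not line.strip():                   # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:        # continuation of the previous field
            current[last] += "\n" + line.strip()
        elif ":" in line and not line.startswith("#"):
            last, value = line.split(":", 1)
            current[last] = value.strip()
    return stanzas

def audit_sources(text, expected_keyring):
    """Return (suites, verdict) per stanza; verdict names the trust anchor in use."""
    report = []
    for stanza in parse_deb822(text):
        signed_by = stanza.get("Signed-By", "")
        if "BEGIN PGP PUBLIC KEY BLOCK" in signed_by:
            verdict = "embedded"               # key carried inside the field
        else:
            verdict = {"": "missing", STOCK_KEYRING: "stock",
                       expected_keyring: "expected"}.get(signed_by, "other")
        report.append((stanza.get("Suites"), verdict))
    return report

# Sample input: the ubuntu.sources quoted in the message above.
SAMPLE = """\
Types: deb
URIs: http://plug-mirror.rcac.purdue.edu/ubuntu/
Suites: noble noble-updates
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://plug-mirror.rcac.purdue.edu/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
"""

if __name__ == "__main__":
    for row in audit_sources(SAMPLE, "/etc/apt/trusted.gpg.d/localrepokey.gpg"):
        print(row)
```

Both stanzas of the sample come back as "stock", which matches the first failure described in the message: the mirror URI was applied but the custom key was not.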