You have been subscribed to a public bug:

When using an APT mirror that creates its own GPG keys to sign the files
(such as APTLY), and then attempting to use that in an autoinstall file
for subiquity, although we provide the GPG key in the autoinstall yaml,
it still uses the incorrect GPG key in sources.list.

In my APTLY environment example, I provide this snippet in my
autoinstall user-data:

...
    apt:
      primary:
      - arches: [amd64, i386, default]
        uri: http://192.168.148.3/ubuntu
      security:
      - arches: [amd64, i386, default]
        uri: http://192.168.148.3/ubuntu
      geoip: false
      disable_suites: [backports, proposed]
      disable_components: [restricted, multiverse]
      conf: | # APT config
        Acquire::Check-Valid-Until "false";
        Acquire::AllowInsecureRepositories "true";
        Acquire::AllowDowngradeToInsecureRepositories "true";
        Acquire::AllowReleaseInfoChange "true";
      sources:
        #additional-repo.list:
        #  source: "http://ubuntumirror.test.att.com/ubuntu/jammy ato_tools main"
        localrepokey:
          key: | # full key as block
            -----BEGIN PGP PUBLIC KEY BLOCK-----
 < . . . Content of the GPG key . . . :
            -----END PGP PUBLIC KEY BLOCK-----
...

However, subiquity still fails complaining about:

2024-08-13 16:24:51,746 DEBUG subiquity.server.controllers.mirror:180
The following signatures couldn't be verified because the public key is
not available: NO_PUBKEY 0C0A181F066B7A7C

And checking my installation environment, I see that subiquity adds my
key at /tmp/tmpw3ph2pba/mount/etc/apt/trusted.gpg.d/localrepokey.asc,
but looking at /tmp/tmpw3ph2pba/mount/etc/apt/sources.list.d/ubuntu.sources
I see it still has:

Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

This is the incorrect GPG key.

If I run this:

cat ./trusted.gpg.d/localrepokey.asc | gpg --dearmor -o /tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key

And then change the Signed-By line to point to this file
(/tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key), I can then run
apt-get update in the chroot environment.

We would need a way to use the correct GPG key for the apt source when
one is provided in the autoinstall user-data.

Steps to reproduce this would involve setting up an aptly mirror using
the following steps:

Add to sources.list:

deb http://repo.aptly.info/ nightly main

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A0546A43624A8331
sudo apt update
sudo apt install aptly


gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --export | gpg --no-default-keyring --keyring trustedkeys.gpg --import

aptly mirror create -architectures=amd64 -with-udebs=true noble http://archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-security http://archive.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-updates http://archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-backports http://archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse

aptly mirror update noble && aptly mirror update noble-security && aptly mirror update noble-updates && aptly mirror update noble-backports

aptly snapshot create noble from mirror noble && aptly snapshot create noble-updates from mirror noble-updates && aptly snapshot create noble-security from mirror noble-security && aptly snapshot create noble-backports from mirror noble-backports

gpg --default-new-key-algo rsa4096 --gen-key --keyring pubring.gpg

aptly publish snapshot noble && aptly publish snapshot noble-updates && aptly publish snapshot noble-security && aptly publish snapshot noble-backports

sudo apt install apache2
sudo ln -s /home/ubuntu/.aptly/public/ /var/www/html/ubuntu
chmod 755 /home/ubuntu/


Export the gpg key and use it in the autoinstall yaml:

gpg --list-keys --keyring pubring.gpg
gpg --export --armor 066B7A7C > 066B7A7C.key

** Affects: subiquity (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Incorrect GPG signature file during autoinstall when using custom GPG key
https://bugs.launchpad.net/bugs/2076943
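The mismatch the report describes, where the custom key lands in trusted.gpg.d while the Signed-By field of ubuntu.sources still names the Ubuntu archive keyring, can be checked mechanically in the target filesystem before apt-get update is attempted. The Python script below is an added example written for this page; it is not code from subiquity, aptly or the bug reporter. It parses deb822-style .sources stanzas, flags stanzas whose Signed-By keyring is absent from the target or differs from the keyring intended for the mirror, lists the Acquire options from the report's conf block that make apt tolerate unverifiable or stale Release files, and applies the Signed-By rewrite the reporter did by hand. The sources text, the apt.conf text, the keyring path /etc/apt/keyrings/aptly.key and the set of keyrings present are all constructed for the example.

```python
"""Check apt sources and config inside a subiquity install target.

Added example for this bug report; not subiquity, aptly or reporter code.
All sample inputs below are constructed and modelled on the report.
"""
from __future__ import annotations

# Acquire options that weaken apt's trust model, paired with the value that
# weakens it. AllowInsecureRepositories lets apt use a repository whose
# Release file cannot be verified; Check-Valid-Until "false" accepts stale
# (replayable) Release files.
WEAKENING_OPTIONS = {
    "Acquire::AllowInsecureRepositories": "true",
    "Acquire::AllowDowngradeToInsecureRepositories": "true",
    "Acquire::Check-Valid-Until": "false",
}


def parse_deb822_sources(text: str) -> list[dict[str, str]]:
    """Parse deb822 .sources text into a list of {field: value} stanzas."""
    stanzas: list[dict[str, str]] = []
    current: dict[str, str] = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line.startswith("#"):
            continue
        if line[0] in " \t" and last_field:   # continuation of previous field
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def check_signed_by(stanzas: list[dict[str, str]], expected: dict[str, str],
                    present: set[str]) -> list[str]:
    """Report stanzas whose Signed-By is absent, missing on disk, or not the
    keyring expected for that URI (expected maps URI -> keyring path,
    present is the set of keyring paths that exist in the target)."""
    findings = []
    for s in stanzas:
        uri = s.get("URIs", "?")
        signed_by = s.get("Signed-By")
        if signed_by is None:
            findings.append(f"{uri}: no Signed-By, falls back to trusted.gpg.d")
            continue
        if signed_by not in present:
            findings.append(f"{uri}: Signed-By keyring {signed_by} does not exist")
        want = expected.get(uri)
        if want and want != signed_by:
            findings.append(f"{uri}: Signed-By is {signed_by}, expected {want}")
    return findings


def weakening_options(apt_conf: str) -> list[str]:
    """List Acquire options in apt.conf-style text set to a weakening value."""
    found = []
    for raw in apt_conf.splitlines():
        line = raw.split("//")[0].strip().rstrip(";")   # drop // comments
        if not line:
            continue
        name, _, value = line.partition(" ")
        value = value.strip().strip('"').lower()
        if WEAKENING_OPTIONS.get(name) == value:
            found.append(name)
    return found


def rewrite_signed_by(text: str, uri: str, keyring: str) -> str:
    """Return text with Signed-By replaced in every stanza whose URIs is uri
    (the manual fix from the report, applied mechanically)."""
    out: list[str] = []
    stanza: list[str] = []

    def flush() -> None:
        if any(l.startswith("URIs:") and l.split(":", 1)[1].strip() == uri
               for l in stanza):
            for i, l in enumerate(stanza):
                if l.startswith("Signed-By:"):
                    stanza[i] = f"Signed-By: {keyring}"
        out.extend(stanza)
        stanza.clear()

    for line in text.splitlines():
        if not line.strip():
            flush()
            out.append(line)
        else:
            stanza.append(line)
    flush()
    return "\n".join(out)


# Constructed sample: both stanzas for the local mirror still name the Ubuntu
# archive keyring, as in the report's ubuntu.sources.
SAMPLE_SOURCES = """\
Types: deb
URIs: http://192.168.148.3/ubuntu
Suites: noble noble-updates
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://192.168.148.3/ubuntu
Suites: noble-security
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
"""

# Constructed sample: the conf block from the report's autoinstall snippet.
SAMPLE_APT_CONF = """\
Acquire::Check-Valid-Until "false";
Acquire::AllowInsecureRepositories "true";
Acquire::AllowDowngradeToInsecureRepositories "true";
Acquire::AllowReleaseInfoChange "true";
"""

MIRROR_URI = "http://192.168.148.3/ubuntu"
MIRROR_KEYRING = "/etc/apt/keyrings/aptly.key"   # assumed dearmored key path
PRESENT_KEYRINGS = {"/usr/share/keyrings/ubuntu-archive-keyring.gpg", MIRROR_KEYRING}

if __name__ == "__main__":
    for f in check_signed_by(parse_deb822_sources(SAMPLE_SOURCES),
                             {MIRROR_URI: MIRROR_KEYRING}, PRESENT_KEYRINGS):
        print("FINDING:", f)
    print("weakening options:", weakening_options(SAMPLE_APT_CONF))
    print(rewrite_signed_by(SAMPLE_SOURCES, MIRROR_URI, MIRROR_KEYRING))
```

Pointed at the chroot's /etc/apt/sources.list.d/ubuntu.sources and the apt.conf fragment, the checks give a yes/no answer on the two questions in the report: does every stanza for the mirror name the keyring that actually holds the mirror's signing key, and is apt configured to proceed when verification fails? Once the Signed-By path is correct, the three flagged Acquire options are no longer needed and removing them restores signature and freshness checking for the mirror.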
