** Description changed: When using an APT mirror that creates its own GPG keys to sign the files (such as APTLY), and then attempting to use that in an autoinstall file for subiquity, although we provide the GPG key in the autoinstall yaml, it still uses the incorrect GPG key in sources.list. In my APTLY environment example, I provide this snippet in my autoinstall user-data: ... - apt: - primary: - - arches: [amd64, i386, default] - uri: http://192.168.148.3/ubuntu - security: - - arches: [amd64, i386, default] - uri: http://192.168.148.3/ubuntu - geoip: false - disable_suites: [backports, proposed] - disable_components: [restricted, multiverse] - conf: | # APT config - Acquire::Check-Valid-Until "false"; - Acquire::AllowInsecureRepositories "true"; - Acquire::AllowDowngradeToInsecureRepositories "true"; - Acquire::AllowReleaseInfoChange "true"; - sources: - #additional-repo.list: - # source: "http://ubuntumirror.test.att.com/ubuntu/jammy ato_tools main" - localrepokey: - key: | # full key as block - -----BEGIN PGP PUBLIC KEY BLOCK----- - < . . . Content of the GPG key . . . : - -----END PGP PUBLIC KEY BLOCK----- + apt: + primary: + - arches: [amd64, i386, default] + uri: http://192.168.148.3/ubuntu + security: + - arches: [amd64, i386, default] + uri: http://192.168.148.3/ubuntu + geoip: false + disable_suites: [backports, proposed] + disable_components: [restricted, multiverse] + conf: | # APT config + Acquire::Check-Valid-Until "false"; + Acquire::AllowInsecureRepositories "true"; + Acquire::AllowDowngradeToInsecureRepositories "true"; + Acquire::AllowReleaseInfoChange "true"; + sources: + #additional-repo.list: + # source: "http://ubuntumirror.test.att.com/ubuntu/jammy ato_tools main" + localrepokey: + key: | # full key as block + -----BEGIN PGP PUBLIC KEY BLOCK----- + < . . . Content of the GPG key . . . : + -----END PGP PUBLIC KEY BLOCK----- ... However, subiquity still fails complaining about: 2024-08-13 16:24:51,746 DEBUG subiquity.server.controllers.mirror:180 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0C0A181F066B7A7C And checking my installation environment, I see that subiquity adds my key at /tmp/tmpw3ph2pba/mount/etc/apt/trusted.gpg.d/localrepokey.asc, but looking at/tmp/tmpw3ph2pba/mount/etc/apt/sources.list.d/ubuntu.sources` I see it still has: Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg This is the incorrect GPG key. If I run this: cat ./trusted.gpg.d/localrepokey.asc | gpg --dearmor -o /tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key And then change the Signed-By line to point to this file (/tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key), I can then run apt- get update in the chroot environment. We would need a way to use the correct GPG key to the apt source when provided in the autoinstall user-data Steps to reproduce this would involve setting up an aptly mirror using the following steps: Add to sources.list: deb http://repo.aptly.info/ nightly main sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A0546A43624A8331 sudo apt update sudo apt install aptly - - gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --export | gpg --no-default-keyring --keyring trustedkeys.gpg --import + gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive- + keyring.gpg --export | gpg --no-default-keyring --keyring + trustedkeys.gpg --import aptly mirror create -architectures=amd64 -with-udebs=true noble http://archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse aptly mirror create -architectures=amd64 -with-udebs=true noble-security http://archive.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse aptly mirror create -architectures=amd64 -with-udebs=true noble-updates http://archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse aptly mirror create -architectures=amd64 -with-udebs=true noble-backports http://archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse aptly mirror update noble && aptly mirror update noble-security && aptly mirror update noble-updates && aptly mirror update noble-backports aptly snapshot create noble from mirror noble && aptly snapshot create noble-updates from mirror noble-updates && aptly snapshot create noble- security from mirror noble-security && aptly snapshot create noble- backports from mirror noble-backports gpg --default-new-key-algo rsa4096 --gen-key --keyring pubring.gpg aptly publish snapshot noble && aptly publish snapshot noble-updates && aptly publish snapshot noble-security && aptly publish snapshot noble- backports sudo apt install apache2 sudo ln -s /home/ubuntu/.aptly/public/ /var/www/html/ubuntu chmod 755 /home/ubuntu/ - Export the gpg key and use it in the autoinstall yaml: gpg --list-keys --keyring pubring.gpg gpg --export --armor 066B7A7C > 066B7A7C.key + + + --- + + Workaround: provide sources content in deb822 format and include the + text of the key in signed-by + + sources: + ubuntu.sources: + source: | + Types: deb + URIs: http://ip/ubuntu + Suites: noble noble-updates noble-backports noble-security + Components: main + #Signed-By: /etc/apt/trusted.gpg.d/localrepokey.asc + Signed-By: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + . + <key> + -----END PGP PUBLIC KEY BLOCK-----
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2076943 Title: Incorrect GPG signature file during autoinstall when using custom GPG key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2076943/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
