Merge lp://staging/~xnox/debian-cd/missing-keys into lp://staging/~ubuntu-cdimage/debian-cd/ubun3

Proposed by Dimitri John Ledkov
Status: Rejected
Rejected by: Iain Lane
Proposed branch: lp://staging/~xnox/debian-cd/missing-keys
Merge into: lp://staging/~ubuntu-cdimage/debian-cd/ubun3
Diff against target: 13 lines (+3/-0)
1 file modified
tools/apt-selection (+3/-0)
To merge this branch: bzr merge lp://staging/~xnox/debian-cd/missing-keys
Reviewer Review Type Date Requested Status
Dimitri John Ledkov (community) Disapprove
Steve Langasek Abstain
Adam Conrad Pending
Ubuntu CD Image Team Pending
Review via email: mp+364505@code.staging.launchpad.net

Commit message

When trying to operate ubuntu-cdimage/debian-cd on disco, it fails to verify the anonftparchive local mirror due to lack of GPG keys.

Add a snippet to copy-in system trusted.gpg.d key snippets to validate the repos.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Ping, this is hindering trying to run debian-cd locally when building images.

Can you explain how this is deployed in production, given that all builds must be failing. Or are you running debian-cd in production without verifying signatures on the local mirror?

For me, clean deployments always fail like so:

Get:1 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal InRelease [255 kB]
Get:1 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal InRelease [255 kB]
Get:2 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal-updates InRelease [79.7 kB]
Get:2 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal-updates InRelease [79.7 kB]
Err:1 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3B4FE6ACC0B21F32 NO_PUBKEY 871920D1991BC93C
Err:2 file:/home/xnox/canonical/ubuntu-cdimage/ftp focal-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3B4FE6ACC0B21F32 NO_PUBKEY 871920D1991BC93C

How come ubuntu-cdimage / debian-cd seem to clean the scratch dir and purge trusted.gpg.d and nothing seems to import the keys.

Revision history for this message
Steve Langasek (vorlon) wrote :

I don't know why you are seeing errors due to unverified repositories that we are not seeing on nusakan. I can confirm that there is no gpg keyring in the scratch apt directory, and the sources.list doesn't include any overrides to ignore signature failures. So I don't know how this is meant to work and I don't want to make changes here without understanding it. I'd like Adam to comment on this.

Also ftr /etc/apt/trusted.gpg.d is empty on the host and /etc/apt/trusted.gpg contains the archive keys. So is this a difference between nusakan's xenial host, and a later release that you're deploying on?

review: Abstain
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I believe juliank mentioned an apt bug, that it used the system /etc/apt/trusted.gpg despite all the configs asking to use an alternative apt config root dir. Due to this bug, on nusakan this probably works, but will stop working once it is upgraded.

I guess I can work around this locally, but I do still wonder what we want to do long term, w.r.t. using the right keys for the right series in target, without polluting host keys.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

So is the new host failing to perform apt-selection operations without this?

Also not all keys in host's /etc/apt/trusted.gpg.d are enough to build all the series. Should ubuntu-archive-keyring.gpg be copied in from /usr/share/keyrings instead?

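The thread leaves two questions open: why apt on the xenial host still finds the archive keys when the scratch apt root has no keyring (the bug xnox mentions, apt falling back to the host's /etc/apt/trusted.gpg), and how to give each series the right keys without polluting the host. The script below is an added example, not debian-cd or ubuntu-cdimage code and not the content of the unavailable diff. It builds a self-contained apt root whose only trust anchor is a keyring copied in for that series (the thread suggests /usr/share/keyrings/ubuntu-archive-keyring.gpg) and pins every source to it with `signed-by`, so a NO_PUBKEY failure is reproducible regardless of what the host keeps in trusted.gpg. The scratch layout, the `series.gpg` name and the `make_scratch_apt` / `mirror_verifies` helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not debian-cd/ubuntu-cdimage code). Builds an apt root whose
# trust is limited to one series keyring, instead of whatever the host keeps
# in /etc/apt/trusted.gpg(.d). Layout and helper names are assumptions.
set -eu

# make_scratch_apt SCRATCH MIRROR_PATH SERIES KEYRING
# Writes apt.conf, sources.list and the keyring under SCRATCH for a local
# file: mirror at MIRROR_PATH and prints the path of the generated apt.conf.
make_scratch_apt() {
    scratch=$1; mirror=$2; series=$3; keyring=$4
    mkdir -p "$scratch/etc/trusted.gpg.d" "$scratch/etc/apt.conf.d" \
             "$scratch/state/lists/partial" "$scratch/cache/archives/partial"

    # Only the keyring for this series is trusted. An explicit, empty
    # trusted.gpg in the scratch root means a missing key shows up as
    # NO_PUBKEY here rather than being silently satisfied by the host.
    cp "$keyring" "$scratch/etc/trusted.gpg.d/series.gpg"
    : > "$scratch/etc/trusted.gpg"

    # signed-by pins each source to the copied keyring even if something
    # else later lands in trusted.gpg.d.
    cat > "$scratch/etc/sources.list" <<EOF
deb [signed-by=$scratch/etc/trusted.gpg.d/series.gpg] file:$mirror $series main restricted
deb [signed-by=$scratch/etc/trusted.gpg.d/series.gpg] file:$mirror $series-updates main restricted
EOF

    # Dir relocates apt's whole tree; the Dir::Etc::* entries are spelled out
    # so the intended keyring locations are visible in the config itself.
    cat > "$scratch/apt.conf" <<EOF
Dir "$scratch";
Dir::Etc "$scratch/etc";
Dir::Etc::Parts "$scratch/etc/apt.conf.d";
Dir::Etc::SourceList "$scratch/etc/sources.list";
Dir::Etc::Trusted "$scratch/etc/trusted.gpg";
Dir::Etc::TrustedParts "$scratch/etc/trusted.gpg.d";
Dir::State "$scratch/state";
Dir::Cache "$scratch/cache";
EOF
    echo "$scratch/apt.conf"
}

# mirror_verifies APT_CONF
# Runs apt-get update against the scratch root and returns 0 only when no
# InRelease signature failed. Needs apt-get and a populated mirror, so it is
# the manual check rather than something run by the self-test below.
mirror_verifies() {
    out=$(apt-get -c "$1" update 2>&1) || true
    if printf '%s\n' "$out" | grep -q 'NO_PUBKEY'; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -qE '^(Err|W):'; then
        return 1
    fi
    return 0
}
```

Usage, on a host with the mirror and keyring present: `conf=$(make_scratch_apt /tmp/apt-focal /home/xnox/canonical/ubuntu-cdimage/ftp focal /usr/share/keyrings/ubuntu-archive-keyring.gpg)` followed by `mirror_verifies "$conf"`. To reproduce the failure from the thread, pass an empty file as the keyring: apt then reports NO_PUBKEY for the InRelease files instead of consulting the host's keys.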
Revision history for this message
Dimitri John Ledkov (xnox) wrote :
review: Disapprove
Revision history for this message
Iain Lane (laney) wrote :

Ah, sorry for not paying attention to this touching a similar area before.

Unmerged revisions

2021. By Dimitri John Ledkov

Copy-in trusted key snippets.

