[Bug 2076943] Re: Incorrect GPG signature file during autoinstall when using custom GPG key
Tiago Pasqualini da Silva
2076943 at bugs.launchpad.net
Wed Sep 18 22:38:31 UTC 2024
It is currently possible to achieve this by using templates, which is
supported by curtin. This is currently not documented anywhere besides
one of the examples:
https://github.com/canonical/curtin/blob/master/examples/apt-source.yaml#L109
I have proposed a PR that adds documentation for this in curtin:
https://code.launchpad.net/~tiago.pasqualini/curtin/+git/curtin/+merge/473478
https://bugs.launchpad.net/bugs/2076943
Title: Incorrect GPG signature file during autoinstall when using custom GPG key
Status in subiquity package in Ubuntu: Triaged
Bug description:
When using an APT mirror that creates its own GPG keys to sign the
files (such as APTLY), and then attempting to use that in an
autoinstall file for subiquity, although we provide the GPG key in the
autoinstall yaml, it still uses the incorrect GPG key in sources.list.
In my APTLY environment example, I provide this snippet in my autoinstall user-data:

...
apt:
  primary:
    - arches: [amd64, i386, default]
      uri: http://192.168.148.3/ubuntu
  security:
    - arches: [amd64, i386, default]
      uri: http://192.168.148.3/ubuntu
  geoip: false
  disable_suites: [backports, proposed]
  disable_components: [restricted, multiverse]
  conf: | # APT config
    Acquire::Check-Valid-Until "false";
    Acquire::AllowInsecureRepositories "true";
    Acquire::AllowDowngradeToInsecureRepositories "true";
    Acquire::AllowReleaseInfoChange "true";
  sources:
    #additional-repo.list:
    #  source: "http://ubuntumirror.test.att.com/ubuntu/jammy ato_tools main"
    localrepokey:
      key: | # full key as block
        -----BEGIN PGP PUBLIC KEY BLOCK-----
        < . . . Content of the GPG key . . . >
        -----END PGP PUBLIC KEY BLOCK-----
...
However, subiquity still fails complaining about:
2024-08-13 16:24:51,746 DEBUG subiquity.server.controllers.mirror:180
The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 0C0A181F066B7A7C
And checking my installation environment, I see that subiquity adds my
key at /tmp/tmpw3ph2pba/mount/etc/apt/trusted.gpg.d/localrepokey.asc,
but looking at /tmp/tmpw3ph2pba/mount/etc/apt/sources.list.d/ubuntu.sources
I see it still has:
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
This is the incorrect GPG key.
If I run this:
cat ./trusted.gpg.d/localrepokey.asc | gpg --dearmor -o /tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key
And then change the Signed-By line to point to this file
(/tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key), I can then run
apt-get update in the chroot environment.
We would need a way to use the correct GPG key for the apt source when
one is provided in the autoinstall user-data.
Steps to reproduce this would involve setting up an aptly mirror using
the following steps:
Add to sources.list:
deb http://repo.aptly.info/ nightly main
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A0546A43624A8331
sudo apt update
sudo apt install aptly
gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --export | gpg --no-default-keyring --keyring trustedkeys.gpg --import
aptly mirror create -architectures=amd64 -with-udebs=true noble http://archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-security http://archive.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-updates http://archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-backports http://archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse
aptly mirror update noble && aptly mirror update noble-security && aptly mirror update noble-updates && aptly mirror update noble-backports
aptly snapshot create noble from mirror noble && aptly snapshot create noble-updates from mirror noble-updates && aptly snapshot create noble-security from mirror noble-security && aptly snapshot create noble-backports from mirror noble-backports
gpg --default-new-key-algo rsa4096 --gen-key --keyring pubring.gpg
aptly publish snapshot noble && aptly publish snapshot noble-updates && aptly publish snapshot noble-security && aptly publish snapshot noble-backports
sudo apt install apache2
sudo ln -s /home/ubuntu/.aptly/public/ /var/www/html/ubuntu
chmod 755 /home/ubuntu/
Export the gpg key and use it in the autoinstall yaml:
gpg --list-keys --keyring pubring.gpg
gpg --export --armor 066B7A7C > 066B7A7C.key
---
Workaround: provide sources content in deb822 format and include the
text of the key in Signed-By:

sources:
  ubuntu.sources:
    source: |
      Types: deb
      URIs: http://ip/ubuntu
      Suites: noble noble-updates noble-backports noble-security
      Components: main
      #Signed-By: /etc/apt/trusted.gpg.d/localrepokey.asc
      Signed-By: |
       -----BEGIN PGP PUBLIC KEY BLOCK-----
       .
       <key>
       -----END PGP PUBLIC KEY BLOCK-----
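The two fixes above rest on the same deb822 mechanics: the manual fix dearmors the key and points Signed-By at the resulting keyring file, and the workaround embeds the armored key in Signed-By itself. The following is an added example, not subiquity, curtin or apt code, that renders such a stanza and reads it back. It follows the inline-key rules from sources.list(5): every line of the key becomes a continuation line (leading space) and each empty line in the key becomes a lone ".", because an empty line terminates a deb822 stanza. The key block is a constructed placeholder, not a real key; the mirror URI and the /etc/apt/keyrings/aptly.key path are taken from the report; the function names are mine. Dearmoring itself is still done with gpg --dearmor, which this script does not replace.

```python
"""deb822 apt source with an inline Signed-By key, and rewriting Signed-By to
a keyring path. Added example; not code from subiquity, curtin or apt."""

# Constructed placeholder with the shape of `gpg --export --armor` output
# (header, blank line, body, CRC line, footer). Not a real key.
SAMPLE_ARMORED_KEY = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "\n"
    "mQINBGa0b0ABEADexampleexampleexampleexampleexample\n"
    "=Ab12\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)

MIRROR_URI = "http://192.168.148.3/ubuntu"  # mirror from the bug report


def inline_signed_by_lines(armored_key):
    """Turn an armored key into deb822 continuation lines (sources.list(5)):
    prefix each line with a space, replace empty lines with ' .'."""
    lines = []
    for line in armored_key.rstrip("\n").split("\n"):
        lines.append(" ." if line == "" else " " + line)
    return lines


def render_source(uris, suites, components, signed_by):
    """Render one deb822 stanza. `signed_by` is a keyring path or an armored
    key; an armored key is embedded inline."""
    fields = [
        "Types: deb",
        "URIs: " + " ".join(uris),
        "Suites: " + " ".join(suites),
        "Components: " + " ".join(components),
    ]
    if signed_by.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        fields.append("Signed-By:")
        fields.extend(inline_signed_by_lines(signed_by))
    else:
        fields.append("Signed-By: " + signed_by)
    return "\n".join(fields) + "\n"


def parse_stanza(text):
    """Minimal deb822 reader for the first stanza: 'Field: value' lines plus
    continuation lines. It stops at the first empty line, as apt does, which
    is why an unescaped blank line inside an inline key breaks the source."""
    fields = {}
    current = None
    for line in text.splitlines():
        if line == "":
            break
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            body = line[1:]
            fields[current] += "\n" + ("" if body == "." else body)
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed line: " + line)
            current = name
            fields[name] = value.strip()
    return fields


def signed_by(text):
    """Return the Signed-By value; an inline key comes back as armored text."""
    value = parse_stanza(text)["Signed-By"]
    if value.startswith("\n"):
        return value.lstrip("\n") + "\n"
    return value


def set_signed_by(text, keyring_path):
    """Replace the Signed-By field (path or inline key) with a keyring path,
    i.e. the report's manual fix applied to the stanza text. The keyring
    itself must already exist (e.g. produced with `gpg --dearmor`)."""
    out = []
    skipping = False
    for line in text.splitlines():
        if skipping and line[:1] in (" ", "\t"):
            continue  # drop continuation lines of the old inline key
        skipping = False
        if line.startswith("Signed-By:"):
            out.append("Signed-By: " + keyring_path)
            skipping = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    stanza = render_source([MIRROR_URI], ["noble", "noble-updates", "noble-security"],
                           ["main"], SAMPLE_ARMORED_KEY)
    print(stanza)
    print(set_signed_by(stanza, "/etc/apt/keyrings/aptly.key"))
```

Running it prints the inline-key stanza and then the same stanza rewritten to reference /etc/apt/keyrings/aptly.key. The stanza-terminator rule is the part worth checking on real input: if the blank line after the armor header is left empty instead of becoming " .", apt sees the stanza end after the header line and the Signed-By value is just the header.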