APT repo PGP keys not handled appropriately
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init | Expired | High | Unassigned |
Bug Description
For further reference within this bug, I provide the example file https:/
I am attempting to employ the apt tools provided within the cloud-init system to configure a new apt repository for installing docker during initial deployment. This is of course preferred to using shell commands as this would ideally allow better handling of issues of package installation and also hopefully be more secure.
packages:
  ...
  - docker-ce
  - docker-ce-cli
  - containerd.io
are described within the user-data, and
apt:
  sources:
    docker:
      source: "deb [arch=amd64 signed-
      key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----
        ...
        -----END PGP PUBLIC KEY BLOCK-----
is provided as the corresponding key. This key is obtained by running the command:
curl -fsSL https:/
I am using the stock Ubuntu 20.04.2 cloud image as the guest platform.
The expected/desired behavior of this would be to dearmor the GPG key provided into the /usr/share/keyrings directory with a filename (sourcename)
The actual behavior however is to install the GPG key within the /etc/trusted.gpg directory which appears to no longer be supported as apt-key is no longer supported (my reference for this information is https:/
As such, apt (update|
W: GPG error: https:/
E: The repository 'https:/
2021-05-31 13:40:10,144 - util.py[WARNING]: Running module apt-configure (<module 'cloudinit.
Changed in cloud-init:
  status: New → Triaged
  importance: Undecided → High
Thanks for the detailed bug report.
You can make your example "work" by removing the "signed-by=/usr/share/keyrings/docker-archive-keyring.gpg" section on your deb line, though this is insecure for the reasons you linked.
cloud-init is currently adding raw keys via the apt-key command. We'll need to change this.
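The behaviour the report asks for (dearmor the supplied key into a per-source keyring file and pin the repository to it with signed-by, instead of dropping it into the global apt-key trust store) as an added example. This is not cloud-init's own code: the function names (dearmor, armor, install_apt_source, demo), the `<name>-archive-keyring.gpg` file naming, the repository URL and the sample key bytes are all constructed for the example, and the dearmoring is done by hand (base64 body plus the RFC 4880 CRC-24 trailer) so it runs without gpg installed.

```python
"""Added example (not cloud-init's own code): turn an ASCII-armored PGP
public key into a binary keyring under a keyrings directory and emit an apt
source line that pins the repository to that keyring with signed-by.
All names here (dearmor, armor, install_apt_source, demo, SAMPLE_RAW) are
hypothetical; the URL used in demo() is a placeholder, not Docker's."""
import base64
import os
import re
import tempfile

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1. It catches transmission damage to
    the armor body; it is not a tamper check."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Hand-rolled equivalent of `gpg --dearmor` for a public key block.
    Raises ValueError on anything that is not a well-formed, intact block."""
    lines = [ln.rstrip() for ln in armored.strip().splitlines()]
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not a PGP PUBLIC KEY BLOCK")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at the blank line
        body = body[body.index("") + 1:]
    # The optional trailer line is "=" followed by the base64 CRC-24.
    checksum = body.pop()[1:] if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body), validate=True)
    if checksum is not None:
        expected = int.from_bytes(base64.b64decode(checksum), "big")
        if crc24(raw) != expected:
            raise ValueError("armor CRC-24 mismatch: key data is corrupted")
    if not raw or not raw[0] & 0x80:  # every OpenPGP packet tag has bit 7 set
        raise ValueError("decoded data is not an OpenPGP packet stream")
    return raw


def armor(raw: bytes) -> str:
    """Inverse of dearmor (with CRC-24 trailer); used here only to construct
    the sample key block."""
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([ARMOR_BEGIN, ""] + chunks + ["=" + crc, ARMOR_END]) + "\n"


# Constructed stand-in for a real key: an old-format OpenPGP packet header
# (tag 6 = public key, two-octet length of 3) followed by three dummy octets.
SAMPLE_RAW = b"\x99\x00\x03\x04\x01\x02"
SAMPLE_ARMORED = armor(SAMPLE_RAW)


def install_apt_source(name, armored_key, url, suite, components, arch,
                       keyring_dir, sources_dir):
    """Write <keyring_dir>/<name>-archive-keyring.gpg and <sources_dir>/<name>.list
    whose deb line carries signed-by=<keyring>, so apt trusts this key for this
    repository only rather than for every repository, as apt-key would.
    Returns (keyring_path, deb_line)."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("source name must be a plain file-name token")
    os.makedirs(keyring_dir, exist_ok=True)
    os.makedirs(sources_dir, exist_ok=True)
    keyring = os.path.join(keyring_dir, f"{name}-archive-keyring.gpg")
    with open(keyring, "wb") as fh:
        fh.write(dearmor(armored_key))
    os.chmod(keyring, 0o644)  # apt reads keyrings as an unprivileged user
    deb_line = (f"deb [arch={arch} signed-by={keyring}] "
                f"{url} {suite} {' '.join(components)}")
    with open(os.path.join(sources_dir, f"{name}.list"), "w") as fh:
        fh.write(deb_line + "\n")
    return keyring, deb_line


def demo():
    """Run against a throwaway tree standing in for /usr/share/keyrings and
    /etc/apt/sources.list.d (placeholder URL, constructed key)."""
    root = tempfile.mkdtemp()
    return install_apt_source(
        "docker", SAMPLE_ARMORED, "https://download.example.invalid/linux/ubuntu",
        "focal", ["stable"], "amd64",
        keyring_dir=os.path.join(root, "usr/share/keyrings"),
        sources_dir=os.path.join(root, "etc/apt/sources.list.d"))


if __name__ == "__main__":
    keyring_path, source_line = demo()
    print(keyring_path)
    print(source_line)
```

The CRC-24 check rejects a block whose base64 body was damaged in transit, which is the failure a user-data key pasted through several tools is most likely to suffer; the packet-tag check rejects a block that decodes cleanly but is not OpenPGP data at all. Neither replaces verifying the key's fingerprint against the publisher's documentation before it is put into user-data.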