cloud-init uses gnupg

Bug #1949602 reported by Julian Andres Klode
Affects: cloud-init
Status: Expired
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

The fix for bug 1836336 made cloud-init use gpg directly, which is odd, given that the reason for getting rid of apt-key is that gpg might not be around in systems (and honestly, shouldn't be).

Julian Andres Klode (juliank) wrote :

I want to note it's not clear to me if you use key servers or private key crypto, which requires gnupg, or if you would be fine with gpg itself.

Optimally I'd want us to migrate to a world where only gpgv is installed, to avoid having useless binaries around. Receiving keys from keyserver.ubuntu.com, dearmoring keyrings on old releases are all trivial to do yourself.

That said, the preference for bionic+ is to store the keyrings as is, so if they are armored, just let them be and be happy, and let apt deal with it.
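The comment above says dearmoring a keyring without gpg is trivial; as an added illustration (not code from cloud-init or from this thread), the following Python decodes RFC 4880 ASCII armor and verifies its CRC-24 trailer, so a corrupted or truncated key block is rejected instead of being installed as an apt keyring. The armor() helper and SAMPLE_KEYRING are constructed for the demo and contain no real key material.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1) over the binary packet bytes."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip RFC 4880 ASCII armor and return the binary keyring bytes.
    Raises ValueError on missing armor lines, bad base64 or a CRC-24 mismatch."""
    lines = [l.strip() for l in armored.splitlines()]
    begin = next((i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP ")), -1)
    end = next((i for i, l in enumerate(lines) if l.startswith("-----END PGP ")), -1)
    if begin < 0 or end <= begin:
        raise ValueError("missing or misordered armor BEGIN/END lines")
    body = lines[begin + 1:end]
    while body and ":" in body[0]:  # skip "Version:", "Comment:" ... armor headers
        body.pop(0)
    data, crc_text = [], None
    for line in body:
        if line.startswith("="):    # "=XXXX" is the base64 of the 3-byte CRC-24
            crc_text = line[1:]
        elif line:
            data.append(line)
    # validate=True makes b64decode raise binascii.Error (a ValueError) on junk
    raw = base64.b64decode("".join(data), validate=True)
    if crc_text is not None:
        expected = int.from_bytes(base64.b64decode(crc_text, validate=True), "big")
        if expected != crc24(raw):
            raise ValueError("armor CRC-24 mismatch: keyring corrupted or truncated")
    return raw


def armor(raw: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Inverse of dearmor(); used here only to build the constructed sample."""
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    head = [f"-----BEGIN PGP {kind}-----", "Comment: constructed sample, not a real key", ""]
    tail = [f"={crc}", f"-----END PGP {kind}-----", ""]
    return "\n".join(head + [b64[j:j + 64] for j in range(0, len(b64), 64)] + tail)


SAMPLE_KEYRING = bytes((i * 37) & 0xFF for i in range(100))  # constructed, not key material
ARMORED_SAMPLE = armor(SAMPLE_KEYRING)
```

Real armored keys also carry a packet header that a full parser would inspect; this block only covers the armor layer, which is the part apt-key needed gnupg for.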

Julian Andres Klode (juliank) wrote :

Note that the Ubuntu images currently seed gnupg, but only transitively through dependencies, not explicitly. OTOH, Debian systems can have no gpg around entirely, just gpgv.

Brett Holman (holmanb) wrote :

Hi Julian,

Thanks for the feedback. I was unaware that gpg was also deprecated. What is the timeline?

Cloud-init had previous dependencies on gpg prior to this change. It looks like usage of gpg is limited to the apt_configure module, but it is worth noting that removing gpg dependence is a different scope than removing apt-key was (LP#1836336).

Julian Andres Klode (juliank) wrote (last edit):

Don't have a timeline. I think cloud-init and snapd are the only things using it; as long as you depend on it, it should work.

But it stands to reason that if we can avoid this someday, that'd be nice. Our docker images don't have gnupg either, I'd love to not have it in lxd or real cloud to get them smaller and avoid the daemons.

Especially gnupg with dirmngr and stuff creates directories and spawns daemons that don't end, and managing that is a bit annoying, a lot of apt-key code is just cleaning up after gnupg.

Chad Smith (chad.smith) wrote :

Agreed on Brett's comment here: the scope is a bit bigger than just the apt-key deprecation, but I agree it's limited to cc_apt_configure, and since cloud-init no longer SRUs updates to Xenial, we might be able to drop the armour awareness in general.

This won't be high priority for 22.04, but we might be able to get to it about mid-cycle.

Changed in cloud-init:
status: New → Triaged
importance: Undecided → Medium
James Falcon (falcojr) wrote :
Changed in cloud-init:
status: Triaged → Expired