
Debian/Ubuntu: Aptly only compatible with GPG v1, installs v2 anyway

Open DClabaut opened this issue 2 years ago • 1 comments

Detailed Description

Per the documentation here, Aptly is only compatible with GPG v1.

However, the dependencies for the packages (debian, ubuntu) force installation of gnupg which is gpg version 2.

This can be tested by building and running this Dockerfile:

FROM debian:latest

RUN apt-get update && \
    apt-get install gnupg1 -y && \
    apt-get clean

RUN apt-get install aptly ca-certificates -y && \
    apt-get clean

ADD aptly.conf /etc/aptly.conf
VOLUME ["/aptly"]
VOLUME ["/public"]
EXPOSE 8080

ENTRYPOINT ["aptly", "api", "serve"]

$ sudo docker build . -t aptly:0.0.1

$ sudo docker run --entrypoint="" aptly:0.0.1 gpg --version
gpg (GnuPG) 2.2.27

$ sudo docker run --entrypoint="" aptly:0.0.1 gpgv1 --version
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "gpgv1": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled 

Context

Packages hosted on Debian and Ubuntu default repositories are not functional.

Possible Implementation

The cleanest way would be to make Aptly work with GPG v2, which has been the default for many years. Fixing the dependencies in the Debian packaging would be a good quick-win though.

Your Environment

See Dockerfile above to reproduce

Other

Possibly the same as:

  • https://github.com/aptly-dev/aptly/issues/822
  • https://github.com/aptly-dev/aptly/issues/931
  • https://github.com/aptly-dev/aptly/issues/1111
  • https://github.com/aptly-dev/aptly/issues/1114
  • https://github.com/aptly-dev/aptly/issues/1121

DClabaut, Dec 19 '22 20:12
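A build-time check for the situation reproduced above, as an added example (not code from the issue or from the aptly project): it reports which GnuPG major version sits behind each binary name, so an image build can fail early when the expected one is absent. The function names are hypothetical, and the binary names gpg1 and gpgv are assumptions beyond the gpg and gpgv1 commands run in the issue.

```shell
#!/bin/sh
# Added example: report the GnuPG major version behind each binary name.

# Print the major version found in the first line of "<binary> --version"
# output, e.g. "gpg (GnuPG) 2.2.27" -> 2. Prints nothing if it does not match.
gnupg_major() {
    printf '%s\n' "$1" |
        sed -n '1s/^gpgv\{0,1\} (GnuPG) \([0-9][0-9]*\)\..*/\1/p'
}

# For each name given, print "name=<major>", "name=unknown" (binary found but
# its version line was not recognised) or "name=missing" (not in PATH).
gnupg_report() {
    for bin in "$@"; do
        if path=$(command -v "$bin" 2>/dev/null); then
            major=$(gnupg_major "$("$path" --version 2>/dev/null)")
            printf '%s=%s\n' "$bin" "${major:-unknown}"
        else
            printf '%s=missing\n' "$bin"
        fi
    done
}

# Succeed only if every named binary exists and reports GnuPG major $1.
# Usable as a Dockerfile RUN step so the build stops on a mismatch.
require_gnupg_major() {
    want=$1
    shift
    for name in "$@"; do
        case $(gnupg_report "$name") in
            "$name=$want") ;;
            *) return 1 ;;
        esac
    done
}

# Candidate names: gpg and gpgv1 are the ones run in the issue; gpg1 and
# gpgv are assumed here as the other v1/v2 binary names to inspect.
gnupg_report gpg1 gpgv1 gpg gpgv
```

In the image from the issue, `require_gnupg_major 1 gpgv1` would fail, matching the "executable file not found" result shown there.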

aptly works with gpg2:

  • https://github.com/aptly-dev/aptly/pull/779
  • https://github.com/aptly-dev/aptly/releases/tag/v1.4.0

However, it requires the additional -keyring option; I guess the reason is that it still tries to find the trustedkeys.gpg file (gpg1 keyring format) by default.

-keyring=trustedkeys.gpg: gpg keyring to use when verifying Release file (could be specified multiple times)

https://www.aptly.info/doc/aptly/mirror/create/

Or edit the documentation to reflect this?

HilebertSpace, Dec 29 '22 14:12