apt-buildpack
Only first key is imported from given URL
What version of Cloud Foundry and CF CLI are you using? (i.e. What is the output of running cf curl /v2/info && cf version?)
{
"name": "",
"build": "",
"support": "https://***REDACTED***/support",
"version": 0,
"description": "Cloud Foundry provided by ***REDACTED***",
"authorization_endpoint": "https://***REDACTED***",
"token_endpoint": "https://***REDACTED***",
"min_cli_version": "6.51.0",
"min_recommended_cli_version": "latest",
"app_ssh_endpoint": "ssh.***REDACTED***:2222",
"app_ssh_host_key_fingerprint": "***REDACTED***",
"app_ssh_oauth_client": "ssh-proxy",
"doppler_logging_endpoint": "wss://***REDACTED***:443",
"api_version": "2.206.0",
"osbapi_version": "2.15",
"routing_endpoint": "https://***REDACTED***/routing",
"user": "***REDACTED***"
}
cf version 8.7.1+9c81242.2023-06-15
What version of the buildpack you are using?
0.3.0
If you were attempting to accomplish a task, what was it you were attempting to do?
I was trying to install google-chrome-stable from the http://dl.google.com/linux/chrome/deb/ repo.
keys:
- https://dl.google.com/linux/linux_signing_key.pub
repos:
- deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
packages:
- google-chrome-stable
manifest:
---
applications:
- stack: cflinuxfs4
  buildpacks:
  - apt_buildpack
  - nodejs_buildpack
What did you expect to happen?
The buildpack installs both keys present in https://dl.google.com/linux/linux_signing_key.pub and is able to install google-chrome-stable
What was the actual behavior?
The buildpack only installs the first key present in https://dl.google.com/linux/linux_signing_key.pub, which is no longer used for signing, and installation fails:
Downloading nodejs_buildpack...
Downloading apt_buildpack...
Downloaded apt_buildpack
Downloaded nodejs_buildpack
Cell 92c27375-1388-4198-8483-ddcb70f93543 creating container for instance e428c1e1-5b93-4aa0-b09d-1052aba82d73
Cell 92c27375-1388-4198-8483-ddcb70f93543 successfully created container for instance e428c1e1-5b93-4aa0-b09d-1052aba82d73
Downloading build artifacts cache...
Downloading app package...
Downloaded app package (21.2M)
Downloaded build artifacts cache (159.2M)
-----> Apt Buildpack version 0.3.0
-----> Adding apt keys
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg: key 7FAC5991: public key "Google, Inc. Linux Package Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
-----> Adding apt repos
-----> Updating apt cache
**ERROR** Error running supply: failed to apt-get update Get:1 http://dl.google.com/linux/chrome/deb stable InRelease [1,825 B]
Hit:2 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Err:1 http://dl.google.com/linux/chrome/deb stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4EB27DB2A3B88B8B
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1,340 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1,266 kB]
rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
Reading package lists...
W: GPG error: http://dl.google.com/linux/chrome/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4EB27DB2A3B88B8B
E: The repository 'http://dl.google.com/linux/chrome/deb stable InRelease' is not signed.
exit status 100
Failed to run all supply scripts: exit status 14
Exit status 225
This is apparently a known issue with gpg --fetch-keys, which is why most manuals opt to do curl $KEY_URL | apt-key add - instead (though it works for me locally but I might have a newer version of gpg).
Maybe this can be tackled along with #152?
Please confirm where necessary:
- [✔] I have included a log output
- [✔] My log includes an error message
- [✔] I have included steps for reproduction
I tried working around the issue using gpg_advanced_options but ran into an issue there as well: it’s not possible to pass in multiple options to adv, at least not the way the feature is meant to be used, as indicated in the corresponding test:
https://github.com/cloudfoundry/apt-buildpack/blob/a21d77127d301ea7df33714e441306910b5b2128/src/apt/apt/apt_test.go#L144-L161
As you can see from the test assertion, each item in gpg_advanced_options is a string that represents a single option so there is no way to pass multiple options. So I guess I found a second bug.
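Added example, not part of the issue or of apt-buildpack's code: a gpg-independent way to list every key a downloaded key file actually contains, so the result can be compared with gpg's "Total number processed" line and with the key ID in apt's NO_PUBKEY message from the build log above. The function names are hypothetical, and only version 4 keys are handled, whose key ID is the low 64 bits of the SHA-1 fingerprint.

```python
import base64
import hashlib
import re

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor_all(text):
    """Decode every armored block; armor headers (':') and the '=' CRC line are skipped."""
    blobs = []
    for body in ARMOR.findall(text):
        lines = (l.strip() for l in body.splitlines())
        b64 = "".join(l for l in lines if ":" not in l and not l.startswith("="))
        blobs.append(base64.b64decode(b64))
    return blobs

def packets(data):
    """Yield (tag, body) per OpenPGP packet header, RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                       # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if n == 8:
                raise ValueError("indeterminate length is not handled")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def key_ids(text):
    """(kind, key ID) of each v4 primary key (tag 6) and subkey (tag 14) in text."""
    out = []
    for blob in dearmor_all(text):
        for tag, body in packets(blob):
            if tag in (6, 14) and body[:1] == b"\x04":
                # v4 fingerprint: SHA-1 over 0x99, two-octet length, packet body
                fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
                out.append(("primary" if tag == 6 else "subkey",
                            fpr.hexdigest()[-16:].upper()))
    return out
```

Pass the text of the fetched key file to key_ids(); more than one "primary" entry next to a gpg log that reports a single key processed means part of the file was not imported.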