[BUG] GPG key not valid with apt 2.9.21
Describe the bug With APT 2.9.21, the GPG key from https://packagecloud.io/go-graphite/stable/gpgkey isn't accepted anymore
Logs Err :6 https://packagecloud.io/go-graphite/stable/debian bookworm InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 40B29610C48DA4E2152C4E5FA3C7D6C388AEDEA5 is not bound: primary key because: No binding signature at time 2023-11-09T12:47:22Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
Go-carbon Configuration: N/A
Metric retention and aggregation schemas N/A
Simplified query (if applicable) N/A
Additional context APT is now using sqv instead of gnupg. There is a workaround for accepting SHA1, but it should be changed anyway
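The error above is sqv (sequoia) refusing to bind the key's user ID because its self-signature (a PositiveCertification, type 0x13) was made with SHA1, which sequoia's default policy has rejected for collision-resistance-critical signatures since 2013-02-01. A quick way to see whether a repository key has this problem before apt complains is to look at the hash-algorithm octet of every signature packet in the key. The script below is an added example for this thread, not code from the issue, from go-graphite, or from packagecloud; it is a minimal OpenPGP packet walker (RFC 4880 packet headers, v3/v4 signature layouts, hash-algorithm IDs 2 = SHA1, 8 = SHA256, etc.). The embedded sample key is constructed so the script runs offline; pass a real armored key file (for example one fetched from the gpgkey URL above) on the command line to audit it instead. The CRC24 line in the sample is a placeholder and is not checked.

```python
"""Audit the self-signatures in an ASCII-armored OpenPGP key for weak hash algorithms.

Constructed example: a minimal OpenPGP packet parser, not apt/sqv/packagecloud code.
"""
import base64
from dataclasses import dataclass

# Hash-algorithm IDs from RFC 4880 section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests that sequoia's default policy no longer accepts for binding signatures
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}
# Signature types from RFC 4880 section 5.2.1 that bind keys, subkeys and user IDs
SIG_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
             0x12: "CasualCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x1F: "DirectKey", 0x20: "KeyRevocation",
             0x28: "SubkeyRevocation", 0x30: "CertificationRevocation"}


def dearmor(text: str) -> bytes:
    """Strip the armor header lines and the CRC24 line; return raw packet bytes."""
    lines = iter(text.strip().splitlines())
    # any() stops at (and consumes) the BEGIN line
    if not any(line.startswith("-----BEGIN PGP") for line in lines):
        raise ValueError("no PGP armor header found")
    for line in lines:                  # armor headers end at the first blank line
        if not line.strip():
            break
    b64 = []
    for line in lines:
        line = line.strip()
        if line.startswith("=") or line.startswith("-----END"):
            break                       # CRC line or trailer: data is complete
        b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for each old- or new-format packet (no partial bodies)."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {i}")
        i += 1
        if ctb & 0x40:                  # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:              # indeterminate length: rest of the input
                length = n - i
            else:
                size = 1 << ltype       # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + size], "big")
                i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def signature_fields(body: bytes) -> tuple[int, int]:
    """Return (signature type, hash algorithm ID) from a signature packet body."""
    version = body[0]
    if version in (4, 5, 6):            # type, pk algo, hash algo follow the version
        return body[1], body[3]
    if version == 3:                    # legacy layout: type at 2, hash algo at 16
        return body[2], body[16]
    raise ValueError(f"unsupported signature version {version}")


@dataclass
class SigReport:
    sig_type: str
    hash_algo: str
    weak: bool


def audit_key(armored: str) -> list[SigReport]:
    """One report per signature packet (tag 2) found in the key."""
    reports = []
    for tag, body in iter_packets(dearmor(armored)):
        if tag != 2:
            continue
        sig_type, hash_id = signature_fields(body)
        name = HASH_ALGOS.get(hash_id, f"unknown({hash_id})")
        reports.append(SigReport(SIG_TYPES.get(sig_type, f"0x{sig_type:02x}"),
                                 name, name in WEAK_DIGESTS))
    return reports


def has_weak_binding(armored: str) -> bool:
    """True if any signature in the key uses a digest sqv's default policy rejects."""
    return any(r.weak for r in audit_key(armored))


def _packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length (bodies shorter than 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body


def build_sample_key(hash_id: int) -> str:
    """Constructed key: dummy public key + user ID + one positive certification."""
    pubkey = _packet(6, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x08\x80" + b"\x00\x11\x01\x00\x01")
    uid = _packet(13, b"Example Signing Key <security@example.org>")
    # v4 signature: type 0x13, RSA, chosen hash, empty subpacket areas, 2 hash octets, dummy MPI
    sig = _packet(2, b"\x04\x13\x01" + bytes([hash_id]) + b"\x00\x00\x00\x00" + b"\xab\xcd" + b"\x00\x08\x80")
    b64 = base64.b64encode(pubkey + uid + sig).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + b64 +
            "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")   # placeholder CRC line


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_key(2)
    for r in audit_key(text):
        print(f"{r.sig_type:<24} {r.hash_algo:<10} {'WEAK' if r.weak else 'ok'}")
```

A key that reports `WEAK` on its PositiveCertification or SubkeyBinding rows is the case in this issue: the only clean fix is for the key owner to re-sign the user ID and subkeys with a SHA2 digest (or issue a new key), since no client-side setting changes what the key itself carries.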
@Civil : maybe we need to regenerate packagecloud keys? I have no admin access there. Could you please do that?
@deniszh their open-source plan is weird, they are managing the keys (at least it seems so), but there is no button to regenerate them. For paid plans they allow you to upload your own keys to sign, but that is way too expensive in my opinion.
Did you find a way to fix or workaround this? The new release of carbonapi is not easily installable without it.
I'm afraid packagecloud.io has no viable alternatives. @Civil : could you please ping packagecloud support maybe? @Glandos - you probably can do the same as an end user too. Please take note that the current pipeline still has issues and I'm not sure if it'll build and / or upload any packages. Alternatively, we can ditch it completely and just upload packages to the GitHub release page, like we do for go-carbon, for example.
@deniszh well, we can either migrate to our own GPG key for signing the metadata and packages (they allow uploading a gpg public key and providing that) with all the migration pain that it would cause, or just indeed ditch it and upload packages to the github release page or host our own repo somewhere (setting up something like Pulp at the colo is an option, with all the problems that come with that).
Thanks for your quick answer :)
GitHub release page is less practical, since it requires to manually download packages. However, given the low frequency of carbonapi/go-carbon release (which is good 👍 ), it shouldn't be a real problem.