[Debian/Ubuntu] function install_apt() - NO_PUBKEY <fingerprint>
Hi team, the error below is returned when the permissions of the .gpg key are not world readable:
Executing the setup script for the 'platformsh/cli' repository ...
OK: Checking for required executable 'curl' ...
OK: Checking for required executable 'apt-get' ...
OK: Detecting your OS distribution and release using system methods ...
^^^^: ... Detected/provided for your OS/distribution, version and architecture:
>>>>:
>>>>: ... distro=ubuntu version=22.04 codename=jammy arch=x86_64
>>>>:
NOPE: Checking for apt dependency 'apt-transport-https' ...
OK: Updating apt repository metadata cache ...
OK: Attempting to install 'apt-transport-https' ...
OK: Checking for apt dependency 'ca-certificates' ...
OK: Checking for apt dependency 'gnupg' ...
OK: Checking for apt signed-by key support ...
OK: Importing 'platformsh/cli' repository GPG keys ...
OK: Checking if upstream install config is OK ...
OK: Installing 'platformsh/cli' repository via apt ...
NOPE: Updating apt repository metadata cache ...
Failed to update via apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Get:5 https://dl.cloudsmith.io/public/platformsh/cli/deb/ubuntu jammy InRelease [3669 B]
Err:5 https://dl.cloudsmith.io/public/platformsh/cli/deb/ubuntu jammy InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6ED8A90E60ABD941
Reading package lists...
W: GPG error: https://dl.cloudsmith.io/public/platformsh/cli/deb/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6ED8A90E60ABD941
E: The repository 'https://dl.cloudsmith.io/public/platformsh/cli/deb/ubuntu jammy InRelease' is not signed.
^^^^: ... Failed to update via apt-get update - Context above (maybe no packages?).
!!!!: Oh no, your setup failed! :-( ... But we might be able to help. :-)
!!!!:
!!!!: You can contact PlatformSH for further assistance.
!!!!:
In most cases, this happens because the default system umask value is too restrictive; 022 is the Ubuntu default value, but some users can set it to 027:
File: /usr/share/keyrings/platformsh-cli-archive-keyring.gpg
Size: 926 Blocks: 8 IO Block: 4096 regular file
Device: 252,3 Inode: 277035 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-08-26 07:50:26.788391739 +0000
Modify: 2024-08-26 07:50:27.293391067 +0000
Change: 2024-08-26 07:50:27.293391067 +0000
Birth: 2024-08-26 07:50:26.788391739 +0000
I don't see any risk in making this public key world readable (as it's public), so I worked around this issue by adding the following line :):
root@server:/home/user# diff -U 10 file.sh file.new.sh
--- file.sh 2024-08-26 08:15:20.123900845 +0000
+++ file.new.sh 2024-08-26 08:15:08.885928915 +0000
@@ -479,20 +479,22 @@
check_dpkg_tool "apt-transport-https"
check_dpkg_tool "ca-certificates" false
check_dpkg_tool "gnupg"
}
function import_gpg_key {
local text="Importing 'platformsh/cli' repository GPG keys ..."
echo_running "$text"
local gpg_keyring_path="/usr/share/keyrings/platformsh-cli-archive-keyring.gpg"
+ umask 022
curl -1sLf "https://dl.cloudsmith.io/public/platformsh/cli/gpg.6ED8A90E60ABD941.key" | gpg --dearmor >> $gpg_keyring_path
local signed_by_version="1.1"
local detected_version=$(dpkg -s apt | grep Version | cut -d' ' -f2)
[ "$(printf "%s\n" $detected_version $signed_by_version | sort -V | head -n 1)" == "$signed_by_version" ]
echo_okfail "Checking for apt signed-by key support ..." || {
mv ${gpg_keyring_path} /etc/apt/trusted.gpg.d/platformsh-cli.gpg
}
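Review bot: the added `umask 022` before the `curl ... | gpg --dearmor >> $gpg_keyring_path` line only applies to a file that is newly created; because the redirect is `>>`, a keyring left at 0640 by an earlier run keeps that mode and is just appended to. An explicit `chmod 0644 "$gpg_keyring_path"` right after the write would cover both the new-file and existing-file cases, and the mode then carries over to the `mv ${gpg_keyring_path} /etc/apt/trusted.gpg.d/platformsh-cli.gpg` fallback as well. Also note that `import_gpg_key` is a plain shell function, so the umask change stays in effect for everything the installer does afterwards; if the umask call is kept, wrap the write in a subshell or restore the previous value before returning.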
Which results in the following permissions:
File: /usr/share/keyrings/platformsh-cli-archive-keyring.gpg
Size: 926 Blocks: 8 IO Block: 4096 regular file
Device: 48h/72d Inode: 43727 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-08-26 08:31:36.852708674 +0000
Modify: 2024-08-26 08:31:34.120704064 +0000
Change: 2024-08-26 08:31:34.120704064 +0000
Birth: 2024-08-26 08:31:33.469702957 +0000
In my case, the error is triggered in line https://github.com/platformsh/cli/blob/d7b6e8736e75e21ba1b9bf7bfeeb1e764e9d1724/installer.sh#L436C1-L436C128.
I'm not sure how other distributions, such as RHEL, act, but please tell me how I can help.
Regards,
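
The permission behaviour described in this report, reproduced in a temporary directory as an added example that is not part of the original issue or of the installer script: a file created under umask 027 gets mode 0640, and appending with `>>` under umask 022 does not change the mode of a file that already exists. The helper names and the file content are constructed for illustration, and GNU `stat` (as on Debian/Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: constructed stand-in data, no network, no root,
# and no real keyring is touched.

# Print the octal mode of a file (GNU stat, as on Debian/Ubuntu).
mode_of() { stat -c '%a' "$1"; }

# Create-or-append to file $2 under umask $1, the same way a
# `... | gpg --dearmor >> "$path"` redirect would, then print the mode.
# The subshell keeps the umask change from leaking into the caller.
write_keyring() {
    ( umask "$1"; printf 'constructed-key-bytes' >> "$2" )
    mode_of "$2"
}

# Succeed only if the "other" class has the read bit set, i.e. the
# last octal digit of the mode is 4, 5, 6 or 7.
is_world_readable() {
    case "$(mode_of "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

demo() {
    demo_dir="$(mktemp -d)"
    demo_key="$demo_dir/example-archive-keyring.gpg"

    # Restrictive umask: the new file comes out 0640.
    echo "umask 027, new file:        $(write_keyring 027 "$demo_key")"

    # Relaxed umask, but the file already exists: mode is unchanged.
    echo "umask 022, append existing: $(write_keyring 022 "$demo_key")"

    # An explicit chmod fixes the mode regardless of umask or history.
    chmod 0644 "$demo_key"
    echo "after chmod 0644:           $(mode_of "$demo_key")"

    if is_world_readable "$demo_key"; then
        echo "world readable: yes"
    fi
    rm -rf "$demo_dir"
}

demo
```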
Hey, thanks a lot for letting us know. This script is provided by our installation partner; we'll check if we can update it and get back here.
Thanks a lot for providing a potential solution.
Hello, this has been resolved but I never got back here. Please let us know if this continues happening.
Thanks!