pg_probackup icon indicating copy to clipboard operation
pg_probackup copied to clipboard
verified publisher icon postgrespro

Debian 11 - bullseye

Open sgrinko opened this issue 3 years ago • 4 comments

With this OS there is a problem with installing the repository key.

RUN echo "deb [arch=amd64] https://repo.postgrespro.ru/pg_probackup/deb/ $DEBIAN_RELEASE main-$DEBIAN_RELEASE" > /etc/apt/sources.list.d/pg_probackup.list \
      && wget -O - https://repo.postgrespro.ru/pg_probackup/keys/GPG-KEY-PG_PROBACKUP | apt-key add - \
      && apt-get update \

out

--2022-11-15 07:13:46--  https://repo.postgrespro.ru/pg_probackup/keys/GPG-KEY-PG_PROBACKUP
Распознаётся repo.postgrespro.ru (repo.postgrespro.ru)… Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
213.171.56.11
Подключение к repo.postgrespro.ru (repo.postgrespro.ru)|213.171.56.11|:443... соединение установлено.
ОШИБКА: Нет доверия сертификату для «repo.postgrespro.ru».
ОШИБКА: Неизвестный издатель сертификата «repo.postgrespro.ru».
gpg: no valid OpenPGP data found.

apt-key is deprecated - Now you need to refuse to use this utility

I solved the problem with such commands:

wget --no-check-certificate -O - https://repo.postgrespro.ru/pg_probackup/keys/GPG-KEY-PG_PROBACKUP | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/GPG-KEY-PG_PROBACKUP.gpg --import
chmod 644 /etc/apt/trusted.gpg.d/GPG-KEY-PG_PROBACKUP.gpg

out:

gpg: keyring '/etc/apt/trusted.gpg.d/GPG-KEY-PG_PROBACKUP.gpg' created
--2022-11-14 15:47:12--  https://repo.postgrespro.ru/pg_probackup/keys/GPG-KEY-PG_PROBACKUP
Распознаётся repo.postgrespro.ru (repo.postgrespro.ru)… 213.171.56.11
Подключение к repo.postgrespro.ru (repo.postgrespro.ru)|213.171.56.11|:443... соединение установлено.
ПРЕДУПРЕЖДЕНИЕ: Нет доверия сертификату для «repo.postgrespro.ru».
ПРЕДУПРЕЖДЕНИЕ: Неизвестный издатель сертификата «repo.postgrespro.ru».
HTTP-запрос отправлен. Ожидание ответа… 200 OK
Длина: 3120 (3,0K) [application/octet-stream]
...
Reading package lists...
W: https://repo.postgrespro.ru/pg_probackup/deb/dists/bullseye/InRelease: No system certificates available. Try installing ca-certificates.
W: Failed to fetch https://repo.postgrespro.ru/pg_probackup/deb/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 213.171.56.11 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
...
E: Unable to locate package pg-probackup-14

This command apt-get update was not completed.

I ask you to finalize before compatibility with Debian 11

Thank you!

sgrinko avatar Nov 14 '22 17:11 sgrinko

We look forward to fixing this issue. For this reason, it is not possible to build new docker containers with PostgreSQL.

xinferum avatar Nov 17 '22 14:11 xinferum 

W: Failed to fetch https://repo.postgrespro.ru/pg_probackup/deb/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 213.171.56.11 443]

I managed to fix it by install ca-certificates

apt-get install ca-certificates

I would like to listen to your opinion about this problem in your repository. My solution is correct?

sgrinko avatar Nov 17 '22 15:11 sgrinko

I can't reproduce the certificate error on a clean Debian 11.7 (latest at the moment) Docker image. Please follow the installation instructions and check if the problem still exists. Major CA certificates like the one repo.postgrespro.ru is using are built into OS distributions so normally you don't have to install them separately.

asavchkov avatar Nov 27 '23 02:11 asavchkov

Change key filename GPG-KEY-PG_PROBACKUP to GPG-KEY-PG-PROBACKUP: https://repo.postgrespro.ru/pg_probackup/keys/GPG-KEY-PG-PROBACKUP

...but the right and secure way to add repo\store key is:

# Установка pg_probackup
RUN mkdir -p /etc/apt/keyrings && \
    # Установка ключа и репозитория
    curl -o /tmp/pg_probackup.asc https://repo.postgrespro.ru/pg_probackup/keys/GPG-KEY-PG-PROBACKUP && \
    gpg --no-default-keyring --keyring /tmp/keyring.gpg --import /tmp/pg_probackup.asc && \
    gpg --no-default-keyring --keyring /tmp/keyring.gpg --export --output /etc/apt/keyrings/pg_probackup.gpg && \
    sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/pg_probackup.gpg] https://repo.postgrespro.ru/pg_probackup/deb/ $(lsb_release -cs) main-$(lsb_release -cs)" > /etc/apt/sources.list.d/pg_probackup.list' && \
    rm /tmp/pg_probackup.asc && \
    rm /tmp/keyring.gpg && \
    # Установка пакетов
    apt-get update && \
    apt-get install pg-probackup-$NODE_PG_VERSION && \
    apt-get install pg-probackup-$NODE_PG_VERSION-dbg && \
    ln -sr /usr/bin/pg_probackup-$NODE_PG_VERSION /usr/bin/pg_probackup

from https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key

ADMDevMit avatar Jan 12 '24 16:01 ADMDevMit