
[BUG] apt pkg.managed changes key file

Open MartinEmrich opened this issue 2 years ago • 2 comments

Description

A pkgrepo.managed state with a key_url modifies the key file, resulting in an apt error message.

Setup

  • Debian 12
  • Salt-Minion 3006.5

Steps to Reproduce the behavior

My example: install Jenkins. (from https://www.jenkins.io/doc/book/installing/linux/#debianubuntu)

State:

jenkins-lts:
  pkgrepo.managed:
    - name: "deb [signed-by=/etc/apt/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/"
    - file: /etc/apt/sources.list.d/jenkins.list
    - aptkey: False
    - key_url: https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key

Expected behavior

Install Key file and source.list file as specified.

Screenshots

Error message:

----------
          ID: jenkins-lts
    Function: pkgrepo.managed
        Name: deb [signed-by=/etc/apt/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/
      Result: False
     Comment: Failed to configure repo 'deb [signed-by=/etc/apt/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/': W: GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5BA31D57EF5975CA
              E: The repository 'https://pkg.jenkins.io/debian-stable binary/ Release' is not signed.
     Started: 11:19:20.251128
    Duration: 1545.135 ms
     Changes:
----------

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3006.5

Python Version:
        Python: 3.10.13 (main, Nov 15 2023, 04:34:27) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.14.2
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: debian 12 bookworm
        locale: utf-8
       machine: x86_64
       release: 6.1.0-16-amd64
        system: Linux
       version: Debian GNU/Linux 12 bookworm

Additional context

IMHO related to #64130 ff., in that Salt tries to be "smart" regarding apt repo management, instead of just doing what it's told (put files in the right places).

Downloading the key file manually with wget, it results in a different file:

# file jenkins.io-2023.key jenkins-keyring.asc
jenkins.io-2023.key: PGP public key block Public-Key (old)
jenkins-keyring.asc: OpenPGP Public Key Version 4, Created Mon Mar 27 17:11:07 2023, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate

And moving the downloaded key file to the specified file name makes apt happy:

# mv jenkins.io-2023.key jenkins-keyring.asc
# apt-get update
OK:1 http://security.debian.org/debian-security bookworm-security InRelease
Ign:2 https://pkg.jenkins.io/debian-stable binary/ InRelease
Holen:3 https://pkg.jenkins.io/debian-stable binary/ Release [2.044 B]
Holen:4 https://pkg.jenkins.io/debian-stable binary/ Release.gpg [833 B]
OK:5 https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm InRelease
OK:6 http://ftp.de.debian.org/debian bookworm InRelease
OK:7 https://repo.saltproject.io/salt/py3/debian/11/amd64/3006 bullseye InRelease
OK:8 http://ftp.de.debian.org/debian bookworm-updates InRelease
Holen:9 https://pkg.jenkins.io/debian-stable binary/ Packages [26,0 kB]
OK:10 http://repo.zabbix.com/zabbix/5.5/debian bookworm InRelease
Es wurden 28,9 kB in 1 s geholt (44,8 kB/s).
Paketlisten werden gelesen… Fertig

Having seen some massaging of the key files with some "gpg", "dearmor" and similar commands in some installation docs for some packages in the past, my guess is that Salt is doing something like that to the key file regardless of whether it is needed or not, resulting in a wrong file (format?) in this case.

MartinEmrich, Dec 29 '23 10:12

Luckily, #56828 acts in my favour for now: once I downloaded the key file manually, salt thinks that state is fulfilled.

MartinEmrich, Dec 29 '23 10:12

I just had the same issue where the key file is changed to a format that does not work. Doing a simple wget works fine.

deb [arch=amd64 signed-by=/usr/share/keyrings/ACCC4CF8.asc] https://apt.postgresql.org/pub/repos/apt bookworm-pgdg main

Salt puts the file in keyrings, but if I run file on the file from Salt, it's: /usr/share/keyrings/ACCC4CF8.asc: OpenPGP Public Key Version 4, Created Thu Oct 13 20:19:14 2011, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate

If I just download with wget, I get this file type: ACCC4CF8.asc: PGP public key block Public-Key (old)

heimdull, Feb 06 '24 21:02
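
Added example, not part of the issue thread or of Salt's code: a check for the mismatch both reports show with `file`, where a keyring named `.asc` holds binary OpenPGP data instead of an ASCII-armored block. It assumes apt's convention (apt-key(8)) that `.asc` keyrings are armored and `.gpg` keyrings are binary; the sample bytes and the function names are constructed for illustration.

```python
import os

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
# Assumed apt convention: keyring extension -> expected encoding.
EXPECTED_BY_EXT = {".asc": "armored", ".gpg": "binary"}

# Constructed samples: only the leading bytes matter for classification.
ARMORED_SAMPLE = ARMOR_HEADER + b"\n\nmQINBGQ...constructed...\n-----END PGP PUBLIC KEY BLOCK-----\n"
BINARY_SAMPLE = bytes([0x99, 0x02, 0x0D, 0x04]) + b"\x00" * 16  # old-format header, tag 6, v4


def key_encoding(data: bytes) -> str:
    """Classify OpenPGP public key material as 'armored', 'binary' or 'unknown'."""
    if data.lstrip().startswith(ARMOR_HEADER):
        return "armored"
    if data and data[0] & 0x80:  # bit 7 set marks a binary packet header
        first = data[0]
        # New-format headers keep the tag in bits 5-0, old-format in bits 5-2.
        tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2
        if tag == 6:  # Public-Key packet
            return "binary"
    return "unknown"


def check_keyring(path: str, data: bytes) -> tuple:
    """Return (ok, message) for a keyring path and its content."""
    ext = os.path.splitext(path)[1].lower()
    expected = EXPECTED_BY_EXT.get(ext)
    actual = key_encoding(data)
    if expected is None:
        return False, f"{path}: unrecognised keyring extension {ext!r}"
    if actual != expected:
        return False, f"{path}: content is {actual}, extension implies {expected}"
    return True, f"{path}: {actual} content matches extension"


if __name__ == "__main__":
    target = "/etc/apt/keyrings/jenkins-keyring.asc"  # path from the state above
    for label, sample in (("salt-written", BINARY_SAMPLE), ("wget", ARMORED_SAMPLE)):
        print(label, check_keyring(target, sample))
```

To use it on a minion, read the file with `open(path, "rb").read()` and pass the bytes in; a failed check on a `signed-by` keyring is worth flagging before `apt-get update` reports `NO_PUBKEY`.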