wazuh-documentation
Ubuntu Jammy GPG key retrieve error
Hello!
We have detected that Ubuntu Jammy has deprecated the way to include GPG key inside APT keyring verification. We will need to update documentation steps to set up the repository. Specifically, we will need to change this:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
To This:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg --import && chown _apt /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg
(Root user required)
Documentation link: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
This issue is being investigated in https://github.com/wazuh/wazuh-packages/issues/1623
The command:
- curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg --import && chown _apt /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg
will throw an error about chown _apt:
root@ubuntu14:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg --import && chown _apt /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 29111145: public key "Wazuh.com (Wazuh Signing Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
chown: invalid user: ‘_apt’
Update report
Running curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg --import without chown _apt in Ubuntu 22, the apt-get update command shows these warnings and errors; Ubuntu 14 does not show this output and installs the agent:
W: https://packages.wazuh.com/4.x/apt/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: https://packages.wazuh.com/4.x/apt stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 96B3EE5F29111145
E: The repository 'https://packages.wazuh.com/4.x/apt stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://mirrors.edge.kernel.org/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://mirrors.edge.kernel.org/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://mirrors.edge.kernel.org/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://mirrors.edge.kernel.org/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
Summarizing:
Problem
Our documentation and installer assistant use apt-key for adding the repository GPG key to the OS with the following command:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
Ubuntu 22.04 shows the following message:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
The man page mentions:
use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring
and apt-key will last be available in Debian 11 and Ubuntu 22.04.
When the user adds an OpenPGP key, this key is used to verify all other possible user repositories without signed-by. See the following post explaining it.
The apt-key deprecation message says to manage keyring files in trusted.gpg.d instead, located at /etc/apt/. But the Debian Wiki recommends the use of the /usr/share/keyrings/ folder (Elastic uses this one).
Option 1: use /usr/share/keyrings/
Tested here: https://github.com/wazuh/wazuh-packages/issues/1623#issuecomment-1167574823. The command used doesn't work for Ubuntu 14. If we decide to go with this option, Ubuntu 14 should have specific installation instructions in the documentation, something like a note warning that, if you are using Ubuntu 14, you need to use the old apt-key. The command works like a charm in all other Debian-based OS.
Option 2: use the /etc/apt/trusted.gpg.d folder
Tested here: https://github.com/wazuh/wazuh-packages/issues/1623#issuecomment-1163370218. The command explained works on all supported Debian-based OS. Inconvenience: it doesn't match the Debian security expectations.
Note: The command used can be split into 2 or 3 lines in order to clarify it to users in the documentation. We are validating the method right now.
Update report
- Option 2 must not be valid due to the Debian wiki: https://wiki.debian.org/DebianRepository/UseThirdParty
  "The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add."
- Option 1 tests: https://github.com/wazuh/wazuh-packages/issues/1623#issuecomment-1168664475
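For reference, here is what Option 1 looks like end to end, written as an added example for this thread (it is not the command from the Wazuh documentation, installer assistant, or the linked pull request). It dearmors the key into /usr/share/keyrings (the keyring filename wazuh.gpg and the sources file name wazuh.list are assumptions), pins the key to the Wazuh repository with signed-by so it cannot vouch for other repositories, and checks the exact failure mode from the earlier report: apt silently ignores a keyring that its unprivileged _apt user cannot read, which is what produced the NO_PUBKEY error above.

```shell
#!/bin/sh
# Added example, not Wazuh project code. Installs a third-party repository
# key the way the Debian wiki recommends: /usr/share/keyrings + signed-by.
set -eu

KEY_URL="https://packages.wazuh.com/key/GPG-KEY-WAZUH"   # from the thread
REPO_URL="https://packages.wazuh.com/4.x/apt"            # from the thread
KEYRING="/usr/share/keyrings/wazuh.gpg"                  # assumed filename
SOURCES="/etc/apt/sources.list.d/wazuh.list"             # assumed filename

# Build the sources.list entry. With [signed-by=...] the key only verifies
# this repository, instead of every repository on the system as apt-key did.
sources_line() {
    # $1 keyring path, $2 repository URL, $3 suite, $4 component
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Return 0 if "other" users can read the file, 1 otherwise. apt drops to the
# unprivileged _apt user, so a 0600 keyring is ignored with the warning
# "not readable by user '_apt'". Parses ls -l so it works without GNU stat.
world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Fetch the ASCII-armored key, convert it to a binary keyring, and make sure
# the result is readable by _apt before apt is ever pointed at it.
install_key() {
    # $1 key URL, $2 keyring path. Needs root, curl and gpg; not run by tests.
    curl -fsSL "$1" | gpg --dearmor -o "$2"
    chmod 0644 "$2"
    if ! world_readable "$2"; then
        echo "keyring $2 is not readable by _apt; apt would ignore it" >&2
        return 1
    fi
}

# Only perform the privileged steps when explicitly asked to, as root.
if [ "${1:-}" = "install" ] && [ "$(id -u)" = "0" ]; then
    install_key "$KEY_URL" "$KEYRING"
    sources_line "$KEYRING" "$REPO_URL" stable main > "$SOURCES"
    apt-get update
fi
```

Run it as `sh script.sh install` on the target host. The check in world_readable is the part worth keeping around: the error in the earlier report came from a keyring that root could read but _apt could not, and the same mistake is easy to make again with umask 077 or a key copied from a home directory.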
Just for reference: I've already created a pull request: https://github.com/wazuh/wazuh-documentation/pull/5344
Hope this helps. :)