[CPR-384] APT pubkey.gpg doesn't work in preseed
Created: 2016/10/08  Updated: 2017/08/02  Resolved: 2016/10/26

Status: Closed
Project: Community Package Repository
Component/s: None
Affects Version/s: None
Fix Version/s: 2017/08/02

Type: Bug
Priority: Normal
Reporter: Michael Moll
Assignee: Unassigned
Resolution: Won't Do
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

 Description   

https://github.com/theforeman/community-templates/blob/develop/preseed/provision.erb#L102-L106 has been leading to problems for a few days: https://github.com/theforeman/community-templates/issues/303 - I noticed that the keyfile delivered with the puppetlabs-release-pc1 is noticeably bigger than pubkey.gpg, maybe something needs to get added there?



 Comments   
Comment by Melissa Stone [ 2016/10/10 ]

The keyfile delivered in puppetlabs-release-pc1 contains three keys: the old signing key, the new signing key, and the nightlies key. pubkey.gpg is only the key used to sign the repos on apt.puppetlabs.com, so it's only the new signing key.

Are there any other problems you're having with the signing keys, or is it just the size difference?

With the reported issue above, we'd have to see what keys are installed on the failing system. apt-key list will get us that. You should see an entry for the new signing key:

pub   4096R/EF8D349F 2016-08-18 [expires: 2021-08-17]
uid                  Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
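
The check described in the comment above, as an added example that is not part of the original ticket or of Puppet's tooling: a shell function that parses legacy `apt-key list` output in the format shown here and reports whether a given short key ID is installed as a primary key and still unexpired on a given date. The names `check_apt_key` and `sample_keyring`, the date argument and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: verify that a signing key appears in legacy `apt-key list` output.
# Usage: apt-key list | check_apt_key <SHORT_KEY_ID> <YYYY-MM-DD>
# Prints "present", "expired" or "missing"; returns 0 only for "present".
check_apt_key() {
    awk -v want="$1" -v today="$2" '
        # Primary key lines look like:
        #   pub   4096R/EF8D349F 2016-08-18 [expires: 2021-08-17]
        # "sub" lines are skipped: apt trusts primary keys in the keyring.
        $1 == "pub" {
            split($2, algo_id, "/")
            if (algo_id[2] != want) next
            found = 1
            until = ""
            # gpg prints "[expires: DATE]" or, once past it, "[expired: DATE]".
            if (match($0, /\[expire[sd]: [0-9-]+\]/))
                until = substr($0, RSTART + 10, RLENGTH - 11)
            # ISO 8601 dates order correctly when compared as strings.
            state = (until != "" && (until "") < (today "")) ? "expired" : "present"
        }
        END {
            if (!found) state = "missing"
            print state
            exit (state == "present") ? 0 : 1
        }
    '
}

# Constructed sample input, shaped like the `apt-key list` output on this page.
sample_keyring() {
    cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/EF8D349F 2016-08-18 [expires: 2021-08-17]
uid                  Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub   4096R/656674AE 2016-08-18 [expires: 2021-08-17]
EOF
}

# Check the key ID named in the comment against the sample, as of the ticket date.
sample_keyring | check_apt_key EF8D349F 2016-10-10
```

A "present" result only rules out a missing or expired key; the session in the next comment lists the same key while apt-get still reports the package as unauthenticated.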

Comment by Michael Moll [ 2016/10/10 ]

The problem seems to be specific to Ubuntu/xenial and I suspect it to be this Ubuntu issue: https://bugs.launchpad.net/ubuntu/+source/base-installer/+bug/1553121

root@dave-neuweg:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12
 
pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
 
pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
 
pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
 
pub   4096R/EF8D349F 2016-08-18 [expires: 2021-08-17]
uid                  Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub   4096R/656674AE 2016-08-18 [expires: 2021-08-17]
 
root@dave-neuweg:~# apt-get -y install puppet-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  puppet-agent
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.9 MB of archives.
After this operation, 82.0 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  puppet-agent
E: There were unauthenticated packages and -y was used without --allow-unauthenticated

So I'm closing this issue.

Comment by Michael Moll [ 2016/10/10 ]

Reopened, as this might be related to the following. On a recent Debian/testing, the following appears:

W: Invalid 'Date' entry in Release file /var/lib/apt/lists/apt.puppetlabs.com_dists_xenial_Release
W: The repository 'http://apt.puppetlabs.com xenial Release' provides only weak security information.

Is this repository generated with freight, by any chance? If yes, which version?

Comment by Melissa Stone [ 2016/10/26 ]

Oops, apologies, this fell off my radar.

The repos are generated with freight, though I believe we're using the latest version. Is there a bug open against freight that may be causing this?

Can you elaborate on how you produced that warning for the invalid data entry?

Comment by Michael Moll [ 2016/10/26 ]

No worries... after looking at this again, I mixed things up.

The warning is happening only on apt 1.3+, which is not included in Ubuntu 16.04: https://github.com/freight-team/freight/pull/35

So let's close this issue and hope for the Ubuntu installer people to fix the problem...

In the meantime, I guess we (Foreman template people) should look at installing the puppetlabs-release package in the finish script as a method to enable the repository, and simply install the puppet-agent packages later in that process.

Comment by Melissa Stone [ 2016/10/27 ]

Cool. Let us know if anything crops up that we might be able to help you with!

Generated at Fri Jan 17 19:13:02 PST 2020 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.