Ubuntu
subiquity package

Incorrect GPG signature file during autoinstall when using custom GPG key

Bug #2076943 reported by Fabio Augusto Miranda Martins
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
subiquity (Ubuntu)
Triaged
Medium
Unassigned

Bug Description

When using an APT mirror that creates its own GPG keys to sign the files (such as APTLY), and then attempting to use that in an autoinstall file for subiquity, although we provide the GPG key in the autoinstall yaml, it still uses the incorrect GPG key in sources.list.

In my APTLY environment example, I provide this snippet in my autoinstall user-data:

...
    apt:
      primary:
      - arches: [amd64, i386, default]
        uri: http://192.168.148.3/ubuntu
      security:
      - arches: [amd64, i386, default]
        uri: http://192.168.148.3/ubuntu
      geoip: false
      disable_suites: [backports, proposed]
      disable_components: [restricted, multiverse]
      conf: | # APT config
        Acquire::Check-Valid-Until "false";
        Acquire::AllowInsecureRepositories "true";
        Acquire::AllowDowngradeToInsecureRepositories "true";
        Acquire::AllowReleaseInfoChange "true";
      sources:
        #additional-repo.list:
        # source: "http://ubuntumirror.test.att.com/ubuntu/jammy ato_tools main"
        localrepokey:
          key: | # full key as block
            -----BEGIN PGP PUBLIC KEY BLOCK-----
 < . . . Content of the GPG key . . . :
            -----END PGP PUBLIC KEY BLOCK-----
...

However, subiquity still fails complaining about:

2024-08-13 16:24:51,746 DEBUG subiquity.server.controllers.mirror:180 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0C0A181F066B7A7C

And checking my installation environment, I see that subiquity adds my key at /tmp/tmpw3ph2pba/mount/etc/apt/trusted.gpg.d/localrepokey.asc, but looking at/tmp/tmpw3ph2pba/mount/etc/apt/sources.list.d/ubuntu.sources` I see it still has:

Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

This is the incorrect GPG key.

If I run this:

cat ./trusted.gpg.d/localrepokey.asc | gpg --dearmor -o /tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key

And then change the Signed-By line to point to this file (/tmp/tmpw3ph2pba/mount/etc/apt/keyrings/aptly.key), I can then run apt-get update in the chroot environment.

We would need a way to use the correct GPG key to the apt source when provided in the autoinstall user-data

Steps to reproduce this would involve setting up an aptly mirror using the following steps:

Add to sources.list:

deb http://repo.aptly.info/ nightly main

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A0546A43624A8331
sudo apt update
sudo apt install aptly

gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --export | gpg --no-default-keyring --keyring trustedkeys.gpg --import

aptly mirror create -architectures=amd64 -with-udebs=true noble http://archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-security http://archive.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-updates http://archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse
aptly mirror create -architectures=amd64 -with-udebs=true noble-backports http://archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse

aptly mirror update noble && aptly mirror update noble-security && aptly mirror update noble-updates && aptly mirror update noble-backports

aptly snapshot create noble from mirror noble && aptly snapshot create noble-updates from mirror noble-updates && aptly snapshot create noble-security from mirror noble-security && aptly snapshot create noble-backports from mirror noble-backports

gpg --default-new-key-algo rsa4096 --gen-key --keyring pubring.gpg

aptly publish snapshot noble && aptly publish snapshot noble-updates && aptly publish snapshot noble-security && aptly publish snapshot noble-backports

sudo apt install apache2
sudo ln -s /home/ubuntu/.aptly/public/ /var/www/html/ubuntu
chmod 755 /home/ubuntu/

Export the gpg key and use it in the autoinstall yaml:

gpg --list-keys --keyring pubring.gpg
gpg --export --armor 066B7A7C > 066B7A7C.key

---

Workaround: provide sources content in deb822 format and include the text of the key in signed-by

      sources:
        ubuntu.sources:
          source: |
            Types: deb
            URIs: http://ip/ubuntu
            Suites: noble noble-updates noble-backports noble-security
            Components: main
            #Signed-By: /etc/apt/trusted.gpg.d/localrepokey.asc
            Signed-By: |
              -----BEGIN PGP PUBLIC KEY BLOCK-----
              .
              <key>
              -----END PGP PUBLIC KEY BLOCK-----

See original description

Related branches

~tiago.pasqualini/curtin:fix_doc
Superseded for merging into curtin:master
Server Team CI bot: Needs Fixing (continuous-integration)
curtin developers: Pending requested
Diff: 69 lines (+50/-1)
1 file modified
doc/topics/apt_source.rst (+50/-1)
~tiago.pasqualini/curtin:fix_doc
Superseded for merging into curtin:master
Server Team CI bot: Needs Fixing (continuous-integration)
curtin developers: Pending requested
Diff: 60 lines (+49/-0)
1 file modified
doc/topics/apt_source.rst (+49/-0)
Dan Bungert (dbungert)
affects: subiquity → subiquity (Ubuntu)
Changed in subiquity (Ubuntu):
status: New → Triaged
importance: Undecided → High
Dan Bungert (dbungert)
description: updated
Revision history for this message
Chris Peterson (cpete) wrote :

Dropping the severity to Medium now that we know there is an acceptable workaround for now.

Changed in subiquity (Ubuntu):
importance: High → Medium
Revision history for this message
Christoph Roeder (brightdroid) wrote :

For me the workaround still produces a ubuntu.sources with two URIs, the first with "Signed-By" (wrong keyfile) and the second for noble-security with my custom key as a string.
---

Types: deb
URIs: http://landscape/repository/standalone/ubuntu
Suites: noble noble-updates
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Types: deb
URIs: http://landscape/repository/standalone/ubuntu
Suites: noble noble-updates noble-security
Components: main
Signed-By: |
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  ...
  -----END PGP PUBLIC KEY BLOCK-----

Revision history for this message
Tiago Pasqualini da Silva (tiago.pasqualini) wrote :

It is currently possible to achieve this by using templates, which is supported by curtin. This is currently not documented anywhere besides one of the examples: https://github.com/canonical/curtin/blob/master/examples/apt-source.yaml#L109

I have proposed a PR that adds documentation for this in curtin: https://code.launchpad.net/~tiago.pasqualini/curtin/+git/curtin/+merge/473478

Revision history for this message
Christoph Roeder (brightdroid) wrote :

The workaround from your PR does not work for me, I still get a "wrong" ubuntu.sources file in /etc/apt/sources.list.d/ubuntu.sources and the same copied by curtin to /target/etc/apt/sources.list.d/ubuntu.sources.cutrin.orig

Both contain the default config with ubuntu.com as mirror and not my own config.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.