feat: Custom keys for apt archives #5828
Open
+211
−6
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Users with local Ubuntu archive mirrors and Landscape instances have been unable to specify the corresponding gpg keys. This resulted in errors such as "NO_PUBKEY" on commands such as "apt update"
This commit adds the functionality to read a user specified "key" field in the primary and security sections of the apt declaration in a cloud-init-config.yaml. The provided key can be raw or path based, and is formatted appropriately. The function that provides this feature, get_mirror_key was modelled after the existing function, get_mirror, which obtains user specified archive URIs. The deb822 templates were updated to reflect the new primary and security key parameters
If no primary key is declared, it defaults to the distro gpg key in /usr/share/keyrings. If no security mirror is declared, the corresponding key falls back on the primary key. This is to match the existing behaviour where the security mirror falls back on the primary mirror URI. Therefore, when no keys are specified, the behaviour becomes indistinguishable from the current cloud-init implementation
Keys can also be specified using a keyid and optionally a keyserver. When this is the case, the key is obtained and artificially added to the parsed mirror config and treated as described above.
The commit has new unit tests in test_apt_configure_sources_list_v3.py
Related issue: GH-#5473
I also added my GitHub to the CLA signers doc in this commit