feat: Custom keys for apt archives #5828

Open
@bryanfraschetti bryanfraschetti commented Oct 17, 2024

Users with local Ubuntu archive mirrors and Landscape instances have been unable to specify the corresponding gpg keys. This resulted in errors such as "NO_PUBKEY" on commands such as "apt update".

This commit adds the functionality to read a user-specified "key" field in the primary and security sections of the apt declaration in a cloud-init-config.yaml. The provided key can be raw or path based, and is formatted appropriately. The function that provides this feature, get_mirror_key, was modelled after the existing function, get_mirror, which obtains user-specified archive URIs. The deb822 templates were updated to reflect the new primary and security key parameters.

If no primary key is declared, it defaults to the distro gpg key in /usr/share/keyrings. If no security mirror is declared, the corresponding key falls back on the primary key. This is to match the existing behaviour where the security mirror falls back on the primary mirror URI. Therefore, when no keys are specified, the behaviour becomes indistinguishable from the current cloud-init implementation.

Keys can also be specified using a keyid and optionally a keyserver. When this is the case, the key is obtained and artificially added to the parsed mirror config and treated as described above.

The commit has new unit tests in test_apt_configure_sources_list_v3.py

Related issue: GH-#5473

I also added my GitHub to the CLA signers doc in this commit.
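
The key fallback described in this pull request, written out as an added example (not code from the PR or from cloud-init). The names `resolve_signed_by`, `pick_entry` and `format_signed_by`, the `arches` matching and the keyring filename are assumptions, and a raw key is assumed to be embedded as a multi-line deb822 `Signed-By` value, which apt accepts. Retrieval by keyid/keyserver is not covered because it needs network access.

```python
"""Added example: key fallback for apt mirrors, rendered as deb822 Signed-By values."""

# Assumption: the distro default keyring file; the page only names /usr/share/keyrings.
DISTRO_KEYRING = "/usr/share/keyrings/ubuntu-archive-keyring.gpg"
ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"


def format_signed_by(key):
    """Turn a path or an ASCII-armored key into a safe Signed-By value."""
    key = key.strip()
    if key.startswith("/"):
        # A path must be one line, or it could smuggle extra deb822 fields.
        if len(key.splitlines()) != 1:
            raise ValueError("key path must be a single line")
        return key
    if not key.startswith(ARMOR_HEADER):
        raise ValueError("key is neither an absolute path nor an armored key")
    # Embedded key: every line becomes a continuation line (leading space),
    # and empty lines are written as " ." so the field is not cut short.
    return "\n" + "\n".join(" " + ln if ln.strip() else " ." for ln in key.splitlines())


def pick_entry(entries, arch):
    """Hypothetical helper: choose the mirror entry for arch, else 'default'."""
    for wanted in (arch, "default"):
        for entry in entries or []:
            if wanted in entry.get("arches", []):
                return entry
    return {}


def resolve_signed_by(apt_cfg, arch="amd64"):
    """Return the Signed-By values for the primary and security archives."""
    primary = pick_entry(apt_cfg.get("primary"), arch)
    security = pick_entry(apt_cfg.get("security"), arch)
    primary_key = format_signed_by(primary.get("key") or DISTRO_KEYRING)
    # Assumption: a security entry without its own key inherits the primary key,
    # the same as when no security mirror is declared at all.
    security_key = format_signed_by(security["key"]) if security.get("key") else primary_key
    return {"primary": primary_key, "security": security_key}


# Constructed sample config (not from the page); the key body is a placeholder.
SAMPLE = {"primary": [{"arches": ["default"], "uri": "http://mirror.example/ubuntu",
                       "key": ARMOR_HEADER + "\n\nAAAA\n-----END PGP PUBLIC KEY BLOCK-----"}]}

if __name__ == "__main__":
    for name, value in resolve_signed_by(SAMPLE).items():
        print(f"Signed-By ({name}):{value}")
```

Rejecting multi-line paths and prefixing every line of an embedded key keeps a user-supplied `key` from terminating the `Signed-By` field and adding fields of its own to the generated sources file.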
