Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

signed-by option is not supported for ar+https #10

Open
LumaKernel opened this issue Dec 14, 2022 · 3 comments
Open

signed-by option is not supported for ar+https #10

LumaKernel opened this issue Dec 14, 2022 · 3 comments
Assignees
@lindsayismith

Comments

@LumaKernel
Copy link

Documentations instructions are like following:

echo "deb ar+https://<location>-apt.pkg.dev/projects/<project> <repository> main" | sudo tee -a  /etc/apt/sources.list.d/artifact-registry.list
curl https://<location>-apt.pkg.dev/doc/repo-signing-key.gpg | sudo apt-key add -
sudo apt update

This would work, but managing GPG keys by apt-key is currently deprecated. Using /etc/apt/keyrings/... is recommended, but ar+https handling by this plugin looks not supporting signed-by=... option.

...
W: ar+https://<location>-apt.pkg.dev/projects/<project>/dists/<repository>/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Expected flow is following.

echo "deb [signed-by=/etc/apt/keyrings/<location>-artifact.gpg] ar+https://<location>-apt.pkg.dev/projects/<project> <repository> main" | sudo tee -a  /etc/apt/sources.list.d/artifact-registry.list
sudo curl https://<location>-apt.pkg.dev/doc/repo-signing-key.gpg -o /etc/apt/keyrings/<location>-artifact.gpg

But this causes error:

...
Err:5 ar+https://<location>-apt.pkg.dev/projects/<project> <repository> InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY <GPG-KEY-NAME>
...
W: GPG error: ar+https://<location>-apt.pkg.dev/projects/<project> <repository> InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY <GPG-KEY-NAME>
E: The repository 'ar+https://<location>-apt.pkg.dev/projects/<project> <repository> InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Confirmed in Ubuntu22.04 Google Cloud Compute Engine environment. Thanks
@hopkiw hopkiw self-assigned this Dec 14, 2022
@hopkiw
Copy link
Contributor

hopkiw commented Dec 14, 2022

Thanks for reporting, we will investigate updating the signing method

@ericsampson
Copy link

That would be great, thanks!

@eriksw
Copy link

eriksw commented Mar 16, 2023

@hopkiw Any update on this?

@illfelder illfelder assigned lindsayismith and unassigned hopkiw Mar 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lindsayismith lindsayismith

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@lindsayismith @ericsampson @hopkiw @eriksw @LumaKernel