Fix broken apt::source declaration for Debian-based systems #142

Merged
merged 3 commits into from
Oct 17, 2023

logicminds
Contributor

Clone of #129

Pull Request (PR) description

This PR adds GitLab's Apt signing key directly from the source instead of relying on keyserver.ubuntu.com (which currently doesn't seem to provide the key when running
/usr/bin/apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F6403F6544A38863DAA0B6E03F01618A51312F3F
which is what this module attempts to do on Debian-based systems).

This Pull Request (PR) fixes the following issues

#128 and closes #129

@kenyon
Member

kenyon commented Mar 8, 2022

Looks like tests need to be updated as well.

@thorstenk

The key is still (again?) available on keyserver.ubuntu.com, see http://keyserver.ubuntu.com/pks/lookup?search=packages%40gitlab.com&fingerprint=on&op=index

The original key expired on 2022-03-02T15:16:59Z but GitLab refreshed the key the same day at 2022-03-02T17:21:45Z. This is fine for manual key management (and documented) but requires a bit more effort in config management. Fortunately the maintainers of puppetlabs-apt already considered that case and implemented an ensure => 'refresh' option that only looks for a refreshed key when it's already expired (see source code).

IMHO keyserver.ubuntu.com is still/again valid as a source for the Apt signing key but an ensure => 'refresh' should be added to the key hash.

@@ -16,6 +16,7 @@
repos => 'main',
key => {
'id' => 'F6403F6544A38863DAA0B6E03F01618A51312F3F',
'source' => 'https://packages.gitlab.com/gpg.key',
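Review bot: the key hash shown here, from 'id' through 'source', carries no 'ensure' entry, so unless one is set in the lines outside this view, a node that already holds the expired copy of this key may never fetch the refreshed one from the new URL. Consider setting the refresh behaviour for ensure that is discussed in this thread. With 'source' now pointing at https://packages.gitlab.com/gpg.key, the full 40-character fingerprint in 'id' is the only pin on what gets trusted, so it should stay a full fingerprint and never be shortened to a key ID. The spec tests should also cover the new 'source' entry.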
Member

my preference, but that would be a breaking change: configure only source, and not server.

@NeatNerdPrime

NeatNerdPrime commented Apr 16, 2023

Just my 2 cents for whoever is still encountering this issue.

This branch would indeed fix the Apt key issue source. Today it's still not available on the default keyserver (keyserver.ubuntu.com).

However it should be noted that the injection of apt keys with apt-key add is deprecated in favor of the "signed-by" mechanism.

I'd say the "clean fix/workaround" is either to:

  • Set the repo_keyserver explicitly in the gitlab/gitlab_ci_runner class
  • Disable the repo management with "manage_repo: false" and provision the repo beforehand, preferably with the "signed-by" mechanisms

References:
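
The checks a "signed-by" setup needs before a downloaded key file is trusted, as an added example that is not part of this thread or the module's code: it parses `gpg --show-keys --with-colons` output, requires exactly the pinned fingerprint, and rejects an expired key. The sample listing is constructed, and the keyring path and repository URL are placeholders.

```python
from datetime import datetime, timezone

PINNED_FPR = "F6403F6544A38863DAA0B6E03F01618A51312F3F"  # 'id' from the hunk on this page

def primary_keys(listing):
    """Parse `gpg --show-keys --with-colons` text into [(fingerprint, expiry|None)].
    Assumes the expiry field (7th) is epoch seconds, gpg2's default."""
    keys, expires, in_primary = [], None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            in_primary = True
            expires = int(f[6]) if len(f) > 6 and f[6] else None
        elif f[0] == "sub":
            in_primary = False  # subkey fingerprints are not the pinned id
        elif f[0] == "fpr" and in_primary and len(f) > 9:
            exp = None if expires is None else datetime.fromtimestamp(expires, timezone.utc)
            keys.append((f[9].upper(), exp))
            in_primary = False
    return keys

def check_key(listing, pinned, now):
    """signed-by trusts every key in the file, so require exactly the pinned one."""
    keys = primary_keys(listing)
    if [fpr for fpr, _ in keys] != [pinned.upper()]:
        return "unexpected-key"
    exp = keys[0][1]
    return "expired" if exp is not None and exp <= now else "ok"

def sources_line(keyring, url, suite, component="main"):
    """One-line sources.list entry that scopes the key to this repository only."""
    return f"deb [signed-by={keyring}] {url} {suite} {component}"

def constructed_listing(expires_at, fpr=PINNED_FPR):
    """Constructed sample of gpg colon output; dates and subkey are made up."""
    fpr_row = lambda v: ["fpr"] + [""] * 8 + [v, ""]
    rows = [["pub", "-", "4096", "1", fpr[-16:], "1583107200",
             str(int(expires_at.timestamp())), "", "-"],
            fpr_row(fpr),
            ["sub", "-", "4096", "1", "0" * 16, "1583107200", "", "", ""],
            fpr_row("0" * 40)]
    return "\n".join(":".join(r) for r in rows)

if __name__ == "__main__":
    now = datetime(2022, 3, 2, 17, 21, 45, tzinfo=timezone.utc)
    old = constructed_listing(datetime(2022, 3, 2, 15, 16, 59, tzinfo=timezone.utc))
    print(check_key(old, PINNED_FPR, now))
    print(sources_line("/etc/apt/keyrings/example.gpg",
                       "https://repo.example.invalid/debian", "bookworm"))
```

Only when `check_key` returns "ok" should the key file be placed at the keyring path named in the `signed-by` option.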

@bastelfreak
Member

I think this is a valid workaround until puppetlabs/apt is improved.

@bastelfreak bastelfreak merged commit 7c8e68a into master Oct 17, 2023
18 checks passed
@bastelfreak bastelfreak deleted the apt_fix branch October 17, 2023 14:44
Labels
bug Something isn't working