GoogleCloudPlatform / artifact-registry-apt-transport

Apache License 2.0

signed-by option is not supported for ar+https #10

Open LumaKernel opened 1 year ago

LumaKernel commented 1 year ago

The documentation's instructions are as follows:

echo "deb ar+https://<location>-apt.pkg.dev/projects/<project> <repository> main" | sudo tee -a  /etc/apt/sources.list.d/artifact-registry.list
curl https://<location>-apt.pkg.dev/doc/repo-signing-key.gpg | sudo apt-key add -
sudo apt update

This would work, but managing GPG keys with apt-key is currently deprecated. Using /etc/apt/keyrings/... is recommended, but the ar+https handling in this plugin does not seem to support the signed-by=... option.

...
W: ar+https://<location>-apt.pkg.dev/projects/<project>/dists/<repository>/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

The expected flow is as follows:

echo "deb [signed-by=/etc/apt/keyrings/<location>-artifact.gpg] ar+https://<location>-apt.pkg.dev/projects/<project> <repository> main" | sudo tee -a  /etc/apt/sources.list.d/artifact-registry.list
sudo curl https://<location>-apt.pkg.dev/doc/repo-signing-key.gpg -o /etc/apt/keyrings/<location>-artifact.gpg

But this causes an error:

...
Err:5 ar+https://<location>-apt.pkg.dev/projects/<project> <repository> InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY <GPG-KEY-NAME>
...
W: GPG error: ar+https://<location>-apt.pkg.dev/projects/<project> <repository> InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY <GPG-KEY-NAME>
E: The repository 'ar+https://<location>-apt.pkg.dev/projects/<project> <repository> InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Confirmed in an Ubuntu 22.04 Google Cloud Compute Engine environment. Thanks.
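An added example, not part of the original post or of this project's code: a small audit that lists each one-line-style APT source and whether its signing key is scoped with signed-by or falls back to the global trusted keyrings that apt-key populates. The function name `audit_apt_sources` is hypothetical, the sample entries are constructed from the placeholders used in the issue, and deb822 `.sources` files are not handled.

```shell
#!/bin/sh
# Output per entry: <file>:<line> TAB <status> TAB <uri>
#   signed-by=<value>  key is scoped to this source only
#   no-signed-by       verified against the global trusted.gpg / trusted.gpg.d keyrings
#   trusted=yes        signature verification is bypassed for this source
audit_apt_sources() {
    for f in "$@"; do
        awk -v file="$f" '
        {
            line = $0
            sub(/#.*/, "", line)                          # strip comments
            if (line !~ /^[ \t]*deb(-src)?[ \t]/) next    # only deb / deb-src entries
            sub(/^[ \t]*deb(-src)?[ \t]+/, "", line)
            opts = ""
            if (substr(line, 1, 1) == "[") {              # optional [ key=value ... ] block
                close_at = index(line, "]")
                if (close_at == 0) next                   # malformed entry, skip it
                opts = substr(line, 2, close_at - 2)
                line = substr(line, close_at + 1)
                sub(/^[ \t]+/, "", line)
            }
            split(line, field, /[ \t]+/)                  # field[1] is the URI
            status = "no-signed-by"
            n = split(opts, opt, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^signed-by=/) status = opt[i]
            for (i = 1; i <= n; i++)                      # trusted=yes overrides any key
                if (opt[i] == "trusted=yes") status = "trusted=yes"
            printf "%s:%d\t%s\t%s\n", file, FNR, status, field[1]
        }' "$f"
    done
}

# Constructed sample: the two entries from the issue plus two extra cases.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb ar+https://<location>-apt.pkg.dev/projects/<project> <repository> main
deb [signed-by=/etc/apt/keyrings/<location>-artifact.gpg] ar+https://<location>-apt.pkg.dev/projects/<project> <repository> main
# deb http://commented.example/ stable main
deb [ arch=amd64 trusted=yes ] http://mirror.example/debian stable main
EOF
audit_apt_sources "$sample"
rm -f "$sample"
```

On a real host it would be run as `audit_apt_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list`.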

hopkiw commented 1 year ago

Thanks for reporting, we will investigate updating the signing method.

ericsampson commented 1 year ago

That would be great, thanks!

eriksw commented 1 year ago

@hopkiw Any update on this?