UCL-ARC / hpc-spack

Solutions - HPC's Spack config
MIT License

Requires gpg keys to use buildcache as a normal user #47

Open krishnakumarg1984 opened 1 year ago

krishnakumarg1984 commented 1 year ago
```
==> Installing libiconv-1.16-uaerdnaqvy2hrkk2gkiirw5mqkq7cg44
==> Fetching file:///shared/ucl/apps/spack/0.20/buildcache/build_cache/linux-rhel7-broadwell-gcc-11.2.1-libiconv-1.16-uaerdnaqvy2hrkk2gkiirw5mqkq7cg44.spec.json.sig
gpg: keyring `/scratch/home/uccagop/apps/spack/0.20/kg_site_micheal_ucl/spack/opt/spack/gpg/pubring.gpg' created
gpg: Signature made Wed Aug  2 16:22:38 2023 BST using RSA key ID 72643654
gpg: Can't check signature: No public key
==> Warning: Failed to verify: file:///shared/ucl/apps/spack/0.20/buildcache/build_cache/linux-rhel7-broadwell-gcc-11.2.1-libiconv-1.16-uaerdnaqvy2hrkk2gkiirw5mqkq7cg44.spec.json.sig
==> Warning: Skipping build of diffutils-3.8-ehpjj76pln2dakw5zahbo7eztvsb3jha since libiconv-1.16-uaerdnaqvy2hrkk2gkiirw5mqkq7cg44 failed
==> Warning: Skipping build of binutils-2.40-y5z2x63iwl6lski65ohvslxc56clv3nx since diffutils-3.8-ehpjj76pln2dakw5zahbo7eztvsb3jha failed
==> Warning: Skipping build of gcc-12.2.0-kut6cpbompf56zcvwf4vkipaifgmre7u since binutils-2.40-y5z2x63iwl6lski65ohvslxc56clv3nx failed
```

heatherkellyucl commented 1 year ago

It looks like we just need to make sure that ccspapp exports the public gpg key when creating the buildcache, then third parties can use it.

https://spack.readthedocs.io/en/latest/command_index.html#spack-gpg-export

`spack buildcache keys` (https://spack.readthedocs.io/en/latest/binary_caches.html#spack-buildcache-keys): List public keys available on Spack mirror (e.g. our buildcache).

(To read https://spack.readthedocs.io/en/latest/signing.html in case anything else we need to know).

cjlegg commented 1 year ago

Current code for creating a spack site says:


```python
self.run_command(['spack', 'gpg', 'create', 'ARCHPCSolutions', 'rc-support@ucl.ac.uk'])
# 2 steps to use the common build cache - the first, a config copy, links it into this site as spack mirror
shutil.copy(initial_mirrors_yaml, os.path.join(self.yaml_dir, 'mirrors.yaml'))
self.run_command(['spack', 'buildcache', 'keys', '--install', '--trust'])
```

So this says it is a short term fix. The goal was to get the packages signed somehow (so a new key is created for the site), because if I recall correctly, it is much nicer to have the packages signed when it comes to the downloading step. Not sure why it was failing, when the steps are only to create an entirely new key and they say use it. There is nothing here dependent on a particular user id.

cjlegg commented 1 year ago

See also issue #28

heatherkellyucl commented 1 year ago

It isn't failing to create the site, it is failing to import the existing packages from the buildcache - because it doesn't have the public gpg key they were signed with. If we export the gpg key into the buildcache with ccspapp (and make sure that the third party user then has that show up in spack buildcache keys) this should solve it.

heatherkellyucl commented 1 year ago

At the moment, `spack buildcache keys` for Krishna has no entries, so this is not installing anything: `self.run_command(['spack', 'buildcache', 'keys', '--install', '--trust'])`

krishnakumarg1984 commented 1 year ago

Interesting.

```
==> Warning: Failed to verify: file:///shared/ucl/apps/spack/0.20/buildcache/build_cache/linux-rhel7-broadwell-gcc-11.2.1-gmake-4.4.1-3yeveltufgmue74npuzemeaxfiivvt6k.spec.json.sig
==> Error: Failed to install gmake due to NoVerifyException: Spack found new style signed binary packages, but was unable to verify any of them.  Please obtain and trust the correct public key.  If these are public spack binaries, please see the spack docs for locations where keys can be found.
```

heatherkellyucl commented 1 year ago

Ok, the buildcache's public key exists in /shared/ucl/apps/spack/0.20/buildcache/build_cache/_pgp/9EDD6764E6A3D5145ABF8E6EFD20819772643654.pub on Michael already, it appears.

heatherkellyucl commented 1 year ago

https://spack.readthedocs.io/en/latest/getting_started.html#trusting-keys

Additional keys may be added to the keyring using `spack gpg trust <keyfile>`. Once a key is trusted, packages signed by the owner of the key may be installed.
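
Added example (not part of this thread and not hpc-spack code): the key ID in the gpg warning above, 72643654, is the tail of the fingerprint that names the `.pub` file in the buildcache's `_pgp` directory, so a saved install log can be matched to the key file to hand to `spack gpg trust`. The function names are hypothetical, and the script assumes the gpg output format shown in this issue and a `_pgp` directory of `<FINGERPRINT>.pub` files.

```shell
#!/bin/sh
# Added example, not hpc-spack code. Function names are hypothetical.
# Assumes the gpg output format shown in this issue ("... using RSA key ID XXXXXXXX")
# and a buildcache _pgp directory holding <FINGERPRINT>.pub files.

# Read gpg/Spack output on stdin, print the ID of the key that made the signature.
keyid_from_gpg_log() {
    sed -n 's/^gpg: Signature made .* key ID \([0-9A-Fa-f][0-9A-Fa-f]*\).*$/\1/p' |
        head -n 1
}

# Print every .pub file in directory $2 whose fingerprint (file name) ends in key ID $1.
pubkeys_for_keyid() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    for f in "$2"/*.pub; do
        [ -e "$f" ] || continue            # unmatched glob or missing directory
        fpr=$(basename "$f" .pub | tr 'a-f' 'A-F')
        case $fpr in
            *"$want") printf '%s\n' "$f" ;;
        esac
    done
    return 0
}

# Given a saved install log ($1) and a _pgp directory ($2), print the trust command.
# Exit codes: 0 one match, 1 key not published, 2 no key ID in log, 3 ambiguous ID.
trust_command_for_log() {
    nl='
'
    keyid=$(keyid_from_gpg_log < "$1")
    if [ -z "$keyid" ]; then
        echo "no 'key ID' line found in $1" >&2
        return 2
    fi
    matches=$(pubkeys_for_keyid "$keyid" "$2")
    case $matches in
        "")
            echo "key $keyid is not published in $2" >&2
            return 1 ;;
        *"$nl"*)
            # Short key IDs are not unique; never pick one of several candidates.
            echo "key ID $keyid matches several files; compare full fingerprints" >&2
            return 3 ;;
    esac
    # Confirm the fingerprint with the cache owner before running this.
    printf 'spack gpg trust %s\n' "$matches"
}

if [ "$#" -eq 2 ]; then
    trust_command_for_log "$1" "$2"
fi
```

Run it with the saved `spack install` output and the cache's `_pgp` directory as its two arguments; it only prints the command and never modifies the keyring.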