canonical / cloud-init

Official upstream for the cloud-init: cloud instance initialization
https://cloud-init.io/

cloud-init uses gnupg #3923

Open ubuntu-server-builder opened 1 year ago

ubuntu-server-builder commented 1 year ago

This bug was originally filed in Launchpad as LP: #1949602

Launchpad details
affected_projects = []
assignee = None
assignee_name = None
date_closed = None
date_created = 2021-11-03T15:11:51.940060+00:00
date_fix_committed = None
date_fix_released = None
id = 1949602
importance = medium
is_complete = False
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1949602
milestone = None
owner = juliank
owner_name = Julian Andres Klode
private = False
status = triaged
submitter = juliank
submitter_name = Julian Andres Klode
tags = []
duplicates = []

Launchpad user Julian Andres Klode(juliank) wrote on 2021-11-03T15:11:51.940060+00:00

The fix for bug 1836336 made cloud-init use gpg directly, which is odd, given that the reason for getting rid of apt-key is that gpg might not be around in systems (and honestly, shouldn't be).

ubuntu-server-builder commented 1 year ago

Launchpad user Julian Andres Klode(juliank) wrote on 2021-11-03T15:21:42.513839+00:00

I want to note it's not clear to me if you use key servers or private key crypto, which requires gnupg, or if you would be fine with gpg itself.

Optimally I'd want us to migrate to a world where only gpgv is installed, to avoid having useless binaries around. Receiving keys from keyserver.ubuntu.com, dearmoring keyrings on old releases are all trivial to do yourself.

That said, the preference for bionic+ is to store the keyrings as is, so if they are armored, just let them be and be happy, and let apt deal with it.
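
What "dearmoring keyrings yourself" and "let apt deal with it" amount to in practice, as an added example that is not cloud-init's own code nor anything Julian posted: a pure-Python dearmor (RFC 4880 section 6 armor parsing plus the CRC-24 check), an HKP lookup URL builder so a key can be fetched from keyserver.ubuntu.com with a plain HTTP client instead of `gpg --recv-keys`, and a small policy function that keeps armored keys as-is from bionic on and only dearmors for older series. The function names, the `UBUNTU_SERIES` ordering and the `SAMPLE_KEY` bytes are this example's own assumptions; the sample is a constructed stand-in, not a real OpenPGP key.

```python
"""Handle apt repository keys without invoking gpg (added example, not cloud-init code)."""
import base64
import binascii
import re

# RFC 4880 section 6.1: CRC-24 used for the armor checksum.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed stand-in for an exported key (0x99 = old-format tag 6, 2-byte length).
# Not a real OpenPGP key; it only exercises the armor/dearmor path.
SAMPLE_KEY = b"\x99\x00\x10" + bytes(range(16))

# Assumed series ordering; per the comment above, apt reads armored keyrings from bionic on.
UBUNTU_SERIES = ["trusty", "xenial", "bionic", "focal", "jammy"]
ARMOR_AWARE_FROM = "bionic"

_ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.DOTALL
)
_HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z-]*: ")


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Decode an ASCII-armored block to raw OpenPGP packets, checking the CRC.

    The CRC only catches transport corruption; it is not authentication. Trust
    still comes from where the key was fetched and from checking its fingerprint.
    """
    m = _ARMOR_RE.search(armored)
    if m is None:
        raise ValueError("no PGP armor block found")
    body, checksum, in_headers = [], None, True
    for line in m.group(2).splitlines():
        line = line.strip()
        if in_headers:
            if line == "":              # blank line ends the armor headers
                in_headers = False
                continue
            if _HEADER_RE.match(line):  # e.g. "Version: GnuPG v2"
                continue
            in_headers = False          # no headers at all: this is body already
        if not line:
            continue
        if line.startswith("="):        # "=XXXX": base64 of the CRC-24
            checksum = line[1:]
            continue
        body.append(line)
    try:
        raw = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed armor body: {exc}") from exc
    if checksum is not None:            # RFC 9580 made the checksum optional
        want = base64.b64decode(checksum, validate=True)
        if len(want) != 3 or int.from_bytes(want, "big") != crc24(raw):
            raise ValueError("armor CRC-24 mismatch")
    return raw


def armor(raw: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Inverse of dearmor(); used here to build input without needing gpg."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode("ascii")
    return (f"-----BEGIN PGP {kind}-----\n\n" + "\n".join(lines)
            + f"\n={crc}\n-----END PGP {kind}-----\n")


def is_armored(key: bytes) -> bool:
    return key.lstrip().startswith(b"-----BEGIN PGP")


def hkp_lookup_url(fingerprint: str, server: str = "https://keyserver.ubuntu.com") -> str:
    """HKP GET for one key: fetching it needs only HTTPS, not gpg --recv-keys.

    Always pin the full fingerprint and compare it after download; a keyserver
    returns whatever was uploaded under that ID.
    """
    fpr = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{16}|[0-9A-F]{40}", fpr):
        raise ValueError("expect a 64-bit key ID or 160-bit fingerprint")
    return f"{server}/pks/lookup?op=get&options=mr&search=0x{fpr}"


def keyring_contents(key: bytes, series: str, name: str = "example") -> tuple[str, bytes]:
    """Return (filename, bytes) for /etc/apt/trusted.gpg.d or a Signed-By path.

    Binary keyrings pass through untouched; armored ones are kept as .asc on
    series whose apt reads armor, and dearmored to .gpg only for older series.
    """
    if not is_armored(key):
        return f"{name}.gpg", key
    if UBUNTU_SERIES.index(series) >= UBUNTU_SERIES.index(ARMOR_AWARE_FROM):
        return f"{name}.asc", key
    return f"{name}.gpg", dearmor(key.decode("ascii"))
```

Nothing here spawns gpg-agent or dirmngr, so there is no daemon or `~/.gnupg` directory to clean up afterwards; the only external dependency is an HTTP client for the HKP fetch, and the policy split lives in one place (`ARMOR_AWARE_FROM`) rather than being scattered across the module.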

ubuntu-server-builder commented 1 year ago

Launchpad user Julian Andres Klode(juliank) wrote on 2021-11-03T15:23:02.688475+00:00

Note that the Ubuntu images currently seed gnupg, but it's only through dependencies transitively, not explicit. OTOH, Debian systems can have no gpg around entirely, just gpgv.

ubuntu-server-builder commented 1 year ago

Launchpad user Brett Holman(holmanb) wrote on 2021-11-03T15:59:20.760993+00:00

Hi Julian,

Thanks for the feedback. I was unaware that gpg was also deprecated. What is the timeline?

Cloud-init had previous dependencies on gpg prior to this change. It looks like usage of gpg is limited to the apt_configure module, but it is worth noting that removing gpg dependence is a different scope than removing apt-key was (LP#1836336).

ubuntu-server-builder commented 1 year ago

Launchpad user Julian Andres Klode(juliank) wrote on 2021-11-03T16:12:07.473439+00:00

Don't have a timeline, I think cloud-init and snapd are the only things using it, as long as you depend on it it should work.

But it stands to reason that if we can avoid this someday, that'd be nice. Our docker images don't have gnupg either, I'd love to not have it in lxd or real cloud to get them smaller and avoid the daemons.

Especially gnupg with dirmngr and stuff creates directories and spawns daemons that don't end, and managing that is a bit annoying, a lot of apt-key code is just cleaning up after gnupg.

ubuntu-server-builder commented 1 year ago

Launchpad user Chad Smith(chad.smith) wrote on 2021-11-04T22:09:17.023108+00:00

Agreed on Brett's comment here: scope is a bit bigger than just the apt-key deprecation, but I agree it's limited to cc_apt_configure, and since cloud-init no longer SRUs updates to Xenial, we might be able to drop the armour awareness in general.

This won't be high priority for 22.04, but we might be able to get to it about mid-cycle.