Open twau opened 3 months ago
Hi @twau - thank you for the bug report and sorry for taking a while to respond.
You are right - right now the pro-client doesn't support enabling a service to a mirror with re-signed packages. Generally, if you change any metadata from the original packages, not all pro-client functionality is guaranteed to work.
It appears there is an option in the landscape interface for selecting the GPG key to use for signing the mirrored packages. @Perfect5th if you select "none" for that option, will Landscape not re-sign the packages?
@orndorffgrant if you select "none", then Landscape signs the packages with Ubuntu's public keys.
The option in the Landscape interface for selecting the GPG key is forced to the default "Landscape" GPG key and can't be set to "none" there. Must this be done with the CLI?
Description of the bug
We are testing out a POC with self-hosted Landscape 24.04+ua-airgapped in an airgapped environment. We are mirroring esm-apps/esm-infra to our local self-hosted Landscape server; the repo is using the Landscape GPG key. With Ubuntu 24.04 (Noble) https://github.com/canonical/ubuntu-pro-client/commit/e39f45c6e13e934f7a06dfd986df85b7fd948844 the .source repo-file is created, and that also includes the "Signed-By:" that points to the default esm-gpg keys, hence "pro enable esm-apps" fails to enable the repos since we are using the Landscape GPG key on our repo.
Expected behavior
Would be great to have an option to have the ubuntu-pro-client import your current landscape-server-mirror.asc public key. On bionic, focal and jammy the old ubuntu-esm-apps.list files are still created; they don't specify any signing key, so we don't have the issue there.
Current behavior
With Ubuntu 24.04 server, "pro enable esm-apps" fails because the new .source format of the repo-file includes Signed-By.
As a workaround, we can edit /usr/lib/python3/dist-packages/uaclient/apt.py and add noble to "SERIES_NOT_USING_DEB822"; it then enables without any issues since it finds our key in /etc/apt/trusted.gpg.d/landscape-server-mirror8a61e8a5-ef88-45d5-8efc-2c3d7229091c.asc
To Reproduce
System information:
Additional context
I understand that specifying "Signed-By" in the repo file is a good thing for security; I just want to have an option to have the ubuntu-pro-client populate a custom key so it won't fail when trying to register.
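The behaviour reported above, as an added example that is not pro-client or Landscape code: a deb822 stanza with Signed-By is verified only against the keyring it names, while a source without it falls back to apt's global trusted keys, which is why the legacy .list files kept working with the Landscape key. The host name, keyring paths and the `audit` helper are constructed for illustration, and Signed-By is assumed to hold keyring paths rather than an embedded key.

```python
# Added example: classify how each apt source in a deb822 file is bound to a
# signing key. All sample paths and URLs below are constructed placeholders.

def parse_deb822(text):
    """Split a deb822 .sources file into stanzas of {field: value}."""
    stanzas, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):            # comment line
            continue
        if not raw.strip():                # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif raw[0] in " \t" and last:     # continuation of previous field
            cur[last] += "\n" + raw.strip()
        else:
            key, _, value = raw.partition(":")
            last = key.strip().lower()     # field names are case-insensitive
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def audit(text, mirror_keyring):
    """Return (URIs, verdict) per stanza for a mirror signed by mirror_keyring."""
    results = []
    for stanza in parse_deb822(text):
        pinned = stanza.get("signed-by", "").split()
        if not pinned:
            # No Signed-By: any key in apt's global trusted keyrings is accepted.
            verdict = "global-trust"
        elif mirror_keyring in pinned:
            verdict = "pinned-ok"
        else:
            # Pinned to a different keyring: the re-signed mirror fails to verify.
            verdict = "pinned-mismatch"
        results.append((stanza.get("uris", ""), verdict))
    return results

SAMPLE = """\
Types: deb
URIs: https://landscape.example.internal/repository/esm-apps
Suites: noble-apps-security
Components: main
Signed-By: /usr/share/keyrings/EXAMPLE-esm-apps.gpg

Types: deb
URIs: https://landscape.example.internal/repository/other
Suites: noble
Components: main
"""
```

Run `audit()` over each file's contents with the path of the key the mirror actually signs with; a `pinned-mismatch` verdict marks a source apt will reject, and `global-trust` marks one that accepts any globally trusted key.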