cloudfoundry / apt-buildpack

MIT License

Only first key is imported from given URL #163

Open sabberworm opened 11 months ago

sabberworm commented 11 months ago

What version of Cloud Foundry and CF CLI are you using? (i.e. What is the output of running cf curl /v2/info && cf version?)

{
  "name": "",
  "build": "",
  "support": "https://***REDACTED***/support",
  "version": 0,
  "description": "Cloud Foundry provided by ***REDACTED***",
  "authorization_endpoint": "https://***REDACTED***",
  "token_endpoint": "https://***REDACTED***",
  "min_cli_version": "6.51.0",
  "min_recommended_cli_version": "latest",
  "app_ssh_endpoint": "ssh.***REDACTED***:2222",
  "app_ssh_host_key_fingerprint": "***REDACTED***",
  "app_ssh_oauth_client": "ssh-proxy",
  "doppler_logging_endpoint": "wss://***REDACTED***:443",
  "api_version": "2.206.0",
  "osbapi_version": "2.15",
  "routing_endpoint": "https://***REDACTED***/routing",
  "user": "***REDACTED***"
}

cf version 8.7.1+9c81242.2023-06-15

What version of the buildpack are you using?

0.3.0

If you were attempting to accomplish a task, what was it you were attempting to do?

I was trying to install google-chrome-stable from the http://dl.google.com/linux/chrome/deb/ repo.

keys:
  - https://dl.google.com/linux/linux_signing_key.pub
repos:
  - deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
packages:
  - google-chrome-stable

manifest:

---
applications:
  - stack: cflinuxfs4
    buildpacks:
      - apt_buildpack
      - nodejs_buildpack

What did you expect to happen?

The buildpack installs both keys present in https://dl.google.com/linux/linux_signing_key.pub and is able to install google-chrome-stable.

What was the actual behavior?

The buildpack only installs the first key present in https://dl.google.com/linux/linux_signing_key.pub, which is no longer used for signing, and installation fails:

   Downloading nodejs_buildpack...
   Downloading apt_buildpack...
   Downloaded apt_buildpack
   Downloaded nodejs_buildpack
   Cell 92c27375-1388-4198-8483-ddcb70f93543 creating container for instance e428c1e1-5b93-4aa0-b09d-1052aba82d73
   Cell 92c27375-1388-4198-8483-ddcb70f93543 successfully created container for instance e428c1e1-5b93-4aa0-b09d-1052aba82d73
   Downloading build artifacts cache...
   Downloading app package...
   Downloaded app package (21.2M)
   Downloaded build artifacts cache (159.2M)
   -----> Apt Buildpack version 0.3.0
   -----> Adding apt keys
   Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
   gpg: key 7FAC5991: public key "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>" imported
   gpg: Total number processed: 1
   gpg:               imported: 1
   -----> Adding apt repos
   -----> Updating apt cache
   **ERROR** Error running supply: failed to apt-get update Get:1 http://dl.google.com/linux/chrome/deb stable InRelease [1,825 B]
   Hit:2 http://archive.ubuntu.com/ubuntu jammy InRelease
   Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
   Get:4 http://archive.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
   Err:1 http://dl.google.com/linux/chrome/deb stable InRelease
   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4EB27DB2A3B88B8B
   Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1,340 kB]
   Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1,266 kB]
   rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
   Reading package lists...
   W: GPG error: http://dl.google.com/linux/chrome/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4EB27DB2A3B88B8B
   E: The repository 'http://dl.google.com/linux/chrome/deb stable InRelease' is not signed.

   exit status 100
   Failed to run all supply scripts: exit status 14
   Exit status 225

This is apparently a known issue with gpg --fetch-keys, which is why most manuals opt to do curl $KEY_URL | apt-key add - instead (though it works for me locally, but I might have a newer version of gpg).

Maybe this can be tackled along with #152?

Please confirm where necessary:
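A way to check the first half of this report independently of gpg is to parse the downloaded key file yourself and list every primary key it carries. The script below is an added example, not code from apt-buildpack or from the reporter: it de-armors an OpenPGP public key file, walks the packet stream, and prints the v4 fingerprint and long key ID of each primary key (tag 6) packet, so you can see how many keys a URL really contains and whether the key ID apt named in its NO_PUBKEY error is one of them. The two RSA keys, the user ID packet and the armor checksum in SAMPLE_KEYFILE are constructed for the example (the key material is not real); run the script with a path argument to inspect a real file.

```python
"""Hypothetical checker (not part of apt-buildpack): list every primary public
key in an OpenPGP key file, armored or binary, with its v4 key ID."""
import base64
import hashlib
import re
import struct
import sys

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag for a primary public key (RFC 4880 5.5.1.1)


def dearmor(data: bytes) -> bytes:
    """Base64-decode and concatenate every armored block; binary input is returned as-is."""
    if b"-----BEGIN PGP" not in data:
        return data
    out = b""
    for block in re.findall(rb"-----BEGIN PGP [^\n]*-----\r?\n(.*?)-----END PGP", data, re.S):
        body, in_headers = [], True
        for line in block.split(b"\n"):
            line = line.strip()
            if in_headers:
                if line == b"":            # blank line ends the armor headers
                    in_headers = False
                    continue
                if b":" in line:           # e.g. "Version: GnuPG v2"
                    continue
                in_headers = False         # no headers at all: this line is data
            if line.startswith(b"="):      # "=XXXX" armor checksum line
                continue
            body.append(line)
        out += base64.b64decode(b"".join(body))
    return out


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if ctb & 0x40:                     # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                              # old-format header: length size from low 2 bits
            tag = (ctb >> 2) & 0x0F
            size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if size is None:
                raise ValueError("indeterminate packet length is not supported")
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length


def list_primary_keys(data: bytes) -> list:
    """One dict per primary key: version, algo, creation time, v4 fingerprint
    (SHA-1 over 0x99 || 2-byte length || body) and the 64-bit key ID."""
    keys = []
    for tag, body in iter_packets(dearmor(data)):
        if tag != PUBLIC_KEY_TAG:          # user IDs, signatures, subkeys are skipped
            continue
        entry = {"version": body[0], "algo": None, "created": None, "fingerprint": None, "keyid": None}
        if body[0] == 4:
            entry["created"], entry["algo"] = struct.unpack(">I", body[1:5])[0], body[5]
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            entry["fingerprint"], entry["keyid"] = fpr, fpr[-16:]
        keys.append(entry)
    return keys


def has_key_id(data: bytes, keyid: str) -> bool:
    """True if a primary key with this 16-hex-digit key ID is in the file."""
    return any(k["keyid"] == keyid.upper() for k in list_primary_keys(data))


# ---- constructed sample: two fake RSA v4 key packets around a user ID packet ----
def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _fake_rsa_key_packet(created: int, n: int, e: int = 65537) -> bytes:
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body  # old-format tag 6, 2-byte length


def _armor(binary: bytes) -> bytes:
    b64 = base64.b64encode(binary)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + b"\n".join(lines) + b"\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")


_UID = b"Constructed Sample <sample@example.invalid>"
SAMPLE_KEYFILE = _armor(
    _fake_rsa_key_packet(1500000000, 0xC0FFEE0123456789ABCDEF)
    + bytes([0xB4, len(_UID)]) + _UID      # old-format user ID packet (tag 13)
    + _fake_rsa_key_packet(1600000000, 0xDEADBEEF9876543210FEDC)
)

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYFILE
    for k in list_primary_keys(raw):
        print(f"v{k['version']} algo={k['algo']} created={k['created']} keyid={k['keyid']}")
```

If the real file lists two primary keys but gpg reports "Total number processed: 1", the import step is the problem, not the file; comparing the second key ID with the one in the NO_PUBKEY line tells you whether the missing signer is simply the key that never got imported.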

sabberworm commented 11 months ago

I tried working around the issue using gpg_advanced_options but ran into an issue there as well: it’s not possible to pass in multiple options to adv, at least not the way the feature is meant to be used, as indicated in the corresponding test:

https://github.com/cloudfoundry/apt-buildpack/blob/a21d77127d301ea7df33714e441306910b5b2128/src/apt/apt/apt_test.go#L144-L161

As you can see from the test assertion, each item in gpg_advanced_options is a string that represents a single option so there is no way to pass multiple options. So I guess I found a second bug.