Closed juliantaylor closed 6 days ago
I can't comment on overriding the trusted key, but dirmngr is missing because gnupg has been built with USE="-ssl" due to the ssl flag being masked against this package. The reason given in the package.use.mask file is that Flatcar doesn't ship with gnutls by default, but I don't think that's true anymore. I can see libgnutls.so on my test VM.
Thanks, removing the masking of ssl in sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask and thus having dirmngr installed allows self signed images to install again.
I may make that change, but it's not the proper fix here. I understand the issue now and am discussing the solution. We probably want --assert-signer rather than --trusted-key and it obviously needs to be adjusted for custom keys.
Description
Since 3913.1.0 in the beta channel gnupg 2.4 is used. This seems to break usage of custom signing keys due to dirmngr not being present in the installer image and the installer using a hardcoded key in the --trusted-key argument despite running flatcar-install -k customkey
Impact
self signed images cannot be installed
Environment and steps to reproduce
gnupg 2.4 on flatcar 3941.1.0
verification failed here despite gpg: Good signature from "testt" [unknown], it exited with code 2
in comparison on flatcar 3874.1.0:
verification succeeded
Expected behavior
self signed images can be installed with verification
If we could override the --trusted-key in the flatcar installer, gnupg would not try to invoke dirmngr and it would work, but the trusted key is hardcoded in the installer.
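What pinning the signer by fingerprint means in practice, as an added example that is not code from flatcar-install or from this issue: a shell function that reads the status lines gpg writes with --status-fd and succeeds only if a valid signature was made by the expected key, matching the signing key or its primary key as --assert-signer does. The function name, the fingerprints and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not flatcar-install code): accept a signature only when
# the key that made it has the expected fingerprint, independent of the
# trust level gpg assigns to a custom key.

# Constructed fingerprints and constructed --status-fd output.
SAMPLE_SUBKEY_FPR=1111111111111111111111111111111111111111
SAMPLE_PRIMARY_FPR=2222222222222222222222222222222222222222
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 testt
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY_FPR 2024-05-01 1714521600 0 4 0 1 10 00 $SAMPLE_PRIMARY_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

# signer_is_pinned FPR  (hypothetical helper; status lines on stdin)
# Returns 0 if a VALIDSIG line names FPR as signing key or primary key,
# 1 if not, 2 if FPR is not a compact hex fingerprint.
signer_is_pinned() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the signing key fingerprint,
        # field 12 the fingerprint of its primary key.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($12) == want) {
            ok = 1
        }
        # Conservatively fail on any bad, unverifiable, expired or
        # revoked signature reported in the same run.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Intended wiring (file names are placeholders):
#   gpg --status-fd 1 --verify image.sig image 2>/dev/null \
#       | signer_is_pinned "$CUSTOM_KEY_FPR"
```

The TRUST_UNDEFINED line in the sample corresponds to the "[unknown]" shown next to the good signature in the report; the function ignores it and decides on the fingerprint alone.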