saltstack-formulas / salt-formula

Yes, Salt can Salt itself!
http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

[BUG] Debian Bullseye pkgrepo.managed deprecation failure if non-default key_url and pkgrepo is set #520

Closed hkbakke closed 2 years ago

hkbakke commented 2 years ago

Your setup

Formula commit hash / release tag

1.9.4: 99b14699f3f2eedf9f01081e218c1d29112f3a88

Versions reports (master & minion)

Salt Version:
          Salt: 3004

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: 4.0.5
     gitpython: 3.1.14
        Jinja2: 2.11.3
       libgit2: 1.1.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.0
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.9.7
        pygit2: 1.4.0
        Python: 3.9.2 (default, Feb 28 2021, 17:03:44)
  python-gnupg: Not Installed
        PyYAML: 5.3.1
         PyZMQ: 20.0.0
         smmap: 4.0.0
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: debian 11 bullseye
        locale: utf-8
       machine: x86_64
       release: 5.10.0-9-amd64
        system: Linux
       version: Debian GNU/Linux 11 bullseye

Pillar / config used

pillar config:

salt:
  install_packages: true
  pin_version: true
  py_ver: py3
  pkgrepo: "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/{{ grains['os_family']|lower }}-{{ grains['oscodename']|lower }}-{{ grains['osarch']|lower }}-salt {{ grains['oscodename']|lower }} main"
  key_url: https://mirror.example.com/keys/salt.asc
  pkgrepo_keyring: https://mirror.example.com/keys/salt-archive-keyring.gpg
  version: '3004+ds-1'

Bug details

Describe the bug

As you may or may not know, the functionality provided by key_url in Salt's pkgrepo.managed is deprecated in Debian Bullseye and replaced by explicitly defining the signing key in the repo definition. Ideally, pkgrepo.managed would understand that this is Bullseye and create a keyring for us from the key_url, but this is not currently the case.

I need to use an internal mirrored repository of Salt with mirrored versions of the key_url and pkgrepo_keyring available, but the state salt-pkgrepo-install-saltstack-debian keeps failing because Salt can't apt-key add the key_url, because the functionality is deprecated. salt-formula currently handles the keyring outside of pkgrepo.managed, so everything should be fine as long as you provide the signed-by file in the repo definition.

The fix is easy however, either

Steps to reproduce the bug

Change to a non-default pkgrepo and key_url on Bullseye (or you could probably also just remove the existing global apt-key and repo and use the defaults in this state, but this is not tested).

[ERROR   ] Command 'apt-key' failed with return code: 2
[ERROR   ] stderr: Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg: no valid OpenPGP data found.
[ERROR   ] retcode: 2
[ERROR   ] Failed to configure repo 'deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main': Error: failed to add key from https://mirror.example.com/keys/salt.asc
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/files.py:385: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  f_handle = open(*args, **kwargs)  # pylint: disable=resource-leakage

[WARNING ] /usr/lib/python3/dist-packages/salt/utils/files.py:385: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  f_handle = open(*args, **kwargs)  # pylint: disable=resource-leakage

local:
----------
          ID: salt-pkgrepo-install-saltstack-debian
    Function: pkgrepo.managed
        Name: deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main
      Result: False
     Comment: Failed to configure repo 'deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main': Error: failed to add key from https://mirror.example.com/keys/salt.asc
     Started: 13:44:01.126825
    Duration: 171.904 ms
     Changes:

Expected behaviour

salt-pkgrepo-install-saltstack-debian should work on Debian Bullseye with a custom pkgrepo and pkgrepo_keyring, without the unneeded key_url.

Attempts to fix the bug

Just commenting out key_url in salt-pkgrepo-install-saltstack-debian in the formula removes the issue on Bullseye, but obviously this should be controlled by a toggle in os*.yaml or something.

Additional context

salt.asc was downloaded from this url: https://repo.saltproject.io/py3/debian/11/amd64/latest/SALTSTACK-GPG-KEY.pub
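
Added example (not part of the issue or of salt-formula): a small audit of one-line apt source entries that reports whether a repo is scoped to its own keyring through signed-by, which is the mechanism the report relies on in place of apt-key. The function names and the injectable `exists` check are assumptions made for this illustration; the sample lines are constructed from the rendered repo line in the log above.

```python
import os
import re

# One-line apt source format: TYPE [OPTIONS] URI SUITE [COMPONENTS...]
ENTRY_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>[^\s\[]\S*)\s+(?P<suite>\S+)\s*(?P<comps>.*)$"
)

def parse_entry(line):
    """Return a dict for one sources.list line, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = ENTRY_RE.match(line)
    if m is None:
        raise ValueError(f"not a one-line apt source entry: {line!r}")
    opts = {}
    for item in (m.group("opts") or "").split():
        key, _, value = item.partition("=")
        opts[key.strip().lower()] = value.strip()
    return {"uri": m.group("uri"), "suite": m.group("suite"),
            "components": m.group("comps").split(), "options": opts}

def audit_entry(line, exists=os.path.exists):
    """List trust problems for one entry; an empty list means it is key-scoped."""
    entry = parse_entry(line)
    if entry is None:
        return []
    signed_by = entry["options"].get("signed-by", "")
    if not signed_by:
        return ["no signed-by: any key in the global apt keyring can sign this repo"]
    findings = []
    for ref in signed_by.split(","):
        # Absolute paths are keyring files; anything else is a key fingerprint.
        if ref.startswith("/") and not exists(ref):
            findings.append(f"signed-by keyring missing: {ref}")
    return findings

# Constructed sample input: the rendered repo line from the log above,
# and the same repo without the signed-by option.
SCOPED = ("deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] "
          "https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main")
UNSCOPED = "deb https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main"

if __name__ == "__main__":
    for sample in (SCOPED, UNSCOPED):
        print(audit_entry(sample) or "ok")
```

On a minion, run `audit_entry` over each line of the files under /etc/apt/sources.list.d/ after the state has applied; the default `exists` then checks the real keyring path.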

saltstack-formulas-travis commented 2 years ago

:tada: This issue has been resolved in version 1.9.5 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: