saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[DOCS] Update Salt Install Guide to include instructions to check permissions on keyrings #64524

Open HomerThreepwood opened 1 year ago

HomerThreepwood commented 1 year ago

Description

# lsb_release -a
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:    11
Codename:   bullseye
# sudo curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/debian/11/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg arch=amd64] https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg arch=amd64] https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye main
# aptitude update
Get: 1 https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye InRelease [1,585 B]
Err https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
(...)
W: GPG error: https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
E: The repository 'https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye InRelease' is not signed.
E: Failed to download some files
W: Failed to fetch https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/dists/bullseye/InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
E: Some index files failed to download. They have been ignored, or old ones used instead

Is there a step I am missing?

Type of documentation: Salt Install Guide

Location or format of documentation: https://docs.saltproject.io/salt/install-guide/en/latest/topics/install-by-operating-system/debian.html

HStry commented 1 year ago

@HomerThreepwood I don't know why, but it didn't work before, and I got the same message as you had. Did some things through gpg, and now it seems to work. I'm using Debian 12 for this container, and using the new apt sources config format:

root@4a4070412c4d:/etc/apt# cat sources.list.d/salt.sources
Types: deb
URIs: https://repo.saltproject.io/salt/py3/debian/11/arm64/latest
Suites: bullseye
Components: main
Signed-By: /etc/apt/keyrings/salt-archive-keyring-2023.gpg

What I did:

# gpg --keyserver hkps://keys.openpgp.org --receive-keys 64CBBC8173D76B3F
# gpg --export --armor 64CBBC8173D76B3F > /etc/apt/keyrings/salt-archive-keyring-2023.pub
# gpg --export 64CBBC8173D76B3F > /etc/apt/keyrings/salt-archive-keyring-2023.gpg

The keys generated through this method were exactly the same as pulled from saltproject.io, so I guess somewhere in this method I must've fixed a typo I overlooked. I see - for my situation - no other reason why this would have worked. Everything seems the same.

OrangeDog commented 1 year ago

Can you please add some details as to what the documentation problem is, including a title for the issue.

barbaricyawps commented 1 year ago

@HomerThreepwood, I agree with @OrangeDog: can you add some details around what the documentation problem is and what fix you'd like to see? It sounds like you were having some problems with your GPG keys on Debian.

Did you follow the steps to add the Salt GPG key to your repository? Is there anything about those steps that needs some clarification? For example, did you see the note on the Debian 11 install instructions:

The GPG key for the 3006.1 release is now named: SALT-PROJECT-GPG-PUBKEY-2023. You must import the new GPG key before upgrading or your upgrade will fail.

Can you tell me if you were upgrading or running a fresh install?

arnoldasb commented 1 year ago

For some reason we had 0750 permissions on /etc/apt/keyrings folder, it took us hours of searching for solutions.

Following apt update error:

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F

So make sure you check permissions:

chmod 755 /etc/apt/keyrings
chmod 644 /etc/apt/keyrings/salt-archive-keyring-2023.gpg

BlackMetalz commented 1 year ago

> For some reason we had 0750 permissions on /etc/apt/keyrings folder, it took us hours of searching for solutions.
>
> Following apt update error:
>
> The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
>
> So make sure you check permissions:
>
> chmod 755 /etc/apt/keyrings
> chmod 644 /etc/apt/keyrings/salt-archive-keyring-2023.gpg

This is the solution. It may be affected by some policy for hardening
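
The permission fix above, as an added example that is not part of the original thread or the Salt docs: a check that the keyring file and every directory above it are readable by "other", plus an install step that sets modes explicitly instead of relying on umask. The function names `check_keyring_perms` and `install_keyring` are hypothetical; it assumes `stat -c %a` (GNU coreutils or busybox) and that apt reads the keyring as an unprivileged user (`_apt` on current Debian/Ubuntu), which is why a 0750 directory or 0600 file surfaces as NO_PUBKEY.

```shell
#!/bin/sh
# Added example: verify an apt keyring is reachable by an unprivileged reader.
# Assumes stat supports "-c %a" (GNU coreutils / busybox).

# other_has BIT PATH: succeeds if the "other" permission digit has BIT set
# (4 = read, 1 = execute/traverse).
other_has() {
    mode=$(stat -c %a "$2") || return 1
    last=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    [ $(( last & $1 )) -ne 0 ]
}

# check_keyring_perms FILE [TOP]
# Walks from FILE up to TOP (default /). Prints every component that blocks an
# unprivileged reader, with the chmod that fixes it; returns 1 if any is found.
check_keyring_perms() {
    file=$1 top=${2:-/} bad=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 1
    fi
    if ! other_has 4 "$file"; then
        echo "not world-readable: $file (fix: chmod 644 $file)"; bad=1
    fi
    dir=$(dirname "$file")
    while :; do
        if ! other_has 1 "$dir"; then
            echo "not world-traversable: $dir (fix: chmod 755 $dir)"; bad=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# install_keyring SRC DEST: create the keyring directory and place the key with
# explicit modes, so a restrictive umask (e.g. 0077) cannot make it unreadable.
install_keyring() {
    install -d -m 0755 "$(dirname "$2")" && install -m 0644 "$1" "$2"
}
```

On an affected host, `check_keyring_perms /etc/apt/keyrings/salt-archive-keyring-2023.gpg` lists each path component that needs fixing before `apt update` is retried.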

tryauuum commented 2 days ago

silly me, also had this error (because I paranoidally set umask to 0077)

the solution for me was

umask 0022; curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/24.04/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg

But it's not a foolproof solution to put in docs, user can have the same error if the parent directory has wrong permissions.


Maybe the solution for docs update would be: