Closed rainboh closed 6 years ago
If 443 does work, it's better to use it.
Also, in the future we're going to implement #478 and deprecate AptTrust. It looks like it solves your problem too, right? I'm just not sure of the minimum Ubuntu version which supports the option.
Reading the doc https://wiki.debian.org/DebianRepository/UseThirdParty I understood that it always requires downloading a keyring file.
If AptTrust gets deprecated, this means that to install repos which only provide the key but no keyring, we still need to get the key by:
!Sh
apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 93C4A3FD7BB9C367
Why not keep AptTrust in addition to support 'signed-by'?
Do you know where to get a keyring for ansible (https://launchpad.net/~ansible/+archive/ubuntu/ansible)?
> Why not keep AptTrust in addition to support 'signed-by'?
It will be kept anyway. Deprecation is not removal.
But it looks like I have misunderstood what the new way is in #478, and I'm not yet sure what the right way is. I've only seen a few mentions like this that it's deprecated.
Anyway, can you confirm that port 443 works for you? And we will merge this PR regardless of the future of apt-key :)
Port 80 works out of the box.
Port 443 ("hkps://keyserver.ubuntu.com:443") will only work when adding this to the container:
- !UbuntuUniverse
- !BuildDeps [gnupg-curl, ca-certificates]
If "gnupg-curl" is not installed, the error "gpgkeys: HTTP fetch error 1: unsupported protocol" is reported. Without "ca-certificates", the error "gpgkeys: HTTP fetch error 77:" is reported.
This means switching to https will break existing containers unless vagga takes care to install these 2 packages.
Is that possible with something like this?
guard.ctx.build_deps.insert(packagename)
Your expertise is needed if https should be used.
Updated PR.
Adding the same key twice is not detected, e.g. if this is inside vagga.yaml:
- !AptTrust keys: [93C4A3FD7BB9C367]
- !AptTrust keys: [93C4A3FD7BB9C367]
The key will get downloaded twice, but the required packages [gnupg-curl, ca-certificates] are only downloaded and installed once.
Looks good. Thanks!
At the office I got an error when I used !AptTrust.
According to this info https://gpgtools.tenderapp.com/kb/faq/cant-reach-key-server-are-you-behind-a-company-firewall it's because port 11371 is blocked.
As port 80 should usually not be blocked, I changed the default keyserver port in this PR. I did not yet test this change in the office, but expect it to work.
Let me know if you prefer port 443.