tailhook / vagga

Vagga is a containerization tool without daemons
http://vagga.readthedocs.org
MIT License
1.86k stars 96 forks

use port 80 to connect to ubuntu keyserver #485

Closed rainboh closed 6 years ago

rainboh commented 6 years ago

At the office I got an error when using !AptTrust

According to this info https://gpgtools.tenderapp.com/kb/faq/cant-reach-key-server-are-you-behind-a-company-firewall it's because port 11371 is blocked.

      # this was failing
      - !AptTrust keys: [93C4A3FD7BB9C367]
      # this did work
      - !Sh |
        apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 93C4A3FD7BB9C367

As port 80 should usually not be blocked, I changed the default keyserver port in this PR. I did not yet test this change at the office, but expect it to work.

Let me know if you prefer port 443

tailhook commented 6 years ago

If 443 does work, it's better to use it.

Also, in the future we're going to implement #478 and deprecate AptTrust. It looks like it solves your problem too, right? I'm just not sure of the minimum Ubuntu version that supports the option.

rainboh commented 6 years ago

Reading the doc https://wiki.debian.org/DebianRepository/UseThirdParty I understood that it always requires downloading a keyring file.

If AptTrust gets deprecated, this means that to install repos which only provide the key but no keyring we still need to get the key by

      - !Sh |
        apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 93C4A3FD7BB9C367

Why not keep AptTrust in addition to support 'signed-by' ?

Do you know where to get keyring for ansible (https://launchpad.net/~ansible/+archive/ubuntu/ansible) ?

tailhook commented 6 years ago

Why not keep AptTrust in addition to support 'signed-by' ?

It will be kept anyway. Deprecation is not removal.

But it looks like I misunderstood what the new way is in #478, and I'm not yet sure what the right way is. I've only seen a few mentions like this that it's deprecated.

Anyway, can you confirm that port 443 works for you? And we will merge this PR regardless of the future of apt-key :)

rainboh commented 6 years ago

Port 80 works out of the box.

Port 443 ("hkps://keyserver.ubuntu.com:443") will only work when adding this to the container:

      - !UbuntuUniverse
      - !BuildDeps [gnupg-curl, ca-certificates]

If "gnupg-curl" is not installed, the error "gpgkeys: HTTP fetch error 1: unsupported protocol" is reported. Without "ca-certificates", the error "gpgkeys: HTTP fetch error 77:" is reported.

This means switching to https will break existing containers unless vagga takes care to install these 2 packages.

Is that possible with something like this?

guard.ctx.build_deps.insert(packagename)

Your expertise is needed if https should be used.

tailhook commented 6 years ago

We already have something similar here and here to use https-based repositories. These pieces might need to be factored out into functions, but it shouldn't be too hard. Don't hesitate to ask for more help though.

rainboh commented 6 years ago

Updated PR.

Adding the same key twice is not detected, e.g. if this is inside vagga.yaml

- !AptTrust keys: [93C4A3FD7BB9C367]
- !AptTrust keys: [93C4A3FD7BB9C367]

the key will get downloaded twice, but the required packages [gnupg-curl, ca-certificates] are only downloaded and installed once.
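As an added illustration of the two points raised above (hkps:// needing gnupg-curl and ca-certificates as build deps, and a key listed in two !AptTrust steps being fetched twice), here is a small Rust model of the step logic. This is example code written for this page, not vagga's own implementation; the BuildCtx struct, its fields and the apt_trust function are stand-ins for whatever vagga does internally (the thread only mentions guard.ctx.build_deps.insert). It goes a little beyond the thread in two ways: it dedupes the keys as well as the packages, and it refuses 32-bit short key IDs, since a key fetched over plain hkp:// on port 80 is whatever the server returns for that ID and short IDs are cheap to collide; a 64-bit long ID (as used in the thread) or a full 40-hex fingerprint is required instead.

```rust
use std::collections::BTreeSet;

/// Hypothetical stand-in for vagga's build context. The thread refers to
/// `guard.ctx.build_deps.insert(...)`; the struct and field names here are
/// assumptions made for this example, not vagga's real types.
#[derive(Default, Debug)]
pub struct BuildCtx {
    /// Packages that must be installed before setup steps run (a set, so
    /// repeated requests install each package once).
    pub build_deps: BTreeSet<String>,
    /// Key IDs already scheduled for download, so a key listed in two
    /// `!AptTrust` steps is fetched only once.
    pub trusted_keys: BTreeSet<String>,
    /// Shell commands that will run inside the container, in order.
    pub commands: Vec<String>,
}

/// Packages gpg needs on older Ubuntu before `hkps://` works. From the thread:
/// without gnupg-curl, "gpgkeys: HTTP fetch error 1: unsupported protocol";
/// without ca-certificates, "gpgkeys: HTTP fetch error 77:".
const HKPS_DEPS: &[&str] = &["gnupg-curl", "ca-certificates"];

/// Accept only a 16-hex long key ID or a 40-hex fingerprint. 8-hex short IDs
/// are rejected: colliding keys for a short ID are cheap to generate, and
/// hkp:// over port 80 does not authenticate what the keyserver returns.
fn validate_key_id(key: &str) -> Result<String, String> {
    let k = key.trim().to_uppercase();
    let right_len = k.len() == 16 || k.len() == 40;
    if right_len && k.chars().all(|c| c.is_ascii_hexdigit()) {
        Ok(k)
    } else {
        Err(format!(
            "refusing key id {:?}: use a 16-hex long id or a 40-hex fingerprint",
            key
        ))
    }
}

/// Models one `!AptTrust keys: [...]` step against the given keyserver URL.
/// Returns Err for an unsupported scheme or an unacceptable key ID.
pub fn apt_trust(ctx: &mut BuildCtx, keyserver: &str, keys: &[&str]) -> Result<(), String> {
    if keyserver.starts_with("hkps://") {
        // TLS fetch support is needed; BTreeSet makes repeated inserts a no-op.
        for p in HKPS_DEPS {
            ctx.build_deps.insert(p.to_string());
        }
    } else if !keyserver.starts_with("hkp://") {
        return Err(format!("unsupported keyserver scheme in {:?}", keyserver));
    }
    for key in keys {
        let k = validate_key_id(key)?;
        // insert() returns false if the key was already scheduled: skip the
        // second download instead of fetching the same key twice.
        if ctx.trusted_keys.insert(k.clone()) {
            ctx.commands.push(format!(
                "apt-key adv --recv-keys --keyserver {} {}",
                keyserver, k
            ));
        }
    }
    Ok(())
}

fn main() {
    let mut ctx = BuildCtx::default();
    // Constructed input: the same key listed in two steps, as in the thread.
    for _ in 0..2 {
        apt_trust(&mut ctx, "hkps://keyserver.ubuntu.com:443", &["93C4A3FD7BB9C367"])
            .expect("valid step");
    }
    println!("build deps: {:?}", ctx.build_deps);
    println!("commands:   {:?}", ctx.commands);
    println!("short id:   {:?}", apt_trust(&mut ctx, "hkp://keyserver.ubuntu.com:80", &["7BB9C367"]));
}
```

Running main prints two build deps, a single apt-key command, and an Err for the short ID. Note that even with hkps://, the transport only authenticates the keyserver, not the key's owner; for a third-party repository the fingerprint should still be compared against what the vendor publishes out of band.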

tailhook commented 6 years ago

Looks good. Thanks!