weechat / weechat.org

Source code of weechat.org.
https://weechat.org/
GNU General Public License v3.0

Documentation: Issues in installation instructions for Debian 11 "Bullseye" (at least) #107

Closed 01100001 closed 2 years ago

01100001 commented 2 years ago

Bug summary

Installation instructions at https://weechat.org/download/debian/ fail on Debian 11 "Bullseye" at least.

Issue starts with the required packages installation command provided sudo apt-get install dirmngr gpg-agent apt-transport-https as it doesn't install gpg itself.

Then the use of --no-default-keyring in the sudo gpg ... command that follows causes other errors due to it not allowing for the /root/.gnupg/ directory to be created.

(Couldn't have identified the issues without the help of the kind folks on #weechat IRC channel.)

Steps to reproduce

(Simply following instructions at https://weechat.org/download/debian/ for Debian 11 "Bullseye" and applying fixes as necessary. Output of the commands is shown indented after each command—where necessary, for clarity.)

Install required packages as per the documentation:

$ sudo apt-get install dirmngr gpg-agent apt-transport-https

Import the GPG key used to sign the repositories:

$ sudo mkdir -p /usr/local/share/keyrings

$ sudo gpg --no-default-keyring --keyring /usr/local/share/keyrings/weechat-archive-keyring.gpg --keyserver hkps://keys.openpgp.org --recv-keys 11E9DE8848F2B65222AA75B8D1820DB22A11534E

    sudo: gpg: command not found

Install gpg to fix the issue of missing package:

$ sudo apt-get install gpg

Run the command to import the GPG key used to sign the repositories — again:

$ sudo gpg --no-default-keyring --keyring /usr/local/share/keyrings/weechat-archive-keyring.gpg --keyserver hkps://keys.openpgp.org --recv-keys 11E9DE8848F2B65222AA75B8D1820DB22A11534E

    gpg: keybox '/usr/local/share/keyrings/weechat-archive-keyring.gpg' created
    gpg: failed to create temporary file '/root/.gnupg/.#lk0x000055ad529dc160.temp2.14929': No such file or directory
    gpg: connecting dirmngr at '/root/.gnupg/S.dirmngr' failed: No such file or directory
    gpg: keyserver receive failed: No dirmngr

It appears the /root/.gnupg/ directory isn't being created automatically by gpg due to use of the --no-default-keyring flag.

Current behavior

(See above. It's clearer if the output is shown with the commands so I added it above.)

Expected behavior

Installation should be possible by simply following the instructions in the documentation.

Suggested solutions

  1. Include gpg among the packages to install, along with any other recommended packages.

  2. Remove --no-default-keyring from the sudo gpg command.

    Alternatively, user should simply run gpg and exit it (Ctrl + C) for /root/.gnupg/ directory to be created. Then the sudo gpg command, with the --no-default-keyring flag, should run without issues.

    User could, of course, also create it manually, like so:

    sudo mkdir /root/.gnupg
    sudo chown -R root:root /root/.gnupg/
    sudo chmod 700 /root/.gnupg/

Additional information

N/A


iam-TJ commented 2 years ago

To integrate correctly with apt, which stores individual keys in a backward-compatible PGP/GPG key public ring (v4) format in the directory /etc/apt/trusted.gpg.d/, two operations are required:

  1. fetch the key from the key-server (which stores it in GPG keybox database version 1 format)
  2. export the key in the format apt prefers (PGP/GPG key public ring (v4))

The following statement does it in one line but is hard to read here so is broken into the separate steps after:

KEY="11E9DE8848F2B65222AA75B8D1820DB22A11534E"; for cmd in "--keyserver hkps://keys.openpgp.org --recv-keys" "--output /etc/apt/trusted.gpg.d/weechat.gpg --export"; do sudo gpg --no-default-keyring --keyring /tmp/weechat.keyring $cmd $KEY; done

Separate steps shown for clarity:

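KEY="11E9DE8848F2B65222AA75B8D1820DB22A11534E"
# Pass 1 fetches the key into a temporary keybox; pass 2 exports it for apt.
# $cmd is left unquoted on purpose so each string splits into separate gpg options.
for cmd in "--keyserver hkps://keys.openpgp.org --recv-keys" \
           "--output /etc/apt/trusted.gpg.d/weechat.gpg --export"
do
    sudo gpg --no-default-keyring --keyring /tmp/weechat.keyring $cmd $KEY
done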

This creates a temporary keybox keyring at /tmp/weechat.keyring and then exports the key from there to where apt expects to find it: /etc/apt/trusted.gpg.d/weechat.gpg.

$ file /tmp/weechat.keyring /etc/apt/trusted.gpg.d/weechat.gpg
/tmp/weechat.keyring:      GPG keybox database version 1, created-at Sun Oct 24 11:14:28 2021, last-maintained Sun Oct 24 11:14:28 2021
/etc/apt/trusted.gpg.d/weechat.gpg: PGP/GPG key public ring (v4) created Sun Oct 11 08:02:10 2015 RSA (Encrypt or Sign) 4096 bits MPI=0xb7803826fbd30a65...

01100001 commented 2 years ago

Notes to self

(Also provided for developer's convenience, at a glance.)

Incorporating @iam-TJ's suggestion, the documented instructions would look like (recommended):

sudo apt-get install dirmngr gpg-agent gpg apt-transport-https

sudo gpg # To initialize /root/.gnupg/ dir, then exit with Ctrl+C

KEY="11E9DE8848F2B65222AA75B8D1820DB22A11534E"; for cmd in "--keyserver hkps://keys.openpgp.org --recv-keys" "--output /etc/apt/trusted.gpg.d/weechat.gpg --export"; do sudo gpg --no-default-keyring --keyring /tmp/weechat.keyring $cmd $KEY; done

echo "deb https://weechat.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/weechat.list
echo "deb-src https://weechat.org/debian bullseye main" | sudo tee -a /etc/apt/sources.list.d/weechat.list

sudo apt update

sudo apt install weechat-curses weechat-plugins weechat-python weechat-perl

(Removing --no-default-keyring didn't work in the above case.)

vs. mine (only fixing default instructions in the documentation):

sudo apt-get install dirmngr gpg-agent gpg apt-transport-https

sudo mkdir -p /usr/local/share/keyrings

sudo gpg --keyring /usr/local/share/keyrings/weechat-archive-keyring.gpg --keyserver hkps://keys.openpgp.org --recv-keys 11E9DE8848F2B65222AA75B8D1820DB22A11534E

echo "deb [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/weechat.list
echo "deb-src [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee -a /etc/apt/sources.list.d/weechat.list

sudo apt update

sudo apt install weechat-curses weechat-plugins weechat-python weechat-perl

Or alternatively (as previously mentioned):

sudo apt-get install dirmngr gpg-agent gpg apt-transport-https

sudo mkdir -p /usr/local/share/keyrings

sudo gpg # To initialize /root/.gnupg/ dir, then exit with Ctrl+C

sudo gpg --no-default-keyring --keyring /usr/local/share/keyrings/weechat-archive-keyring.gpg --keyserver hkps://keys.openpgp.org --recv-keys 11E9DE8848F2B65222AA75B8D1820DB22A11534E

echo "deb [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/weechat.list
echo "deb-src [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee -a /etc/apt/sources.list.d/weechat.list

sudo apt update

sudo apt install weechat-curses weechat-plugins weechat-python weechat-perl

Mikaela commented 2 years ago

I am not sure gpg needs to be run as root. Wouldn't it be possible to import the key as an unprivileged user and then, through piping or output redirection, install the key in the required place?

shurane commented 2 years ago

Can something like how nodesource or vscode imports the GPG key be done here with weechat? Both download the key directly instead of receiving it from a keyserver. It seems like it makes it easier to move it around and import it into a new keyring that way.

Also, isn't the path for trusted keyrings in /usr/share/keyrings, not /usr/local/share/keyrings?

iam-TJ commented 2 years ago

/usr/share/keyrings/ is for 'system' package-manager installed whereas /usr/local/share/keyrings/ would be the place for administrator installed additions; at least that is the usual convention for system-wide mixing that don't tread on each other.

shurane commented 2 years ago

It seems like /usr/share/keyrings is preferred, at least according to Debian docs. I guess it is not conclusive though. I do see a bunch of 3rd party repos like riot.im using that path instead of the /usr/local path.

For what it's worth, this is what I did to use the weechat repo on Debian. I modeled it to match the style of Running Visual Studio Code on Linux. Not sure if it's the best way but it seems like it works for me.

$ wget -q https://weechat.org/dev/info/debian_repository_signing_key -O weechat-archive-keyring.gpg
$ gpg --no-options --show-keys weechat-archive-keyring.gpg
pub   rsa4096 2015-10-11 [SC]
      11E9DE8848F2B65222AA75B8D1820DB22A11534E
uid                      WeeChat Debian Repository <debian@weechat.org>
sub   rsa4096 2015-10-11 [E]

$ sudo install -o root -g root -m 644 weechat-archive-keyring.gpg /usr/share/keyrings/
$ sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" > /etc/apt/sources.list.d/weechat.list'
$ cat /etc/apt/sources.list.d/weechat.list 
deb [signed-by=/usr/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main
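
The download-then-inspect approach from the last comment, with the visual check of the gpg --show-keys output replaced by a comparison against the fingerprint quoted throughout this issue. This is an added example, not code from the thread or from weechat.org; the function names, the script name check-weechat-key.sh and the SAMPLE records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pin the WeeChat repository key by
# fingerprint before apt is told to trust the file via signed-by=.
EXPECTED_FPR="11E9DE8848F2B65222AA75B8D1820DB22A11534E"  # quoted in the thread

# Constructed sample of `gpg --with-colons` output; only the fields parsed
# below are filled in and the subkey fingerprint is a placeholder.
SAMPLE='pub:-:4096:1:D1820DB22A11534E:::::::
fpr:::::::::11E9DE8848F2B65222AA75B8D1820DB22A11534E:
uid:-::::::::WeeChat Debian Repository <debian@weechat.org>:
sub:-:4096:1:0000000000000000:::::::
fpr:::::::::0000000000000000000000000000000000000000:'

# Print the fingerprint of each primary key read from stdin: the first "fpr"
# record (field 10) after every "pub" record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only when stdin describes exactly one primary key and it equals $1.
# Every key in a signed-by= file is trusted for that source, so a bundle with
# an extra key is rejected even if the expected key is also present.
fpr_matches() {
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$1" ]
}

# Check a downloaded key file as an unprivileged user. The throwaway GNUPGHOME
# means no ~/.gnupg or /root/.gnupg has to exist and no real keyring is touched.
check_keyfile() {
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp" gpg --no-options --show-keys --with-colons "$1" 2>/dev/null |
        fpr_matches "$EXPECTED_FPR"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh check-weechat-key.sh weechat-archive-keyring.gpg
if [ "$#" -eq 1 ]; then
    if check_keyfile "$1"; then
        echo "OK: $1 holds only $EXPECTED_FPR"
    else
        echo "REJECTED: $1 does not hold exactly the expected key" >&2
        exit 1
    fi
fi
```

Run it on the downloaded file before the sudo install step, and only install the key when it exits 0.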