[Packaging] APT repository sign doesn't work on Debian trixie #45118

Closed
kou opened this issue Dec 29, 2024 · 7 comments

@kou
Member

kou commented Dec 29, 2024

Describe the bug, including details regarding any error messages, version, and platform.

https://github.com/ursacomputing/crossbow/actions/runs/12491251505/job/34857011325#step:17:589

  Err:1 file:/host/dev/release/../../dev/tasks/linux-packages/apt/repositories/debian trixie InRelease
    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1729E5EF3EF74D10
  Hit:2 http://deb.debian.org/debian trixie InRelease
  Hit:3 http://deb.debian.org/debian trixie-updates InRelease
  Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
  Get:5 http://deb.debian.org/debian trixie/non-free amd64 Packages [98.7 kB]
  Get:6 http://deb.debian.org/debian trixie/contrib amd64 Packages [51.0 kB]
  Reading package lists...
  Warning: file:/host/dev/release/../../dev/tasks/linux-packages/apt/repositories/debian/dists/trixie/InRelease: The key(s) in the keyring /usr/share/keyrings/apache-arrow-apt-source.gpg are ignored as the file has an unsupported filetype.
  Warning: GPG error: file:/host/dev/release/../../dev/tasks/linux-packages/apt/repositories/debian trixie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1729E5EF3EF74D10
  Error: The repository 'file:/host/dev/release/../../dev/tasks/linux-packages/apt/repositories/debian trixie InRelease' is not signed.
  rake aborted!

Component(s)

Packaging

@raulcd
Member

raulcd commented Dec 30, 2024

How is the KEYS file generated? I can't seem to find where we generate /dev/tasks/linux-packages/KEYS:

  + gpg --no-default-keyring --keyring /usr/share/keyrings/apache-arrow-apt-source.gpg --import /host/dev/release/../../dev/tasks/linux-packages/KEYS
  gpg: directory '/root/.gnupg' created
  gpg: /root/.gnupg/trustdb.gpg: trustdb created
  gpg: key 1729E5EF3EF74D10: public key "Test <test@example.com>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1

@kou
Member Author

kou commented Dec 30, 2024

Ah, it's generated here:

  (echo "Key-Type: RSA"; \
   echo "Key-Length: 4096"; \
   echo "Name-Real: Test"; \
   echo "Name-Email: test@example.com"; \
   echo "%no-protection") | \
    gpg --full-generate-key --batch
  GPG_KEY_ID=$(gpg --list-keys --with-colon test@example.com | grep fpr | cut -d: -f10)
  echo "GPG_KEY_ID=${GPG_KEY_ID}" >> ${GITHUB_ENV}

FYI: This happens with the current released apache-arrow-apt-source too: https://github.com/groonga/groonga/actions/runs/12499316173/job/34876380693?pr=2166#step:10:506

  9.523 Err:4 https://apache.jfrog.io/artifactory/arrow/debian trixie InRelease
  9.523 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 91D18FCF079F8007
  10.02 Get:5 https://packages.groonga.org/debian trixie InRelease [9539 B]

  10.45 Warning: https://apache.jfrog.io/artifactory/arrow/debian/dists/trixie/InRelease: The key(s) in the keyring /usr/share/keyrings/apache-arrow-apt-source.gpg are ignored as the file has an unsupported filetype.
  10.45 Warning: GPG error: https://apache.jfrog.io/artifactory/arrow/debian trixie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 91D18FCF079F8007
  10.45 Error: The repository 'https://apache.jfrog.io/artifactory/arrow/debian trixie InRelease' is not signed.

I thought that this problem and the current released apache-arrow-apt-source have the same problem but it may be a different problem...

@kou
Member Author

kou commented Dec 30, 2024

How to generate apache-arrow-apt-source.gpg:

  gpg \
    --no-default-keyring \
    --keyring ./apache-arrow-apt-source.gpg \
    --import KEYS

@raulcd
Member

raulcd commented Dec 30, 2024

It seems like a different issue but the 91D18FCF079F8007 seems to be your public key, right? (below extracted from the public keys file)

sig          91D18FCF079F8007 2010-08-30  Kouhei Sutou <kou@cozmixng.org>

The key is more than 14 years old. I am unsure how they are validating the public KEYS now, but probably something has changed in the process. Do you know if this is something new?

@kou
Member Author

kou commented Dec 30, 2024

Yes. It's my public key used for the latest release.

https://salsa.debian.org/apt-team/apt/-/merge_requests/409/diffs#e3f4163114eae4ff41ebb44a774fddac10b4e6a7_0_122 may be related. We're using the "GPG keybox database" format but it accepts only the "OpenPGP Public Key" formats.

Hmm. It seems that we need to use the armored format for the keyring: https://salsa.debian.org/apt-team/apt/-/merge_requests/409/diffs#e3f4163114eae4ff41ebb44a774fddac10b4e6a7_0_96

@kou
Member Author

kou commented Dec 30, 2024

Ah, the merge request may not be related.
https://salsa.debian.org/apt-team/apt/-/merge_requests/407 may be related.

kou added a commit to kou/arrow that referenced this issue Dec 30, 2024
We're using the keybox format for keyring because we have multiple GPG
keys. It seems that we should use the armored format for keyring.

libapt-pkg 2.9.16 or later shipped by Debian trixie rejects the keybox
format files. So we should use the armored format.
kou added a commit that referenced this issue Dec 31, 2024
### Rationale for this change

We're using the keybox format for keyring because we have multiple GPG keys. It seems that we should use the armored format for keyring.

libapt-pkg 2.9.16 or later shipped by Debian trixie rejects the keybox format files. So we should use the armored format.

### What changes are included in this PR?

Use `.asc` not `.gpg` for keyring.

### Are these changes tested?

Yes.

### Are there any user-facing changes?

Yes.
* GitHub Issue: #45118

Authored-by: Sutou Kouhei <kou@clear-code.com>
Signed-off-by: Sutou Kouhei <kou@clear-code.com>
@kou kou added this to the 19.0.0 milestone Dec 31, 2024
@kou
Member Author

kou commented Dec 31, 2024

Issue resolved by pull request 45131
#45131

@kou kou closed this as completed Dec 31, 2024
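
The distinction this thread turns on, a GnuPG keybox file versus OpenPGP public keys (binary or armored), can be checked from a file's first bytes. The script below is an added example, not code from the Arrow or APT projects; the function names and sample files are constructed for illustration, and the byte signatures are the OpenPGP public-key packet tags and GnuPG's keybox magic, not anything read from APT's source.

```sh
#!/bin/sh
# Added example: classify a keyring file by its leading bytes.
# Signatures: OpenPGP public-key packet tags and GnuPG's keybox magic
# (an assumption about what matters here, not code taken from APT).

ARMOR_HEADER='-----BEGIN PGP PUBLIC KEY BLOCK-----'

# Prints one of: empty, keybox, openpgp-armored, openpgp-binary, unknown
keyring_format() {
    [ -s "$1" ] || { echo empty; return 0; }
    hex=$(od -An -tx1 -N12 "$1" | tr -d ' \n')
    # A keybox file carries the magic "KBXf" at byte offset 8.
    if [ "$(printf '%s' "$hex" | cut -c17-24)" = "4b425866" ]; then
        echo keybox; return 0
    fi
    if [ "$(head -n 1 "$1" | tr -d '\r\000')" = "$ARMOR_HEADER" ]; then
        echo openpgp-armored; return 0
    fi
    # A binary export starts with a public-key packet (tag 6):
    # 0x98/0x99 in the old packet format, 0xc6 in the new one.
    case $(printf '%s' "$hex" | cut -c1-2) in
        98|99|c6) echo openpgp-binary ;;
        *)        echo unknown ;;
    esac
}

# Returns 0 when the content matches the extension convention
# (.gpg = binary OpenPGP keys, .asc = armored), 1 otherwise.
check_keyring() {
    fmt=$(keyring_format "$1")
    case "$1:$fmt" in
        *.gpg:openpgp-binary|*.asc:openpgp-armored)
            echo "OK   $1 ($fmt)"; return 0 ;;
        *)
            echo "FAIL $1 ($fmt)"; return 1 ;;
    esac
}

# Constructed sample files (headers only, no real key material).
demo_dir=$(mktemp -d)
printf '\000\000\000\040\001\001\000\002KBXf\000\000\000\000' > "$demo_dir/keybox.gpg"
printf '\231\002\015\004' > "$demo_dir/binary.gpg"
printf '%s\n\n' "$ARMOR_HEADER" > "$demo_dir/armored.asc"
for f in "$demo_dir"/*; do check_keyring "$f" || true; done
```

A keyring reported as `keybox` can be rewritten in armored form with `gpg --no-default-keyring --keyring FILE --export --armor`.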