apt setup script swallowing errors from wget #10057

@jobegrabber

Description


Describe the bug

wget -qO- ... | sudo tee causes any errors from wget to be swallowed up, causing an empty keyring file to be configured.

For us, the local Ubuntu setup did not have ca-certificates installed, which caused wget to error out because of an authentication error (untrusted certificate). However, the -q flag and the pipe into tee prevented the error from showing up or halting the script.

Steps to reproduce the behavior

  1. On an Ubuntu system with no ca-certificates installed run the apt setup script.
    (EDIT: I ran this on a fresh installation of 22.04 with updated packages, so I guess the default system's CA certificates should be somewhat older to reproduce)
  2. The output will list errors about a missing public key (The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23F3D4EA75716059), but not about wget failing.

Expected vs actual behavior

I expected to see the underlying error from wget. I only saw errors about the missing public key.

Logs

$ wget https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null     && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
--2024-12-10 15:00:08--  https://cli.github.com/packages/githubcli-archive-keyring.gpg
Resolving cli.github.com (cli.github.com)... 185.199.109.153, 185.199.108.153, 185.199.111.153, ...
Connecting to cli.github.com (cli.github.com)|185.199.109.153|:443... connected.
ERROR: cannot verify cli.github.com's certificate, issued by ‘CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to cli.github.com insecurely, use `--no-check-certificate'.
$ (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y))        && sudo mkdir -p -m 755 /etc/apt/keyrings       && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null     && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null        && sudo apt update      && sudo apt install gh -y
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease                                                             
Hit:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease                                                           
Hit:4 https://cli.github.com/packages stable InRelease                                                                     
Hit:5 http://security.ubuntu.com/ubuntu jammy-security InRelease           
Err:4 https://cli.github.com/packages stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23F3D4EA75716059
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cli.github.com/packages stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23F3D4EA75716059
W: Failed to fetch https://cli.github.com/packages/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23F3D4EA75716059
W: Some index files failed to download. They have been ignored, or old ones used instead.

[...]
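
The failure mode reported above, reproduced offline as an added example (not part of the original issue or the project's setup script). The function names and the `fake_fetch_*` stand-ins for `wget -qO-` are hypothetical; the hardened variant downloads to a temporary file and installs it only if the fetch succeeded and produced data.

```shell
#!/bin/sh
# Constructed stand-ins for `wget -qO- URL` (hypothetical names, no network):
# a TLS verification failure writes nothing to stdout and exits 5.
fake_fetch_fail() { return 5; }
fake_fetch_ok() { printf 'constructed-key-bytes'; }

# Pattern from the issue: without pipefail the pipeline's status is tee's,
# so a failed download still "succeeds" and leaves an empty keyring file.
install_key_piped() {   # $1 = fetch command, $2 = destination
    "$1" | tee "$2" > /dev/null
}

# Hardened pattern: fetch into a temp file, require a zero exit status and
# a non-empty result, and only then move the file into place.
install_key_checked() { # $1 = fetch command, $2 = destination
    tmp=$(mktemp) || return 1
    if "$1" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv "$tmp" "$2"
    else
        rm -f "$tmp"
        echo "key download failed; $2 not written" >&2
        return 1
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    st=0; install_key_piped fake_fetch_fail "$dir/piped.gpg" || st=$?
    echo "piped:   status=$st bytes=$(wc -c < "$dir/piped.gpg")"
    st=0; install_key_checked fake_fetch_fail "$dir/checked.gpg" || st=$?
    echo "checked: status=$st file_exists=$([ -e "$dir/checked.gpg" ] && echo yes || echo no)"
    rm -rf "$dir"
}
demo
```

With the checked variant, the `&&` chain that follows the download in a setup script stops at the failed fetch instead of continuing on to `apt update` with an empty keyring.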
