[BUG] pkgrepo.managed does not update keys #66982

Open
OrangeDog opened this issue Oct 18, 2024 · 1 comment
Labels
Bug broken, incorrect, or confusing behavior needs-triage

OrangeDog commented Oct 18, 2024

Description
The pkgrepo.managed state (with aptkey: false) only ever manages the keyring if there are also changes being made to the sources file.

Setup
e.g.

zabbix repo:
  pkgrepo.managed:
    - name: >
        deb [arch=amd64 signed-by=/etc/apt/keyrings/zabbix-archive-keyring.gpg]
        http://repo.zabbix.com/zabbix/6.4/{{ grains['os']|lower }}
        {{ grains['oscodename'] }} main
    - file: /etc/apt/sources.list.d/zabbix.list
    - key_url: https://repo.zabbix.com/zabbix-official-repo.key
    - aptkey: false

or

zabbix repo:
  pkgrepo.managed:
    - name: >
        deb [arch=amd64 signed-by=/etc/apt/keyrings/zabbix-archive-keyring.gpg]
        http://repo.zabbix.com/zabbix/6.4/{{ grains['os']|lower }}
        {{ grains['oscodename'] }} main
    - file: /etc/apt/sources.list.d/zabbix.list
    - keyid: 4C3D6F2CC75F5146754FC374D913219AB5333005
    - keyserver: keyserver.ubuntu.com
    - aptkey: false

Steps to Reproduce the behavior
Do any of these, and re-run the state:

  1. Delete /etc/apt/keyrings/zabbix-archive-keyring.gpg
  2. Change the key_url
  3. Update the content at the key_url
  4. Change the keyid

In every case, the state does nothing and reports no changes.
The only way to update the keyring is to make a change that requires it to change the .list file.

Expected behavior
The state should ensure that the keyring is configured with the latest data as described by its parameters.

Versions Report

salt-call --versions
Salt Version:
          Salt: 3006.9

Python Version:
        Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
  cryptography: 42.0.5
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: 0.38.0
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.17.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: ubuntu 24.04.1 noble
        locale: utf-8
       machine: x86_64
       release: 6.8.0-47-generic
        system: Linux
       version: Ubuntu 24.04.1 noble
@OrangeDog OrangeDog added Bug broken, incorrect, or confusing behavior needs-triage labels Oct 18, 2024
@sir-ragna

I looked a bit into this. pkgrepo.managed uses aptpkg and for these modifications, I believe it uses pkg.modrepo.

In the documentation there is a note about a known issue:

Due to the way keys are stored for APT, there is a known issue where the key won't be updated unless another change is made at the same time. Keys should be properly added on initial configuration.
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.aptpkg.html#salt.modules.aptpkg.mod_repo

When looking at the source, I see that it is using pkg.add_repo_key to actually add the key. When manually calling this, the key is installed every time.

sudo salt-call pkg.add_repo_key https://apt.releases.hashicorp.com/gpg aptkey=False keydir=/etc/apt/keyrings/ keyfile=hashicorp.pgp

I don't really understand why this line isn't getting called.

if not add_repo_key(path=str(fn_), aptkey=False, **func_kwargs):

Somewhere I feel like it should be possible to add an extra check to see if this fn_ path variable exists or not.
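
Added example, not part of the thread and not Salt's own code: since the state reports no changes in the cases listed in the issue, an independent check can flag a `signed-by` keyring that is missing or no longer matches a pinned digest. The function names, the `root` parameter, the pinned-digest inventory and the sample entry (the issue's state rendered for Ubuntu noble) are assumptions made for illustration.

```python
import hashlib
import re
from pathlib import Path

# One-line-style APT entry: deb [opt=val ...] uri suite [components]
ENTRY = re.compile(r"^\s*deb(?:-src)?\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)")

# Constructed sample: the issue's state rendered for Ubuntu noble (assumption).
SAMPLE_LIST = (
    "deb [arch=amd64 signed-by=/etc/apt/keyrings/zabbix-archive-keyring.gpg] "
    "http://repo.zabbix.com/zabbix/6.4/ubuntu noble main\n"
)


def signed_by_paths(list_text):
    """Yield (uri, keyring_paths) for every entry in a .list file's text."""
    for line in list_text.splitlines():
        m = ENTRY.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m["opts"] or "").split() if "=" in o)
        # signed-by may also hold key fingerprints; only file paths are checked.
        value = opts.get("signed-by", "")
        yield m["uri"], [p for p in value.split(",") if p.startswith("/")]


def audit_keyrings(list_text, pinned_sha256=None, root="/"):
    """Return (uri, path, problem) tuples for keyrings that drifted.

    pinned_sha256 maps keyring path -> expected hex digest (hypothetical
    inventory kept next to the state); root lets tests use a scratch tree.
    """
    pinned = pinned_sha256 or {}
    findings = []
    for uri, paths in signed_by_paths(list_text):
        if not paths:
            findings.append((uri, None, "no signed-by keyring file"))
        for path in paths:
            on_disk = Path(root) / path.lstrip("/")
            if not on_disk.is_file() or on_disk.stat().st_size == 0:
                findings.append((uri, path, "keyring missing or empty"))
            elif path in pinned:
                digest = hashlib.sha256(on_disk.read_bytes()).hexdigest()
                if digest != pinned[path].lower():
                    findings.append((uri, path, "keyring differs from pinned digest"))
    return findings


if __name__ == "__main__":
    for finding in audit_keyrings(SAMPLE_LIST):
        print(finding)
```

Run against the real `.list` file's text after each state run; an empty result means every referenced keyring file exists and matches its pinned digest where one is given.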
