[Bug 1553121] Re: Xenial preseed fails to load key for 3rd party repo with apt-setup/local0/key

Lawren Quigley-Jones lquigley at athenium.com
Thu Aug 11 15:58:50 UTC 2016


The SHA1 vs SHA256 is an issue but I don't believe it's coming into play
with this bug.  I did have to change my signing process but now I'm
signing my Release.gpg with SHA256 and I'm still unable to add a local
repo via `d-i apt-setup/local0/repository`.

I install local packages during installation using `d-i pkgsel/include` so the netboot installation fails with the following error:
WARNING: The following packages cannot be authenticated!

It appears to me that the key import occurs after the verification but I
might be missing something:

Aug 10 17:09:36 base-installer: Get:17 http://apt.local.server.com/apt ./ Packages [54.6 kB]
Aug 10 17:09:36 base-installer: Fetched 1494 kB in 2s (500 kB/s)
Aug 10 17:09:36 base-installer: Reading package lists...
Aug 10 17:09:37 base-installer: 
Aug 10 17:09:37 base-installer: W
Aug 10 17:09:37 base-installer: : 
Aug 10 17:09:37 base-installer: GPG error: http://apt.local.server.com/apt ./ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1234567890ABCDEFG
Aug 10 17:09:37 base-installer: 
Aug 10 17:09:37 base-installer: W
Aug 10 17:09:37 base-installer: : 
Aug 10 17:09:37 base-installer: The repository 'http://apt.local.server.com/apt ./ Release' is not signed. 
Aug 10 17:09:37 base-installer: 
Aug 10 17:09:37 base-installer: W
Aug 10 17:09:37 base-installer: : 
Aug 10 17:09:37 base-installer: There is no public key available for the following key IDs:
Aug 10 17:09:37 base-installer: 1234567890ABCDEFG  
Aug 10 17:09:37 base-installer: 
[...]
Aug 10 17:17:28 main-menu[239]: (process:23053): 2016-08-10 17:17:15 URL:http://apt.local.server.com/server.com.key [1185/1185] -> "/target/tmp/key0.pub" [1]
Aug 10 17:17:28 main-menu[239]: (process:23053): OK

I can install my local packages if I `chroot /target`.  All I have to do
is edit my /etc/apt/sources.list and comment out my local0 repo and
`apt-get update` and then uncomment it and `apt-get update` again.

At this point the md5's have been imported, however this gets done, and my
packages in my local repo install without a hitch.  Based on this
behavior it seems like the installer is skipping a step when it imports
the Release file for local0.

I can verify that I am able to see my key when I `apt-key list` both
before and after my `apt-get update`.

I can confirm that setting local0 to xenial main and using local1 for my
local repo does bypass this bug.  I can also confirm that this all works
in trusty.

I hope this is useful.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-installer in Ubuntu.
https://bugs.launchpad.net/bugs/1553121

Title:
  Xenial preseed fails to load key for 3rd party repo with
  apt-setup/local0/key

Status in apt-setup package in Ubuntu:
  Confirmed
Status in base-installer package in Ubuntu:
  Confirmed

Bug description:
  I have an automated preseed installation that uses these lines to add
  custom repos during the installation:

  d-i apt-setup/local0/repository string deb http://jschule.github.io/ubuntu/ /
  d-i apt-setup/local0/comment string JTS local repository
  d-i apt-setup/local0/source boolean false
  d-i apt-setup/local0/key string http://jschule.github.io/ubuntu/repo.key

  d-i apt-setup/local1/repository string deb http://dl.google.com/linux/chrome/deb/ stable main
  d-i apt-setup/local1/comment string Google Chrome Browser
  d-i apt-setup/local1/source boolean false
  d-i apt-setup/local1/key string http://dl.google.com/linux/linux_signing_key.pub

  (see https://github.com/jschule/ubuntu/blob/d46f1cef49ed71dc4bfe317119cccd3f39097ef4/preseed/jts.txt
  for complete preseed file that causes the problem).

  In xenial the installation fails because the GPG key for the local0
  repo is not loaded into the system so that it can be used (see
  screenshot). Strangely, "chroot /target apt-key list" shows the key
  9E62229E to be installed.

  Just to be sure that there is no problem with my repo and key I
  started the Xenial live CD and installed my repo there manually. All
  works well. IMHO this shows that the problem is clearly related to the
  automated installation with preseed.

  Maybe this is related to #1512347, that was the only thing I could
  find on Launchpad that is in the same area.

  If you want to reproduce this then you can check out the scripts from
  https://github.com/jschule/ubuntu/tree/gh-pages/qemu and run "./run.sh
  xenial" to start my installation.

  I found a very ugly workaround by changing the apt-setup lines to
  this:

  d-i apt-setup/local0/repository string deb http://archive.canonical.com/ubuntu trusty partner
  d-i apt-setup/local0/source boolean false

  d-i apt-setup/local1/repository string deb http://jschule.github.io/ubuntu/ /
  d-i apt-setup/local1/comment string JTS local repository
  d-i apt-setup/local1/source boolean false
  d-i apt-setup/local1/key string http://jschule.github.io/ubuntu/repo.key

  d-i apt-setup/local2/repository string deb http://dl.google.com/linux/chrome/deb/ stable main
  d-i apt-setup/local2/comment string Google Chrome Browser
  d-i apt-setup/local2/source boolean false
  d-i apt-setup/local2/key string http://dl.google.com/linux/linux_signing_key.pub

  I suppose that the workaround works because now the local0 repo is one
  where the signing key is already part of Ubuntu. I just hope that
  there is no package in the trusty partner repo that is not also in the
  xenial partner repo.

  For me it is very important that you fix this bug before 16.04 is
  released so that I can continue to use Ubuntu with an automated setup.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt-setup/+bug/1553121/+subscriptions
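
Added example (not part of the original message, the bug report, or the installer's code): a Python check for the ordering the comment above describes, reporting every NO_PUBKEY error that the installer syslog records before any preseeded key file was fetched into /target/tmp/. The sample lines are constructed from the quoted excerpt; the function names and the assumed year are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the syslog excerpt quoted in the comment.
SAMPLE = """\
Aug 10 17:09:36 base-installer: Reading package lists...
Aug 10 17:09:37 base-installer: GPG error: http://apt.local.server.com/apt ./ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1234567890ABCDEFG
Aug 10 17:17:28 main-menu[239]: (process:23053): 2016-08-10 17:17:15 URL:http://apt.local.server.com/server.com.key [1185/1185] -> "/target/tmp/key0.pub" [1]
Aug 10 17:17:28 main-menu[239]: (process:23053): OK
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+?): (.*)$")
NO_PUBKEY = re.compile(r"GPG error: (\S+) .*NO_PUBKEY (\w+)")
# wget-style fetch record of a preseeded key landing in /target/tmp/keyN.pub
KEY_FETCH = re.compile(r'URL:(\S+) \[\d+/\d+\] -> "(/target/tmp/key\d+\.pub)"')


def parse_ts(stamp, year=2016):
    # syslog stamps carry no year; 2016 is an assumption taken from the excerpt
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_early_verification(log_text):
    """Return (key_id, repo_url, seconds_until_first_key_fetch) for every
    NO_PUBKEY error logged before any preseeded key file had been fetched.
    The gap is None when no key fetch appears in the log at all."""
    errors, fetches = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # "[...]" elisions and other non-syslog lines
        when, msg = parse_ts(m.group(1)), m.group(3)
        if (err := NO_PUBKEY.search(msg)):
            errors.append((when, err.group(1), err.group(2)))
        elif KEY_FETCH.search(msg):
            fetches.append(when)
    findings = []
    for when, repo, key_id in errors:
        if any(t <= when for t in fetches):
            continue  # a key file was already fetched; ordering is not the issue
        later = [t for t in fetches if t > when]
        gap = (min(later) - when).total_seconds() if later else None
        findings.append((key_id, repo, gap))
    return findings


if __name__ == "__main__":
    for key_id, repo, gap in find_early_verification(SAMPLE):
        print(f"{repo}: NO_PUBKEY {key_id} logged {gap} s before first key fetch")
```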


