
Problem creating a keyring in Ubuntu 22 #1201

Open
anselmic opened this issue Oct 15, 2024 · 6 comments

Comments


anselmic commented Oct 15, 2024

Describe the Bug

I'm using puppet to store a keyring to a file

Expected Behavior

The module creates a file, but it cannot be read by apt and apt-key

Steps to Reproduce

Steps to reproduce the behavior:

1. `rm /usr/share/keyrings/mykey.gpg`

2. `puppet agent -t`

   ```
   ...
   Notice: /Stage[main]/Apt/Apt::Keyring[crio]/File[/usr/share/keyrings/mykey.gpg]/ensure: defined content as '{mtime}2024-10-15 18:37:31 UTC' (corrective)
   Notice: Applied catalog in 4.07 seconds
   ...
   ```

3. `# apt-key --keyring /usr/share/keyrings/mykey.gpg list`

   ```
   Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).     <==== NO Key listed
   ```

4. `rm /usr/share/keyrings/mykey.gpg`

5. `# curl -s http://myserver/mykey.asc | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/mykey.gpg --import && chmod 644 /usr/share/keyrings/mykey.gpg`

   ```
   gpg: keyring '/usr/share/keyrings/mykey.gpg' created
   gpg: key XXXXXXXX: public key "XXXXXXXX" imported
   gpg: Total number processed: 1
   gpg:               imported: 1
   ```

6. `# apt-key --keyring /usr/share/keyrings/mykey.gpg list`

   ```
   Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
   /usr/share/keyrings/mykey.gpg
   -----------------------------------
   pub   rsa4096 2020-12-28 [SC] [expires: 2024-12-27]
         XXXXXXXXXXXX
   uid           XXXXXXXXXX
   sub   rsa4096 2020-12-28 [E] [expires: 2024-12-27]
   ```

Environment

  • Version 9.4.0
  • Puppet 7.30.0
  • Ubuntu 20.04 and 22.04

kenyon commented Oct 15, 2024

It'll be easier to troubleshoot this if you provide the puppet code you're using. Also, there is no need to censor the key IDs, those are not secret.

If the key is in binary format, it needs to be named with a .gpg extension. If it's ASCII-armored, it needs to be named with a .asc extension. Also, if it's ASCII-armored, it needs to have Unix line endings (that is, do dos2unix on it).

@anselmic (Author)

GM,

I am not sure it is a format problem, because the key had the .asc extension and I created it on Linux with

```
gpg --armor --export 3AA5C34371567BD2 > mykey.asc
```

However, I have changed my key from ASCII-armored to binary and it currently works. However, there are cases in which this is not possible. For example, I have the same problem with Wazuh. The key is ASCII-armored, but it does not have the .asc extension.

I am using the module with Foreman, the relevant conf is:

```yaml
wazuh:
  source: https://packages.wazuh.com/key/GPG-KEY-WAZUH
  dir: "/usr/share/keyrings"
  filename: wazuh.gpg
```

Again, if I download the key with curl and import with gpg it works, but not with puppet. It would be preferable to have an internal control of the key format, if possible, or to pass the information with an option.

Thank you!

@anselmic (Author)

Update: the problem seems to be that if the original key is ASCII-armored, it is saved by puppet as ASCII independently of the keyring extension. So, if the latter is .gpg, it does not work because the system expects a binary file.


kenyon commented Oct 17, 2024

The filename you use with puppet has to match the content of the file, so that the resulting file on the filesystem has the correct name. Puppet doesn't care about the content of the file, it just writes to disk whatever it is given. It is apt that requires the correct filename: https://manpages.debian.org/unstable/apt/apt-key.8.en.html#SUPPORTED_KEYRING_FILES

So I don't think there is a bug here.
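A quick check for the mismatch this thread is about, added here as an example and not part of the puppetlabs-apt module or of anyone's post: a POSIX shell function that classifies a keyring file as ASCII-armored or binary from its first bytes (the armor header line, or the OpenPGP public-key packet tag) and compares that with the `.asc`/`.gpg` name apt expects. The sample files it writes are constructed stand-ins rather than real keys, and the temporary directory and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from puppetlabs-apt): detect an apt keyring whose
# extension does not match its content. apt wants binary OpenPGP keyrings
# in *.gpg and ASCII-armored ones in *.asc; the file content decides.

# Print "armored", "binary" or "unknown" for the keyring file given as $1.
keyring_format() {
    file="$1"
    [ -f "$file" ] || { echo unknown; return 1; }
    # ASCII-armored exports start with the BEGIN PGP PUBLIC KEY BLOCK line.
    if head -n 1 "$file" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
        return 0
    fi
    # A binary keyring starts with an OpenPGP packet header for a public key:
    # old format tag 6 encodes as 0x98..0x9b, new format tag 6 as 0xc6.
    first=$(od -An -tx1 -N1 "$file" | tr -d ' \n')
    case "$first" in
        98|99|9a|9b|c6) echo binary; return 0 ;;
    esac
    echo unknown
    return 1
}

# Return 0 when the extension matches the detected content, 1 otherwise
# (with a diagnostic on stderr), so this can gate a deploy or a monitor.
keyring_name_ok() {
    file="$1"
    fmt=$(keyring_format "$file") || fmt=unknown
    case "$file" in
        *.gpg) want=binary ;;
        *.asc) want=armored ;;
        *) echo "$file: extension is neither .gpg nor .asc" >&2; return 1 ;;
    esac
    if [ "$fmt" = "$want" ]; then
        return 0
    fi
    echo "$file: content is $fmt but the .${file##*.} extension requires $want" >&2
    return 1
}

# Constructed sample files (assumption: a scratch directory; not real keys).
demo_dir=$(mktemp -d)
# Armored stand-in: header, blank line, dummy body, trailer.
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'mQINBEXAMPLE' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_dir/good.asc"
# Same armored content saved under a .gpg name: the situation in this issue.
cp "$demo_dir/good.asc" "$demo_dir/bad.gpg"
# Binary stand-in: an old-format public-key packet tag byte (0x99) plus filler.
printf '\231\001\000example' > "$demo_dir/good.gpg"

for f in "$demo_dir/good.asc" "$demo_dir/good.gpg" "$demo_dir/bad.gpg"; do
    if keyring_name_ok "$f"; then
        echo "$f: ok"
    fi
done
```

Run against `/usr/share/keyrings/*` it flags the `wazuh.gpg` case from this thread; the fix is either to keep the `.asc` name for armored content or to convert it once with `gpg --dearmor < key.asc > key.gpg` before handing it to apt.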


kenyon commented Oct 17, 2024

Indeed, https://packages.wazuh.com/key/GPG-KEY-WAZUH is ASCII-armored, so your code with wazuh.gpg is incorrect. You need to call it wazuh.asc.

@anselmic (Author)

Thanks for your input. Things work now.
May I suggest explaining it better in the documentation? As it is, it is not clear at all.
