Bug #45009

closed

https://download.ceph.com/keys/release.asc: ignored as the file has an unsupported filetype.

Added by Sebastian Wagner about 4 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Category: -
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

https://download.ceph.com/keys/release.asc is in a file format that apt does not understand:

root@buster:~# wget https://download.ceph.com/keys/release.asc
root@buster:~# file release.asc 
release.asc: PGP public key block Public-Key (old)
root@buster:~# cp release.asc /etc/apt/trusted.gpg
root@buster:~# apt update
Hit:1 http://httpredir.debian.org/debian buster InRelease
Hit:2 https://download.ceph.com/debian-octopus buster InRelease
Err:2 https://download.ceph.com/debian-octopus buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E84AC2C0460F3994
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: http://httpredir.debian.org/debian/dists/buster/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file has an unsupported filetype.
W: https://download.ceph.com/debian-octopus/dists/buster/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file has an unsupported filetype.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.ceph.com/debian-octopus buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E84AC2C0460F3994
W: Failed to fetch https://download.ceph.com/debian-octopus/dists/buster/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E84AC2C0460F3994
W: Some index files failed to download. They have been ignored, or old ones used instead.

However, when converting this to GPG v4, it works:

root@buster:~# apt-key add release.asc
root@buster:~# file /etc/apt/trusted.gpg
/etc/apt/trusted.gpg: PGP/GPG key public ring (v4) created Tue Sep 15 20:56:41 2015 RSA (Encrypt or Sign) 4096 bits MPI=0xcbaa7e8ef94169f9...
root@buster:~# apt update
Hit:1 http://httpredir.debian.org/debian buster InRelease
Get:2 https://download.ceph.com/debian-octopus buster InRelease [8557 B]
Get:3 https://download.ceph.com/debian-octopus buster/main amd64 Packages [15.7 kB]
Fetched 24.2 kB in 4s (6765 B/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
root@buster:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2015-09-15 [SC]
      08B7 3419 AC32 B4E9 66C1  A330 E84A C2C0 460F 3994
uid           [ unknown] Ceph.com (release key) <security@ceph.com>

This has an impact on cephadm, which needs to install gnupg on all cluster machines in order to convert the key to GPG v4.

Can we provide a key in the correct format?


Related issues 2 (0 open, 2 closed)

Related to Orchestrator - Bug #49436: cephadm bootstrap fails to create /etc/ceph directory (Can't reproduce)
Blocks Orchestrator - Bug #44972: cephadm: add-repo on ubuntu broken (Closed, Adam King)
Actions #1

Updated by Sebastian Wagner about 4 years ago

  • Blocks Bug #44972: cephadm: add-repo on ubuntu broken added
Actions #2

Updated by David Galloway about 4 years ago

  • Assignee set to David Galloway

How do you convert it? I'm not finding anything that even indicates gpg has a version 4.

Actions #3

Updated by Sebastian Wagner about 4 years ago

apt-key add release.asc

automatically converts it to the correct format.

Actions #4

Updated by David Galloway almost 4 years ago

Is the resulting /etc/apt/trusted.gpg file something that should be reused though? It's not ascii.

This works fine on Debian 10: wget -q -O- 'https://download.ceph.com/keys/release.asc' | sudo apt-key add - as our docs suggest.

I tried importing the key, then exporting it using apt-key export, but it just outputs the same public key block (minus Version: GnuPG v1).

Actions #5

Updated by Sebastian Wagner almost 4 years ago

Yes, `apt-key` works, but it would require adding gnupg as a dependency for cephadm on all hosts.

Actions #6

Updated by David Galloway almost 4 years ago

What I'm getting at is, is /etc/apt/trusted.gpg after apt converts the key portable? Can we just throw trusted.gpg on download.ceph.com and it'll work universally?

Actions #7

Updated by Jon Spriggs almost 4 years ago

For those trying to follow along, I ended up doing this:

curl https://download.ceph.com/keys/release.asc | gpg --no-default-keyring --keyring /tmp/fix.gpg --import - && gpg --no-default-keyring --keyring /tmp/fix.gpg --export > /etc/apt/trusted.gpg.d/ceph.release.gpg && rm /tmp/fix.gpg

The key import itself works fine, it's just that the Debian repo it matches against can't process the type 1 GPG key.

The output files in /etc/apt/trusted.gpg.d/ (e.g. debian-archive-buster-stable.gpg) are also not ascii files, they're data blobs.
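A gnupg-free way to do the conversion discussed in this thread, as an added example that is not from the ticket or from cephadm: it strips the ASCII armor from a release.asc-style block, verifies the CRC24 trailer the way gpg --dearmor does, returns the binary packet bytes that apt accepts under /etc/apt/trusted.gpg.d/, and decodes the first packet header to show why file(1) reports "Public-Key (old)" (an old-format packet header, not an old key version). The armored sample is constructed inside the block; to use the real key, pass the downloaded release.asc text to dearmor() and write the result to a .gpg file.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor and return packet bytes; reject a bad CRC24 like gpg --dearmor does."""
    lines = text.splitlines()
    if BEGIN not in lines or END not in lines:
        raise ValueError("no armored public key block found")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in body:  # armor headers such as "Version: GnuPG v1" end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC24 trailer")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armor checksum mismatch")
    return data


def first_packet(data: bytes) -> dict:
    """Decode the first packet header: tag, header style, key version for key packets."""
    ctb = data[0]
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, l0 = ctb & 0x3F, data[1]
        hdr = 2 if l0 < 192 else 3 if l0 < 224 else 6 if l0 == 255 else 2
    else:  # old-format header, which file(1) reports as "Public-Key (old)"
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        hdr = 1 if ltype == 3 else 1 + (1 << ltype)
    return {"tag": tag, "old_format": not ctb & 0x40,
            "key_version": data[hdr] if tag in (5, 6) else None}


def armor(data: bytes) -> str:
    """Build an armored block; used here only to construct the offline sample input."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "Version: GnuPG v1", "", b64, "=" + crc, END, ""])


SAMPLE_PACKET = b"\x98\x0a\x04" + b"\x00" * 9  # constructed: old-format tag-6 packet, v4 key; not the Ceph key
SAMPLE_ARMORED = armor(SAMPLE_PACKET)
```

Writing dearmor()'s output to a file such as ceph.release.gpg in /etc/apt/trusted.gpg.d/ gives apt the binary blob it expects; the ASCII-armored form is what it rejects as an unsupported filetype.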

Actions #8

Updated by David Galloway almost 4 years ago

Jon Spriggs wrote:

The output files in /etc/apt/trusted.gpg.d/ (e.g. debian-archive-buster-stable.gpg) are also not ascii files, they're data blobs.

Are the data blobs portable? Could I just upload those to download.ceph.com and have our tooling pull the new keys if the OS is using the newer GPG version?

Actions #9

Updated by Mohammed Naser over 3 years ago

I am running into this issue on Debian buster. I'm happy to contribute the changes if someone wants to upload things on the Ceph side.

Actions #10

Updated by David Galloway over 3 years ago

Mohammed Naser wrote:

I am running into this issue on Debian buster. I'm happy to contribute the changes if someone wants to upload things on the Ceph side.

I'd be happy to upload a patched key. I just still haven't gotten confirmation that a patched key is portable, i.e., that a key you've imported on your machine can be imported on any machine.

Actions #11

Updated by Mohammed Naser over 3 years ago

Cool. I decided to run a little experiment in that case:

docker run -it --rm debian:buster
apt update
apt install curl gnupg
curl https://download.ceph.com/keys/release.asc | gpg --no-default-keyring --keyring /tmp/fix.gpg --import - && gpg --no-default-keyring --keyring /tmp/fix.gpg --export > /etc/apt/trusted.gpg.d/ceph.release.gpg && rm /tmp/fix.gpg
md5sum /etc/apt/trusted.gpg.d/ceph.release.gpg

The md5sum was 86c50270e710a52ba54922f8959bb253. I reran the same exact thing in another Docker container and ended up with the same md5sum. Now, to test the theory that it's portable, I uploaded that file here:

https://bashupload.com/rPoHl/nYBR_.gpg

I launched a new container again, but this time using the consumed key:

docker run -it --rm debian:buster
apt update
apt install curl
curl https://bashupload.com/rPoHl/nYBR_.gpg > /etc/apt/trusted.gpg.d/ceph.release.gpg
echo deb https://download.ceph.com/debian-octopus/ buster main | tee /etc/apt/sources.list.d/ceph.list
apt update
apt install librados2
apt info librados2

The result returns

# apt info librados2
Package: librados2
Version: 15.2.4-1~bpo10+1
Priority: optional
Section: libs
Source: ceph
Maintainer: Ceph Maintainers <ceph-maintainers@lists.ceph.com>
Installed-Size: 13.4 MB
Depends: libblkid1 (>= 2.17.2), libc6 (>= 2.28), libgcc1 (>= 1:3.0), libibverbs1 (>= 1.1.6), liblttng-ust0 (>= 2.5.0), librdmacm1 (>= 1.0.15), libssl1.1 (>= 1.1.0), libstdc++6 (>= 6), libudev1 (>= 183), zlib1g (>= 1:1.1.4)
Conflicts: librados
Replaces: librados
Homepage: http://ceph.com/
Download-Size: 3110 kB
APT-Manual-Installed: yes
APT-Sources: https://download.ceph.com/debian-octopus buster/main amd64 Packages
Description: RADOS distributed object store client library

N: There is 1 additional record. Please use the '-a' switch to see it

So, my little experiment confirms that it works; feel free to reproduce it with the instructions above. :)

Actions #12

Updated by David Galloway over 3 years ago

Mohammed Naser wrote:

Cool. I decided to run a little experiment in that case:

Thanks so much for this!

@Sebastian I., can we have cephadm start using http://download.ceph.com/keys/release.gpg instead of release.asc?

Actions #13

Updated by David Galloway over 3 years ago

  • Status changed from New to Fix Under Review
Actions #15

Updated by Nathan Cutler over 3 years ago

David Galloway wrote:

@Sebastian I., can we have cephadm start using http://download.ceph.com/keys/release.gpg instead of release.asc?

I don't know the answer to that, but I tried simply replacing 'release.asc' with 'release.gpg' in the cephadm source code and that doesn't work.

Actions #16

Updated by David Galloway over 3 years ago

  • Status changed from Fix Under Review to Need More Info

Okay, well I did what was asked. If there's another format I need to upload, let me know.

Actions #17

Updated by Sebastian Wagner about 3 years ago

  • Related to Bug #49436: cephadm bootstrap fails to create /etc/ceph directory added
Actions #19

Updated by Sebastian Wagner almost 3 years ago

  • Status changed from Need More Info to Closed

done
