
I think the title describes the gist of it so to elaborate, if I have a user-data file with the following, autoinstall will fail at the apt-config stage (before reaching the autoinstall yes/no question):

#cloud-config
#https://canonical-subiquity.readthedocs-hosted.com/en/latest/reference/autoinstall-reference.html
autoinstall:
    apt:
        sources:
            ros:
                source: deb [signed-by=$KEY_FILE] https://<artifactory-url>/ros/ $RELEASE main
                key: |
                    -----BEGIN PGP PUBLIC KEY BLOCK-----
                    Version: GnuPG v1

                    [snip]
                    -----END PGP PUBLIC KEY BLOCK-----
            gazebo:
                source: deb [signed-by=$KEY_FILE] https://<artifactory-url>/gazebo/ $RELEASE main
                key: |
                    -----BEGIN PGP PUBLIC KEY BLOCK-----
                    Version: GnuPG v1

                    [snip]
                    -----END PGP PUBLIC KEY BLOCK-----

As soon as I remove the [signed-by=$KEY_FILE] block from each source autoinstall will complete! Though apt update sensibly tells me I should have a signed-by section in my sources and not have it globally trusted in /etc/apt/trusted.gpg.d.

I haven't been able to find descriptions of similar issues anywhere, could anybody recommend some next steps to try or what I might be missing? " and ' have been tried around source, as has adding/removing the trailing / out of desperation!

Grizzly
  • 113
  • See the Website in the comment, which stated that the apt section follows the format detailed in the curtin documentation. Comparing your snippet to the Configuration section shows a missing localrepository: line – eyoung100 Jan 13 '25 at 20:58
  • I'm not sure I follow, the closest equivalent I can find to localrepository in any of the docs is localrepokey in the curtin docs which is a standin where I am using ros and gazebo in the above example such that ros.sources and gazebo.sources are generated. Where are you finding localrepository? – Grizzly Jan 14 '25 at 11:46
  • Build your file according to the example, then alter the example to match your sites. If the PGP keys lead to a local repository, that line is missing. – eyoung100 Jan 14 '25 at 21:35

1 Answer

Using the 24.04.1 server ISO (subiquity 24.08.1) I got the following options to work. I am using the docker repo to test.

1. Set the Signed-By option to the path where curtin will create the keyfile.

#cloud-config
autoinstall:
  apt:
    sources:
      docker:
        source: |
          Types: deb
          URIs: https://download.docker.com/linux/ubuntu
          Suites: noble
          Components: stable
          Signed-By: /etc/apt/trusted.gpg.d/docker.asc
        key: |
          -----BEGIN PGP PUBLIC KEY BLOCK-----

          mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
          [snip]
          -----END PGP PUBLIC KEY BLOCK-----

2. Set the Signed-By option to the fingerprint of the key.

#cloud-config
autoinstall:
  apt:
    sources:
      docker:
        source: |
          Types: deb
          URIs: https://download.docker.com/linux/ubuntu
          Suites: noble
          Components: stable
          Signed-By: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
        key: |
          -----BEGIN PGP PUBLIC KEY BLOCK-----

          mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
          [snip]
          -----END PGP PUBLIC KEY BLOCK-----

3. Use late-commands to install the repo yourself. This has the benefit of putting the key file in the recommended directory /etc/apt/keyrings. The downside is packages from the repo cannot be installed using the packages autoinstall setting.

#cloud-config
autoinstall:
  late-commands:
    - |
      cat << 'EOF' > /target/etc/apt/keyrings/docker.asc
      -----BEGIN PGP PUBLIC KEY BLOCK-----

      mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
      [snip]
      -----END PGP PUBLIC KEY BLOCK-----
      EOF
      cat << EOF > /target/etc/apt/sources.list.d/docker.sources
      Types: deb
      URIs: https://download.docker.com/linux/ubuntu
      Suites: noble
      Components: stable
      Signed-By: /etc/apt/keyrings/docker.asc
      EOF
      curtin in-target --target=/target -- apt-get update

4. Embed the key with the repository. Watch out that blank lines need a . to work.

#cloud-config
autoinstall:
  apt:
    sources:
      docker:
        source: |
          Types: deb
          URIs: https://download.docker.com/linux/ubuntu
          Suites: noble
          Components: stable
          Signed-By:
           -----BEGIN PGP PUBLIC KEY BLOCK-----
           .
           mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
           [snip]
           -----END PGP PUBLIC KEY BLOCK-----

Other notes

  • The autoinstall apt configuration is really just passed to curtin to configure, so the curtin documentation is also useful.
  • You have to use the apt deb822 format with Ubuntu 24.04 and newer. It looks like curtin will convert the "one-line" format into the deb822 format and discard any options set in the "one-line" while doing the conversion.
  • With versions older than 24.04 the apt "one-line" format has to be used.
  • manpage for sources.list. This has more information about the deb822 and one-line formats, and the signed-by option.

  • Thanks Andrew solution 1 here has solved my issue! I had moved away from deb822 format earlier in my toying with autoinstall because it would cause a different failure but it works now, won't ever be sure what the earlier issue was! Solution 2 may not work for me where I'm in an air-gapped environment so I don't think I can use key fingerprints. Solution 3 may be preferable where our local mirrors are all https with custom ca-certs so I can't use packages at install time anyway! Cheers! – Grizzly Jan 16 '25 at 12:14
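
An added example, not part of the answer above and not curtin's own code: a Python helper that rewrites a "one-line" source as a deb822 stanza while carrying the bracketed options over instead of discarding them, and that can embed an ASCII-armored key in Signed-By using the " ." blank-line marker from option 4. The mirror URL, key path and key body are constructed placeholders, and only the signed-by and arch options are mapped (an assumption made to keep the example short).

```python
import re

# One-line option name -> deb822 field name (subset; see sources.list(5)).
OPTION_FIELDS = {"signed-by": "Signed-By", "arch": "Architectures"}

ONE_LINE = re.compile(
    r"^(?P<type>deb(?:-src)?)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>(?:\s+\S+)*)\s*$"
)

# Constructed placeholder, not a real key.
SAMPLE_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----

CONSTRUCTEDplaceholderNOTaREALkey
-----END PGP PUBLIC KEY BLOCK-----"""


def embed_key(armored):
    """Format an ASCII-armored key as a deb822 multi-line field value."""
    lines = armored.strip().splitlines()
    if not lines or "BEGIN PGP PUBLIC KEY BLOCK" not in lines[0]:
        raise ValueError("expected an ASCII-armored public key block")
    # Continuation lines start with one space; empty lines become " ."
    return "\n" + "\n".join(" " + (l.strip() or ".") for l in lines)


def one_line_to_deb822(entry, armored_key=None):
    """Convert a one-line apt source to deb822, keeping its options."""
    m = ONE_LINE.match(entry.strip())
    if not m:
        raise ValueError(f"not a one-line apt source: {entry!r}")
    fields = {"Types": m["type"], "URIs": m["uri"], "Suites": m["suite"],
              "Components": " ".join(m["comps"].split())}
    for opt in (m["opts"] or "").split():
        name, _, value = opt.partition("=")
        if name not in OPTION_FIELDS:
            # Fail loudly: a silently dropped signed-by changes trust scope.
            raise ValueError(f"unhandled option {name!r}; refusing to drop it")
        fields[OPTION_FIELDS[name]] = value.replace(",", " ")
    if armored_key is not None:
        fields["Signed-By"] = embed_key(armored_key)
    out = []
    for name, value in fields.items():
        if value:  # e.g. no Components when the suite is an exact path
            sep = "" if value.startswith("\n") else " "
            out.append(f"{name}:{sep}{value}")
    return "\n".join(out) + "\n"
```

The returned stanza can be pasted under `source: |` in the autoinstall apt section, indented to the block scalar's level.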