using two keys for one apt source fails

[ubuntu-server-builder]

This bug was originally filed in Launchpad as LP: #1005975

Launchpad details

affected_projects = []
assignee = vnovikov
assignee_name = Vladimir Novikov
date_closed = None
date_created = 2012-05-29T15:43:08.771710+00:00
date_fix_committed = None
date_fix_released = None
id = 1005975
importance = low
is_complete = False
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1005975
milestone = None
owner = tomvn
owner_name = Tom vN
private = False
status = confirmed
submitter = tomvn
submitter_name = Tom vN
tags = []
duplicates = []

Launchpad user Tom vN(tomvn) wrote on 2012-05-29T15:43:08.771710+00:00

My use case is the Apache built Cassandra repos which require two keys to be added to apt-key.

the utils.getkeybyid function doesn't use quotes around the key for this command:
$ gpg --keyserver ${ks} --recv $k >/dev/null &&

which works just fine for adding two keys from the same key server, using Cassandra as the example:
$ gpg --keyserver pgp.mit.edu --recv F758CE318D77295D 2B5C1B00

The function then switches to using quotes for the rest of the commands:
$ armour=$(gpg --export --armour "${k}") &&
$ gpg --batch --yes --delete-keys "${k}"

As these commands are in the utils.getkeybyid function they only delete and then return the public key block for the first key. The second one gets ignored by the delete and the export, so I end up with it not in my apt-key and still in gpg.

Remove the quotes around the ${k} and these commands complete correctly and return the correct public key block, which then results in both keys getting added to the apt-key.
So, unless there's a good reason to quote the ${k} it seems to be more flexible without them.

[ubuntu-server-builder]

Launchpad user Scott Moser(smoser) wrote on 2012-05-29T19:22:25.445617+00:00

Thanks for the bug report.
I think you can work around this by populating 'key' with the results of 'gpg --export --armour F758CE318D77295D 2B5C1B00', right?

Rather than removing the quotes, I think I'd rather split the cloud-config 'keyid' entry on space and make getkeybyid take a list of keyids explicitly.

[ubuntu-server-builder]

Launchpad user Tom vN(tomvn) wrote on 2012-05-30T12:21:15.444041+00:00

Correct, without the quotes the command you mentioned returns a combined public key block for both keys and 'key' then works correctly, ultimately resulting in both keys in apt-key. That's why I suggested the removal of the quotes.
I'd imagine splitting will work just as well, the only reason I suggested removing the quotes was consistency, as the gpg recv command just a few lines higher in the function already does not use quotes.
I guess if you go with splitting and stick with the quotes around the '${k}' you should quote the gpg recv '${k}' also for the sake of consistency.
I look forward to your fix, and for anyone else running into this problem I've worked around it in cloud-init by specifying the same repository twice, but putting the second repos file in /tmp/ as below. That way it works with the current version of cloud-init in ubuntu 12.04.

apt_sources:

• source: "deb http://www.apache.org/dist/cassandra/debian 10x main"
  filename: cassandra.list
  keyserver: pgp.mit.edu
  keyid: F758CE318D77295D
• source: "deb http://www.apache.org/dist/cassandra/debian 10x main"
  filename: /tmp/cloud-init-apt-key-workaround
  keyserver: pgp.mit.edu
  keyid: 2B5C1B00