Update Install Documentation for Debian/Ubuntu

[christopwner]

The current install documentation for Debian/Ubuntu, found here, suggests adding key through apt-key adv which is deprecated for security reasons.

Please provide new install documentation to install using gpg with /usr/share/keyring instead as demonstration in this stackoverflow post

[oleiade]

Thanks for reporting it @christopwner. Good catch!

This article is mentioned by the stack overflow you've posted, and clear and detailed information and instructions on how to update our instructions.

TLDR version: we should replace the installation instructions with the following:

sudo gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69
echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list
sudo apt-get update
sudo apt-get install k6

We should also probably add a warning message for anyone who wants to upgrade from using apt-key to this method instead.

[oleiade]

For reference, here's a Dockerfile demonstrating the new instructions work:

FROM ubuntu:latest

RUN apt-get update && apt-get install -y gpg ca-certificates dirmngr
RUN dirmngr
RUN gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69
RUN echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | tee /etc/apt/sources.list.d/k6.list
RUN apt-get update
RUN apt-get install k6

[MattDodsonEnglish]

Thanks for reporting this @christopwner !

I think we've fixed the docs with #640 and #646.

[ulidtko]

Doesn't work on 22.04 LTS.

gpg: failed to create temporary file '/root/.gnupg/.#lk0x00005608f9b13300.pasocon.23079': No such file or directory
gpg: connecting dirmngr at '/root/.gnupg/S.dirmngr' failed: No such file or directory
gpg: keyserver receive failed: No dirmngr

I guess sudo gpg is a bad idea™ or something.

This approach worked for me:

{ echo 'Types: deb'
  echo 'URIs: https://dl.k6.io/deb'
  echo 'Suites: stable'
  echo 'Components: main'
  echo 'Signed-By:'
  set -eo pipefail
  KEY=C5AD17C747E3415A3642D57D77C6C491D6AC1D69
  curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$KEY" \
    | sed -e 's/^$/./g;s/^/ /g' 
} | sudo tee /etc/apt/sources.list.d/k6.sources

sudo apt-get update && sudo apt-get install k6

— using the updated deb822 format: *.sources not *.list.

[imiric]

@ulidtko Please see the Troubleshooting page about that issue.

sudo gpg is used because the keyring is referenced in the k6.list file. We could also create it with a non-privileged user, but then it couldn't be in a system-wide location as /usr/share/keyrings/.

You would also get that error if you run it without sudo, if the user you run it as hasn't run gpg before. So you need to run gpg at least once to create the $GNUPGHOME directory (the No dirmngr error is misleading).

Thanks for the heads up on the deb822 format. It would make things slightly better, assuming it's well supported in all modern Debian derivatives. We'll need to look into it, and possibly host the k6.sources file with the embedded key, instead of having to use that unsightly command 😄.