Use keyring for apt repository; update dependency versions #713
| 'Debian' => "https://${repo_domain}/apt/debian", | ||
| 'Ubuntu' => "https://${repo_domain}/apt/ubuntu", | ||
| default => undef | ||
| } | ||
| $_keyring_location = "https://www.mongodb.org/static/pgp/server-${version}.asc" |
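Review bot: on the `$_keyring_location` line, `${version}` is interpolated directly into the key URL and nothing in this hunk pins the downloaded key to a fingerprint or checksum, so the trust anchor for the repository is whatever that HTTPS URL serves at apply time. Consider validating `$version` before building the URL and either recording the expected key fingerprint next to it or documenting that trust rests on TLS to www.mongodb.org alone. The `default => undef` branch of the selector above would also be clearer as an explicit failure for unsupported OS families.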
This seems to redirect to: https://pgp.mongodb.com/server-${version}.asc
I copied that from the mongodb docs...
https://www.mongodb.com/docs/v5.0/tutorial/install-mongodb-on-ubuntu/#install-mongodb-community-edition
Isn't it best to keep it according to docs?
manifests/repo/apt.pp
Outdated
| include apt | ||
|
|
||
| if($mongodb::repo::ensure == 'present' or $mongodb::repo::ensure == true) { | ||
| if($ensure == 'present') { | ||
| # The apt module does not implement gpg --dearmor |
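Review bot: boolean `true` is not matched by the `if($ensure == 'present')` condition, whereas the `$mongodb::repo::ensure` condition beside it accepted `'present'` or `true`. If the narrower form is the one being kept, a caller that still passes `ensure => true` would skip repository management without any error; either keep the boolean case or restrict the parameter's type so `true` is rejected at compile time. The `gpg --dearmor` comment should also say why dearmoring is needed here, since the rest of the block it introduces is not visible.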
IIRC apt expects a file with a name ending with .gpg to be in the binary OpenPGP format, and files with a name ending with .asc to use the ASCII armored format. Downloading the .asc file and saving it in a file with the .asc extension should work; alternatively, saving the .pub file with the .gpg extension should also work. The archive module seems unnecessary.
Thanks, I'll give it a try
Tried using

```puppet
$keyring_file = split($keyring_location, '/')[-1]
apt::source { 'mongodb':
  location => $repo_location,
  release  => $mongodb::repo::release,
  repos    => $mongodb::repo::repos,
  key      => {
    dir    => '/usr/share/keyrings',
    name   => "mongodb-${keyring_file}",
    source => $keyring_location,
  },
  comment  => $comment,
}
```

with .asc and .pub, and saving .pub as .gpg.
All of them fail with

```
Notice: /Stage[main]/Apt::Update/Exec[apt_update]/returns: Reading package lists...
Notice: /Stage[main]/Apt::Update/Exec[apt_update]/returns: W: GPG error: https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B00A0BD1E2C63C11
Notice: /Stage[main]/Apt::Update/Exec[apt_update]/returns: E: The repository 'https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 Release' is not signed.
```
Figured it out.
There is a bug in the apt module I think.
When adding signed-by in the sources.list the module does not add the missing '/' when concatenating 'dir' and 'name' ...
Changing 'dir' to '/usr/share/keyrings/' solved that :)
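The failure described in this thread (a `signed-by` path built without the `/` between `dir` and `name`, plus the `.asc`/`.gpg` format convention mentioned earlier) can be caught before `apt update` runs. The following is an added example, not code from this PR or from the apt module; the function names, the `multiverse` component and the sample source lines are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"

def signed_by_paths(source_line):
    """Keyring paths named by signed-by in a one-line apt source entry."""
    m = re.match(r"\s*deb(?:-src)?\s+\[([^\]]*)\]", source_line)
    if not m:
        return []
    for opt in m.group(1).split():
        key, _, value = opt.partition("=")
        if key.lower() == "signed-by":
            # Values that are not absolute paths are key fingerprints.
            return [v for v in value.split(",") if v.startswith("/")]
    return []

def audit(source_line, root="/"):
    """Return a list of problems; an empty list means the entry looks sane."""
    problems = []
    for path in signed_by_paths(source_line):
        keyring = Path(root) / path.lstrip("/")
        if not keyring.is_file():
            problems.append(f"{path}: keyring file does not exist")
            continue
        armored = keyring.read_bytes().lstrip().startswith(ARMOR_HEADER)
        if keyring.suffix == ".gpg" and armored:
            problems.append(f"{path}: ASCII-armored key saved as .gpg")
        elif keyring.suffix == ".asc" and not armored:
            problems.append(f"{path}: binary key saved as .asc")
    return problems

def demo():
    """Constructed sample: one armored key file and two source entries."""
    repo = "https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse"
    with tempfile.TemporaryDirectory() as root:
        keydir = Path(root, "usr/share/keyrings")
        keydir.mkdir(parents=True)
        (keydir / "mongodb-server-5.0.asc").write_bytes(ARMOR_HEADER + b"\n(constructed)\n")
        # 'dir' without trailing slash concatenated with 'name', as in the thread
        broken = f"deb [signed-by=/usr/share/keyringsmongodb-server-5.0.asc] {repo}"
        fixed = f"deb [signed-by=/usr/share/keyrings/mongodb-server-5.0.asc] {repo}"
        return audit(broken, root), audit(fixed, root)

if __name__ == "__main__":
    print(demo())
```

Run against the real files under `/etc/apt/sources.list.d/` by calling `audit(line)` for each `deb` line with the default `root`.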
the minimal puppetlabs/apt version probably needs to be updated as well? https://github.com/voxpupuli/puppet-mongodb/blob/master/metadata.json#L55

Thanks
Pull Request (PR) description
The usage of apt-key is deprecated. Switching to apt-keyring