I’m trying to add the InfluxDB (a time-series database) repository using cloud-init. The official documentation states that to install it manually, the public key must first be downloaded with wget (or curl):

    wget -qO- https://repos.influxdata.com/influxdb.key | gpg --dearmor > /etc/apt/trusted.gpg.d/influxdb.gpg
    echo "deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.gpg] https://repos.influxdata.com/ubuntu bionic stable" > /etc/apt/sources.list.d/influxdb.list

That works fine, and now I’d like to automate this with cloud-init.

My issue is that I don’t know how to fetch the key from the provided URL before using it. I’ve tried this:

    apt:
      sources:
        influxdb:
          source: 'deb https://repos.influxdata.com/ubuntu $RELEASE stable'

but then I get a GPG error saying that the repository isn’t signed.

I’ve tried the following combinations of the keyserver and keyid keys without success:

    keyserver: https://repos.influxdata.com/influxdb.key

    keyserver: https://repos.influxdata.com
    keyid: influxdb.key

    keyserver: https://repos.influxdata.com
    keyid: 05CE15085FC09D18E99EFB22684A14CF2582E0C5

How do I fetch the GPG key? I could use runcmd, but I’d rather not if there’s an alternative.
3 Answers
There are two possibilities:

Check if the key you want to import is part of the Ubuntu key server:

The key is present on the Ubuntu key server

If it's present, then you can simply add the key ID to your cloud-init file, and mark the repository as signed by the key:

Manually import the public key

If the key isn't present on the Ubuntu key server, it's possible to manually import it with a runcmd command:


You need to add keyserver and set it to https://repos.influxdata.com/influxdb.key


You can embed the full public key into your cloud-config file, inline.
(Adapted from this example in the cloud-init docs. See parts 2.8 signed-by and 2.9 raw key.)

The text from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- is the vendor’s full public key, downloaded from the same URL that they told you to wget. (In your case, https://repos.influxdata.com/influxdb.key.)

Security warning: Do not omit [signed-by=$KEY_FILE]. If you do, cloud-init will install the key into trusted.gpg.d/, where apt will treat it as globally trusted. This makes your system less secure because if the 3rd-party vendor’s public key is compromised, it will affect packages other than the 3rd-party vendor’s. This is exactly why apt-key add was deprecated. If you include [signed-by=$KEY_FILE], though, cloud-init will properly store the key in a file somewhere off to the side and expand $KEY_FILE into the full path.
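As an added check that is not part of any answer on this page: a small Python linter over the parsed apt.sources section of a cloud-config (load the YAML with yaml.safe_load first; the two samples here are constructed and embedded as dicts) flags the cases the thread discusses, namely a source line without [signed-by=$KEY_FILE], a source with no key material at all, a malformed inline key, and a key ID that is not a full fingerprint.

```python
import re

ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_FOOTER = "-----END PGP PUBLIC KEY BLOCK-----"


def check_apt_source(name, entry):
    """Return findings for one entry under apt.sources (the dict cloud-init sees after YAML parsing)."""
    findings = []
    source = entry.get("source", "")
    # Without [signed-by=...] cloud-init writes the key into trusted.gpg.d/, where apt
    # accepts it for every repository instead of just this one.
    if "signed-by=" not in source:
        findings.append(f"{name}: source line lacks [signed-by=$KEY_FILE]; key would be globally trusted")
    if re.search(r"\bhttp://", source):
        findings.append(f"{name}: repository URL is plain http; use https")
    has_key, has_keyid = "key" in entry, "keyid" in entry
    if not (has_key or has_keyid):
        # The questioner's first attempt: apt then reports the repository as unsigned.
        findings.append(f"{name}: no 'key' or 'keyid' given; apt will reject the repository as unsigned")
    if has_key:
        key = str(entry["key"]).strip()
        if not (key.startswith(ARMOR_HEADER) and key.endswith(ARMOR_FOOTER)):
            findings.append(f"{name}: inline 'key' is not a complete ASCII-armored PGP public key block")
    if has_keyid:
        keyid = str(entry["keyid"]).replace(" ", "")
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", keyid):
            findings.append(f"{name}: keyid is not a full 40-hex-digit fingerprint; short key IDs are ambiguous")
    return findings


def check_cloud_config(cfg):
    """Run check_apt_source over every apt.sources entry of a parsed cloud-config."""
    findings = []
    for name, entry in cfg.get("apt", {}).get("sources", {}).items():
        findings.extend(check_apt_source(name, entry))
    return findings


# Constructed sample: the questioner's first attempt (no key material, no signed-by).
UNSIGNED_CONFIG = {"apt": {"sources": {"influxdb": {
    "source": "deb https://repos.influxdata.com/ubuntu $RELEASE stable"}}}}

# Constructed sample: repository pinned to one key, fetched by its full fingerprint.
# keyserver.ubuntu.com is an assumed keyserver; the first answer says to check the key is there.
HARDENED_CONFIG = {"apt": {"sources": {"influxdb": {
    "source": "deb [signed-by=$KEY_FILE] https://repos.influxdata.com/ubuntu $RELEASE stable",
    "keyserver": "keyserver.ubuntu.com",
    "keyid": "05CE15085FC09D18E99EFB22684A14CF2582E0C5"}}}}

if __name__ == "__main__":
    for label, cfg in (("unsigned", UNSIGNED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_cloud_config(cfg) or ["ok"])
```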