
I’m trying to add the InfluxDB (a time-series database) repository using cloud-init. The official documentation states that to install it manually, the public key must first be downloaded with wget (or curl):

wget -qO- https://repos.influxdata.com/influxdb.key | gpg --dearmor > /etc/apt/trusted.gpg.d/influxdb.gpg
echo "deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.gpg] https://repos.influxdata.com/ubuntu bionic stable" > /etc/apt/sources.list.d/influxdb.list

That works fine, and now I’d like to automate this with cloud-init.

My issue is that I don’t know how to fetch the key from the provided URL before using it. I’ve tried this:

apt:
  sources:
    influxdb:
      source: 'deb https://repos.influxdata.com/ubuntu $RELEASE stable'

but then I get a GPG error saying that the repository isn’t signed.

I’ve tried the following combination of the keyserver and keyid keys without success:

  • keyserver: https://repos.influxdata.com/influxdb.key
  • keyserver: https://repos.influxdata.com and keyid: influxdb.key
  • keyserver: https://repos.influxdata.com and keyid: 05CE15085FC09D18E99EFB22684A14CF2582E0C5

How do I fetch the GPG key? I could use Runcmd, but I’d rather not if there’s an alternative.

3 Answers


  1. Chosen as BEST ANSWER

    There are two possibilities:

    1. The key you want to import is present on the Ubuntu key server
    2. The key isn't present on the Ubuntu key server

    Check if the key you want to import is part of the Ubuntu key server:

    • Get the key ID from the public key
    wget -qO- https://repos.influxdata.com/influxdb.key | gpg --with-fingerprint --with-colons | awk -F: '/^fpr/ { print $10 }'
    
    • Check if it can be retrieved from the Ubuntu keyserver
    gpg --keyserver=keyserver.ubuntu.com --recv-keys 05CE15085FC09D18E99EFB22684A14CF2582E0C5
    

    The key is present on the Ubuntu key server

    If it's present, then you can simply add the key ID to your cloud-init file, and mark the repository as signed by the key:

    apt:
      sources:
        influxdb:
          keyid: 05CE15085FC09D18E99EFB22684A14CF2582E0C5
          source: 'deb [signed-by=$KEY_FILE] https://repos.influxdata.com/ubuntu $RELEASE stable'
    

    Manually import the public key

    If the key isn't present on the Ubuntu key server, it's possible to manually import it with a runcmd command:

    # fetch Influx GPG public key, and store it in the keyring
    runcmd:
      - wget -qO- https://repos.influxdata.com/influxdb.key | sudo gpg --dearmor -o /usr/share/keyrings/influxdb.gpg
    
    # add Influx apt source by marking it as signed with the added key
    # (note the [signed-by] option)
    apt:
      sources:
        influxdb:
          source: 'deb [signed-by=/usr/share/keyrings/influxdb.gpg] https://repos.influxdata.com/ubuntu $RELEASE stable'
    
    

  2. You need to add keyserver and set it to https://repos.influxdata.com/influxdb.key

  3. You can embed the full public key into your cloud-config file, inline.

    apt:
      sources:
        influxdb:
          source: 'deb [signed-by=$KEY_FILE] https://repos.influxdata.com/ubuntu $RELEASE stable'
          key: | # The value needs to start with -----BEGIN PGP PUBLIC KEY BLOCK-----
             -----BEGIN PGP PUBLIC KEY BLOCK-----
             Version: GnuPG v1
    
             mQINBFYJmwQBEADCw7mob8Vzk+DmkYyiv0dTU/xgoSlp4SQwrTzat8MB8jxmx60l
             QjmhqEyuB8ho4zzZF9KV+gJWrG6Rj4t69JMTJWM7jFz+0B1PC7kJfNM+VcBmkTnj
             [snip]
             -----END PGP PUBLIC KEY BLOCK-----
    

    (Adapted from this example in the cloud-init docs. See parts 2.8 signed-by and 2.9 raw key.)

    The text from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- is the vendor’s full public key, downloaded from the same URL that they told you to wget. (In your case, https://repos.influxdata.com/influxdb.key.)

    Security warning: Do not omit [signed-by=$KEY_FILE]. If you do, cloud-init will install the key into trusted.gpg.d/, where apt will treat it as globally trusted. This makes your system less secure because if the 3rd-party vendor’s public key is compromised, it will affect packages other than the 3rd-party vendor’s. This is exactly why apt-key add was deprecated. If you include [signed-by=$KEY_FILE], though, cloud-init will properly store the key in a file somewhere off to the side and expand $KEY_FILE into the full path.

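As an added example that is not part of any answer above: a small Python audit of the one-line apt source entries these cloud-configs end up writing, reporting for each entry whether the repository is pinned to its own keyring or is verified against apt's global trust set (the situation the warning above describes). The sample entries are constructed from this thread; the file paths in them are the ones the question and answers use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One-line-style entry, e.g.
#   deb [signed-by=/usr/share/keyrings/influxdb.gpg] https://repos.influxdata.com/ubuntu bionic stable
_ENTRY = re.compile(
    r"^(?P<kind>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$"
)

# Keyrings placed here are trusted for every repository, signed-by or not.
GLOBAL_TRUST_PATHS = ("/etc/apt/trusted.gpg.d/", "/etc/apt/trusted.gpg")


@dataclass
class AptSource:
    kind: str
    uri: str
    suite: str
    components: List[str]
    signed_by: Optional[str]

    def trust_scope(self) -> str:
        if self.signed_by is None:
            return "global"        # any key apt trusts can sign this repo
        if self.signed_by.startswith(GLOBAL_TRUST_PATHS):
            return "also-global"   # pinned, but the keyring also signs every other repo
        return "scoped"            # only this keyring is accepted for this repo


def parse_source_line(line: str) -> Optional[AptSource]:
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _ENTRY.match(line)
    if not m:
        raise ValueError(f"not an apt source entry: {line!r}")
    opts = dict(opt.partition("=")[::2] for opt in (m.group("opts") or "").split())
    return AptSource(m.group("kind"), m.group("uri"), m.group("suite"),
                     m.group("comps").split(), opts.get("signed-by"))


def audit(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) for every entry not scoped to its own keyring."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        src = parse_source_line(line)
        if src is not None and src.trust_scope() != "scoped":
            findings.append((n, f"{src.uri}: trust is {src.trust_scope()} (signed-by={src.signed_by})"))
    return findings


# Constructed sample: the question's trusted.gpg.d variant, the best answer's
# /usr/share/keyrings variant, and the question's first attempt with no key at all.
SAMPLE = """deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.gpg] https://repos.influxdata.com/ubuntu bionic stable
deb [signed-by=/usr/share/keyrings/influxdb.gpg] https://repos.influxdata.com/ubuntu bionic stable
deb https://repos.influxdata.com/ubuntu bionic stable
"""

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```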