cloud-init

Cloud-init: Fetch apt key from remote file instead of from a key server


I'm trying to add the InfluxDB (a time-series database) repository using cloud-init. The official documentation states that to install it manually, the public key must first be downloaded with wget (or curl):

wget -qO- https://repos.influxdata.com/influxdb.key | gpg --dearmor > /etc/apt/trusted.gpg.d/influxdb.gpg
echo "deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.gpg] https://repos.influxdata.com/ubuntu bionic stable" > /etc/apt/sources.list.d/influxdb.list

That works fine, and now I'd like to automate this with cloud-init.

My issue is that I don't know how to fetch the key from the provided URL before using it. I've tried this:

apt:
  sources:
    influxdb:
      source: 'deb https://repos.influxdata.com/ubuntu $RELEASE stable'

but then I get a GPG error saying that the repository isn't signed.

I've tried the following combination of the keyserver and keyid keys without success:

How do I fetch the GPG key? I could use runcmd, but I'd rather not if there's an alternative.


Solution

  • There are two possibilities:

    1. The key you want to import is present on the Ubuntu key server
    2. The key isn't present on the Ubuntu key server

    Check if the key you want to import is part of the Ubuntu key server:

    wget -qO- https://repos.influxdata.com/influxdb.key | gpg --with-fingerprint --with-colons | awk -F: '/^fpr/ { print $10 }'
    
    gpg --keyserver=keyserver.ubuntu.com --recv-keys 05CE15085FC09D18E99EFB22684A14CF2582E0C5
    

    The key is present on the Ubuntu key server

    If it's present, then you can simply add the key ID to your cloud-init file, and mark the repository as signed by the key:

    apt:
      sources:
        influxdb:
          keyid: 05CE15085FC09D18E99EFB22684A14CF2582E0C5
          source: 'deb [signed-by=$KEY_FILE] https://repos.influxdata.com/ubuntu $RELEASE stable'
    

    cloud-init, by default, will create the key file in /etc/apt/trusted.gpg.d/ and will name the file after the source name in the yaml. In this case, /etc/apt/trusted.gpg.d/influxdb.gpg. You could also add the optional filename: property and specify something like filename: influx_aptkey.gpg.

    Manually import the public key

    If the key isn't present on the Ubuntu key server, it's possible to manually import it with a runcmd command:

    # fetch Influx GPG public key, and store it in the keyring
    runcmd:
      - wget -qO- https://repos.influxdata.com/influxdb.key | sudo gpg --dearmor -o /usr/share/keyrings/influxdb.gpg
    
    # add Influx apt source by marking it as signed with the added key
    # (note the [signed-by] option)
    apt:
      sources:
        influxdb:
          source: 'deb [signed-by=/usr/share/keyrings/influxdb.gpg] https://repos.influxdata.com/ubuntu $RELEASE stable'
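As an added example (not part of the question or the answer above), here is a POSIX shell script for the manual-import case that pins the key's fingerprint: it reuses the fingerprint the answer obtained from keyserver.ubuntu.com and the keyring path from the answer's runcmd, and refuses to register the repository if the downloaded key does not match. The function names and the `install` argument are choices made here, not cloud-init or InfluxDB conventions.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the InfluxDB apt key, reject
# it unless its fingerprint matches a pinned value, then register the repository.
set -eu

KEY_URL="https://repos.influxdata.com/influxdb.key"
# Fingerprint the answer obtained via keyserver.ubuntu.com; pin it here so a
# tampered or substituted key file is rejected instead of silently trusted.
EXPECTED_FPR="05CE15085FC09D18E99EFB22684A14CF2582E0C5"
KEYRING="/usr/share/keyrings/influxdb.gpg"
SOURCES="/etc/apt/sources.list.d/influxdb.list"

# Print the primary key's fingerprint from `gpg --with-colons` output on stdin
# (the first fpr record; later fpr records belong to subkeys).
fpr_from_colons() {
    awk -F: '/^fpr/ { print $10; exit }'
}

# Succeed only if $2 (observed) is non-empty and equals $1 (pinned),
# ignoring hex case.
fpr_matches() {
    if [ -n "$2" ] && \
       [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]; then
        return 0
    fi
    return 1
}

install_pinned_key() {
    tmp=$(mktemp)
    # Download to a file first so a failed download stops the script (set -e
    # does not see failures on the left side of a pipe).
    wget -qO "$tmp.asc" "$KEY_URL"
    gpg --dearmor < "$tmp.asc" > "$tmp"
    actual=$(gpg --with-fingerprint --with-colons < "$tmp" 2>/dev/null | fpr_from_colons)
    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "refusing to trust $KEY_URL: fingerprint '${actual:-none}' != $EXPECTED_FPR" >&2
        rm -f "$tmp" "$tmp.asc"
        return 1
    fi
    install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp" "$tmp.asc"
    codename=$(. /etc/os-release && echo "$VERSION_CODENAME")
    echo "deb [signed-by=$KEYRING] https://repos.influxdata.com/ubuntu $codename stable" > "$SOURCES"
}
# Only perform the installation when invoked as: sh script.sh install
if [ "${1:-}" = "install" ]; then
    install_pinned_key
fi
```

If the same cloud-config also lists `packages:`, run this from `bootcmd` rather than `runcmd`: cloud-init installs packages in its final stage before runcmd scripts execute, so a key fetched by runcmd is not yet present when apt first reads the new source.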