salt: Salt pkgrepo.managed for PPA Does not Import Keys

Description of Issue/Question

Salt no longer imports keys when using pkgrepo.managed with a ppa repository.

Setup

Ubuntu 14.04 LTS
salt 2015.8.8.2 (Beryllium)
Master - minion setup

Steps to Reproduce Issue

Noticed when I was upgrading all my servers' PHP packages to 7.

----------
          ID: php-pkgs
    Function: pkg.installed
      Result: False
     Comment: The following packages failed to install/update: php-pear, php7.0-gd, php7.0-intl, php7.0-cli, php7.0, php7.0-mcrypt, php7.0-fpm, php7.0-mysql, php7.0-curl, php7.0-json, php7.0-sqlite3
     Started: 01:07:47.464101
    Duration: 10235.009 ms
     Changes:   

State that causes the issue:

php-repo:
  pkgrepo.managed:
    - humanname: PHP Repo
    - ppa: ondrej/php

List of keys after running the salt state:

/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

pub   4096R/68576280 2014-06-13
uid                  NodeSource <gpg@nodesource.com>
sub   4096R/AA01DA2C 2014-06-13

pub   1024D/548C16BF 2010-06-29
uid                  New Relic <support@newrelic.com>
sub   2048g/77E8EB9A 2010-06-29

pub   2048R/DE57BFBE 2014-06-24
uid                  SaltStack Packaging Team <packaging@saltstack.com>
sub   2048R/17928113 2014-06-24

/etc/apt/trusted.gpg.d/nginx-stable.gpg
---------------------------------------
pub   1024R/C300EE8C 2010-07-21
uid                  Launchpad Stable

As you can see, it is missing the key for the specific PPA.

Versions Report

Salt Version:
           Salt: 2015.8.8.2

Dependency Versions:
         Jinja2: 2.7.2
       M2Crypto: Not Installed
           Mako: 0.9.1
         PyYAML: 3.10
          PyZMQ: 14.0.1
         Python: 2.7.6 (default, Jun 22 2015, 17:58:13)
           RAET: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.0.4
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 1.5
          gitdb: 0.5.4
      gitpython: 0.3.2 RC1
          ioflo: Not Installed
        libgit2: Not Installed
        libnacl: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.3.0
   mysql-python: 1.2.3
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: 0.8.2
        timelib: Not Installed

System Versions:
           dist: Ubuntu 14.04 trusty
        machine: x86_64
        release: 3.13.0-83-generic
         system: Ubuntu 14.04 trusty

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 3
  • Comments: 31 (10 by maintainers)

Most upvoted comments

After lots of debugging, I have found that the problem seems to be with apt-add-repository provided by Ubuntu, so this isn’t really a problem with salt. apt-add-repository apparently breaks when it encounters non-unicode characters when executing without a UTF-8 locale: https://github.com/oerdnj/deb.sury.org/issues/56

So, the workaround I used was to ignore the PPA bit of pkgrepo and add the repository like any other repository:

ondrej-php-ppa:
  pkgrepo.managed:
    - name: deb http://ppa.launchpad.net/ondrej/php/ubuntu xenial main
    - dist: xenial
    - file: /etc/apt/sources.list.d/ondrej-ubuntu-php-xenial.list
    - keyserver: keyserver.ubuntu.com
    - keyid: E5267A6C
    - refresh_db: true

The result of this is almost exactly the same as using apt-add-repository, except that the imported key ends up in /etc/apt/trusted.gpg instead of a separate file. Using apt-add-repository would import that key into /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg instead, but I would say this is of minor importance.

Bigtime having this issue again. Should be fixed as it shouldn’t be a hard fix.

On Ubuntu 16.04 with saltstack packages version “2016.11.5+ds-3”. Trying to add ppa:ondrej/php results in this:

root@saltmaster:/srv/salt/fs# salt minion1 state.apply webserver
minion1:
----------
          ID: ondrej-php-ppa
    Function: pkgrepo.managed
      Result: False
     Comment: Failed to configure repo 'ondrej-php-ppa': Unable to add PPA 'ondrej/php'. '['apt-add-repository', '-y', 'ppa:ondrej/php']' exited with status 1: 'gpg: keyring `/tmp/tmpdlfjtc8z/secring.gpg' created
              gpg: keyring `/tmp/tmpdlfjtc8z/pubring.gpg' created
              gpg: requesting key E5267A6C from hkp server keyserver.ubuntu.com
              gpg: /tmp/tmpdlfjtc8z/trustdb.gpg: trustdb created
              gpg: key E5267A6C: public key "Launchpad PPA for Ond\xc5\x99ej Surý" imported
              gpg: Total number processed: 1
              gpg:               imported: 1  (RSA: 1)'
     Started: 11:55:17.987772
    Duration: 1746.782 ms
     Changes:   

Summary for minion1
------------
Succeeded: 0
Failed:    1
------------
Total states run:     1
Total run time:   1.747 s


-------------------------------------------
Summary
-------------------------------------------
# of minions targeted: 1
# of minions returned: 1
# of minions that did not return: 0
# of minions with errors: 1
-------------------------------------------
ERROR: Minions returned with non-zero exit code
root@saltmaster:/srv/salt/fs# 

So apparently it imports the key to a file “/tmp/tmpdlfjtc8z/trustdb.gpg” and forgets about it?

My Salt state file:

# vim: expandtab ts=2 sw=2 softtabstop=2

ondrej-php-ppa:
  pkgrepo.managed:
    - ppa: ondrej/php
    - refresh_db: true

Resulting “apt-key list” output:

root@minion1:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

pub   2048R/DE57BFBE 2014-06-24
uid                  SaltStack Packaging Team <packaging@saltstack.com>
sub   2048R/17928113 2014-06-24

root@minion1:~#

Saltstack versions report:

root@minion1:~# salt-minion --versions-report
Salt Version:
           Salt: 2016.11.4
 
Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.4.2
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.12 (default, Nov 19 2016, 06:48:10)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4
 
System Versions:
           dist: Ubuntu 16.04 xenial
        machine: x86_64
        release: 4.4.0-78-generic
         system: Linux
        version: Ubuntu 16.04 xenial
 
root@minion1:~# 

I wanted to report that I’m seeing this issue as well.

(root) ~ # salt --versions
Salt Version:
           Salt: 2019.2.2
 
Dependency Versions:
           cffi: 1.5.2
       cherrypy: 3.5.0
       dateutil: 2.4.2
      docker-py: Not Installed
          gitdb: 0.6.4
      gitpython: 1.0.1
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: 0.24.0
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.24.0
         Python: 2.7.12 (default, Oct  8 2019, 14:14:10)
   python-gnupg: 0.3.8
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: 0.9.0
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4
 
System Versions:
           dist: Ubuntu 16.04 xenial
         locale: UTF-8
        machine: x86_64
        release: 4.15.0-1050-aws
         system: Linux
        version: Ubuntu 16.04 xenial

State:

# manage our salt repository
/etc/apt/sources.list.d/salt-stack.list:
  pkgrepo.managed:
    - name: deb http://repo.saltstack.com/apt/debian/9/amd64/latest stretch main
    - file: /etc/apt/sources.list.d/salt-stack.list
    - keyurl: salt://salt-minion/files/SALTSTACK-GPG-KEY.pub

After running this state, packages still show as unauthenticated. The key does not show up when running apt-key list on the target minion. apt update shows the repository as unauthenticated.

After running wget -O - https://repo.saltstack.com/apt/debian/9/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add - using a cmd.run call, apt update returns successfully, and I’m able to manage packages in this repository.

Minion versions:

    Salt Version:
               Salt: 2016.11.2
     
    Dependency Versions:
               cffi: Not Installed
           cherrypy: Not Installed
           dateutil: 2.5.3
              gitdb: Not Installed
          gitpython: Not Installed
              ioflo: Not Installed
             Jinja2: 2.8
            libgit2: Not Installed
            libnacl: Not Installed
           M2Crypto: Not Installed
               Mako: Not Installed
       msgpack-pure: Not Installed
     msgpack-python: 0.4.8
       mysql-python: Not Installed
          pycparser: Not Installed
           pycrypto: 2.6.1
             pygit2: Not Installed
             Python: 2.7.13 (default, Sep 26 2018, 18:42:22)
       python-gnupg: Not Installed
             PyYAML: 3.12
              PyZMQ: 16.0.2
               RAET: Not Installed
              smmap: Not Installed
            timelib: Not Installed
            Tornado: 4.4.3
                ZMQ: 4.2.1
     
    System Versions:
               dist: debian 9.4 
            machine: x86_64
            release: 4.19.29
             system: Linux
            version: debian 9.4

Can confirm for salt-minion 2017.7.4.

[salt.loaded.int.module.cmdmod:1715][ERROR ][19226] Command '['apt-add-repository', '-y', 'ppa:ondrej/php']' failed with return code: 1
[salt.loaded.int.module.cmdmod:1717][ERROR ][19226] stdout: 'ascii' codec can't decode byte 0xc5 in position 92: ordinal not in range(128)

Manually executing apt-add-repository works fine.

This workaround has been working for us for a while:

php_ppa:
  pkgrepo.managed:
    - humanname: PHP Repo
    - ppa: ondrej/php
    - keyid: E5267A6C
    - keyserver: keyserver.ubuntu.com

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4F4EA0AAE5267A6C:
    cmd.run:
        - unless: 'apt-key list | grep Launchpad'
        - order: first

php7.1:
  pkg:
    - installed
    - require:
      - pkgrepo: php_ppa
    - pkgs:
      - php7.1-cli
      - php7.1-mysql
      - php7.1-curl
      - php7.1-mcrypt
      - php7.1-xmlrpc
      - php7.1-gd
      - php7.1-imagick
      - php7.1-memcached
      - php7.1-intl
      - php7.1-dev
      - php7.1-mbstring 
      - php7.1-xml
      - php7.1-zip
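
A presence check that matches on key ID rather than on uid text, as an added example (not code from this thread or from Salt). It parses the legacy `apt-key list` format shown in the reports above; the sample listing is constructed from the first report's keyring, and the function names are hypothetical.

```python
import re

# Constructed sample: legacy `apt-key list` output in the format shown in this
# thread (abbreviated from the first report). The PPA key E5267A6C is absent.
SAMPLE_LISTING = """\
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   2048R/DE57BFBE 2014-06-24
uid                  SaltStack Packaging Team <packaging@saltstack.com>

/etc/apt/trusted.gpg.d/nginx-stable.gpg
---------------------------------------
pub   1024R/C300EE8C 2010-07-21
uid                  Launchpad Stable
"""

PUB_RE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})")
UID_RE = re.compile(r"^uid\s+(.*\S)")

def parse_apt_key_list(text):
    """Return one dict per 'pub' entry: keyring file, short key ID, date, uids."""
    keys, keyring, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        pub, uid = PUB_RE.match(line), UID_RE.match(line)
        # A keyring path is a line starting with "/" underlined by dashes.
        if line.startswith("/") and i + 1 < len(lines) and set(lines[i + 1].strip()) == {"-"}:
            keyring = line.strip()
        elif pub:
            keys.append({"keyring": keyring, "keyid": pub.group(1).upper(),
                         "created": pub.group(2), "uids": []})
        elif uid and keys:
            keys[-1]["uids"].append(uid.group(1))
    return keys

def has_key(keys, keyid):
    """True if a key with this ID is listed. The legacy listing exposes only
    the 8-hex short ID, so longer IDs are compared by their last 8 digits.
    This confirms presence only; it does not authenticate the key."""
    return any(k["keyid"] == keyid.upper()[-8:] for k in keys)

def uid_grep(keys, needle):
    """Equivalent of `apt-key list | grep <needle>` restricted to uid lines."""
    return any(needle in u for k in keys for u in k["uids"])
```

On this sample, the uid match for "Launchpad" succeeds because of the unrelated nginx-stable key, while the key-ID check correctly reports the PPA key as missing.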

Still an issue.