Missing Signed-By in the sources.list(5) for Ubuntu 24 LTS #9442

Open
Autoflow opened this issue Nov 6, 2024 · 5 comments
Labels
question Further information is requested

Autoflow commented Nov 6, 2024

We just upgraded Uyuni to Podman 2024.10 to take advantage of Ubuntu 24.04 LTS.
After adding the channels of Ubuntu 24.04 by using spacewalk-common-channels everything looked fine.

But now when manually running apt update on 24.04 systems we got the following notice:

N: Missing Signed-By in the sources.list(5) entry for 'http://HOST:443/rhn/manager/download'
N: Missing Signed-By in the sources.list(5) entry for 'http://HOST:443/rhn/manager/download'

Is this a known problem?

@Autoflow Autoflow added the question Further information is requested label Nov 6, 2024

rhar78 commented Nov 17, 2024

I came across the same problem.

I apologize if I am out of turn adding my comments to this question, but I am using a workaround. (Also, I am following this thread because I would like to see an official answer for this question.)

My workaround:

The official Channels Uyuni provides are sourced from Canonical. Therefore from /etc/apt/sources.list.d/ubuntu.sources I have taken the line:
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

and added it to the end of each stanza (Channel) in the Uyuni sources file /etc/apt/sources.list.d/susemanager:channels.sources, for example:

Types: deb
URIs: https://<HOST>:443/rhn/manager/download
Suites: ubuntu-2404-amd64-main-uyuni/
Components:
Trusted: yes
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

...etc...

I realize this is a manual modification to a file which clearly reads:
# Do not edit this file, changes will be overwritten

So it's a hacky short term solution. I am hoping there is an official solution provided soon that doesn't require this manual editing. I gather this really should be set by default (by Uyuni) when the Channel is created or when the Minion links to the Channel.

Thanks.

mcalmer (Contributor) commented Nov 19, 2024

As Uyuni re-generates the metadata, the signature cannot be re-used. You need to set up your own GPG signing key.
Follow the docs:
https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/repo-metadata.html

I am not sure about Ubuntu 24.04 as the format of the source file has changed. But I hope that this was adapted as well.

Autoflow (Author) commented

Thanks @mcalmer.
Now when trying to generate a gpg key (mgrctl exec -- gpg --gen-key) I get the following error:

gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: cannot open '/dev/tty': No such device or address

Any ideas?

mcalmer (Contributor) commented Nov 22, 2024

Maybe mgrctl exec -t -- gpg --gen-key (maybe also -ti). Not so sure what it supports. t: tty, i: interactive

You can also try mgrctl term and you get a shell where you can exec gpg command and the other commands directly


rhar78 commented Nov 26, 2024

I made the following recommended changes:

  # mgrctl exec -ti -- gpg --gen-key
  # mgrctl exec -- mgr-sign-metadata-ctl enable 9D816729
  # mgrctl exec -- mgr-sign-metadata-ctl check-config
  # mgrctl exec -- mgr-sign-metadata-ctl regen-metadata

and found in my very next update via the UI, Uyuni rightfully removes the custom changes I made to "/etc/apt/sources.list.d/susemanager:channels.sources" on the minion (shown in the UI's output below).

However the "Signed-By: " line is not being added by Uyuni to the susemanager:channels.sources file on Ubuntu 24.04. At least not on the test instance I am running.

Unless I'm also missing something, this suggests that the steps (above) did not necessarily resolve the original post and that this is still an issue.

Output from update from UI:

This action will be executed after 11/27/24 5:47:00 AM AEST
This action's status is: Completed.
The client completed this action on 11/27/24 5:47:22 AM AEST
Client execution returned
----------
          ID: sync_states
    Function: saltutil.states
        Name: sync_states
      Result: true
     Comment: No updates to sync
     Started: 06:43:30.565551
    Duration: 195.024
         SLS: util.syncstates
     Changed: {}
----------
          ID: mgr_absent_ca_package
    Function: pkg.removed
        Name: rhn-org-trusted-ssl-cert
      Result: true
     Comment: All specified packages are already absent
     Started: 06:43:31.430451
    Duration: 0.752
         SLS: certs
     Changed: {}
----------
          ID: mgr_ca_cert
    Function: file.managed
        Name: /usr/local/share/ca-certificates/susemanager/RHN-ORG-TRUSTED-SSL-CERT.crt
      Result: true
     Comment: File /usr/local/share/ca-certificates/susemanager/RHN-ORG-TRUSTED-SSL-CERT.crt is in the correct state
     Started: 06:43:31.433041
    Duration: 47.524
         SLS: certs
     Changed: {}
----------
          ID: mgr_update_ca_certs
    Function: cmd.run
        Name: /usr/sbin/update-ca-certificates
      Result: true
     Comment: State was not run because none of the onchanges reqs changed
     Started: 06:43:31.481388
    Duration: 0.005
         SLS: certs
     Changed: {}
----------
          ID: mgr_proxy_ca_cert_symlink
    Function: file.symlink
        Name: /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
      Result: true
     Comment: onlyif condition is false
     Started: 06:43:31.481467
    Duration: 373.222
         SLS: certs
     Changed: {}
----------
          ID: mgr_debian_repo_keyring
    Function: file.managed
        Name: /usr/share/keyrings/mgr-archive-keyring.gpg
      Result: true
     Comment: File /usr/share/keyrings/mgr-archive-keyring.gpg updated
     Started: 06:43:31.854795
    Duration: 30.341
         SLS: channels.gpg-keys
     Changed: diff: New file
              mode: '0644'
              
----------
          ID: mgr_deploy_tools_uyuni_key
    Function: file.managed
        Name: /etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key
      Result: true
     Comment: File /etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key is in the correct state
     Started: 06:43:31.885259
    Duration: 21.62
         SLS: channels.gpg-keys
     Changed: {}
----------
          ID: mgr_deploy_suse_addon_key
    Function: file.managed
        Name: /etc/pki/rpm-gpg/suse-addon-97a636db0bad8ecc.key
      Result: true
     Comment: File /etc/pki/rpm-gpg/suse-addon-97a636db0bad8ecc.key is in the correct state
     Started: 06:43:31.906984
    Duration: 20.681
         SLS: channels.gpg-keys
     Changed: {}
----------
          ID: mgrchannels_repo
    Function: file.managed
        Name: /etc/apt/sources.list.d/susemanager:channels.sources
      Result: true
     Comment: File /etc/apt/sources.list.d/susemanager:channels.sources updated
     Started: 06:43:31.927862
    Duration: 88.198
         SLS: channels
     Changed: diff: "--- 
              +++ 
              @@ -7,7 +7,6 @@
               Suites: ubuntu-2404-amd64-main-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -15,7 +14,6 @@
               Suites: ubuntu-24.04-pool-amd64-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -23,7 +21,6 @@
               Suites: ubuntu-2404-amd64-uyuni-client/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -31,7 +28,6 @@
               Suites: ubuntu-2404-amd64-universe-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -39,7 +35,6 @@
               Suites: ubuntu-2404-amd64-main-updates-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -47,7 +42,6 @@
               Suites: ubuntu-2404-amd64-main-security-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -55,7 +49,6 @@
               Suites: ubuntu-2404-amd64-main-backports-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -63,7 +56,6 @@
               Suites: ubuntu-2404-amd64-universe-updates-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -71,7 +63,6 @@
               Suites: ubuntu-2404-amd64-universe-security-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
               Types: deb
              @@ -79,6 +70,5 @@
               Suites: ubuntu-2404-amd64-universe-backports-uyuni/
               Components:
               Trusted: yes
              -Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
              \
                  \ 
               
              "
              
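Review bot: every hunk removes `Signed-By:` but keeps the context line `Trusted: yes`, so after this change each stanza relies on `Trusted: yes` alone, which tells apt to consider the source trusted even when it does not pass authentication checks. For the client to verify the signed metadata, the generated stanza would need a `Signed-By:` line and no `Trusted: yes`. This same run deploys /usr/share/keyrings/mgr-archive-keyring.gpg, but none of the hunks reference it, and the output does not show whether that keyring is the intended `Signed-By` target.
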
----------
          ID: mgrchannels_repo_remove_old_channels_list
    Function: file.absent
        Name: /etc/apt/sources.list.d/susemanager:channels.list
      Result: true
     Comment: File /etc/apt/sources.list.d/susemanager:channels.list is not present
     Started: 06:43:32.016144
    Duration: 0.356
         SLS: channels
     Changed: {}
----------
          ID: aptauth_conf
    Function: file.managed
        Name: /etc/apt/auth.conf.d/susemanager.conf
      Result: true
     Comment: File /etc/apt/auth.conf.d/susemanager.conf is in the correct state
     Started: 06:43:32.016546
    Duration: 60.143
         SLS: channels
     Changed: {}
----------
          ID: install_gnupg_debian
    Function: pkg.installed
        Name: install_gnupg_debian
      Result: true
     Comment: All specified packages are already installed
     Started: 06:43:32.076798
    Duration: 0.612
         SLS: channels
     Changed: {}
----------
          ID: pkg_installed
    Function: pkg.installed
        Name: pkg_installed
      Result: true
     Comment: 1 targeted package was installed/updated.
     Started: 06:43:32.077621
    Duration: 2984.752
         SLS: packages.pkginstall
     Changed: needrestart:
                  old: 3.6-7ubuntu4.3
                  new: 3.6-7ubuntu4.4
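
A way to check, after each state apply, which stanzas of the channels file carry Signed-By and which set Trusted. This is an added example, not part of any comment in this thread and not Uyuni code; the function names and the sample file are constructed for illustration, using the stanza layout quoted above.

```shell
# Added example: list each stanza of a deb822 .sources file with its
# Signed-By and Trusted settings. The sample data below is constructed.

# audit_sources FILE ("-" reads stdin) prints one line per stanza:
#   <suite> TAB signed-by=<path|embedded|MISSING> TAB trusted=<value|unset>
audit_sources() {
    awk '
        function reset() { suite = "?"; signed = "MISSING"; trusted = "unset"; seen = 0 }
        function flush() {
            if (seen) printf "%s\tsigned-by=%s\ttrusted=%s\n", suite, signed, trusted
            reset()
        }
        BEGIN { reset() }
        /^[ \t]*$/ { flush(); next }      # a blank line ends the stanza
        /^#/       { next }               # comment line
        /^[ \t]/   { next }               # continuation of the previous field
        {
            seen = 1
            if ((i = index($0, ":")) == 0) next
            key = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "suites") suite = val
            else if (key == "signed-by") signed = (val == "" ? "embedded" : val)
            else if (key == "trusted") trusted = val
        }
        END { flush() }
    ' "$1"
}

# Constructed sample: one stanza without Signed-By, one with it.
sample_sources() {
    cat <<'EOF'
# Do not edit this file, changes will be overwritten
Types: deb
URIs: https://HOST:443/rhn/manager/download
Suites: ubuntu-2404-amd64-main-uyuni/
Trusted: yes

Types: deb
URIs: https://HOST:443/rhn/manager/download
Suites: ubuntu-2404-amd64-universe-uyuni/
Trusted: yes
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF
}

sample_sources | audit_sources -
```

On a client, run `audit_sources /etc/apt/sources.list.d/susemanager:channels.sources` and look for lines reporting `signed-by=MISSING` or `trusted=yes`.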
