I’m trying to make a custom image to host a web server when a container is started from that image. I’m running the snap distrobuilder on Ubuntu Bionic Beaver. I tried the example from the GitHub README of creating a custom image from the ubuntu.yaml in doc/examples, which worked fine. When building my own image it would be better to use ubuntu-http as a downloader. The start of my yaml file looks as follows:
```yaml
image:
  description: |-
    An image to host a webserver
  distribution: ubuntu
  architecture: x86_64
  release: "18.04"

source:
  downloader: ubuntu-http
  url: http://archive.ubuntu.com/ubuntu
  keys:
    - 0x437D05B5
  keyserver: hkp://keyserver.ubuntu.com
```
But I keep getting the error: Error: Error while downloading source: Failed to verify:
I tried adding the ubuntu-keyrings-package.pgp to my ubuntu host pgp and managed to get the key id (the one under keys) from the fingerprint but still not able to verify.
When trying to use http://keyserver... and https://keyserver... I instead get the error:
```
Error: Error while downloading source: Failed to run: gpg --homedir /tmp/distrobuilder.807347396 --keyserver https://keyserver.ubuntu.com --recv-keys 0x437D05B5: gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```
My guess is that it has something to do with not using the correct keys for the release that I’m after but I haven’t been able to find out how I can find what key to use.
Anybody have any idea how to find the correct key or if there is any other issue?
GPG can be a bit annoying sometimes, an alternative is to include the entire gpg key in the yaml as we do for our production ones (see https://github.com/lxc/lxc-ci).
Thanks for answering! Yes, I think that you have to use either hkp, or hkps seems to work as well, if the particular installation is not configured in another way. They are the defined schemes according to the gpg man docs, specifically:
The format of the name is a URI: ‘scheme:[//]keyservername[:port]’ The scheme is the type of keyserver: “hkp” for the HTTP (or compatible) keyservers, “ldap” for the LDAP keyservers, or “mailto” for the Graff email keyserver. Note that your particular installation of GnuPG may have other keyserver types available as well.
Did a verification trial to see that I had the keys: `gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS`
From there I got the fingerprints which I added to the keys: label.
I then encountered the error:
Error: Error while downloading source: Error downloading Ubuntu image: Error while downloading checksum: Could not find checksum
Read through the source code of distrobuilder and found that if the variant: is not core but default and the release: on the image: is specified with numbers the ubuntu-http downloader will look in the ubuntu-base directory of the specified url to get the SHA256SUMS for verification when using an http address. So changed the url to http://cdimage.ubuntu.com/ubuntu-base
Configuration that now works:
```yaml
image:
  description: |-
    An image to host a webserver
  distribution: "ubuntu"
  architecture: amd64
  release: 18.04.3

source:
  downloader: ubuntu-http
  url: http://cdimage.ubuntu.com/ubuntu-base
  keys:
    - 0x46181433FBB75451
    - 0xD94AA3F0EFE21092
  keyserver: hkps://keyserver.ubuntu.com
```
Suppose the SHA256SUMS and SHA256SUMS.gpg should really be downloaded from http://cdimage.ubuntu.com/ubuntu-base/releases/18.04/release/ but they seem to be pointing at the same keys.
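The checksum step discussed in the post above, as an added example that is not part of the thread and not distrobuilder's own code: it looks up a file name in a SHA256SUMS file and separates "no entry for that name" from "entry present but hash differs". The file names and tarball bytes are constructed, and the sketch assumes the SHA256SUMS content has already passed `gpg --verify` against SHA256SUMS.gpg.

```python
import hashlib
import hmac
import re

# Constructed sample, not real Ubuntu data: the bytes and the file names are
# made up to resemble an ubuntu-base release directory.
SAMPLE_TARBALL = b"constructed ubuntu-base rootfs bytes"
SAMPLE_SUMS = (
    f"{hashlib.sha256(SAMPLE_TARBALL).hexdigest()} *ubuntu-base-18.04.3-base-amd64.tar.gz\n"
    f"{'0' * 64} *ubuntu-base-18.04.3-base-arm64.tar.gz\n"
)

# sha256sum line format: 64 hex digits, a space, a mode marker
# (' ' for text, '*' for binary), then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text):
    """Map file name -> lowercase hex digest for each well-formed line."""
    sums = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify(sums_text, fname, data):
    """Return 'ok', 'mismatch', or 'missing' (no entry for fname)."""
    expected = parse_sha256sums(sums_text).get(fname)
    if expected is None:
        # The list does not cover this file at all, e.g. because the URL
        # points at a directory holding a different set of artifacts.
        return "missing"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    for name in ("ubuntu-base-18.04.3-base-amd64.tar.gz",
                 "ubuntu-base-18.04.3-base-arm64.tar.gz",
                 "some-other-image-amd64.tar.xz"):
        print(name, "->", verify(SAMPLE_SUMS, name, SAMPLE_TARBALL))
```

A "missing" result means the signed list says nothing about the file, so the download should be rejected, not accepted unverified.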
Thanks for reporting back about your problem. Just for the sake of completeness, if you replace hkps by hkp with everything else unchanged, can you reproduce the initial problem? If yes, that should probably be an issue for distrobuilder on GitHub.