Distrobuilder source gpg verification keys

Hi!

I’m trying to make a custom image that hosts a web server when a container is started from that image. I’m running the snap distrobuilder on Ubuntu Bionic Beaver. I tried the example from the GitHub README of creating a custom image from the ubuntu.yaml in doc/examples, which worked fine. When building my own image it would be better to use ubuntu-http as a downloader. The start of my yaml file looks as follows:

image:
  description: |-
    An image to host a webserver
  distribution: ubuntu
  architecture: x86_64
  release: "18.04"
    
source:
  downloader: ubuntu-http
  url: http://archive.ubuntu.com/ubuntu
  keys:
    - 0x437D05B5
  keyserver: hkp://keyserver.ubuntu.com

But I keep getting the error:
Error: Error while downloading source: Failed to verify:

I tried adding the ubuntu-keyrings-package.pgp to my Ubuntu host's pgp keyring and managed to get the key id (the one under keys) from the fingerprint, but I was still not able to verify.
When trying to use http://keyserver... and https://keyserver... I instead get the error:

Error: Error while downloading source: Failed to run: gpg --homedir /tmp/distrobuilder.807347396 --keyserver https://keyserver.ubuntu.com --recv-keys 0x437D05B5: gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

My guess is that it has something to do with not using the correct keys for the release that I’m after, but I haven’t been able to find out how I can find what key to use.

Anybody have any idea how to find the correct key or if there is any other issue?

GPG can be a bit annoying sometimes; an alternative is to include the entire gpg key in the yaml as we do for our production ones (see https://github.com/lxc/lxc-ci).

It does not seem likely:

gpg --homedir /tmp --keyserver keyserver.ubuntu.com --recv-keys 0x437D05B5
gpg: key 40976EAF437D05B5: 60 signatures not checked due to missing keys
gpg: clef 40976EAF437D05B5 : « Ubuntu Archive Automatic Signing Key ftpmaster@ubuntu.com » n’est pas modifiée
gpg: Quantité totale traitée : 1
gpg: non modifiées : 1

gpg --homedir /tmp --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x437D05B5
gpg: key 40976EAF437D05B5: 60 signatures not checked due to missing keys
gpg: clef 40976EAF437D05B5 : « Ubuntu Archive Automatic Signing Key ftpmaster@ubuntu.com » n’est pas modifiée
gpg: Quantité totale traitée : 1
gpg: non modifiées : 1

gpg --homedir /tmp --keyserver https://keyserver.ubuntu.com --recv-keys 0x437D05B5
gpg: aucune donnée OpenPGP valable n’a été trouvée.
gpg: Quantité totale traitée : 0

It seems to me that some URL parsing code is trying very hard to secure HTTP connections, even to the point of replacing hkp: by https:

Thank you for your response! That worked as well even though that was not the only issue in this case.

Thanks for answering! Yes, I think that you have to use either hkp or hkps (hkps seems to work as well), if the particular installation is not configured in another way. These are the defined schemes according to the gpg man page, specifically:

The format of the name is a URI: ‘scheme:[//]keyservername[:port]’ The scheme is the type of keyserver: “hkp” for the HTTP (or compatible) keyservers, “ldap” for the LDAP keyservers, or “mailto” for the Graff email keyserver. Note that your particular installation of GnuPG may have other keyserver types available as well.

I first downloaded the SHA256SUMS and SHA256SUMS.gpg from http://cdimage.ubuntu.com/releases/18.04/release/

Did a verification trial to see that I had the keys:
gpg --keyid-format long --verify SHA256SUMS SHA256SUMS.gpg

From there I got the fingerprints, which I added to the keys: label.
I then encountered the error:

Error: Error while downloading source: Error downloading Ubuntu image: Error while downloading checksum: Could not find checksum

I read through the source code of distrobuilder and found that if variant: is not core but default, and release: under image: is specified with numbers, the ubuntu-http downloader will look in the ubuntu-base directory of the specified url to get the SHA256SUMS for verification when using an HTTP address. So I changed the url to http://cdimage.ubuntu.com/ubuntu-base

Configuration that now works:

image:
  description: |-
    An image to host a webserver
  distribution: "ubuntu"
  architecture: amd64
  release: 18.04.3
    
source:
  downloader: ubuntu-http
  url: http://cdimage.ubuntu.com/ubuntu-base
  keys:
    - 0x46181433FBB75451
    - 0xD94AA3F0EFE21092
  keyserver: hkps://keyserver.ubuntu.com

I suppose the SHA256SUMS and SHA256SUMS.gpg should really be downloaded from http://cdimage.ubuntu.com/ubuntu-base/releases/18.04/release/ but they seem to be pointing at the same keys.
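An added example, not distrobuilder's code and not from anyone in this thread: a small Python helper that mirrors the two checks discussed in the post above. It pulls the long key IDs for the `keys:` list out of gpg's machine-readable `--status-fd` lines (GOODSIG/VALIDSIG, cross-checking that each fingerprint ends in its key ID) and looks a tarball up in a SHA256SUMS listing, raising the thread's "Could not find checksum" when the name is absent. The status lines, fingerprints and tarball name are constructed sample data, and gpg_status is an assumed wrapper for running the real verification against a keyring that already holds the keys.

```python
import hashlib
import re
import subprocess

# GOODSIG carries the long key ID + user ID; the VALIDSIG after it carries the 40-hex fingerprint.
GOODSIG = re.compile(r"^\[GNUPG:\] GOODSIG ([0-9A-F]{16}) (.*)$", re.M)
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ", re.M)

# Constructed sample status output: fingerprints are made up except their last 16 hex digits (the thread's key ID).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF01234567D94AA3F0EFE21092 2019-08-08 1565240000 0 4 0 1 10 00 "
    "0123456789ABCDEF01234567D94AA3F0EFE21092\n")
# Constructed SHA256SUMS listing ('<hex> *<name>' lines) for a fake tarball; the file name layout is assumed.
SAMPLE_TARBALL = b"not a real ubuntu-base tarball"
SAMPLE_SUMS = (hashlib.sha256(SAMPLE_TARBALL).hexdigest() + " *ubuntu-base-18.04.3-base-amd64.tar.gz\n"
               + "0" * 64 + " *other.tar.gz\n")

def gpg_status(homedir, signed_file, sig_file):
    """Assumed wrapper: run gpg on a detached signature and return its status lines (keys must be in homedir)."""
    cmd = ["gpg", "--homedir", homedir, "--status-fd", "1", "--verify", sig_file, signed_file]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def signing_keys(status_text):
    """Return (long key ID, fingerprint, user ID) for every good signature, cross-checking the pair."""
    keyids, fprs = GOODSIG.findall(status_text), VALIDSIG.findall(status_text)
    if len(keyids) != len(fprs):
        raise ValueError("GOODSIG/VALIDSIG lines do not pair up")
    out = []
    for (keyid, uid), fpr in zip(keyids, fprs):
        if not fpr.endswith(keyid):  # the long key ID is the low 64 bits of the fingerprint
            raise ValueError(f"fingerprint {fpr} does not end in key ID {keyid}")
        out.append((keyid, fpr, uid))
    return out

def keys_yaml(status_text):
    """Render the entries for distrobuilder's source.keys list (0x + long key ID)."""
    return ["0x" + keyid for keyid, _, _ in signing_keys(status_text)]

def find_checksum(sha256sums, filename):
    """Look a file up in a SHA256SUMS listing; raise the same message the thread reports."""
    for line in sha256sums.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0]
    raise LookupError("Could not find checksum")

def verify_blob(sha256sums, filename, data):  # True when data matches the digest recorded for filename
    return hashlib.sha256(data).hexdigest() == find_checksum(sha256sums, filename)
```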

Thanks for reporting back about your problem. Just for the sake of completeness: if you replace hkps by hkp with everything else unchanged, can you reproduce the initial problem? If yes, that should probably be an issue for distrobuilder on GitHub.

No, using hkp works fine. Using no scheme at all, keyserver.ubuntu.com, also works. But I think that’s interpreted as hkp://

Coming back to your first post, I realize I did not read it carefully enough :frowning:

No worries, it was a pretty long post :slight_smile: