
add-google-cloud-ops-agent-repo.sh pushes key to deprecated apt-key trusted.gpg keystore #1132

Open
sbconslt opened this issue Feb 27, 2023 · 22 comments
Labels
feature New feature or request

Comments

@sbconslt

sbconslt commented Feb 27, 2023

add-google-cloud-ops-agent-repo.sh as currently delivered invokes apt-key add - to store the gpg key for package signing, which stores the key to /etc/apt/trusted.gpg, a deprecated procedure.

Newly on Ubuntu 22.04, the presence of this signing key in this location throws a deprecation Warning during apt-get update. This is a risk to the automated orchestration of updates. (apt-get update && apt-get dist-upgrade -y that we sometimes emplace, for example, is blocked by it as the first command appears to the shell to not exit 0.)

I produced the following diff of the change that relocates the signing key to its own file /etc/apt/trusted.gpg.d/google-cloud-ops-agent.gpg:

224c224
<         | ${DRY_RUN} apt-key add -
---
>         > /etc/apt/trusted.gpg.d/google-cloud-ops-agent.gpg
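Review bot: the replacement line drops the ${DRY_RUN} prefix that the original "apt-key add -" line carried, so the redirect into /etc/apt/trusted.gpg.d/google-cloud-ops-agent.gpg would write the file even on a dry run; keep the guard, for instance by piping through "${DRY_RUN} tee /etc/apt/trusted.gpg.d/google-cloud-ops-agent.gpg >/dev/null". Two further points on the same line: apt-key add accepted ASCII-armored input, but apt treats a file in trusted.gpg.d as a binary keyring unless it ends in .asc, so if the upstream key is armored it should go through "gpg --dearmor" or be saved with the .asc extension; and any file in trusted.gpg.d is trusted for every configured repository, so placing the keyring under /usr/share/keyrings and referencing it with signed-by= in the sources entry limits the key's trust to this repository.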

I do not locate the add-google-cloud-ops-agent-repo.sh file in this repository, though, so have not formed a PR.

Please consider updating the install scripting accordingly. Thanks.
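The relocation described above, carried one step further as an added example (not the project's add-google-cloud-ops-agent-repo.sh): the key goes into its own keyring file under /usr/share/keyrings and the sources entry pins it with signed-by=, so the key vouches for this repository only rather than for every source, as a file under trusted.gpg.d would. The ROOT prefix, repository URL and key material are constructed for testing.

```shell
#!/bin/sh
# Added example, not the project's add-google-cloud-ops-agent-repo.sh.
# Installs an apt repository signing key without apt-key: the key goes into
# its own keyring file and the sources entry pins it with signed-by=, so the
# key vouches for this repository only instead of every configured source.
# ROOT is a prefix (use "" on a real system; a scratch dir when testing).
set -eu

# install_repo_key NAME KEYFILE ROOT REPO_URL SUITE COMPONENT
# Prints the path of the keyring file it wrote.
install_repo_key() {
  name=$1; keyfile=$2; root=$3; repo=$4; suite=$5; comp=$6
  keyring_dir="$root/usr/share/keyrings"
  sources_dir="$root/etc/apt/sources.list.d"
  mkdir -p "$keyring_dir" "$sources_dir"
  # apt-key add accepted armored and binary keys alike; apt reads a keyring
  # file as binary unless it ends in .asc, so pick the extension from the
  # content rather than mislabelling an armored key as .gpg.
  if head -n 1 "$keyfile" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
    ext=asc
  else
    ext=gpg
  fi
  keyring="$keyring_dir/$name.$ext"
  cp "$keyfile" "$keyring"
  chmod 0644 "$keyring"   # apt needs the keyring world-readable, never writable
  # signed-by= must name the path apt will see, so strip the scratch prefix.
  printf 'deb [signed-by=%s] %s %s %s\n' \
    "${keyring#"$root"}" "$repo" "$suite" "$comp" > "$sources_dir/$name.list"
  printf '%s\n' "$keyring"
}

# legacy_keys_present ROOT
# Succeeds when keys still sit in the deprecated apt-key keystore, which is
# the condition that makes apt-get update on Ubuntu 22.04 emit its warning.
legacy_keys_present() {
  [ -s "$1/etc/apt/trusted.gpg" ]
}
```

Run legacy_keys_present "" on a host to see whether any key still lives in /etc/apt/trusted.gpg before the deprecated store disappears.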

@braydonk braydonk added the feature New feature or request label Mar 16, 2023
@braydonk
Contributor

Hi @sbconslt, we have been tracking this internally and are working on it.

@kakugirai

Hi @braydonk , is there any update on when we might expect to see progress on this feature?

@cjac

cjac commented Aug 5, 2024

I was thinking I would take this one. Can you assign to cjac, plz?


This issue was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Dec 20, 2024
@sbconslt
Author

Closing this issue would be a mistake, because the old apt-key trusted.gpg mechanism will eventually be removed.

@cjac

cjac commented Dec 20, 2024

Can I get this issue assigned to me plz

@cjac

cjac commented Dec 20, 2024

@jefferbrecht - can you get this assigned to me? I've been doing a lot of work on the migration off of apt-key and know how this goes.

@cjac

cjac commented Dec 20, 2024

@cjac

cjac commented Dec 20, 2024

oh, I'll just create a PR

@cjac

cjac commented Dec 20, 2024

Now that I grep the code for 'apt-key' I am finding none. Is this one already solved?

@sbconslt
Author

My patch was as you see in the original comment, just to send the key to /etc/apt/trusted.gpg.d/. The current shipping add-google-cloud-ops-agent-repo.sh still calls apt-key.

@cjac

cjac commented Dec 20, 2024

It looks like the source in the repo is using gpg --dearmor:

cjac@cjac:~/src/github/c9h/ops-agent$ grep -rsi 'dearmor' .
./integration_test/third_party_apps_test/applications/rabbitmq/debian_ubuntu/install:    sudo gpg --dearmor --output /etc/apt/trusted.gpg.d/rabbitmq.gpg
./integration_test/third_party_apps_test/applications/rabbitmq/debian_ubuntu/install:    sudo gpg --dearmor --output /etc/apt/trusted.gpg.d/rabbitmq-hostname.gpg
./integration_test/third_party_apps_test/applications/couchdb/debian_ubuntu/install:curl https://couchdb.apache.org/repo/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/couchdb-archive-keyring.gpg >/dev/null 2>&1
./integration_test/third_party_apps_test/applications/vault/debian_ubuntu/install:  wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null
./integration_test/third_party_apps_test/applications/mongodb/debian_ubuntu/install:        --dearmor
./kokoro/scripts/test/go_test.Dockerfile:RUN wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

@sbconslt
Author

I, like you, found that add-google-cloud-ops-agent-repo.sh is not represented in the repo here. The matches you have above are for other, unrelated repos.

@cjac

cjac commented Dec 20, 2024

@sbconslt
Author

@cjac

cjac commented Dec 20, 2024

Okay, I've opened a bug against that public document to make sure we copy the new version of that script once my PR is merged. Please ping me again if it falls by the wayside again.

@braydonk
Contributor

braydonk commented Dec 20, 2024

That script is not the canonical version; I don't know why that is in that repo. The canonical version is internal (I believe this is for legacy technical reasons). Updating the script in that repo, as far as I know, will have no effect. I have no clue why it's there in the first place.

@cjac, could you please make a CL to the canonical version of the script? I can send you a message and show you where that is.

@braydonk braydonk removed the Stale label Dec 20, 2024
@cjac

cjac commented Dec 21, 2024

Okay, I think the last change will be accepted without prejudice. Will update the downstream GitHub repo nao

@sbconslt
Author

I do not yet find https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh to have been updated, fwiw.

I did see that the PR in the other repo was closed so presumably something was applied somewhere.

@cjac

cjac commented Dec 21, 2024

Yes, I know that it is not yet peer reviewed by code owner and has not reached that url. Please stand by.

@braydonk
Contributor

The script won't be updated at the download link until after the holidays; we're restricted from doing releases of any kind until the new year.

We'll also have to verify that we are able to switch off of apt-key; we tried to make the switch over a year ago and were unable to because it broke customer environments due to conflicts with OSConfig Agent. We'll have to verify that is fixed before we can safely update the script. I hope they'll have fixed that by now, given they are on the same apt-key deprecation removal clock that everyone else is.

Development

No branches or pull requests

4 participants