9

I'm using Salt (SaltStack) to install packages on Ubuntu 18.04. I want to install a formula for docker, for example. When I apply the docker state, I get an error that a package can't be installed, because the package repository that is used in the formula isn't signed.

ID: docker package
Function: pkg.installed
Name: docker-engine
Result: False
Comment: An error was encountered while installing package(s): E: Failed to fetch https://apt.dockerproject.org/repo/dists/ubuntu-bionic/InRelease  403  Forbidden [IP: 13.33.98.216 443]
              E: The repository 'https://apt.dockerproject.org/repo ubuntu-bionic InRelease' is not signed.

The same happens when I'm using another formula.

I found out that if I installed a package manually from the command line, I would use the --allow-unauthenticated option.

But what is the way to solve this issue while using Salt and salt-formulas? How can I install a package from an unsigned repository?

Sufiyan Ghori
Vitali Plagov

2 Answers

2

Disabling package verification is a very bad idea in any scenario. The Docker repository is perfectly compliant with Ubuntu package signing standards and publishes a GPG key to verify them. It can be added to the system manually:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

But this is not the primary problem here. The problem is that the Salt rule you're referring to is outdated and sets an incorrect Docker repo URL. In the recent installation script they've changed it from https://apt.dockerproject.org/repo to https://download.docker.com/linux/ubuntu/, and while the old mirror seems to be working, the signature files for new releases don't seem to be available there, which confuses apt.

So using Ansible (sorry, I don't know Salt):

- apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg

- apt_repository:
    repo: 'deb https://download.docker.com/linux/ubuntu/ bionic stable'

- apt: name=docker-ce
kravietz
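
A Salt counterpart to the Ansible tasks in the answer above, as an added example that is not part of the original answer or of any published formula. The state IDs and the sources.list.d file name are assumptions chosen for illustration; the repository line and key URL are the ones given in the answer.

```yaml
# Added example: Salt states mirroring the Ansible tasks above.
# State IDs and the .list file name are illustrative assumptions.

docker-repo:
  pkgrepo.managed:
    - humanname: Docker CE
    # Same repository line as in the Ansible example.
    - name: deb https://download.docker.com/linux/ubuntu/ bionic stable
    - file: /etc/apt/sources.list.d/docker.list
    # Salt downloads this key and adds it to apt's trusted keys, so apt
    # can verify the repository's signed release metadata.
    - key_url: https://download.docker.com/linux/ubuntu/gpg

docker-ce:
  pkg.installed:
    # skip_verify is deliberately not set: signature checking stays on.
    - require:
      - pkgrepo: docker-repo
```

The `require` makes the package install wait until the repository and its key are in place, so apt never sees the repository without a trusted key.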
1

You can use skip_verify to avoid the GPG verification check (e.g., --allow-unauthenticated, or --force-bad-verify):

httpd:
  pkg.installed:
    - fromrepo: mycustomrepo
    - skip_verify: True
Sufiyan Ghori