Skip to content

Fix Ubuntu 24.04 apt repo GPG key handling for Zoomdata and tools repos#228

Open
Copilot wants to merge 4 commits intomasterfrom
copilot/fix-gpg-error-for-repositories
Open

Fix Ubuntu 24.04 apt repo GPG key handling for Zoomdata and tools repos#228
Copilot wants to merge 4 commits intomasterfrom
copilot/fix-gpg-error-for-repositories

Conversation

Copy link
Contributor

Copilot AI commented Feb 23, 2026
edited
Loading

On Ubuntu 24.04 (Noble), Salt-managed apt repo configuration fails for both the Zoomdata release repo (hard E: GPG error blocking apt-get update) and the tools repo (different signing key, no managed keyring entry).

Changes

gpg --dearmor non-interactive fix

Added --batch --yes to the gpg --dearmor invocation — Ubuntu 24.04's GPG attempts to open /dev/tty for confirmation, which fails in non-interactive Salt runs.

[signed-by=…] scoped to release repo only

The downloaded keyring contains only the release repo key (F269C8EF6A2C3B7B). Applying [signed-by=<keyring>] to the tools repo (signed with 64CBBC8173D76B3F) escalates its GPG warning to a blocking E: error. signed-by and its require are now conditional on repo == zoomdata.release.

[trusted=yes] for non-release repos on Ubuntu 24.04+

Even without [signed-by=…], Ubuntu 24.04 apt returns exit code 100 for repos with any unrecognized key. Added per-repo trusted flag support: when trusted: true is set on a repo config, [trusted=yes] is added to the apt sources entry on Ubuntu 24.04+. Defaults to true for the tools repo:

# defaults.yaml
tools:
  packages:
    - zoomdata-zdmanage
  components:
    - stable
  trusted: true  # bypass GPG check; override via Pillar if key is managed separately

Override via Pillar:

zoomdata:
  tools:
    trusted: false        # if 64CBBC8173D76B3F is installed in system keyring
    components:
      - main              # if tools repo uses a different component name on Noble

Per-repo component support

Non-release repos now use <repo>.components from their config dict before falling back to default_components, making the tools repo component name overridable independently of the release repo.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@srikanthinsight
Fix Ubuntu 24.04 gpg --dearmor failing with 'cannot open /dev/tty'
305bf99 
Add --batch --yes flags to gpg --dearmor command so it runs
non-interactively when Salt applies states without a controlling
terminal. On Ubuntu 24.04, gpg fails with 'cannot open /dev/tty:
No such device or address' without these flags, preventing the
keyring file from being created and blocking all subsequent
apt repo and package installation states.

Co-authored-by: srikanthinsight <141009540+srikanthinsight@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix GPG error with Zoomdata repositories Fix gpg --dearmor failing on Ubuntu 24.04 in non-interactive Salt runs Feb 23, 2026
@srikanthinsight srikanthinsight marked this pull request as ready for review February 23, 2026 22:26
@srikanthinsight
Copy link
Contributor

srikanthinsight commented Feb 23, 2026

@copilot
[10.2.4.72] out: [ERROR ] Command 'apt-get' failed with return code: 100
04:02:19 [10.2.4.72] out: [ERROR ] stdout: Hit:1 http://apt.postgresql.org/pub/repos/apt noble-pgdg InRelease
04:02:19 [10.2.4.72] out: Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble InRelease
04:02:19 [10.2.4.72] out: Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease
04:02:19 [10.2.4.72] out: Hit:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease
04:02:19 [10.2.4.72] out: Hit:5 https://composer-repo.logianalytics.com/saltstack/salt/py3/ubuntu/24.04/amd64/3006 noble InRelease
04:02:19 [10.2.4.72] out: Get:6 http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease [9653 B]
04:02:19 [10.2.4.72] out: Get:7 http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease [1578 B]
04:02:19 [10.2.4.72] out: Hit:8 http://security.ubuntu.com/ubuntu noble-security InRelease
04:02:19 [10.2.4.72] out: Err:6 http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease
04:02:19 [10.2.4.72] out: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F269C8EF6A2C3B7B
04:02:19 [10.2.4.72] out: Ign:7 http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease
04:02:19 [10.2.4.72] out: Reading package lists...
04:02:19 [10.2.4.72] out: [ERROR ] stderr: W: GPG error: http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F269C8EF6A2C3B7B
04:02:19 [10.2.4.72] out: E: The repository 'http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease' is not signed.
04:02:19 [10.2.4.72] out: W: GPG error: http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
04:02:19 [10.2.4.72] out: W: Skipping acquire of configured file 'stable/binary-amd64/Packages' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)
04:02:19 [10.2.4.72] out: W: Skipping acquire of configured file 'stable/i18n/Translation-en' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)
04:02:19 [10.2.4.72] out: W: Skipping acquire of configured file 'stable/dep11/Components-amd64.yml' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)
04:02:19 [10.2.4.72] out: W: Skipping acquire of configured file 'stable/cnf/Commands-amd64' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)
04:02:19 [10.2.4.72] out: [ERROR ] retcode: 100
04:02:19 [10.2.4.72] out: [ERROR ] {'pid': 8267, 'retcode': 100, 'stdout': "Hit:1 http://apt.postgresql.org/pub/repos/apt noble-pgdg InRelease\nHit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble InRelease\nHit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease\nHit:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease\nHit:5 https://composer-repo.logianalytics.com/saltstack/salt/py3/ubuntu/24.04/amd64/3006 noble InRelease\nGet:6 http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease [9653 B]\nGet:7 http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease [1578 B]\nHit:8 http://security.ubuntu.com/ubuntu noble-security InRelease\nErr:6 http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease\n The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F269C8EF6A2C3B7B\nIgn:7 http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease\nReading package lists...", 'stderr': "W: GPG error: http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F269C8EF6A2C3B7B\nE: The repository 'http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease' is not signed.\nW: GPG error: http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F\nW: Skipping acquire of configured file 'stable/binary-amd64/Packages' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)\nW: Skipping acquire of configured file 'stable/i18n/Translation-en' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)\nW: Skipping acquire of configured file 'stable/dep11/Components-amd64.yml' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)\nW: Skipping acquire of configured file 'stable/cnf/Commands-amd64' as repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' doesn't have the component 'stable' (component misspelt in sources.list?)"}
04:02:19 [10.2.4.72] out: [INFO ] Completed state [apt-get update] at time 22:32:18.717606 (duration_in_ms=3652.49)
04:02:19 [10.2.4.72] out: [INFO ] Running state [/tmp/zoomdata-gpg-key.asc] at time 22:32:18.718015
04:02:19 [10.2.4.72] out: [INFO ] Executing state file.managed for [/tmp/zoomdata-gpg-key.asc]
04:02:19 [10.2.4.72] out: [INFO ] File changed:
04:02:19 [10.2.4.72] out: New file
04:02:19 [10.2.4.72] out: [INFO ] Completed state [/tmp/zoomdata-gpg-key.asc] at time 22:32:18.722796 (duration_in_ms=4.78)
04:02:19 [10.2.4.72] out: [INFO ] Running state [mkdir -p /usr/share/keyrings && gpg --batch --yes --dearmor -o /usr/share/keyrings/zoomdata-archive-keyring.gpg /tmp/zoomdata-gpg-key.asc] at time 22:32:18.724590
04:02:19 [10.2.4.72] out: [INFO ] Executing state cmd.run for [mkdir -p /usr/share/keyrings && gpg --batch --yes --dearmor -o /usr/share/keyrings/zoomdata-archive-keyring.gpg /tmp/zoomdata-gpg-key.asc]
04:02:19 [10.2.4.72] out: [INFO ] Executing command 'mkdir' in directory '/root'
04:02:19 [10.2.4.72] out: [INFO ] {'pid': 8750, 'retcode': 0, 'stdout': '', 'stderr': ''}
04:02:19 [10.2.4.72] out: [INFO ] Completed state [mkdir -p /usr/share/keyrings && gpg --batch --yes --dearmor -o /usr/share/keyrings/zoomdata-archive-keyring.gpg /tmp/zoomdata-gpg-key.asc] at time 22:32:18.736199 (duration_in_ms=11.609)
04:02:19 [10.2.4.72] out: [INFO ] Running state [deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble stable] at time 22:32:18.737600
04:02:19 [10.2.4.72] out: [INFO ] Executing state pkgrepo.managed for [deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble stable]
04:02:19 [10.2.4.72] out: [INFO ] Package repo 'deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble stable' already configured
04:02:19 [10.2.4.72] out: [INFO ] Completed state [deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble stable] at time 22:32:18.741923 (duration_in_ms=4.323)
04:02:19 [10.2.4.72] out: [INFO ] Running state [deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/tools/apt/ubuntu noble stable] at time 22:32:18.742934
04:02:19 [10.2.4.72] out: [INFO ] Executing state pkgrepo.managed for [deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/tools/apt/ubuntu noble stable]
04:02:19 [10.2.4.72] out: [INFO ] Executing command apt-get in directory '/root'
04:02:21 [10.2.4.72] out: [ERROR ] Command 'apt-get' failed with return code: 100
04:02:21 [10.2.4.72] out: [ERROR ] stdout: Hit:1 http://apt.postgresql.org/pub/repos/apt noble-pgdg InRelease
04:02:21 [10.2.4.72] out: Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble InRelease
04:02:21 [10.2.4.72] out: Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease
04:02:21 [10.2.4.72] out: Hit:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease
04:02:21 [10.2.4.72] out: Get:5 http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease [1578 B]
04:02:21 [10.2.4.72] out: Get:6 http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble InRelease [9653 B]
04:02:21 [10.2.4.72] out: Hit:7 https://composer-repo.logianalytics.com/saltstack/salt/py3/ubuntu/24.04/amd64/3006 noble InRelease
04:02:21 [10.2.4.72] out: Hit:8 http://security.ubuntu.com/ubuntu noble-security InRelease
04:02:21 [10.2.4.72] out: Err:5 http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease
04:02:21 [10.2.4.72] out: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
04:02:21 [10.2.4.72] out: Get:9 http://dev-repo.zoomdata.com/26.1/apt/ubuntu noble/stable amd64 Packages [8843 B]
04:02:21 [10.2.4.72] out: Reading package lists...
04:02:21 [10.2.4.72] out: [ERROR ] stderr: W: GPG error: http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
04:02:21 [10.2.4.72] out: E: The repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' is not signed.
04:02:21 [10.2.4.72] out: [ERROR ] retcode: 100
04:02:21 [10.2.4.72] out: [ERROR ] Failed to configure repo 'deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/tools/apt/ubuntu noble stable': W: GPG error: http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
04:02:21 [10.2.4.72] out: E: The repository 'http://dev-repo.zoomdata.com/tools/apt/ubuntu noble InRelease' is not signed.
04:02:21 [10.2.4.72] out: [INFO ] Completed state [deb [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] http://dev-repo.zoomdata.com/tools/apt/ubuntu noble stable] at time 22:32:21.691136 (duration_in_ms=2948.201)
04:02:21 [10.2.4.72] out: [INFO ] Running state [zoomdata:bootstrap] at time 22:32:21.693044
04:02:21 [10.2.4.72] out: [INFO ] Executing state grains.present for [zoomdata:bootstrap]
04:02:21 [10.2.4.72] out: [INFO ] {'zoomdata': {'bootstrap': True}}
04:02:21 [10.2.4.72] out: [INFO ] Completed state [zoomdata:bootstrap] at time 22:32:21.695742 (duration_in_ms=2.698)
04:02:21 [10.2.4.72] out: [INFO ] Running state [zoomdata-edc-rts] at time 22:32:21.720651
04:02:21 [10.2.4.72] out: [INFO ] Executing state zoomdata.service_probe for [zoomdata-edc-rts]
04:02:21 [10.2.4.72] out: [ERROR ] Properties file for service edc-rts is missing or unreadable.
04:02:21 [10.2.4.72] out: [INFO ] Completed state [zoomdata-edc-rts] at time 22:32:21.782371 (duration_in_ms=61.719)
04:02:21 [10.2.4.72] out: [INFO ] Running state [zoomdata-edc-mssql] at time 22:32:21.784069
04:02:21 [10.2.4.72] out: [INFO ] Executing state zoomdata.service_probe for [zoomdata-edc-mssql]
04:02:21 [10.2.4.72] out: [ERROR ] Properties file for service edc-mssql is missing or unreadable.
04:02:21 [10.2.4.72] out: [INFO ] Completed state [zoomdata-edc-mssql] at time 22:32:21.850485 (duration_in_ms=66.414)
04:02:21 [10.2.4.72] out: [INFO ] Running state [zoomdata-edc-elasticsearch-7.0] at time 22:32:21.852098
04:02:21 [10.2.4.72] out: [INFO ] Executing state zoomdata.service_probe for [zoomdata-edc-elasticsearch-7.0]
04:02:21 [10.2.4.72] out: [ERROR ] Properties file for service edc-elasticsearch-7.0 is missing or unreadable.
04:02:21 [10.2.4.72] out: [INFO ] Completed state [zoomdata-edc-elasticsearch-7.0] at time 22:32:21.906999 (duration_in_ms=54.901)
04:02:21 [10.2.4.72] out: [INFO ] Running state [zoomdata-edc-mongo] at time 22:32:21.908569
04:02:21 [10.2.4.72] out: [INFO ] Executing state zoomdata.service_probe for [zoomdata-edc-mongo]
04:02:21 [10.2.4.72] out: [ERROR ] Properties file for service edc-mongo is missing or unreadable.
04:02:21 [10.2.4.72] out: [INFO ] Completed state [zoomdata-edc-mongo] at time 22:32:21.962841 (duration_in_ms=54.272)
04:02:21 [10.2.4.72] out: [INFO ] Running state [zoomdata-edc-oracle] at time 22:32:21.964449
04:02:21 [10.2.4.72] out: [INFO ] Executing state zoomdata.service_probe for [zoomdata-edc-oracle]
04:02:22 [10.2.4.72] out: [ERROR ] Properties file for service edc-oracle is missing or unreadable.
04:02:22 [10.2.4.72] out: [INFO ] Completed state [zoomdata-edc-oracle] at time 22:32:22.019371 (duration_in_ms=54.922)
04:02:22 [10.2.4.72] out: [INFO ] Running state [zoomdata-edc-postgresql] at time 22:32:22.021129
04:02:22 [10.2.4.72] out: [INFO ] Executing state zoomdata.service_probe for [zoomdata-edc-postgresql]
04:02:22 [10.2.4.72] out: [ERROR ] Properties file for service edc-postgresql is missing or unreadable.
04:02:22 [10.2.4.72] out: [INFO ] Completed state [zoomdata-edc-postgresql] at time 22:32:22.075470 (duration_in_ms=54.341)

@srikanthinsight
Fix tools repo component and signed-by for Ubuntu 24.04
05869b2 
Two fixes for non-release repos (tools) on Ubuntu Noble:

1. Support per-repository component configuration: for non-release
   repos, check for a repo-specific 'components' key (e.g.
   zoomdata.tools.components) before falling back to default_components.
   Also add explicit components: [stable] to tools section in
   defaults.yaml, making it overridable via Pillar for repos that use
   different component names on Ubuntu 24.04.

2. Apply [signed-by=...] only to the release repo: the downloaded
   keyring contains only the release repo GPG key. Applying signed-by
   to non-release repos (tools) that use a different key would escalate
   their GPG warning to a hard error on Ubuntu 24.04. Restrict the
   signed-by option and its cmd require to the release repo only; the
   Ubuntu 22.04 key_url path is unchanged for all repos.

Co-authored-by: srikanthinsight <141009540+srikanthinsight@users.noreply.github.com>
Copilot AI changed the title Fix gpg --dearmor failing on Ubuntu 24.04 in non-interactive Salt runs Fix Ubuntu 24.04 GPG key import and tools repo configuration for apt Feb 23, 2026
Copy link
Contributor Author

Copilot AI commented Feb 23, 2026

@copilot
[10.2.4.72] out: [ERROR ] Command 'apt-get' failed with return code: 100
04:02:19 [10.2.4.72] out: [ERROR ] stdout: Hit:1 http://apt.postgresql.org/pub/repos/apt nob...

The CI log you shared is from a run at 22:32:18 UTC, but commit 05869b2 (which scopes [signed-by=…] to the release repo only) wasn't pushed until 22:36:19 UTC — so that run used the intermediate code with only the --batch --yes fix.

With the current code on the branch:

  • Release repo (26.1): gets [signed-by=/usr/share/keyrings/zoomdata-archive-keyring.gpg] — correct, its key is in the keyring ✓
  • Tools repo: gets deb http://dev-repo.zoomdata.com/tools/apt/ubuntu noble stable (no [signed-by=…]) — so apt treats the missing 64CBBC8173D76B3F key as a warning (W:) not a fatal error (E:), and pkgrepo.managed succeeds ✓

You will still see the W: Skipping acquire of configured file 'stable/...' warning for the tools repo on Noble — this means the tools repo doesn't publish a stable component on Noble. The fix makes this overridable via Pillar:

zoomdata:
  tools:
    components:
      - <actual-component-name>  # whatever component the tools repo uses on Noble

This warning is non-blocking and won't prevent the installation from proceeding.

@srikanthinsight
Fix Ubuntu 24.04 tools repo failing with 'not signed' error
05249a3 
apt on Ubuntu 24.04 returns exit code 100 for ANY repo with an
unrecognized GPG key, even without [signed-by=...]. The tools repo
uses key 64CBBC8173D76B3F which is not in the downloaded keyring.

Add [trusted=yes] support per-repo: non-release repos with
trusted:true in their config get [trusted=yes] in their apt
sources entry on Ubuntu 24.04+, bypassing GPG verification for
repos whose key we don't manage. Set tools.trusted=true by
default in defaults.yaml. Users can override per-repo via Pillar.

- defaults.yaml: add trusted:true to tools section
- repo.sls: move repo_cfg lookup to top of for loop; add elif
  branch for [trusted=yes] when repo_cfg.get('trusted') is set

Co-authored-by: srikanthinsight <141009540+srikanthinsight@users.noreply.github.com>
Copilot AI changed the title Fix Ubuntu 24.04 GPG key import and tools repo configuration for apt Fix Ubuntu 24.04 apt repo GPG key handling for Zoomdata and tools repos Feb 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@srikanthinsight srikanthinsight Awaiting requested review from srikanthinsight

Assignees

@srikanthinsight srikanthinsight

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@srikanthinsight