From 88fe019bdc1de8b1a0389b7ffa9282350261f3af Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:12:44 +0000 Subject: [PATCH 1/4] Initial plan From 305bf990adcddfdcbfebacc4ff552a3448cee198 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:19:18 +0000 Subject: [PATCH 2/4] Fix Ubuntu 24.04 gpg --dearmor failing with 'cannot open /dev/tty' Add --batch --yes flags to gpg --dearmor command so it runs non-interactively when Salt applies states without a controlling terminal. On Ubuntu 24.04, gpg fails with 'cannot open /dev/tty: No such device or address' without these flags, preventing the keyring file from being created and blocking all subsequent apt repo and package installation states. Co-authored-by: srikanthinsight <141009540+srikanthinsight@users.noreply.github.com> --- zoomdata/repo.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zoomdata/repo.sls b/zoomdata/repo.sls index b008581..e9e3fcc 100644 --- a/zoomdata/repo.sls +++ b/zoomdata/repo.sls @@ -41,7 +41,7 @@ zoomdata-gpg-key-download: zoomdata-gpg-key: cmd.run: - - name: mkdir -p /usr/share/keyrings && gpg --dearmor -o {{ zoomdata.repo_keyfile }} /tmp/zoomdata-gpg-key.asc + - name: mkdir -p /usr/share/keyrings && gpg --batch --yes --dearmor -o {{ zoomdata.repo_keyfile }} /tmp/zoomdata-gpg-key.asc - onchanges: - file: zoomdata-gpg-key-download - require: From 05869b2fa36067519338ca3af51b2ebbfb88e29c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:36:19 +0000 Subject: [PATCH 3/4] Fix tools repo component and signed-by for Ubuntu 24.04 Two fixes for non-release repos (tools) on Ubuntu Noble: 1. Support per-repository component configuration: for non-release repos, check for a repo-specific 'components' key (e.g. zoomdata.tools.components) before falling back to default_components. Also add explicit components: [stable] to tools section in defaults.yaml, making it overridable via Pillar for repos that use different component names on Ubuntu 24.04. 2. Apply [signed-by=...] only to the release repo: the downloaded keyring contains only the release repo GPG key. Applying signed-by to non-release repos (tools) that use a different key would escalate their GPG warning to a hard error on Ubuntu 24.04. Restrict the signed-by option and its cmd require to the release repo only; the Ubuntu 22.04 key_url path is unchanged for all repos. Co-authored-by: srikanthinsight <141009540+srikanthinsight@users.noreply.github.com> --- zoomdata/defaults.yaml | 2 ++ zoomdata/repo.sls | 19 ++++++++++++++----- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/zoomdata/defaults.yaml b/zoomdata/defaults.yaml index 7251e23..30f5d24 100644 --- a/zoomdata/defaults.yaml +++ b/zoomdata/defaults.yaml @@ -71,6 +71,8 @@ zoomdata: tools: packages: - zoomdata-zdmanage + components: + - stable # Comment added to each file modified by the formula header: | diff --git a/zoomdata/repo.sls b/zoomdata/repo.sls index e9e3fcc..19f9cbc 100644 --- a/zoomdata/repo.sls +++ b/zoomdata/repo.sls @@ -74,11 +74,18 @@ zoomdata-repo-is-mission: {%- endif %} {%- for repo in repositories %} - {#- Populate configured components only for release repo #} + {#- Populate configured components only for release repo. + For non-release repos (e.g. tools), use their own components + if configured, otherwise fall back to the global default. #} {%- if repo == zoomdata.release %} {%- set components = zoomdata.components %} {%- else %} - {%- set components = default_components %} + {%- set repo_cfg = zoomdata.get(repo) %} + {%- if repo_cfg is mapping and repo_cfg.get('components') %} + {%- set components = repo_cfg['components'] %} + {%- else %} + {%- set components = default_components %} + {%- endif %} {%- endif %} {%- if grains['os_family'] == 'Debian' %} @@ -89,7 +96,9 @@ zoomdata-repo-is-mission: 'components': components|join(' '), }) %} - {%- if zoomdata.gpgkey and use_modern_keyring %} + {#- Apply signed-by only for the release repo whose GPG key is in the keyring. + Non-release repos (e.g. tools) may be signed with a different key. #} + {%- if zoomdata.gpgkey and use_modern_keyring and repo == zoomdata.release %} {%- set _signed_by = '[signed-by=' ~ zoomdata.repo_keyfile ~ '] ' %} {%- else %} {%- set _signed_by = '' %} @@ -101,10 +110,10 @@ zoomdata-repo-is-mission: - file: {{ zoomdata.repo_file|format(**zoomdata) }} - clean_file: True {%- if zoomdata.gpgkey %} - {%- if use_modern_keyring %} + {%- if use_modern_keyring and repo == zoomdata.release %} - require: - cmd: zoomdata-gpg-key - {%- else %} + {%- elif not use_modern_keyring %} - key_url: file://{{ zoomdata.repo_keyfile }} - require: - file: zoomdata-gpg-key From 05249a3f6e3a1ec902b3f17e130fcf59094f3126 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:54:58 +0000 Subject: [PATCH 4/4] Fix Ubuntu 24.04 tools repo failing with 'not signed' error apt on Ubuntu 24.04 returns exit code 100 for ANY repo with an unrecognized GPG key, even without [signed-by=...]. The tools repo uses key 64CBBC8173D76B3F which is not in the downloaded keyring. Add [trusted=yes] support per-repo: non-release repos with trusted:true in their config get [trusted=yes] in their apt sources entry on Ubuntu 24.04+, bypassing GPG verification for repos whose key we don't manage. Set tools.trusted=true by default in defaults.yaml. Users can override per-repo via Pillar. - defaults.yaml: add trusted:true to tools section - repo.sls: move repo_cfg lookup to top of for loop; add elif branch for [trusted=yes] when repo_cfg.get('trusted') is set Co-authored-by: srikanthinsight <141009540+srikanthinsight@users.noreply.github.com> --- zoomdata/defaults.yaml | 1 + zoomdata/repo.sls | 14 +++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/zoomdata/defaults.yaml b/zoomdata/defaults.yaml index 30f5d24..7ff7e2b 100644 --- a/zoomdata/defaults.yaml +++ b/zoomdata/defaults.yaml @@ -73,6 +73,7 @@ zoomdata: - zoomdata-zdmanage components: - stable + trusted: true # Comment added to each file modified by the formula header: | diff --git a/zoomdata/repo.sls b/zoomdata/repo.sls index 19f9cbc..a1a4e5a 100644 --- a/zoomdata/repo.sls +++ b/zoomdata/repo.sls @@ -74,13 +74,16 @@ zoomdata-repo-is-mission: {%- endif %} {%- for repo in repositories %} + {#- Look up per-repo configuration dict (e.g. zoomdata.tools) for this repo. + The release repo itself is not a dict key so falls back to an empty dict. #} + {%- set repo_cfg = zoomdata.get(repo, {}) %} + {#- Populate configured components only for release repo. For non-release repos (e.g. tools), use their own components if configured, otherwise fall back to the global default. #} {%- if repo == zoomdata.release %} {%- set components = zoomdata.components %} {%- else %} - {%- set repo_cfg = zoomdata.get(repo) %} {%- if repo_cfg is mapping and repo_cfg.get('components') %} {%- set components = repo_cfg['components'] %} {%- else %} @@ -96,10 +99,15 @@ zoomdata-repo-is-mission: 'components': components|join(' '), }) %} - {#- Apply signed-by only for the release repo whose GPG key is in the keyring. - Non-release repos (e.g. tools) may be signed with a different key. #} + {#- Build the apt options string for this repo entry: + - Release repo on Ubuntu 24.04+: use [signed-by=...] with downloaded keyring. + - Non-release repo on Ubuntu 24.04+ with trusted:true: use [trusted=yes] to + allow repos signed with a different key not in the keyring (e.g. tools). + - Otherwise: no options (Ubuntu 22.04 uses key_url instead). #} {%- if zoomdata.gpgkey and use_modern_keyring and repo == zoomdata.release %} {%- set _signed_by = '[signed-by=' ~ zoomdata.repo_keyfile ~ '] ' %} + {%- elif use_modern_keyring and repo_cfg is mapping and repo_cfg.get('trusted') %} + {%- set _signed_by = '[trusted=yes] ' %} {%- else %} {%- set _signed_by = '' %} {%- endif %}