Fix Ubuntu 24.04 NO_PUBKEY: per-repo GPG keyring provisioning

CHANGELOG.rst

@@ -1,5 +1,10 @@
 zoomdata-formula
 ================
+26.1.0 (2026-March-26)
+
+- Ubuntu 24.04 (Noble) support: use modern APT keyring (signed-by + gpg --dearmor),
+  scoped to Ubuntu 24.04 and later; older Ubuntu/Debian systems retain existing behavior
+
 25.4.0 (2025-December-15)
 
 - New quarter release (2025.3) no significant changes

VERSION

@@ -1 +1 @@
-25.4.0
+26.1.0

pillar.example

@@ -26,6 +26,13 @@ zoomdata:
   # URL to the GnuPG public key for the repo/pkgs verification.
   # Put ``None`` or empty string to skip GnuPG check (for internal repos).
   gpgkey: 'https://composer-repo.logianalytics.com/ZOOMDATA-GPG-KEY.pub'
+  # Per-repository GPG key URL overrides (Ubuntu 24.04+).
+  # When a repository uses a different signing key than the global ``gpgkey``,
+  # specify its key URL here keyed by the repository name.
+  # Example:
+  #gpgkeys:
+  #  tools: 'https://dev-repo.zoomdata.com/tools-GPG-KEY.pub'
+  #  '26.1': 'https://dev-repo.zoomdata.com/26.1-GPG-KEY.pub'
   # Repository branch from which the packages would be installed.
   # This would be overridden by ``ZOOMDATA_RELEASE`` environment variable.
   release: '7.5'

zoomdata/defaults.yaml

@@ -12,6 +12,16 @@ zoomdata:
   # Defaults which could be overridden in Pillar
   base_url: 'http://composer-repo.logianalytics.com'
   gpgkey: 'https://composer-repo.logianalytics.com/ZOOMDATA-GPG-KEY.pub'
+  # Per-repository GPG key URL overrides used on Ubuntu 24.04+ (noble and later)
+  # where each repository is verified against its own dedicated keyring file.
+  # Map repository names to their GPG key URLs here when a repository is signed
+  # with a different key than the global ``gpgkey`` above.  Falls back to
+  # ``gpgkey`` for any repository not listed.
+  # Example:
+  #   gpgkeys:
+  #     tools: 'https://example-repo.com/tools-GPG-KEY.pub'
+  #     '26.1': 'https://example-repo.com/26.1-GPG-KEY.pub'
+  gpgkeys: {}
   release: '6.9'
   repositories:
     - tools

zoomdata/osfamily_map.yaml

@@ -25,7 +25,7 @@ Debian:
   repo_entry: 'deb %(base_url)s/%(repo)s/%(repo_type)s/%(os_type)s %(os)s
                %(components)s'
   {% if grains['os'] == 'Ubuntu' and grains['osmajorrelease']|int >= 24 %}
-  repo_keyfile: '/usr/share/keyrings/zoomdata-archive-keyring.gpg'
+  repo_keyfile: '/usr/share/keyrings/zoomdata-%(repo)s-keyring.gpg'
   {% else %}
   repo_keyfile: {{ salt['file.join'](zoomdata.config_dir,
                                      salt['file.basename'](zoomdata.gpgkey)) }}

zoomdata/repo.sls

@@ -24,31 +24,11 @@
 # FIXME: provision and check sum for repo GnuPG pub key
 
   {%- if grains['os_family'] == 'Debian'
-     and zoomdata.gpgkey %}
+     and zoomdata.gpgkey
+     and not use_modern_keyring %}
 
 # FIXME: due to a bug in Salt 2017.7.2,
 # some file downloads and remote hash verifications are broken
-  {%- if use_modern_keyring %}
-
-zoomdata-gpg-key-download:
-  file.managed:
-    - name: /tmp/zoomdata-gpg-key.asc
-    - user: root
-    - group: root
-    - mode: 0644
-    - contents: |
-        {{ salt['http.query'](zoomdata.gpgkey)['body']|indent(8) }}
-
-zoomdata-gpg-key:
-  cmd.run:
-    - name: mkdir -p /usr/share/keyrings && gpg --dearmor -o {{ zoomdata.repo_keyfile }} /tmp/zoomdata-gpg-key.asc
-    - onchanges:
-      - file: zoomdata-gpg-key-download
-    - require:
-      - file: zoomdata-gpg-key-download
-
-  {%- else %}
-
 zoomdata-gpg-key:
   file.managed:
     - name: {{ zoomdata.repo_keyfile }}
@@ -61,8 +41,6 @@ zoomdata-gpg-key:
 
   {%- endif %}
 
-  {%- endif %}
-
 {%- else %}
 
 zoomdata-repo-is-mission:
@@ -90,7 +68,30 @@ zoomdata-repo-is-mission:
     }) %}
 
     {%- if zoomdata.gpgkey and use_modern_keyring %}
-    {%- set _signed_by = '[signed-by=' ~ zoomdata.repo_keyfile ~ '] ' %}
+    {#- Per-repo key URL: use gpgkeys dict if a specific key is configured for
+        this repo, otherwise fall back to the global gpgkey. #}
+    {%- set _repo_keyurl = (zoomdata.gpgkeys|default({}, true)).get(repo, zoomdata.gpgkey) %}
+    {%- set _repo_keyfile = zoomdata.repo_keyfile|format(**zoomdata) %}
+    {%- set _signed_by = '[signed-by=' ~ _repo_keyfile ~ '] ' %}
+
+zoomdata-gpg-key-download-{{ repo }}:
+  file.managed:
+    - name: /tmp/zoomdata-{{ repo }}-gpg-key.asc
+    - user: root
+    - group: root
+    - mode: 0644
+    - contents: |
+        {{ salt['http.query'](_repo_keyurl)['body']|indent(8) }}
+
+zoomdata-gpg-key-{{ repo }}:
+  cmd.run:
+    - name: mkdir -p /usr/share/keyrings && gpg --dearmor -o {{ _repo_keyfile }} /tmp/zoomdata-{{ repo }}-gpg-key.asc
+    - creates: {{ _repo_keyfile }}
+    - onchanges:
+      - file: zoomdata-gpg-key-download-{{ repo }}
+    - require:
+      - file: zoomdata-gpg-key-download-{{ repo }}
+
     {%- else %}
     {%- set _signed_by = '' %}
     {%- endif %}
@@ -103,7 +104,7 @@ zoomdata-repo-is-mission:
     {%- if zoomdata.gpgkey %}
     {%- if use_modern_keyring %}
     - require:
-      - cmd: zoomdata-gpg-key
+      - cmd: zoomdata-gpg-key-{{ repo }}
     {%- else %}
     - key_url: file://{{ zoomdata.repo_keyfile }}
     - require: