[MDEV-20654] Repo Configuration Tool failing on Ubuntu 16.04 LTS (Xenial)
Created: 2019-09-23
Updated: 2020-08-25
Resolved: 2019-10-01

Status: Closed
Project: MariaDB Server
Component/s: Configuration, Packaging
Affects Version/s: 10.3.18, 10.4.8
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Juan
Assignee: Daniel Bartholomew
Resolution: Fixed
Votes: 0
Labels: None
Environment: Ubuntu Xenial (16.04 LTS)



 Description   

Running repo configuration fails:

root@Ubuntu-1604-164:~# curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=mariadb-10.4
[info] Repository file successfully written to /etc/apt/sources.list.d/mariadb.list
[info] Adding trusted package signing keys...
Executing: /tmp/tmp.WgLyivN1lu/gpg.1.sh --keyserver
hkp://keys.gnupg.net:80
--recv-keys
0x8167EE24
0xE3C94F49
0xcbcb082a1bb943db
0xf1656f24c74cd1d8
0x135659e928c12247
gpg: requesting key 8167EE24 from hkp server keys.gnupg.net
gpg: requesting key E3C94F49 from hkp server keys.gnupg.net
gpg: requesting key 1BB943DB from hkp server keys.gnupg.net
gpg: requesting key C74CD1D8 from hkp server keys.gnupg.net
gpg: requesting key 28C12247 from hkp server keys.gnupg.net
gpg: key 8167EE24: public key "MariaDBManager" imported
gpg: key E3C94F49: public key "MariaDB Enterprise Signing Key <signing-key@mariadb.com>" imported
gpgkeys: key 135659E928C12247 can't be retrieved
gpg: key 1BB943DB: public key "MariaDB Package Signing Key <package-signing-key@mariadb.org>" imported
gpg: key C74CD1D8: public key "MariaDB Signing Key <signing-key@mariadb.org>" imported
gpg: Total number processed: 4
gpg:               imported: 4  (RSA: 3)
gpg: keyserver communications error: keyserver helper general error
gpg: keyserver communications error: unknown pubkey algorithm
gpg: keyserver receive failed: unknown pubkey algorithm
[error] Failed to add trusted package signing keys.

This might not be such a problem, except that directions for installing with dpkg on the KB seem to be about 7 years old judging from the versions mentioned, so not directly applicable.



 Comments   
Comment by Geoff Montee (Inactive) [ 2019-09-24 ]

"This might not be such a problem, except that directions for installing with dpkg on the KB seem to be about 7 years old judging from the versions mentioned, so not directly applicable."

I've updated that documentation section with some new details that work for MariaDB 10.4 on Ubuntu Bionic:

https://mariadb.com/kb/en/library/installing-mariadb-deb-files/#installing-mariadb-with-dpkg

Comment by Geoff Montee (Inactive) [ 2019-09-24 ]

It looks like the root cause of the problem is this:

gpg: keyserver communications error: keyserver helper general error
gpg: keyserver communications error: unknown pubkey algorithm
gpg: keyserver receive failed: unknown pubkey algorithm

This can be reproduced by executing the following on Ubuntu Xenial:

sudo apt-key adv --keyserver hkp://keys.gnupg.net:80 --recv-keys 0x8167EE24 0xE3C94F49 0xcbcb082a1bb943db 0xf1656f24c74cd1d8 0x135659e928c12247

As far as I can tell, it seems to be a problem with the keys.gnupg.net key server. The above command seems to fail every time that I run it on Ubuntu Xenial, but not always on the same key.

If I replace the key server with keyserver.ubuntu.com, then it works every time. For example:

sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0x8167EE24 0xE3C94F49 0xcbcb082a1bb943db 0xf1656f24c74cd1d8 0x135659e928c12247

Comment by Daniel Bartholomew [ 2019-09-25 ]

Just tried this on an Ubuntu Xenial VM and it didn't fail:

buildbot@ubuntu-xenial-amd64:~$ sudo apt-key adv --keyserver hkp://keys.gnupg.net:80 --recv-keys 0x8167EE24 0xE3C94F49 0xcbcb082a1bb943db 0xf1656f24c74cd1d8 0x135659e928c12247
Executing: /tmp/tmp.SSTP9RNH53/gpg.1.sh --keyserver
hkp://keys.gnupg.net:80
--recv-keys
0x8167EE24
0xE3C94F49
0xcbcb082a1bb943db
0xf1656f24c74cd1d8
0x135659e928c12247
gpg: requesting key 8167EE24 from hkp server keys.gnupg.net
gpg: requesting key E3C94F49 from hkp server keys.gnupg.net
gpg: requesting key 1BB943DB from hkp server keys.gnupg.net
gpg: requesting key C74CD1D8 from hkp server keys.gnupg.net
gpg: requesting key 28C12247 from hkp server keys.gnupg.net
gpg: key 8167EE24: public key "MariaDBManager" imported
gpg: key E3C94F49: public key "MariaDB Enterprise Signing Key <signing-key@mariadb.com>" imported
gpg: key 1BB943DB: public key "MariaDB Package Signing Key <package-signing-key@mariadb.org>" imported
gpg: key C74CD1D8: public key "MariaDB Signing Key <signing-key@mariadb.org>" imported
gpg: key 28C12247: public key "MariaDB Maxscale <maxscale@googlegroups.com>" imported
gpg: Total number processed: 5
gpg:               imported: 5  (RSA: 4)
buildbot@ubuntu-xenial-amd64:~$ 

Same thing with Bionic:

buildbot@ubuntu-bionic-amd64:~$ sudo apt-key adv --keyserver hkp://keys.gnupg.net:80 --recv-keys 0x8167EE24 0xE3C94F49 0xcbcb082a1bb943db 0xf1656f24c74cd1d8 0x135659e928c12247
Executing: /tmp/apt-key-gpghome.qnlNWvNnZJ/gpg.1.sh --keyserver hkp://keys.gnupg.net:80 --recv-keys 0x8167EE24 0xE3C94F49 0xcbcb082a1bb943db 0xf1656f24c74cd1d8 0x135659e928c12247
gpg: key 135659E928C12247: public key "MariaDB Maxscale <maxscale@googlegroups.com>" imported
gpg: key F1656F24C74CD1D8: 6 signatures not checked due to missing keys
gpg: key F1656F24C74CD1D8: public key "MariaDB Signing Key <signing-key@mariadb.org>" imported
gpg: key CBCB082A1BB943DB: 32 signatures not checked due to missing keys
gpg: key CBCB082A1BB943DB: public key "MariaDB Package Signing Key <package-signing-key@mariadb.org>" imported
gpg: key CE1A3DD5E3C94F49: 3 signatures not checked due to missing keys
gpg: key CE1A3DD5E3C94F49: public key "MariaDB Enterprise Signing Key <signing-key@mariadb.com>" imported
gpg: key 70E4618A8167EE24: public key "MariaDBManager" imported
gpg: Total number processed: 5
gpg:               imported: 5
buildbot@ubuntu-bionic-amd64:~$ 

I also tried the command using keyserver.ubuntu.com and it succeeded on both xenial and bionic.

My only guess as to why you're seeing errors and I'm not is the generic and ephemeral "network issues" somewhere.

We actually switched from using keyserver.ubuntu.com to using keys.gnupg.net just a couple months ago because keyserver.ubuntu.com was misbehaving (see MDEV-20221 for details). What seems to be clear from both issues is that the traditional 'sudo apt-key adv --recv-keys ...' way of importing keys, especially multiple keys like we do, is too fragile and breaks in unpredictable and impossible-to-reliably-reproduce ways.

I think a better and more robust solution would be for the script to download a gpg keyfile with all the correct keys directly from downloads.mariadb.com and place it under /etc/apt/trusted.gpg.d/. I'll update the repo setup scripts to do just that.

Comment by Daniel Bartholomew [ 2019-09-25 ]

I've uploaded a new version of the mariadb_repo_setup script with the new functionality in place. Instead of using 'apt-key adv --recv-keys ...' it downloads a keyring file from downloads.mariadb.com, verifies it, and then puts it in the correct place. Then the rest of the script functions as it usually does.

I've tested the updated script on Ubuntu 18.04 bionic and 16.04 xenial; and on Debian 8 jessie, 9 stretch, and 10 buster, which are all of the Ubuntu/Debian variants the script supports. This will be a much more reliable way to import the GPG keys on these systems.
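
The approach described in the last comment, sketched as an added example (this is not the mariadb_repo_setup code): fetch the keyring file, check it against a pinned SHA-256 digest, and only then install it under /etc/apt/trusted.gpg.d/. The use of a SHA-256 pin as the verification step, the function names, the file name mariadb-keyring.gpg and the URL and digest placeholders are all assumptions; the page does not give them.

```shell
#!/bin/sh
# Added example: install an apt keyring file only if it matches a pinned digest.
# Pinning a digest avoids trusting whatever a keyserver returns for a short
# key ID requested over plain hkp.

# fetch_keyring URL OUTFILE
# -f fails on HTTP errors; --proto/--proto-redir refuse anything but HTTPS,
# including on redirects.
fetch_keyring() {
    curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 -o "$2" "$1"
}

# verify_and_install_keyring SRC EXPECTED_SHA256 DEST_DIR NAME
# Returns 0 after installing DEST_DIR/NAME; returns 1 and writes nothing
# into DEST_DIR if SRC is empty/missing or its digest does not match.
verify_and_install_keyring() {
    src=$1 dest_dir=$3 name=$4
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # sha256sum prints lowercase
    [ -s "$src" ] || { echo "[error] empty or missing keyring: $src" >&2; return 1; }
    actual=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        echo "[error] keyring checksum mismatch (got $actual)" >&2
        return 1
    fi
    # Stage inside DEST_DIR so the final rename is atomic on one filesystem
    # and apt never sees a half-written keyring.
    staged=$(mktemp "$dest_dir/.$name.XXXXXX") || return 1
    cp "$src" "$staged" && chmod 0644 "$staged" && mv -f "$staged" "$dest_dir/$name" \
        || { rm -f "$staged"; return 1; }
}

# Typical use as root (placeholders, not values from this issue):
#   tmp=$(mktemp)
#   fetch_keyring 'https://downloads.mariadb.com/<keyring-path-placeholder>' "$tmp" &&
#   verify_and_install_keyring "$tmp" '<pinned-sha256-placeholder>' \
#       /etc/apt/trusted.gpg.d mariadb-keyring.gpg
# Note: apt releases before 1.4 only read binary *.gpg keyrings from this
# directory, not ASCII-armored *.asc files.
```

A keyring placed in /etc/apt/trusted.gpg.d/ is trusted for every configured repository, so the pinned digest should come from a channel other than the download it protects.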
