Description of the bug
Cannot enable esm-infra when using pro client in airgap env with a local mirror configured with a GPG key
- Local mirror URL:
https://landscape-d-api.<REDACTED>/repository/standalone/ubuntu
- Local mirror GPG key file:
/etc/apt/trusted.gpg.d/custom.gpg
- Local pro airgap server:
https://ubuntu-pro-contracting-d.<REDACTED>
Expected behavior
sudo pro enable esm-infra works as expected
Current behavior
sudo pro enable esm-infra fails. debug logs here: https://pastebin.ubuntu.com/p/WytZyKM4Cc/
Relevant logs:
Error updating apt cache: W:Updating from such a repository can't be done securely, and is therefore disabled by default., W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: https://landscape-d-api.<REDACTED>/repository/standalone/ubuntu noble-infra-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY <REDACTED>, E:The repository 'https://landscape-d-api.<REDACTED>/repository/standalone/ubuntu noble-infra-security InRelease' is not signed.
To Reproduce
Configure a local mirror using https://charmhub.io/pro-airgapped-server
cat /etc/ubuntu-advantage/uaclient.conf
contract_url: https://ubuntu-pro-contracting-d.<REDACTED>
log_level: debug
ubuntu-pro-contracting-d.<REDACTED> references a local mirror on landscape
sudo pro attach <TOKEN>
sudo pro --debug enable esm-infra
Additional information:
The following file is generated by pro client
cat /etc/apt/sources.list.d/ubuntu-esm-infra.sources
# Written by ubuntu-pro-client
Types: deb
URIs: https://landscape-d-api.<REDACTED>/repository/standalone/ubuntu
Suites: noble-infra-security
Components: main
Signed-By: /usr/share/keyrings/ubuntu-pro-esm-infra.gpg
However, the GPG key is not the correct one. It is the one used for upstream resources.
Replacing it with the custom GPG key of the local mirror
Signed-By: /etc/apt/trusted.gpg.d/custom.gpg
And then esm-infra can be enabled
Is there a way we can add a setting to customize GPG key on the pro client ? And also on the pro-client-operator as well ?
System information:
- Ubuntu 24.04
- Pro client: 37.1ubuntu0~24.04
Workaround
Configure apt to ignore all potential GPG keys in source files and trust all repositories
Edit: Workaround doesn't work
Description of the bug
Cannot enable esm-infra when using pro client in airgap env with a local mirror configured with a GPG key
https://landscape-d-api.<REDACTED>/repository/standalone/ubuntu/etc/apt/trusted.gpg.d/custom.gpghttps://ubuntu-pro-contracting-d.<REDACTED>Expected behavior
sudo pro enable esm-infraworks as expectedCurrent behavior
sudo pro enable esm-infrafails. debug logs here: https://pastebin.ubuntu.com/p/WytZyKM4Cc/Relevant logs:
To Reproduce
Configure a local mirror using https://charmhub.io/pro-airgapped-server
ubuntu-pro-contracting-d.<REDACTED>references a local mirror on landscapeAdditional information:
The following file is generated by pro client
However, the GPG key is not the correct one. It is the one used for upstream resources.
Replacing it with the custom GPG key of the local mirror
And then esm-infra can be enabled
Is there a way we can add a setting to customize GPG key on the pro client ? And also on the pro-client-operator as well ?
System information:
Workaround
Configure apt to ignore all potential GPG keys in source files and trust all repositoriesEdit: Workaround doesn't work