Description
What happened?
I'm currently salting our Unified Streaming setup. The instructions from Unified are straightforward.
It's just that their referenced keyfile contains two keys in armored format. It's not possible to use gpg --dearmor on this keyfile and use the dearmored keyfile for saltstack.
unified-streaming-repo:
  pkgrepo.managed:
    - humanname: Unified Streaming
    - name: "deb [signed-by=/etc/apt/keyrings/unified-streaming.asc] https://stable.apt.unified-streaming.com noble multiverse"
    - dist: "noble"
    - file: /etc/apt/sources.list.d/unified-streaming.list
    - aptkey: false
    - key_url: salt://files/etc/apt/keyrings/unified-streaming.asc
When I use this, I get those in the journal:
Nov 17 14:29:50 cachetest1 salt-minion[132390]: [ERROR ] Detected an ASCII armored key /var/cache/salt/minion/files/557-new-cache-servers/roles/cdn_cache/files/etc/apt/keyrings/unified-streaming.asc and the gpg binary is not available. Not decrypting the key.
Nov 17 14:29:50 cachetest1 salt-minion[132390]: [ERROR ] Failed to configure repo 'deb [signed-by=/etc/apt/keyrings/unified-streaming.asc] https://stable.apt.unified-streaming.com noble multiverse': Error: Could not add key: /var/cache/salt/minion/files/files/etc/apt/keyrings/unified-streaming.asc
However, when manually placing the ASC file with the package list, APT works fine with it.
Could you please implement the behavior like apt-secure is using?
ASCII-armored keys must use an extension of .asc, and unarmored keys an extension of .gpg.
So it would be beneficial to not dearmor ASCII Keys and just continue saving them as <key>.asc by saltstack.
Workaround
I'm currently just placing the key via file.managed before pkgrepo.managed.
unified-streaming-repo:
  pkgrepo.managed:
    - humanname: Unified Streaming
    - name: "deb [signed-by=/etc/apt/keyrings/unified-streaming.asc] https://stable.apt.unified-streaming.com noble multiverse"
    - dist: "noble"
    - file: /etc/apt/sources.list.d/unified-streaming.list
    - aptkey: false
    - require:
      - file: unified-streaming-repo
  # We needed to manually install the key. Saltstack as of 3007
  # is not able to install ASC (text) based keys.
  # Unified delivers multiple keys. We must use the ASC format.
  file.managed:
    - name: /etc/apt/keyrings/unified-streaming.asc
    - source: salt://files/etc/apt/keyrings/unified-streaming.asc
Type of salt install
Official deb
Major version
3007.x
What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)
ubuntu-24.04
salt --versions-report output
Salt Version:
  Salt: 3007.5

Python Version:
  Python: 3.10.17 (main, Jun 9 2025, 20:41:48) [GCC 11.2.0]

Dependency Versions:
  cffi: 1.16.0
  cherrypy: unknown
  cryptography: 42.0.5
  dateutil: 2.8.2
  docker-py: Not Installed
  gitdb: Not Installed
  gitpython: Not Installed
  Jinja2: 3.1.6
  libgit2: 1.7.1
  looseversion: 1.3.0
  M2Crypto: Not Installed
  Mako: Not Installed
  msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
  packaging: 24.0
  pycparser: 2.22
  pycrypto: Not Installed
  pycryptodome: 3.19.1
  pygit2: 1.13.1
  python-gnupg: 0.5.2
  PyYAML: 6.0.1
  PyZMQ: 25.1.2
  relenv: 0.19.3
  smmap: Not Installed
  timelib: 0.3.0
  Tornado: 6.4.2
  ZMQ: 4.3.4

Salt Package Information:
  Package Type: onedir

System Versions:
  dist: ubuntu 22.04.4 jammy
  locale: utf-8
  machine: x86_64
  release: 5.15.0-156-generic
  system: Linux
  version: Ubuntu 22.04.4 jammy
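
A pre-flight check for the situation described in this issue, added here as an example (it is not Salt's code or the reporter's): it classifies a keyring as ASCII-armored or binary, counts the armored key blocks, and reports when the `signed-by` path does not carry the extension that the apt-secure rule quoted above requires. The function names and the sample key material are assumptions constructed for illustration.

```python
import os
import re

# Armor header lines must sit on their own line (RFC 4880 ASCII armor).
BEGIN = re.compile(rb"^-----BEGIN PGP PUBLIC KEY BLOCK-----[ \t\r]*$", re.M)
END = re.compile(rb"^-----END PGP PUBLIC KEY BLOCK-----[ \t\r]*$", re.M)
# apt-secure: armored keys use .asc, unarmored keys use .gpg.
EXTENSION = {"armored": ".asc", "binary": ".gpg"}


def inspect_keyring(data):
    """Return (format, armored_block_count) for the keyring bytes."""
    begins, ends = len(BEGIN.findall(data)), len(END.findall(data))
    if begins or ends:
        if begins != ends:
            raise ValueError("unbalanced armor: %d BEGIN, %d END" % (begins, ends))
        return "armored", begins
    # Every binary OpenPGP packet header has bit 7 of its first octet set.
    if data and data[0] & 0x80:
        return "binary", 0
    raise ValueError("not an OpenPGP public keyring")


def signed_by_problems(path, data):
    """List mismatches between the signed-by path and the keyring format."""
    fmt, _blocks = inspect_keyring(data)
    ext = os.path.splitext(path)[1]
    if ext == EXTENSION[fmt]:
        return []
    return ["%s keyring must be named *%s, got %r" % (fmt, EXTENSION[fmt], ext)]


# Constructed sample data: placeholder bodies, not real keys.
_BLOCK = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
          b"bW9jayBrZXkgYm9keQ==\n=AAAA\n"
          b"-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_TWO_KEYS = _BLOCK + _BLOCK          # one file, two armored keys
SAMPLE_BINARY = bytes([0x99, 0x01, 0x0D]) + b"\x04" * 8

if __name__ == "__main__":
    print(inspect_keyring(SAMPLE_TWO_KEYS))
    for p in ("/etc/apt/keyrings/unified-streaming.asc",
              "/etc/apt/keyrings/unified-streaming.gpg"):
        print(p, signed_by_problems(p, SAMPLE_TWO_KEYS))
```

Running this against the file before it is deployed shows whether it can be shipped unchanged as `.asc`, which is what the `file.managed` workaround above does.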