Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead - apt

I was installing elasticsearch following this guide, but elasticsearch is not really part of this question.
In the first step, I need to add the key:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
and got the following message:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
The installation process was fine, but since it's deprecated, I'm looking for the new usage that replaces apt-key. (I have no problem installing the package.) From man apt-key I saw
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
...
Binary keyring files intended to be used with any apt version should
therefore always be created with gpg --export.
but it didn't say the alternative to apt-key add. I tried
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --export
but didn't work. So what do I use after the pipe of wget when apt-key is removed?

Adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories. This is exactly why apt-key had to be deprecated.
Short version
Do something similar to what Signal does.
If you want to use the key at https://example.com/EXAMPLE.gpg for a repository listed in /etc/apt/sources.list.d/EXAMPLE.list, use:
sudo mkdir -p /etc/apt/keyrings/
wget -O- https://example.com/EXAMPLE.gpg |
gpg --dearmor |
sudo tee /etc/apt/keyrings/EXAMPLE.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main" |
sudo tee /etc/apt/sources.list.d/EXAMPLE.list
# Optional (you can find the email address / ID using `apt-key list`)
sudo apt-key del support@example.com
Long version
While the deprecation notice recommends adding the key to /etc/apt/trusted.gpg.d, this is an insecure solution. To quote this article from Linux Uprising:
The reason for this change is that when adding an OpenPGP key that's used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don't have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security).
The proper solution is explained in that Linux Uprising article and on the Debian Wiki: Store the key in /etc/apt/keyrings/ (or /usr/share/keyrings/ if you're the package maintainer), and then reference the key in the apt source list.
Therefore, the appropriate method is as follows:
Download the key from https://example.com/EXAMPLE.gpg and store it in /etc/apt/keyrings/EXAMPLE.gpg.
The Debian wiki explains that you should dearmor the key (i.e. convert it from base64 to binary) for compatibility with older software. The > /dev/null simply stops the binary key from being displayed in your terminal.
wget -O- https://example.com/EXAMPLE.gpg |
gpg --dearmor |
sudo tee /etc/apt/keyrings/EXAMPLE.gpg > /dev/null
Optionally, you can verify that the file you downloaded is indeed a PGP key by running file /etc/apt/keyrings/EXAMPLE.gpg and inspecting the output.
Add the key to the source file that is used by the repository.
Find the appropriate file in /etc/apt/sources.list.d/ and edit it so that it links to the keyring you just added.
If the file doesn't exist, you can make one.
In the end, it should look something like this:
deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
Remove the key from apt-key, if it was added before.
Run sudo apt-key list to list all the keys, and find the one that was previously added.
Using the key's email address or fingerprint, run sudo apt-key del support@example.com.
Using the newer DEB822 format
In step 2, instead of using the one-line format for sources in sources.list.d, you can also use the newer multi-line format called DEB822. This format is easier to read for humans and computers, and has been available in apt since 2015. Debian and Ubuntu plan to use DEB822 as the default format starting late 2023. Repolib's documentation has a nice comparison and covers the motivation behind the new format. Note that some external tools that parse the source files themselves instead of wrapping around apt do not fully support this format yet.
To switch to this format, let's say you have the following one-line format source file /etc/apt/sources.list.d/example.list:
deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
Comment out this line, and create a new file, /etc/apt/sources.list.d/example.sources, containing:
Types: deb
URIs: https://example.com/apt
Suites: stable
Components: main
Signed-By: /etc/apt/keyrings/EXAMPLE.gpg
Run sudo apt update, and if you see example.com/apt correctly being updated, you can remove the old /etc/apt/sources.list.d/example.list.
Additional resources
Debian wiki: Instructions to connect to a third-party repository
AskUbuntu: What commands (exactly) should replace the deprecated apt-key?
Unix SE:
How to add a third-party repo. and key in Debian?
man 5 sources.list in Ubuntu 22.04 or later
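The procedure above as one script, added here as an example and not part of the original answer: fetch the key, dearmor it only if it is ASCII-armored, refuse it unless its fingerprint matches one you obtained out of band (the vendor's documentation, a second channel), install it root-owned under /etc/apt/keyrings, and write a DEB822 .sources stanza whose Signed-By limits that key to this one repository. The fingerprint check is the step the wget-and-tee recipe leaves out: over plain HTTPS you are otherwise trusting whatever the server handed you. The repository name, URLs and fingerprint placeholder in the usage comment are assumptions for illustration; `gpg --show-keys --with-colons` inspects the file without importing it anywhere.

```shell
#!/bin/sh
# Added example: pin a third-party apt signing key to a single repository.
# Assumed inputs: a repo NAME, the key URL, the fingerprint the vendor
# publishes, and the repository URI, suite and components.
set -eu

# Render a DEB822 .sources stanza; Signed-By scopes the key to this repo only.
render_deb822() {
  local uri=$1 suite=$2 components=$3 keyring=$4
  printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
    "$uri" "$suite" "$components" "$keyring"
}

# Exit 0 if the key file is ASCII-armored (needs gpg --dearmor), 1 if binary.
is_armored() {
  [ "$(head -n 1 "$1")" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ]
}

# Normalise both fingerprints (drop spaces, upper-case) and compare.
# An empty expected value is rejected so a missing pin cannot pass silently.
fingerprint_matches() {
  local expected actual
  expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  actual=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Download, dearmor if needed, verify the fingerprint, install the keyring
# and write the .sources file. Needs root, curl and gpg (not run by tests).
install_pinned_repo() {
  local name=$1 key_url=$2 expected_fpr=$3 repo_uri=$4 suite=$5 components=$6
  local keyring="/etc/apt/keyrings/$name.gpg" tmp actual_fpr
  tmp=$(mktemp)
  curl -fsSL --proto '=https' -o "$tmp" "$key_url"
  if is_armored "$tmp"; then
    gpg --dearmor < "$tmp" > "$tmp.bin"
    mv "$tmp.bin" "$tmp"
  fi
  # --show-keys reads the file without touching any keyring; field 10 of the
  # fpr: record is the full fingerprint.
  actual_fpr=$(gpg --show-keys --with-colons "$tmp" | awk -F: '$1=="fpr"{print $10; exit}')
  if ! fingerprint_matches "$expected_fpr" "$actual_fpr"; then
    rm -f "$tmp"
    echo "refusing $key_url: fingerprint $actual_fpr does not match pin $expected_fpr" >&2
    return 1
  fi
  install -D -m 0644 -o root -g root "$tmp" "$keyring"
  rm -f "$tmp"
  render_deb822 "$repo_uri" "$suite" "$components" "$keyring" \
    > "/etc/apt/sources.list.d/$name.sources"
}

# Usage (as root), with placeholder values:
#   install_pinned_repo example https://example.com/EXAMPLE.gpg \
#     '<fingerprint published by the vendor>' https://example.com/apt stable main
```

After it runs, `apt update` should list only example.com/apt as verified by that keyring; any other repository without its own Signed-By continues to see nothing but the keys in /etc/apt/trusted.gpg.d.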

!!Deprecated & insecure!!
answer found here:
https://suay.site/?p=526
in short:
retrieve the key and add the key:
curl -s URL | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/NAME.gpg --import
authorize the user _apt:
sudo chown _apt /etc/apt/trusted.gpg.d/NAME.gpg

As mentioned in current accepted answer, adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories. This is why apt-key is giving this warning.
You can use a simpler solution like following:
curl -fsSL https://example.com/EXAMPLE.gpg | sudo gpg --dearmor -o /usr/share/keyrings/EXAMPLE.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/EXAMPLE.gpg] \
https://example.com/apt stable main" \
| sudo tee -a /etc/apt/sources.list.d/EXAMPLE.list > /dev/null
sudo apt update
sudo apt install <package-name>

MX Linux has a utility script called "MX Fix GPG keys" that takes care of this. Since it's just a bash script it most likely works fine with any other Debian based distro.
It's here https://github.com/MX-Linux/checkaptgpg

I got this warning when trying to install nodejs and npm in Ubuntu 20.04
To be more precise:
Instead of this:
curl -sSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
Use this:
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /usr/share/keyrings/yarn.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list
So the full installation script looked like this:
apt-get install -y nodejs && \
apt-get install -y npm gnupg2 && \
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /usr/share/keyrings/yarn.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list

Another sample snippet, resolving the issue using updated deb822 format:
{ echo 'Types: deb'
echo 'URIs: https://dl.k6.io/deb'
echo 'Suites: stable'
echo 'Components: main'
echo 'Signed-By:'
set -eo pipefail
KEY=C5AD17C747E3415A3642D57D77C6C491D6AC1D69
curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$KEY" \
| sed -e 's/^$/./g;s/^/ /g'
} | sudo tee /etc/apt/sources.list.d/k6.sources
sudo apt-get update && sudo apt-get install k6
In this case, I'm installing k6.io CLI on Ubuntu 22.04 LTS. Adapt as you see fit.
Notice the .sources — not .list!
The benefit of deb822 is that the package-signing pubkey gets put inline in the sources-file (and validates only this repo's packages — which is more secure than trusting it with all other repos).
Being inline in the file saves another | sudo tee hoop:
Types: deb
URIs: https://dl.k6.io/deb
Suites: stable
Components: main
Signed-By:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Hockeypuck 2.1.0-189-g15ebf24
Comment: Hostname:
.
xsFNBGBLRGQBEADCqEcl4YKYLAW8p/rEzBrDLi8fewyqPTLFWosWeu1a4fKzPcW8
ggl/pjRcXxAxgCt1EhX9bjOrzavdnfnKLYuNkwR0vLWZtNEhAsOovsDzFF6n+WsN
jtxL9nBZZ/7tgImxMUds8EXotx3R0Le5kbW0QWaWK8NDNayUChGF4ijM1dcacefA
1ObrQvEKMybdFMxQM+oQjLeIe8TARaoATeLXh/LprNHqDWSAqE3KogChAMykp10i
...
Had to whip up the above, because their official instructions got broken yet again.
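The inline form used above, as an added example that is not the k6 answer's own code: a function that emits the stanza with the armored key indented per the DEB822 continuation rules (every key line prefixed with one space, blank lines written as " ."), plus the reverse transform, so you can extract what apt will actually read and feed it to `gpg --show-keys` to confirm it is the key you fetched. Only the ASCII-armored form can be inlined; a binary .gpg has to live in a file and be referenced by path. The repository URI and the key text in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: inline an ASCII-armored key in a DEB822 Signed-By field and
# verify the transform round-trips. Not from the original answer.
set -eu

# Render a .sources stanza with the armored key in file $4 inlined.
# DEB822 rule: continuation lines start with a space; an empty line becomes " .".
render_deb822_inline() {
  local uri=$1 suite=$2 components=$3 keyfile=$4
  printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By:\n' \
    "$uri" "$suite" "$components"
  sed -e 's/^$/./' -e 's/^/ /' "$keyfile"
}

# Reverse the transform: recover the armored key from a .sources file so it
# can be inspected (e.g. gpg --show-keys) exactly as apt will parse it.
extract_inline_key() {
  awk '
    /^Signed-By:/ { inkey = 1; next }
    inkey && /^ / { line = substr($0, 2); if (line == ".") line = ""; print line; next }
    inkey         { inkey = 0 }
  ' "$1"
}

# Exit 0 if inlining then extracting reproduces the original key byte for byte.
roundtrip_ok() {
  local keyfile=$1 tmp rc
  tmp=$(mktemp)
  render_deb822_inline https://example.com/apt stable main "$keyfile" > "$tmp"
  if extract_inline_key "$tmp" | cmp -s - "$keyfile"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Usage: render_deb822_inline https://dl.k6.io/deb stable main k6.asc \
#          | sudo tee /etc/apt/sources.list.d/k6.sources
```

The blank line inside an armored block (between the header lines and the base64 body) is the part that trips up hand-edited files: left empty, apt treats it as the end of the stanza and the key is silently truncated.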

Experienced this error recently while trying to install Jenkins on my EC2 instance. However, I was able to resolve it by following the steps below:
Add a repository key to your system by running:
wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo gpg --dearmor -o /usr/share/keyrings/jenkins.gpg
You may have to replace jenkins with the package/software you want to install.
Attach the Debian package repo address to the server's sources.list by running:
sudo sh -c 'echo deb [signed-by=/usr/share/keyrings/jenkins.gpg] http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'
Run:
sudo apt update
So apt will use the newly created repo.
Go on to attempt/reattempt your installation.
Hope this helps :).
Source: https://www.digitalocean.com/community/tutorials/how-to-install-jenkins-on-ubuntu-22-04

Related

How to make apt assume yes and force yes for all installations in a bash script

I'm currently getting into Linux and want to write a bash script which sets up a new machine just the way I want it to be.
In order to do that I want to install different things on it etc.
What I'm trying to achieve here is to have a setting at the top of the bash script which will make apt accept all [y/n] questions asked during the execution of the script
Question example I want to automatically accept:
After this operation, 1092 kB of additional disk space will be used. Do you want to continue? [Y/n]
I just started creating the file so here is what I have so far:
#!/bin/bash
# Constants
# Set apt to accept all [y/n] questions
>> some setting here <<
# Update and upgrade apt
apt update;
apt full-upgrade;
# Install terminator
apt install terminator
apt is meant to be used interactively. If you want to automate things, look at apt-get, and in particular its -y option:
-y, --yes, --assume-yes
Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively. If an undesirable
situation, such as changing a held package, trying to install an
unauthenticated package or removing an essential package occurs then
apt-get will abort. Configuration Item: APT::Get::Assume-Yes.
See also man apt-get for many more options.
With apt:
apt -o Apt::Get::Assume-Yes=true install <package>
See: man apt and man apt.conf
If you indeed want to set it up once at the top of the file as you say and then forget about it, you can use the APT_CONFIG environment variable. See apt.conf.
echo "APT::Get::Assume-Yes=yes" > /tmp/_tmp_apt.conf
export APT_CONFIG=/tmp/_tmp_apt.conf
apt-get update
apt-get install terminator
...
You can set up apt assume yes permanently as follows:
printf 'APT::Get::Assume-Yes "true";\nAPT::Get::allow "true";\n' | sudo tee -a /etc/apt/apt.conf.d/90_no_prompt
Another easy way to set it at the top of your script is to use the command alias apt-get="apt-get --assume-yes", which causes all subsequent invocations of apt-get to include the --assume-yes argument. For example apt-get upgrade would automatically get converted to apt-get --assume-yes upgrade by bash.
Please note, that this may cause errors, because some apt-get subcommands do not accept the --assume-yes argument. For example apt-get help would be converted to apt-get --assume-yes help which returns an error, because the help subcommand can't be used together with --assume-yes.

Trying to set GOPATH and GOROOT in AWS EC2 user data, but it is not working

I am trying to set up GOPATH and GOROOT in my AWS EC2 Ubuntu 20.04 user data, but it never worked. Every time I connect to the AWS EC2 instance and view the log in /var/log/cloud-init-output.log it always says
go: not found, but if I key in the echo part it will work.
I am trying to set up multiple EC2 instances with this as the basis, so I can't key it in on every instance myself.
The CloudFormation yaml user data part is below:
UserData:
  Fn::Base64: |
    #!/bin/bash
    wget https://dl.google.com/go/go1.14.4.linux-amd64.tar.gz
    tar -C /usr/local -zxvf go1.14.4.linux-amd64.tar.gz
    mkdir -p ~/go/{bin,pkg,src}
    echo 'export GOPATH=$HOME/go' >> ~/.bashrc
    echo 'export GOROOT=/usr/local/go' >> ~/.bashrc
    echo 'export PATH=$PATH:$GOPATH/bin:$GOROOT/bin' >> ~/.bashrc
    echo 'export GO111MODULE=auto' >> ~/.bashrc
    source ~/.bashrc
    apt -y update
    apt -y install mongodb wget git
    systemctl start mongodb
    apt -y install git gcc cmake autoconf libtool pkg-config libmnl-dev libyaml-dev
    go get -u github.com/sirupsen/logrus
    cd ~
    git clone --recursive https://github.com/williamlin0504/free5gcWithOCF.git
    cd free5gcWithOCF
    make
And here is the error inside /var/log/cloud-init-output.log
Error while user data runs
Is there anyone who is familiar with this? Please, I need some help.
In your error message, in the Makefile at line 30 there is a program bin/amf being used
This program appears to be a shell script with a problem in line 1
The nature of the problem is "go: not found"
If you have the bare word "go" in line 1 of the shell script and the path cannot find it then this is what will happen
Probably you need to alter the last line of your userdata shell script to say
PATH=/usr/local/go/bin:$PATH make
I know you have a source command earlier in the script that is supposed to set this up but it doesn't do what you think it does

Every Ansible command responds with "abort"

When I run any Ansible command the response is always abort. For example:
ansible --version
# Or:
ansible-playbook -i production site.yml --diff --check
Response:
[1] 78576 abort ansible --version
Any idea why or how to fix? I updated Ansible but error remained the same. Things used to work in the past but it's been a few months since I've used Ansible.
I found the solution to my problem here. It's a problem with OpenSSL:
https://nbari.com/post/python-quit-unexpectedly-macos/
The steps to fix:
brew reinstall openssl
cd /usr/local/lib
sudo ln -s /usr/local/opt/openssl/lib/libssl.dylib libssl.dylib
sudo ln -s /usr/local/opt/openssl/lib/libcrypto.dylib libcrypto.dylib
This looks like something specific on your system which has been misconfigured.
re-trace your steps which could’ve led to this error
Try to reinstall Python / Ansible
use 'ps aux | grep ansible' to see if there are other Ansible processes running
virtualenv?
worst case: reinstall system

Getting the error in openvpn repo while running command apt-get update

I am getting the following error while running command "apt-get update":
E: Type 'gpg' is not known on line 1 in source list /etc/apt/sources.list.d/openvpn-as-repo.list
E: The list of sources could not be read.
Can someone please help me solve this error?
The below answer is taken from: https://askubuntu.com/questions/96967/how-do-i-fix-this-e-type-is-not-known-on-line-in-source-list-update
The error indicates a malformed entry in a source file, which causes the update process to abort. To fix it, you have to either fix the entry (if you know what the right entry should look like) or remove it altogether (that's what I'm going to describe, as it's the fastest way to enable you to update your system again).
First, you need to open the file containing the bad entry. The filename is given in the error message, in your example /etc/apt/sources.list.d/some-ppa.list. Open a terminal, and type
sudo nano /etc/apt/sources.list.d/some-ppa.list
and press Enter. After entering your password, you should now see the file opened in the text editor nano.
Now you need to locate the malformed entry. It should be on the line number given in the error message - in your case that would be line 1.
This line should be incomplete and start with the unknown type the update process is complaining about (here ain). Just delete the whole line, and save/close the file with Ctrl+X.
That's it. You should now be able to successfully run the update process.
It seems something went wrong. Redo these commands again.
# wget must be available. If wget is not installed and apt update is broken skip apt update in the next line.
sudo apt update && sudo apt -y install ca-certificates wget net-tools
wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | sudo apt-key add -
sudo sh -c 'echo "deb http://as-repository.openvpn.net/as/debian bionic main">/etc/apt/sources.list.d/openvpn-as-repo.list'
sudo apt update && sudo apt -y install openvpn-as
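Both failure modes on this page, an unparseable type on line 1 of a .list file and an entry with no signed-by that therefore trusts every key in /etc/apt/trusted.gpg.d, can be caught before `apt update` aborts on them. The following is an added example, not code from either answer: a small POSIX shell linter for one-line sources files. The verdict names, file paths and sample lines are constructed for illustration; flat repositories (a suite ending in "/" and no components, like the Jenkins entry on this page) are accepted as valid.

```shell
#!/bin/sh
# Added example: lint one-line apt source entries for the two problems seen on
# this page (unknown type, missing signed-by). Not from the original answers.
set -eu

# Verdict for one line: comment, bad-type, no-signed-by, too-short or ok.
lint_sources_line() {
  local opts= tok=
  set -f            # no globbing while the line is split into words
  set -- $1
  set +f
  [ $# -gt 0 ] || { echo comment; return 0; }
  case $1 in '#'*) echo comment; return 0 ;; esac
  case $1 in deb|deb-src) ;; *) echo bad-type; return 0 ;; esac
  shift
  # Collect the bracketed [option=value ...] group, if present, minus brackets.
  if [ $# -gt 0 ] && [ "${1#\[}" != "$1" ]; then
    while [ $# -gt 0 ]; do
      tok=${1#\[}
      case $1 in
        *']') opts="$opts ${tok%\]}"; shift; break ;;
        *)    opts="$opts $tok"; shift ;;
      esac
    done
  fi
  case " $opts " in
    *" signed-by="*) ;;
    *) echo no-signed-by; return 0 ;;
  esac
  # What remains is URI, suite, components...; a flat repository is a URI plus
  # a suite ending in "/" with no components.
  if [ $# -ge 3 ]; then echo ok
  elif [ $# -eq 2 ] && [ "${2%/}" != "$2" ]; then echo ok
  else echo too-short
  fi
}

# Walk one-line sources files and print file:lineno:verdict for every entry
# that is not ok (comments and blank lines are skipped).
lint_sources_files() {
  local f n line verdict
  for f in "$@"; do
    [ -r "$f" ] || continue
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      verdict=$(lint_sources_line "$line")
      case $verdict in ok|comment) ;; *) printf '%s:%d:%s\n' "$f" "$n" "$verdict" ;; esac
    done < "$f"
  done
}

# Usage: lint_sources_files /etc/apt/sources.list /etc/apt/sources.list.d/*.list
```

A no-signed-by hit is exactly the case the accepted answer warns about: that repository's key was added system-wide with apt-key or a file in trusted.gpg.d, so migrate it to /etc/apt/keyrings and add signed-by before removing the old key.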

etcdctl: command not found

Hi, I am using the etcd version as follows:
{"etcdserver":"3.2.7","etcdcluster":"3.2.0"}
I need to get the version history of the key, but for me only curl commands are working. If I do
etcdctl get --prefix --rev=4 foo
I get:
-bash: etcdctl: command not found
I am able to run the etcdctl with v2 but with v3 I am getting this error.
On an Ubuntu machine, run the below to get etcdctl:
apt install etcd-client
You need to install the etcd binaries
wget "https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz"
tar -xvf etcd-v3.3.9-linux-amd64.tar.gz
sudo mv etcd-v3.3.9-linux-amd64/etcd* /usr/local/bin/
export ETCDCTL_API=3
Then you can execute your etcdctl command
Eg:
/usr/local/bin/etcdctl --endpoints <EndpointIP>:<PORT> --cert=/<location>/<crt>.pem --key=/<location>/<keyFile>.pem --cacert=/<location>/ca.pem member list
How can I locate my cert file?
If ETCD is running as a container, follow the steps below.
1. Log in to the instance where ETCD is running.
2. docker ps -a | grep etcd
3. docker inspect <ContainerID> | grep etc
