Bootstrap script fails to download GPG key but continues installing #1988

Closed
st3fan opened this issue Feb 3, 2024 · 1 comment

st3fan commented Feb 3, 2024

Description of Issue/Question

On Debian 12, when running

curl -o bootstrap-salt.sh -L https://bootstrap.saltproject.io
chmod 755 bootstrap-salt.sh
./bootstrap-salt.sh -A x.x.x.x

Salt is successfully installed and works well. However, I noticed that in the middle of the output of bootstrap-salt.sh the following is printed:

ERROR: https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg
   failed to download to /tmp/salt-gpg-AWMFO6V3.pub

When the GPG key(ring) cannot be downloaded and the Salt packages cannot be verified, installation should probably abort and inform the user of this issue.

Manually fetching salt-archive-keyring.gpg results in the following error:

$ curl https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>NoSuchKey</Code>
  <Message>The specified key does not exist.</Message>
  <Key>salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg</Key>
  <RequestId>G37BEE0RW1VECTEM</RequestId>
  <HostId>H60lLZiaFgKSH1mfHbLISEl9udElboU1M4NRaiRUq15hH+Takn2fbY5hqJXU4MWdc9YqHi2ynjb1iMcVKkgHew==</HostId>
</Error>

The root cause of this is likely a misconfiguration of some sort on repo.saltproject.io but in theory it could also have been a legit attack.

Setup

Debian 12.4 / AMD64

Steps to Reproduce Issue

Clean install of Debian 12.4 on AMD64. Then run the following:

curl -o bootstrap-salt.sh -L https://bootstrap.saltproject.io
chmod 755 bootstrap-salt.sh
./bootstrap-salt.sh -A x.x.x.x

This will result in an ERROR: https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg failed to download to /tmp/salt-gpg-AWMFO6V3.pub during bootstrapping.

Full log:

 *  INFO: Running version: 2024.01.04
 *  INFO: Executed by: /bin/sh
 *  INFO: Command line: './bootstrap-salt.sh -A 192.168.2.100'

 *  INFO: System Information:
 *  INFO:   CPU:          GenuineIntel
 *  INFO:   CPU Arch:     x86_64
 *  INFO:   OS Name:      Linux
 *  INFO:   OS Version:   6.1.0-17-amd64
 *  INFO:   Distribution: Debian 12

 *  INFO: Installing minion
 *  INFO: Found function install_debian_onedir_deps
 *  INFO: Found function config_salt
 *  INFO: Found function preseed_master
 *  INFO: Found function install_debian_onedir
 *  INFO: Found function install_debian_restart_daemons
 *  INFO: Found function daemons_running_onedir
 *  INFO: Found function install_debian_check_services
 *  INFO: Running install_debian_onedir_deps()
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
procps is already the newest version (2:4.0.2-3).
pciutils is already the newest version (1:3.9.0-4).
The following additional packages will be installed:
  libyaml-0-2
The following NEW packages will be installed:
  libyaml-0-2 python3-yaml
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 173 kB of archives.
After this operation, 660 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 libyaml-0-2 amd64 0.2.5-1 [53.6 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 python3-yaml amd64 6.0-3+b2 [119 kB]
Fetched 173 kB in 0s (1,502 kB/s)
                                 Selecting previously unselected package libyaml-0-2:amd64.
(Reading database ... 33340 files and directories currently installed.)
Preparing to unpack .../libyaml-0-2_0.2.5-1_amd64.deb ...
Unpacking libyaml-0-2:amd64 (0.2.5-1) ...
Selecting previously unselected package python3-yaml.
Preparing to unpack .../python3-yaml_6.0-3+b2_amd64.deb ...
Unpacking python3-yaml (6.0-3+b2) ...
Setting up libyaml-0-2:amd64 (0.2.5-1) ...
Setting up python3-yaml (6.0-3+b2) ...
Processing triggers for libc-bin (2.36-9+deb12u4) ...
Reading package lists...
Building dependency tree...
Reading state information...
wget is already the newest version (1.21.3-1+b2).
ca-certificates is already the newest version (20230311).
The following additional packages will be installed:
  dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client
  gpg-wks-server gpgconf gpgsm libassuan0 libksba8 libnpth0 pinentry-curses
Suggested packages:
  pinentry-gnome3 tor parcimonie xloadimage scdaemon pinentry-doc
The following NEW packages will be installed:
  apt-transport-https dirmngr gnupg gnupg-l10n gnupg-utils gnupg2 gpg
  gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm libassuan0 libksba8
  libnpth0 pinentry-curses
0 upgraded, 16 newly installed, 0 to remove and 0 not upgraded.
Need to get 8,352 kB of archives.
After this operation, 16.5 MB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 apt-transport-https all 2.6.1 [25.2 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 libassuan0 amd64 2.5.5-5 [48.5 kB]
Get:3 http://deb.debian.org/debian bookworm/main amd64 gpgconf amd64 2.2.40-1.1 [564 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 libksba8 amd64 1.6.3-2 [128 kB]
Get:5 http://deb.debian.org/debian bookworm/main amd64 libnpth0 amd64 1.6-3 [19.0 kB]
Get:6 http://deb.debian.org/debian bookworm/main amd64 dirmngr amd64 2.2.40-1.1 [792 kB]
Get:7 http://deb.debian.org/debian bookworm/main amd64 gnupg-l10n all 2.2.40-1.1 [1,093 kB]
Get:8 http://deb.debian.org/debian bookworm/main amd64 gnupg-utils amd64 2.2.40-1.1 [927 kB]
Get:9 http://deb.debian.org/debian bookworm/main amd64 gpg amd64 2.2.40-1.1 [949 kB]
Get:10 http://deb.debian.org/debian bookworm/main amd64 pinentry-curses amd64 1.2.1-1 [77.4 kB]
Get:11 http://deb.debian.org/debian bookworm/main amd64 gpg-agent amd64 2.2.40-1.1 [695 kB]
Get:12 http://deb.debian.org/debian bookworm/main amd64 gpg-wks-client amd64 2.2.40-1.1 [541 kB]
Get:13 http://deb.debian.org/debian bookworm/main amd64 gpg-wks-server amd64 2.2.40-1.1 [531 kB]
Get:14 http://deb.debian.org/debian bookworm/main amd64 gpgsm amd64 2.2.40-1.1 [671 kB]
Get:15 http://deb.debian.org/debian bookworm/main amd64 gnupg all 2.2.40-1.1 [846 kB]
Get:16 http://deb.debian.org/debian bookworm/main amd64 gnupg2 all 2.2.40-1.1 [445 kB]
Fetched 8,352 kB in 0s (25.5 MB/s)
                                  Selecting previously unselected package apt-transport-https.
(Reading database ... 33385 files and directories currently installed.)
Preparing to unpack .../00-apt-transport-https_2.6.1_all.deb ...
Unpacking apt-transport-https (2.6.1) ...
Selecting previously unselected package libassuan0:amd64.
Preparing to unpack .../01-libassuan0_2.5.5-5_amd64.deb ...
Unpacking libassuan0:amd64 (2.5.5-5) ...
Selecting previously unselected package gpgconf.
Preparing to unpack .../02-gpgconf_2.2.40-1.1_amd64.deb ...
Unpacking gpgconf (2.2.40-1.1) ...
Selecting previously unselected package libksba8:amd64.
Preparing to unpack .../03-libksba8_1.6.3-2_amd64.deb ...
Unpacking libksba8:amd64 (1.6.3-2) ...
Selecting previously unselected package libnpth0:amd64.
Preparing to unpack .../04-libnpth0_1.6-3_amd64.deb ...
Unpacking libnpth0:amd64 (1.6-3) ...
Selecting previously unselected package dirmngr.
Preparing to unpack .../05-dirmngr_2.2.40-1.1_amd64.deb ...
Unpacking dirmngr (2.2.40-1.1) ...
Selecting previously unselected package gnupg-l10n.
Preparing to unpack .../06-gnupg-l10n_2.2.40-1.1_all.deb ...
Unpacking gnupg-l10n (2.2.40-1.1) ...
Selecting previously unselected package gnupg-utils.
Preparing to unpack .../07-gnupg-utils_2.2.40-1.1_amd64.deb ...
Unpacking gnupg-utils (2.2.40-1.1) ...
Selecting previously unselected package gpg.
Preparing to unpack .../08-gpg_2.2.40-1.1_amd64.deb ...
Unpacking gpg (2.2.40-1.1) ...
Selecting previously unselected package pinentry-curses.
Preparing to unpack .../09-pinentry-curses_1.2.1-1_amd64.deb ...
Unpacking pinentry-curses (1.2.1-1) ...
Selecting previously unselected package gpg-agent.
Preparing to unpack .../10-gpg-agent_2.2.40-1.1_amd64.deb ...
Unpacking gpg-agent (2.2.40-1.1) ...
Selecting previously unselected package gpg-wks-client.
Preparing to unpack .../11-gpg-wks-client_2.2.40-1.1_amd64.deb ...
Unpacking gpg-wks-client (2.2.40-1.1) ...
Selecting previously unselected package gpg-wks-server.
Preparing to unpack .../12-gpg-wks-server_2.2.40-1.1_amd64.deb ...
Unpacking gpg-wks-server (2.2.40-1.1) ...
Selecting previously unselected package gpgsm.
Preparing to unpack .../13-gpgsm_2.2.40-1.1_amd64.deb ...
Unpacking gpgsm (2.2.40-1.1) ...
Selecting previously unselected package gnupg.
Preparing to unpack .../14-gnupg_2.2.40-1.1_all.deb ...
Unpacking gnupg (2.2.40-1.1) ...
Selecting previously unselected package gnupg2.
Preparing to unpack .../15-gnupg2_2.2.40-1.1_all.deb ...
Unpacking gnupg2 (2.2.40-1.1) ...
Setting up libksba8:amd64 (1.6.3-2) ...
Setting up apt-transport-https (2.6.1) ...
Setting up libnpth0:amd64 (1.6-3) ...
Setting up libassuan0:amd64 (2.5.5-5) ...
Setting up gnupg-l10n (2.2.40-1.1) ...
Setting up gpgconf (2.2.40-1.1) ...
Setting up gpg (2.2.40-1.1) ...
Setting up gnupg-utils (2.2.40-1.1) ...
Setting up pinentry-curses (1.2.1-1) ...
Setting up gpg-agent (2.2.40-1.1) ...
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket → /usr/lib/systemd/user/gpg-agent-browser.socket.
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket → /usr/lib/systemd/user/gpg-agent-extra.socket.
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket → /usr/lib/systemd/user/gpg-agent-ssh.socket.
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent.socket → /usr/lib/systemd/user/gpg-agent.socket.
Setting up gpgsm (2.2.40-1.1) ...
Setting up dirmngr (2.2.40-1.1) ...
Created symlink /etc/systemd/user/sockets.target.wants/dirmngr.socket → /usr/lib/systemd/user/dirmngr.socket.
Setting up gpg-wks-server (2.2.40-1.1) ...
Setting up gpg-wks-client (2.2.40-1.1) ...
Setting up gnupg (2.2.40-1.1) ...
Setting up gnupg2 (2.2.40-1.1) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u4) ...
 * ERROR: https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg failed to download to /tmp/salt-gpg-AWMFO6V3.pub
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Get:4 https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye InRelease [1,588 B]
Get:5 https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye/main amd64 Packages [6,968 B]
Fetched 8,556 B in 2s (5,181 B/s)
Reading package lists...
 *  INFO: Running install_debian_onedir()
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  bsdmainutils dctrl-tools debconf-utils ncal net-tools salt-common
Suggested packages:
  calendar whois vacation mailutils debtags
The following NEW packages will be installed:
  bsdmainutils dctrl-tools debconf-utils ncal net-tools salt-common
  salt-minion
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 33.9 MB of archives.
After this operation, 157 MB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 ncal amd64 12.1.8 [19.7 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 bsdmainutils all 12.1.8 [5,952 B]
Get:3 http://deb.debian.org/debian bookworm/main amd64 dctrl-tools amd64 2.24-3+b1 [104 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 debconf-utils all 1.5.82 [56.9 kB]
Get:5 http://deb.debian.org/debian bookworm/main amd64 net-tools amd64 2.10-0.1 [243 kB]
Get:6 https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye/main amd64 salt-common amd64 3006.6 [33.4 MB]
Get:7 https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye/main amd64 salt-minion amd64 3006.6 [83.9 kB]
Fetched 33.9 MB in 3s (9,873 kB/s)
                                  Selecting previously unselected package ncal.
(Reading database ... 33649 files and directories currently installed.)
Preparing to unpack .../0-ncal_12.1.8_amd64.deb ...
Unpacking ncal (12.1.8) ...
Selecting previously unselected package bsdmainutils.
Preparing to unpack .../1-bsdmainutils_12.1.8_all.deb ...
Unpacking bsdmainutils (12.1.8) ...
Selecting previously unselected package dctrl-tools.
Preparing to unpack .../2-dctrl-tools_2.24-3+b1_amd64.deb ...
Unpacking dctrl-tools (2.24-3+b1) ...
Selecting previously unselected package debconf-utils.
Preparing to unpack .../3-debconf-utils_1.5.82_all.deb ...
Unpacking debconf-utils (1.5.82) ...
Selecting previously unselected package net-tools.
Preparing to unpack .../4-net-tools_2.10-0.1_amd64.deb ...
Unpacking net-tools (2.10-0.1) ...
Selecting previously unselected package salt-common.
Preparing to unpack .../5-salt-common_3006.6_amd64.deb ...
Adding group salt....done
Adding system user salt....done
Unpacking salt-common (3006.6) ...
Selecting previously unselected package salt-minion.
Preparing to unpack .../6-salt-minion_3006.6_amd64.deb ...
Unpacking salt-minion (3006.6) ...
Setting up net-tools (2.10-0.1) ...
Setting up ncal (12.1.8) ...
Setting up salt-common (3006.6) ...
Setting up debconf-utils (1.5.82) ...
Setting up bsdmainutils (12.1.8) ...
Setting up dctrl-tools (2.24-3+b1) ...
Setting up salt-minion (3006.6) ...
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /lib/systemd/system/salt-minion.service.
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u4) ...
 *  INFO: Running install_debian_check_services()
 *  INFO: Running install_debian_restart_daemons()
 *  INFO: Running daemons_running_onedir()
 *  INFO: Salt installed!

Versions and Systems

(salt --versions-report, bootstrap-salt.sh -v, system type and version,
cloud/VM provider as appropriate.)

@dmurphy18
Contributor

@st3fan Why are you doing this
curl https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg

when there exists
https://repo.saltproject.io/salt/py3/debian/12/amd64/latest/SALT-PROJECT-GPG-PUBKEY-2023.gpg

Note: the name SALT-PROJECT-GPG-PUBKEY-2023.gpg, and that exists for Debian 11 too.

Working on bettering the support for Debian 12 in the bootstrap script, see #1987 and #1940.

Will look at erroring out if gpg key fails to download, as I clean up the script.

Closing this since it will be addressed in the PR and issue above.

Note: the keys have changed for Salt 3006 (latest) to a SHA-256 key.
Please reopen if there is additional information you feel is needed.
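
The fail-closed behaviour requested in this issue, sketched as an added example; it is not code from bootstrap-salt.sh or from the linked PRs. The function names, the `FETCH` hook (there so the logic can be exercised offline) and the use of a pinned SHA-256 digest obtained out of band are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not bootstrap-salt.sh code): install a repository key only
# if it downloaded, looks like an OpenPGP key, and matches a pinned digest.
# FETCH is a hypothetical hook; the default uses curl -f so that an HTTP
# error such as the NoSuchKey response returns a non-zero status.
FETCH=${FETCH:-fetch_with_curl}

fetch_with_curl() {  # $1 = URL, $2 = output file
    curl -fsSL --proto '=https' -o "$2" "$1"
}

# Succeeds only if the file starts like an OpenPGP key: ASCII armor, or a
# binary public-key packet (first byte 0x99 old format, 0xc6 new format).
looks_like_pgp_key() {
    [ -s "$1" ] || return 1
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        return 0
    fi
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        99|c6) return 0 ;;
    esac
    return 1
}

# $1 = URL, $2 = destination keyring, $3 = pinned SHA-256 (hex) of the key
install_repo_key() {
    tmp=$(mktemp) || return 1
    if ! "$FETCH" "$1" "$tmp"; then
        echo "ERROR: $1 failed to download; aborting" >&2
        rm -f "$tmp"; return 1
    fi
    if ! looks_like_pgp_key "$tmp"; then
        echo "ERROR: $1 did not return an OpenPGP key; aborting" >&2
        rm -f "$tmp"; return 1
    fi
    got=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$got" != "$3" ]; then
        echo "ERROR: key digest $got does not match pinned value; aborting" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$2"
}

# Caller pattern: stop before any apt-get step if the key is not trusted.
# install_repo_key "$KEY_URL" "$KEYRING_PATH" "$PINNED_SHA256" || exit 1
```

The format check only catches error documents saved in place of a key; the pinned digest is what ties the file to a key the operator already trusts.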
