Apt signature verification fails on Debian Trixie #2069

Open
satwell opened this issue Dec 7, 2024 · 1 comment

satwell commented Dec 7, 2024

Description of Issue/Question

Salt bootstrap fails on Debian Trixie. (Trixie is not yet released, but is expected to be released as Debian 13 some time in 2025.)

The issue is that bootstrap sets Signed-By: /etc/apt/keyrings/salt-archive-keyring.pgp in /etc/apt/sources.list.d/salt.sources. That .pgp file is ASCII-armored, but the latest version of apt used in Trixie only supports dearmoring keys if they're in .asc files. It assumes any other filenames contain binary keys. You can see the current apt key handling logic here.

Setup

No special configs, just trying to install stable salt on a fresh Debian Trixie install.

Steps to Reproduce Issue

Install log from an install attempt on trixie:

root@trixie:/tmp# ./bootstrap-salt.sh -D stable
 *  INFO: Running version: 2024.11.29
 *  INFO: Executed by: /bin/sh
 *  INFO: Command line: './bootstrap-salt.sh -D stable'

 *  INFO: System Information:
 *  INFO:   CPU:          GenuineIntel
 *  INFO:   CPU Arch:     x86_64
 *  INFO:   OS Name:      Linux
 *  INFO:   OS Version:   6.1.0-28-amd64
 *  INFO:   Distribution: Debian 13.0

 * DEBUG: Binaries will be searched using the following $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 *  INFO: Installing minion
 * DEBUG: install_debian_13_onedir_deps not found....
 * DEBUG: install_debian_13_0_onedir_deps not found....
 * DEBUG: install_debian_13_deps not found....
 * DEBUG: install_debian_13_0_deps not found....
 *  INFO: Found function install_debian_onedir_deps
 * DEBUG: DEPS_INSTALL_FUNC=install_debian_onedir_deps
 * DEBUG: config_debian_13_onedir_salt not found....
 * DEBUG: config_debian_13_0_onedir_salt not found....
 * DEBUG: config_debian_13_salt not found....
 * DEBUG: config_debian_13_0_salt not found....
 * DEBUG: config_debian_onedir_salt not found....
 * DEBUG: config_debian_salt not found....
 *  INFO: Found function config_salt
 * DEBUG: CONFIG_SALT_FUNC=config_salt
 * DEBUG: preseed_debian_13_onedir_master not found....
 * DEBUG: preseed_debian_13_0_onedir_master not found....
 * DEBUG: preseed_debian_13_master not found....
 * DEBUG: preseed_debian_13_0_master not found....
 * DEBUG: preseed_debian_onedir_master not found....
 * DEBUG: preseed_debian_master not found....
 *  INFO: Found function preseed_master
 * DEBUG: PRESEED_MASTER_FUNC=preseed_master
 * DEBUG: INSTALL_FUNC_NAMES=install_debian_13_onedir install_debian_13_0_onedir install_debian_onedir
 * DEBUG: install_debian_13_onedir not found....
 * DEBUG: install_debian_13_0_onedir not found....
 *  INFO: Found function install_debian_onedir
 * DEBUG: INSTALL_FUNC=install_debian_onedir
 * DEBUG: install_debian_13_onedir_post not found....
 * DEBUG: install_debian_13_0_onedir_post not found....
 * DEBUG: install_debian_13_post not found....
 * DEBUG: install_debian_13_0_post not found....
 * DEBUG: install_debian_onedir_post not found....
 * DEBUG: install_debian_post not found....
 * DEBUG: POST_INSTALL_FUNC=null
 * DEBUG: install_debian_13_onedir_restart_daemons not found....
 * DEBUG: install_debian_13_0_onedir_restart_daemons not found....
 * DEBUG: install_debian_13_restart_daemons not found....
 * DEBUG: install_debian_13_0_restart_daemons not found....
 * DEBUG: install_debian_onedir_restart_daemons not found....
 *  INFO: Found function install_debian_restart_daemons
 * DEBUG: STARTDAEMONS_INSTALL_FUNC=install_debian_restart_daemons
 * DEBUG: daemons_running_debian_13_onedir not found....
 * DEBUG: daemons_running_debian_13_0_onedir not found....
 * DEBUG: daemons_running_debian_13 not found....
 * DEBUG: daemons_running_debian_13_0 not found....
 * DEBUG: daemons_running_debian_onedir not found....
 * DEBUG: daemons_running_debian not found....
 *  INFO: Found function daemons_running_onedir
 * DEBUG: DAEMONS_RUNNING_FUNC=daemons_running_onedir
 * DEBUG: install_debian_13_onedir_check_services not found....
 * DEBUG: install_debian_13_0_onedir_check_services not found....
 * DEBUG: install_debian_13_check_services not found....
 * DEBUG: install_debian_13_0_check_services not found....
 * DEBUG: install_debian_onedir_check_services not found....
 *  INFO: Found function install_debian_check_services
 * DEBUG: CHECK_SERVICES_FUNC=install_debian_check_services
 *  INFO: Running install_debian_onedir_deps()
 * DEBUG: install_debian_onedir_git_deps() entry
Hit:1 http://deb.debian.org/debian trixie InRelease
Hit:2 http://deb.debian.org/debian trixie-updates InRelease
Hit:3 http://deb.debian.org/debian-security trixie-security InRelease
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
procps is already the newest version (2:4.0.4-6).
pciutils is already the newest version (1:3.13.0-1+b1).
python3-yaml is already the newest version (6.0.2-1+b1).
sudo is already the newest version (1.9.16p1-1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
 * DEBUG: __install_saltstack_debian_onedir_repository() entry
Reading package lists...
Building dependency tree...
Reading state information...
wget is already the newest version (1.24.5-2+b1).
gnupg2 is already the newest version (2.2.45-2).
apt-transport-https is already the newest version (2.9.16).
ca-certificates is already the newest version (20240203).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Hit:1 http://deb.debian.org/debian trixie InRelease
Hit:2 http://deb.debian.org/debian trixie-updates InRelease
Hit:3 http://deb.debian.org/debian-security trixie-security InRelease
Get:4 https://packages.broadcom.com/artifactory/saltproject-deb stable InRelease [3,427 B]
Err:4 https://packages.broadcom.com/artifactory/saltproject-deb stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F
Reading package lists...
 * ERROR: Failed to run install_debian_onedir_deps()!!!
 * DEBUG: Removing the logging pipe /tmp/bootstrap-salt.logpipe
 * DEBUG: Removing the temporary apt error file /tmp/apt_error.sCCSPv

Versions and Systems

root@trixie:/tmp# apt policy apt
apt:
  Installed: 2.9.16
  Candidate: 2.9.16
  Version table:
 *** 2.9.16 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        100 /var/lib/dpkg/status
root@trixie:/tmp# ./bootstrap-salt.sh -v
./bootstrap-salt.sh -- Version 2024.11.29

@dmurphy18 (Contributor)

@satwell In future, please show more information, like the version of bootstrap-salt.sh script you are using.

The current script is making use of the key provided for Salt, see https://docs.saltproject.io/salt/install-guide/en/latest/topics/install-by-operating-system/linux-deb.html, and

# Download public key
curl -fsSL https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public | sudo tee /etc/apt/keyrings/salt-archive-keyring.pgp

So got to change Salt to support Trixie first before can update the bootstrap script.
However, the good news is that with the current updating of pipelines (since had to drop the old pipelines using AWS), and the move to building using containers, etc. on GitHub, have a Debian 13 container in development, see https://github.com/saltstack/salt-ci-containers/pkgs/container/salt-ci-containers%2Ftesting/307184890?tag=debian-13
So Salt will be addressing this issue, and will adjust bootstrap script once that handling of the asc public key is done.

@dmurphy18 dmurphy18 self-assigned this Dec 13, 2024
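
A check for the mismatch reported above, as an added example that is not part of the original issue or of bootstrap-salt.sh: it compares each keyring named in a `Signed-By:` field against the encoding its file name implies. The function names (`key_encoding`, `check_keyring`, `signed_by_paths`, `audit_sources`) are hypothetical, and the rule that only `.asc` files are treated as ASCII-armored is taken from the report, not verified against apt's source here.

```shell
# Added example (constructed): audit apt Signed-By keyrings. Assumed rule, from
# the report: *.asc is read as ASCII-armored, any other file name as binary.

# key_encoding FILE -> prints "armored" or "binary", judged by content.
key_encoding() {
    if head -c 256 "$1" | LC_ALL=C grep -aq -e '-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
    else
        echo binary
    fi
}

# check_keyring FILE -> status 1 if content and file name disagree.
check_keyring() {
    [ -r "$1" ] || { echo "MISSING: $1"; return 1; }
    enc=$(key_encoding "$1")
    case "$1" in
        *.asc) expected=armored ;;
        *)     expected=binary ;;
    esac
    if [ "$enc" = "$expected" ]; then
        echo "OK: $1 ($enc)"
    else
        echo "MISMATCH: $1 is $enc, but its name implies $expected"
        return 1
    fi
}

# signed_by_paths DIR -> absolute key paths named in DIR/*.sources. Only the
# "Signed-By: /path" form (one path, no spaces) is handled; others are skipped.
signed_by_paths() {
    for f in "$1"/*.sources; do
        [ -f "$f" ] || continue
        sed -n 's|^Signed-By:[[:space:]]*\(/[^[:space:]]*\).*|\1|p' "$f"
    done
}

# audit_sources DIR -> status 1 if any referenced keyring is mismatched.
audit_sources() {
    rc=0
    for k in $(signed_by_paths "$1"); do
        check_keyring "$k" || rc=1
    done
    return "$rc"
}

# Run only when a directory is given, e.g. /etc/apt/sources.list.d
if [ "$#" -gt 0 ]; then audit_sources "$1"; fi
```

Under the behaviour described in the issue, a reported mismatch is resolved either by storing the armored key under an `.asc` name or by converting it to binary with `gpg --dearmor`, with `Signed-By:` pointing at the resulting file.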