[BUG][3006.0] Missing salt-archive-keyring.gpg on repo.saltproject.io

[bensteinberg]

Description

I can't use salt-cloud to spin up a new Debian bullseye EC2 instance; install_debian_onedir_deps() fails because https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg is not present.

Setup

The salt master is an EC2 instance; it and its minions use onedir packaging. The cloud profile in question uses the current Debian AMI for bullseye on amd64 in us-east-1, ami-0fec2c2e2017f4e7b.

Steps to Reproduce the behavior

When I run

sudo salt-cloud -l debug --out=json -p my_ec2_profile my-new-minion

the bootstrap process fails with

[DEBUG   ]  * ERROR: https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/salt-archive-keyring.gpg failed to download to /tmp/salt-gpg-4VCcseAA.pub
 * ERROR: Failed to run install_debian_onedir_deps()!!!

Expected behavior

Until a week or so ago, the previous command would result in a new minion, my-new-minion, running Debian bullseye.

Versions Report

salt --versions-report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
          Salt: 3005.1

Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: 4.0.9
     gitpython: 3.1.27
        Jinja2: 3.1.0
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: Not Installed
        Python: 3.9.16 (main, Jan  6 2023, 22:49:58)
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
         smmap: 5.0.0
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: debian 11 bullseye
        locale: utf-8
       machine: x86_64
       release: 5.10.0-21-amd64
        system: Linux
       version: Debian GNU/Linux 11 bullseye

Additional context

I see that https://repo.saltproject.io/salt/py3/debian/11/amd64/3005/salt-archive-keyring.gpg is present (3005 instead of latest), but I haven't figured out how to tell the bootstrap script to use that keyring URL.

[bensteinberg]

I see that the files in https://repo.saltproject.io/salt/py3/debian/11/amd64/latest/ are timestamped 2023-04-18 22:57:50+00:00, so perhaps the salt-archive-keyring.gpg file or symlink was removed then.

[bensteinberg]

After running sudo salt-cloud -u just now to upgrade the bootstrap script to version 2023.04.06, I can successfully spin up a new minion. I note from my command line history that I last attempted to upgrade the bootstrap script on April 21, and did not get a new, working version. I also note that there are probably lots of people who do not routinely upgrade the bootstrap script, so it might make sense to restore salt-archive-keyring.gpg.

[garethgreenaway]

Since updating the bootstrap script version that salt-cloud was using resolved the issue, we'll close this one out. Thanks!

[bensteinberg]

Although the new bootstrap script solved the immediate problem -- not being able to spin up a new minion -- I almost immediately ran into #64111 -- so I can't use 3006 at the moment, will have to downgrade the minions I already upgraded, and can't spin up new 3005.1 minions. That is, I'm not sure this ticket should be closed.

[arnoldasb]

For some reason we had 0750 permissions on /etc/apt/keyrings folder, it took us hours of searching for solutions.

Following apt update error:

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64CBBC8173D76B3F

So make sure you check permissions:

chmod 755 /etc/apt/keyrings
chmod 644 /etc/apt/keyrings/salt-archive-keyring-2023.gpg