Installing CLI without apt-key #1741

Open
yarcod opened this issue Oct 26, 2022 · 5 comments
Labels
question Further information is requested


yarcod commented Oct 26, 2022

Currently the installation instructions on the download page include:

wget -qO - https://releases.jfrog.io/artifactory/jfrog-gpg-public/jfrog_public_gpg.key | sudo apt-key add - [...]

But given that apt-key is being deprecated, with 22.04 being the last supported version, this needs to be updated. This process can normally be done manually by downloading the key to /usr/share/keyrings [1] and adding a signed-by reference to the public key. However, doing that I end up with:

"Failed to update apt cache: GPG error: https://releases.jfrog.io/artifactory/jfrog-debs xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B219DCCD7639232. The repository 'https://releases.jfrog.io/artifactory/jfrog-debs xenial InRelease' is not signed."

when the repo list has a signed-by part. This is solved by removing the signed-by part, but sometimes (I can't seem to reproduce when) this results in another error where apt reports something like "Updates with this method cannot be made securely" and aborts the whole update process.

Even when adding the public key via gpg --keyserver keyserver.ubuntu.com --recv-key 6B219DCCD7639232 it still gives the above error message. I'm guessing this is due to the repository actually not being signed, and that it does not make a difference whether the public key is fetched. My question is, do you have a suggested way to do this securely, without apt-key?

Footnotes

  1. curl -sS https://releases.jfrog.io/artifactory/jfrog-gpg-public/jfrog_public_gpg.key | sudo tee /usr/share/keyrings/jfrog.asc && echo "deb [signed-by=/usr/share/keyrings/jfrog.asc] https://releases.jfrog.io/artifactory/jfrog-debs xenial contrib" | sudo tee /etc/apt/sources.list.d/jfrog.list

yarcod added the "question" label Oct 26, 2022
@klaegera

I just ran into this. For me, the issue was that https://releases.jfrog.io/artifactory/jfrog-gpg-public/jfrog_public_gpg.key uses CRLF line endings. Using:

wget -qO - https://releases.jfrog.io/artifactory/jfrog-gpg-public/jfrog_public_gpg.key | tr -d '\015' | ...

makes everything work as expected.

Author

yarcod commented May 5, 2023

Thanks a lot for your response @klaegera! That does indeed seem to be the issue, and removing all \r from the file made it work perfectly for me. Awesome!

Still, while this is a good workaround, the issue remains.

Contributor

eyalbe4 commented May 5, 2023

The scripts used to create the debian and rpm installers of jfrog-cli are managed here, in case someone would like to attempt improving them through a pull request.


kenyon commented Nov 27, 2023

@eyalbe4 this is a problem with https://releases.jfrog.io/artifactory/jfrog-gpg-public/jfrog_public_gpg.key. dos2unix needs to be run on that file. This is not something that can be fixed in https://github.com/jfrog/jfrog-cli/tree/dev/build/deb_rpm/v2-jf because the public key is not managed there.

This is a problem for anyone running Ubuntu 22.04 or later, since they will be fetching and storing https://releases.jfrog.io/artifactory/jfrog-gpg-public/jfrog_public_gpg.key on the filesystem, as this is now the correct way to install gpg keys for APT. So the downloaded key is used directly rather than processing it by gpg first. It's very non-obvious that the problem is that the key is in the wrong format.
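Added example, not part of the thread or of JFrog's instructions: a shell helper that extends the `tr -d '\015'` workaround by detecting CR bytes, checking the armor framing and only then installing the key file that signed-by will point at. The function names and the constructed sample input are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: prepare an ASCII-armored key for use with signed-by.
# Function names are hypothetical; the sample input is constructed.

# has_cr FILE: succeed if FILE contains any carriage-return byte.
has_cr() {
    [ "$(tr -cd '\r' < "$1" | wc -c)" -gt 0 ]
}

# normalize_key SRC DEST: strip CRs, check the armor framing, then install
# DEST with mode 0644 so apt's unprivileged user can read it.
normalize_key() {
    src=$1 dest=$2
    tmp=$(mktemp) || return 1
    tr -d '\r' < "$src" > "$tmp"
    first=$(grep -v '^$' "$tmp" | head -n 1)
    last=$(grep -v '^$' "$tmp" | tail -n 1)
    if [ "$first" != "-----BEGIN PGP PUBLIC KEY BLOCK-----" ] ||
       [ "$last" != "-----END PGP PUBLIC KEY BLOCK-----" ]; then
        echo "not an ASCII-armored public key: $src" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$dest" && rm -f "$tmp"
}

# sources_line KEYFILE: the repository entry from the issue, pinned to KEYFILE.
sources_line() {
    echo "deb [signed-by=$1] https://releases.jfrog.io/artifactory/jfrog-debs xenial contrib"
}

# make_sample FILE: constructed input with CRLF endings. The body is a
# placeholder, not a real key; it only exercises the line-ending handling.
make_sample() {
    printf '%s\r\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
        'Y29uc3RydWN0ZWQgc2FtcGxl' '=AAAA' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$1"
}
```

On a real host, run normalize_key as root on the downloaded key with /usr/share/keyrings/jfrog.asc as the destination, then write the output of sources_line to /etc/apt/sources.list.d/jfrog.list.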


kenyon commented Nov 29, 2023

This fixes the problem in APT: https://salsa.debian.org/apt-team/apt/-/merge_requests/309
