
install: set umask to 022 before writing the GPG key to avoid permission issues #10426


Closed
wants to merge 1 commit into from

Conversation


@fukawi2 fukawi2 commented Jun 3, 2025

On hosts with a "non-standard" umask (for security), the key file can be created with unexpected permissions which on some distributions (Ubuntu 24.04 confirmed) causes errors suggesting that NO_PUBKEY is available. Refer to #10161

Fixes #10161


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • [N/A] Example configuration file for the change
  • Debug log output from testing the change
  • [N/A] Attached Valgrind output that shows no leaks or memory corruption was found

Set umask to 077 and create a test file to demonstrate resulting permissions (rw-------):

$ umask 077
$ touch test
$ ll test
-rw------- 1 phs phs 0 Jun  3 14:09 test
$ rm test

Run the old command, demonstrate same permissions are set:

$ curl $RELEASE_KEY | gpg --dearmor > key-with-umask077.gpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3175  100  3175    0     0   4161      0 --:--:-- --:--:-- --:--:--  4161
$ ll
total 4.0K
drwxr-xr-x  2 phs  phs    80 Jun  3 14:09 .
drwxrwxrwt 14 root root  320 Jun  3 14:08 ..
-rw-------  1 phs  phs  2.3K Jun  3 14:09 key-with-umask077.gpg

Wrapped in the subshell + umask gives expected permissions which avoid the apt error on 24.04:

$ (umask 022 ; curl $RELEASE_KEY | gpg --dearmor > key-with-umask022.gpg)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3175  100  3175    0     0  10748      0 --:--:-- --:--:-- --:--:-- 10762
$ ll
total 8.0K
drwxr-xr-x  2 phs  phs    80 Jun  3 14:09 .
drwxrwxrwt 14 root root  320 Jun  3 14:08 ..
-rw-r--r--  1 phs  phs  2.3K Jun  3 14:09 key-with-umask022.gpg
-rw-------  1 phs  phs  2.3K Jun  3 14:09 key-with-umask077.gpg

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • [N/A] Run local packaging test showing all targets (including any new ones) build.
  • [N/A] Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • [N/A] Documentation required for this feature

Backporting

  • [N/A] Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
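The two write patterns from the test log above, as an added example that is not the PR's own code or Fluent Bit's install script: it reproduces both resulting modes with a constructed placeholder in place of `curl | gpg --dearmor` (so no network or gpg is needed) and adds a small audit helper that lists keyring files in a directory that are not world-readable. The helper names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or from Fluent Bit's install script.
# The key body is a constructed placeholder so this runs without curl or gpg.

# Print the 10-character mode string of FILE, e.g. -rw-r--r--
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only when FILE is readable by "other": the eighth character of the
# mode string is 'r'. A keyring that fails this is the mode-600 case from
# the PR description.
apt_key_world_readable() {
    case "$(file_mode "$1")" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Under a hardened umask of 077, write the same placeholder key into DIR
# twice: once the way the old install script did, once wrapped in a
# subshell with umask 022 as the PR proposes. The outer subshell keeps the
# caller's own umask untouched.
write_keys_under_umask_077() {
    dir=$1
    (
        umask 077
        printf 'constructed placeholder, not a real keyring\n' \
            > "$dir/key-umask077.gpg"
        (umask 022; printf 'constructed placeholder, not a real keyring\n' \
            > "$dir/key-umask022.gpg")
    )
}

# Audit helper (assumed name) for an existing host: print every keyring in
# DIR that is not world-readable. Usage: find_unreadable_keyrings /etc/apt/keyrings
find_unreadable_keyrings() {
    for f in "$1"/*.gpg "$1"/*.asc; do
        [ -f "$f" ] || continue
        apt_key_world_readable "$f" || printf '%s %s\n' "$(file_mode "$f")" "$f"
    done
}

# Stand-alone demo: show both modes side by side, then clean up.
demo_dir=$(mktemp -d)
write_keys_under_umask_077 "$demo_dir"
file_mode "$demo_dir/key-umask077.gpg"   # -rw-------
file_mode "$demo_dir/key-umask022.gpg"   # -rw-r--r--
rm -rf "$demo_dir"
```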

On hosts with a "non-standard" umask (for security), the key file can be created with unexpected permissions which on
some distributions (Ubuntu 24.04 confirmed) causes errors suggesting that NO_PUBKEY is available.
Refer to fluent#10161
@patrick-stephens (Contributor) commented

Changes look ok to me but you'll have to satisfy the DCO check and also ensure the commit follows the contribution guidelines.

I don't think this will impact existing systems that do not require the umask but can we just do a quick test and document it here?

@patrick-stephens patrick-stephens changed the title Set umask to 022 before writing the GPG key to avoid permission issues install: set umask to 022 before writing the GPG key to avoid permission issues Jun 4, 2025
@patrick-stephens (Contributor) commented

@fukawi2 can you also provide a docs PR for those folks who will be doing this manually rather than via the install script?

@fukawi2 fukawi2 (Author) commented Jun 6, 2025

Acknowledging your comments - will action ASAP 👍

@fukawi2 fukawi2 closed this Aug 1, 2025
@fukawi2 fukawi2 (Author) commented Aug 1, 2025

Yeah, I obviously don't have the capacity to follow up here sorry.

Successfully merging this pull request may close these issues.

Unable to run apt update. Get error NO_PUBKEY 9F9DDC083888C1CD