Description
The documentation of the <repository><source><signing> element is a bit vague when it comes to locations of signing keys:
https://osinside.github.io/kiwi/image_description/elements.html#repository-source
Looking at the config XML validation of this element: https://github.com/OSInside/kiwi/blob/main/kiwi/xml_parse.py#L3001
It appears as if you can specify both local (file:) and remote (https etc.) schemes for the signing key URL.
But if you try this for apt, then the URL seems to get passed verbatim to gpg here: https://github.com/OSInside/kiwi/blob/main/kiwi/repository/apt.py#L228
which results in an invocation like:
gpg --no-options --no-default-keyring --no-auto-check-trustdb --trust-model always --keyring /var/cache/kiwi/apt-get/trusted-keybox.gpg --import --ignore-time-conflict http://localhost:8080/mykeyring.pgp
gpg seems to be unable to deal with the http scheme:
70047 openat(AT_FDCWD, "http://localhost:8080/mykeyring.pgp", O_RDONLY) = -1 ENOENT (No such file or directory)
70047 write(2, "gpg: can't open 'http://localhos"..., 93) = 93
It is somewhat questionable if supporting the download of signing keys via remote schemes is a good idea. I was using HTTP for testing, and would like to use HTTPS to solve key rotation (always download the current signing key).
The workaround is of course to download the key in a wrapper script (or hook, if such a thing is available).
I'm not sure if this functionality is supposed to work and there's a lack of implementation in the apt repo type, or if the XML validation / documentation should state some restrictions.
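One way to implement the wrapper-script workaround mentioned above, as an added example that is not kiwi's own code: resolve the `<signing>` URL to a local file before building the gpg invocation, so gpg only ever receives a path. `file:` URLs and plain paths are used directly, `https` keys are downloaded to a temporary file, and cleartext `http` is refused unless explicitly allowed. The gpg arguments mirror the invocation quoted in the issue; the `fetch` parameter, the `allow_insecure_http` flag and the sample key bytes are assumptions made for this example, and the `https://keys.example.invalid/...` URL is constructed so the demo runs offline.

```python
"""Resolve a repository signing-key URL to a local file before calling gpg.

Added example, not kiwi's code. gpg --import only reads local paths, so a
remote key must be fetched first; this helper does that step explicitly.
"""
import os
import tempfile
import urllib.request
from urllib.parse import unquote, urlparse

# Base arguments taken from the gpg invocation quoted in the issue.
GPG_BASE_ARGS = [
    "gpg", "--no-options", "--no-default-keyring", "--no-auto-check-trustdb",
    "--trust-model", "always",
]

# Constructed placeholder; a real armoured key would go here.
SAMPLE_KEY = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
              b"constructed-placeholder-key-material\n"
              b"-----END PGP PUBLIC KEY BLOCK-----\n")


def fetch_https(url: str) -> bytes:
    """Default fetcher: a plain GET; urllib verifies the TLS certificate."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def resolve_signing_key(key_url: str, fetch=fetch_https,
                        allow_insecure_http: bool = False) -> str:
    """Return a local file path for key_url, downloading remote keys first."""
    parsed = urlparse(key_url)
    scheme = parsed.scheme.lower()
    if scheme in ("", "file"):
        # Plain path or file: URL: use as-is, but insist the file exists now
        # rather than letting gpg fail later with a confusing message.
        path = unquote(parsed.path) if scheme == "file" else key_url
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
        return os.path.abspath(path)
    if scheme == "https" or (scheme == "http" and allow_insecure_http):
        # Cleartext http gives no integrity for a trust anchor, hence opt-in only.
        data = fetch(key_url)
        if not data:
            raise ValueError(f"empty key downloaded from {key_url}")
        fd, tmp = tempfile.mkstemp(prefix="signing-key-", suffix=".pgp")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return tmp  # caller is responsible for removing it after the import
    raise ValueError(f"unsupported signing key URL scheme: {scheme!r}")


def gpg_import_command(keyring: str, key_path: str) -> list:
    """Build the argv gpg would be called with, always on a local key path."""
    return GPG_BASE_ARGS + ["--keyring", keyring, "--import",
                            "--ignore-time-conflict", key_path]


def demo() -> dict:
    """Exercise plain path, file: URL, https (stubbed fetch) and rejected http."""
    workdir = tempfile.mkdtemp(prefix="kiwi-key-demo-")
    local = os.path.join(workdir, "local.pgp")
    with open(local, "wb") as fh:
        fh.write(SAMPLE_KEY)

    def stub_fetch(url: str) -> bytes:
        # Stands in for fetch_https so the demo never touches the network.
        assert url == "https://keys.example.invalid/mykeyring.pgp"
        return SAMPLE_KEY

    results = {}
    results["plain"] = resolve_signing_key(local)
    results["file_url"] = resolve_signing_key("file://" + local)
    results["https"] = resolve_signing_key(
        "https://keys.example.invalid/mykeyring.pgp", fetch=stub_fetch)
    with open(results["https"], "rb") as fh:
        results["https_bytes"] = fh.read()
    try:
        resolve_signing_key("http://localhost:8080/mykeyring.pgp")
        results["http_rejected"] = False
    except ValueError:
        results["http_rejected"] = True
    results["https_cmd"] = gpg_import_command(
        "/var/cache/kiwi/apt-get/trusted-keybox.gpg", results["https"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Wired into a build as a pre-step, the resolved path is what gets substituted into the `<signing>` element (or passed to the gpg call), which sidesteps the ENOENT shown in the strace output while keeping key rotation possible through the https fetch.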