Open
Description
Hey,
I'm using this role in conjunction with https://github.com/dev-sec/ansible-collection-hardening/tree/master/roles/os_hardening.
os_hardening sets up a restrictive umask of 027, compared to the usual 022, meaning that others
won't have read access.
The result is that /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg
will not be readable by others, preventing apt update
from working and downloading the package:
root@vps-0a440900:~# apt update
Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:2 https://download.docker.com/linux/ubuntu noble InRelease
Hit:3 http://nova.clouds.archive.ubuntu.com/ubuntu noble InRelease
Hit:5 http://nova.clouds.archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:6 http://nova.clouds.archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:4 https://packages.gitlab.com/runner/gitlab-runner/ubuntu noble InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@vps-0a440900:~# chmod o-r /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg
root@vps-0a440900:~# apt update
Hit:1 https://download.docker.com/linux/ubuntu noble InRelease
Hit:2 http://nova.clouds.archive.ubuntu.com/ubuntu noble InRelease
Hit:4 http://nova.clouds.archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:5 http://nova.clouds.archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:6 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:3 https://packages.gitlab.com/runner/gitlab-runner/ubuntu noble InRelease
Err:3 https://packages.gitlab.com/runner/gitlab-runner/ubuntu noble InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/runner/gitlab-runner/ubuntu noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F
W: Failed to fetch https://packages.gitlab.com/runner/gitlab-runner/ubuntu/dists/noble/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F
W: Some index files failed to download. They have been ignored, or old ones used instead.
root@vps-0a440900:~# chmod o+r /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg
root@vps-0a440900:~# apt update
Hit:1 http://nova.clouds.archive.ubuntu.com/ubuntu noble InRelease
Hit:2 https://download.docker.com/linux/ubuntu noble InRelease
Hit:3 http://nova.clouds.archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:4 http://nova.clouds.archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:5 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:6 https://packages.gitlab.com/runner/gitlab-runner/ubuntu noble InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@vps-0a440900:~#
The script may be run with a custom umask or a file resource should be used to ensure others
can read the GPG key.
Thanks for the work on this role, it's very helpful!
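The failure mode above comes down to the mode bits on the keyring file: apt fetches and verifies indexes as the unprivileged `_apt` user, so a keyring created under umask 027 (giving 0640) cannot be read and the signature check fails with NO_PUBKEY. The following shell script is an added example, not code from this role or from os_hardening, reproducing the 0640 result in a temporary directory and showing the two remedies the report suggests: running the write under an explicit umask, and writing with an explicit mode (which is what an Ansible file task with `mode: "0644"` amounts to). It also includes a small audit function that lists keyrings lacking the others-read bit. It assumes GNU coreutils (`stat -c`, `install`) and GNU/POSIX `find`; all file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: demonstrate how a restrictive umask produces an apt keyring
# that is unreadable by others, and two ways to guarantee a 0644 mode.
# Assumes GNU coreutils/find; paths and contents below are constructed.
set -eu

# Octal permission bits of a file, e.g. "640" (GNU stat syntax).
mode_of() {
    stat -c '%a' "$1"
}

# Reproduce the problem: a plain redirect under umask 027 yields 0666 & ~027 = 0640,
# so the others-read bit is missing and apt's _apt user cannot open the keyring.
write_keyring_naive() {
    dir=$1
    ( umask 027; printf 'constructed-keyring-bytes\n' > "$dir/naive.gpg" )
    mode_of "$dir/naive.gpg"
}

# Remedy 1: run the write in a subshell with an explicit, permissive umask.
# The subshell keeps the caller's umask untouched.
write_keyring_with_umask() {
    dir=$1
    ( umask 022; printf 'constructed-keyring-bytes\n' > "$dir/umask.gpg" )
    mode_of "$dir/umask.gpg"
}

# Remedy 2: copy into place with install(1) and an explicit mode. install sets
# the mode itself, so the result is 0644 even under umask 027. This is the
# shell equivalent of a configuration-management file resource with mode 0644.
write_keyring_with_install() {
    dir=$1
    tmp=$(mktemp)
    printf 'constructed-keyring-bytes\n' > "$tmp"
    ( umask 027; install -m 0644 "$tmp" "$dir/install.gpg" )
    rm -f "$tmp"
    mode_of "$dir/install.gpg"
}

# Audit: print every keyring in a directory that lacks the others-read bit.
# Empty output means every keyring is world-readable, as apt requires.
find_unreadable_keyrings() {
    dir=$1
    find "$dir" -maxdepth 1 -type f \( -name '*.gpg' -o -name '*.asc' \) ! -perm -o=r
}

# Stand-alone demo: ./keyring-umask.sh demo
demo() {
    dir=$(mktemp -d)
    echo "naive redirect under umask 027: $(write_keyring_naive "$dir")"
    echo "redirect under umask 022:       $(write_keyring_with_umask "$dir")"
    echo "install -m 0644 under umask 027: $(write_keyring_with_install "$dir")"
    echo "keyrings unreadable by others:"
    find_unreadable_keyrings "$dir"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On a real host the audit call would be `find_unreadable_keyrings /usr/share/keyrings` (and `/etc/apt/keyrings` if used); any path it prints is a repository whose signature verification will fail for `_apt` exactly as in the session above.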