Skip to content

Fix Salt repo Signed-By conflict with upstream Salt install #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kamwoods wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix Salt repo Signed-By conflict with upstream Salt install #19

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2512e15
Fix Salt repo Signed-By conflict with upstream Salt install
kamwoods May 8, 2026
63f2fca
Convert Salt apt source to DEB822 format
kamwoods May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 44 additions & 5 deletions bitcurator-cli.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ const fileExists = async (path) => {
const saltCheckVersion = async (path, value) => {
try {
const contents = await fs.readFile(path, 'utf8')
return contents.indexOf(value) === 0
return contents.indexOf(value) !== -1
} catch (err) {
if (err.code === 'ENOENT') {
return false
Expand All @@ -208,8 +208,45 @@ const saltCheckVersion = async (path, value) => {

const setupSalt = async () => {
if (cli['--dev'] === false) {
const aptSourceList = '/etc/apt/sources.list.d/saltstack.list'
const aptDebString = `deb [signed-by=/usr/share/keyrings/salt-archive-keyring.pgp, arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main`
const aptKeyringDir = '/etc/apt/keyrings'
const aptKeyringPath = `${aptKeyringDir}/salt-archive-keyring.pgp`
// DEB822-format source file. Note the .sources extension (required for
// DEB822) rather than .list (which APT parses as one-line format).
const aptSourceList = '/etc/apt/sources.list.d/saltstack.sources'
const aptDebString = `Types: deb
URIs: https://packages.broadcom.com/artifactory/saltproject-deb/
Suites: stable
Components: main
Architectures: amd64
Signed-By: ${aptKeyringPath}
`

// Clean up any stale Salt repo source files at conflicting paths that
// would cause apt-get update to fail with "Conflicting values set for
// option Signed-By", or that would simply duplicate our repo entry.
// These can be left behind by previous installs (which used the .list
// one-line format under a different filename) or by users following
// the upstream Salt install instructions (which write salt.list or
// salt.sources). Either situation collides with our source file if
// both reference the same repo URL.
const conflictingSources = [
'/etc/apt/sources.list.d/saltstack.list',
'/etc/apt/sources.list.d/salt.list',
'/etc/apt/sources.list.d/salt.sources',
]
for (const path of conflictingSources) {
if (await fileExists(path)) {
console.log(`NOTICE: Removing conflicting Salt source file at ${path}`)
await fs.unlink(path)
}
}
// Also remove a stale keyring at the legacy location if one exists,
// so it cannot be referenced by any leftover configuration.
const legacyKeyring = '/usr/share/keyrings/salt-archive-keyring.pgp'
if (await fileExists(legacyKeyring)) {
console.log(`NOTICE: Removing legacy Salt keyring at ${legacyKeyring}`)
await fs.unlink(legacyKeyring)
}

const aptExists = await fileExists(aptSourceList)
const saltExists = await fileExists('/usr/bin/salt-call')
Expand All @@ -219,8 +256,9 @@ const setupSalt = async () => {
console.log('NOTICE: Fixing incorrect SaltStack version configuration.')
console.log('Installing and configuring SaltStack...')
await execAsync('apt-get remove -y --allow-change-held-packages salt-minion salt-common')
await mkdirp(aptKeyringDir)
await fs.writeFile(aptSourceList, aptDebString)
await execAsync(`wget -O /usr/share/keyrings/salt-archive-keyring.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public`)
await execAsync(`wget -O ${aptKeyringPath} https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public`)
await execAsync(`printf 'Package: salt-*\nPin: version ${saltstackVersion}.*\nPin-Priority: 1001' > /etc/apt/preferences.d/salt-pin-1001`)
await execAsync('apt-get update')
await execAsync('apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --allow-change-held-packages salt-common', {
Expand All @@ -231,8 +269,9 @@ const setupSalt = async () => {
})
} else if (aptExists === false || saltExists === false) {
console.log('Installing and configuring SaltStack...')
await mkdirp(aptKeyringDir)
await fs.writeFile(aptSourceList, aptDebString)
await execAsync(`wget -O /usr/share/keyrings/salt-archive-keyring.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public`)
await execAsync(`wget -O ${aptKeyringPath} https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public`)
await execAsync(`printf 'Package: salt-*\nPin: version ${saltstackVersion}.*\nPin-Priority: 1001' > /etc/apt/preferences.d/salt-pin-1001`)
await execAsync('apt-get update')
await execAsync('apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --allow-change-held-packages salt-common', {
Expand Down
Loading