pr.yaml: add [trusted=yes] to focal-security apt source#336
Merged
Conversation
The 'Install OpenSSL 1.1 for .NET 5.0' step was failing on newer
GitHub-hosted Ubuntu runners with:
E: Package 'libssl1.1' has no installation candidate
Root cause: the focal Ubuntu archive signing key is not always
present on newer runner images. apt silently Ign's the source
('Ign:55 ... focal-security InRelease') and apt-get update succeeds
without it, so libssl1.1 isn't in the package index when install
runs.
Adding [trusted=yes] to the apt source line skips signature
verification, letting the source be used regardless of key
availability.
Validated in IComparable-Extensions#69 before promoting here.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the PR workflow to make the “Install OpenSSL 1.1 for .NET 5.0” step succeed on newer GitHub-hosted Ubuntu runners by altering how the focal-security APT source is added.
Changes:
- Adds
[trusted=yes]to thefocal-securityAPT source line to avoid failures caused by missing/unknown signing keys on some runner images. - Expands inline commentary in the workflow step to document the observed failure mode and validation reference.
This was referenced May 5, 2026
Merged
pr.yaml: GPG-verified focal-security install via signed-by=
Chris-Wolfgang/ICollection-Extensions#74
Merged
pr.yaml: GPG-verified focal-security install via signed-by=
Chris-Wolfgang/IEnumerable-Extensions#88
Merged
Merged
Merged
Merged
Merged
pr.yaml: GPG-verified focal-security install via signed-by=
Chris-Wolfgang/System.Mail-Extensions#68
Merged
Restores end-to-end APT signature verification for the libssl1.1 install step. Points apt at the Canonical archive keyring that already ships on GitHub-hosted Ubuntu runners (/usr/share/keyrings/ubuntu-archive-keyring.gpg). That keyring contains the same signing key Canonical uses across releases (focal, jammy, noble), so it can verify focal-security packages from a non-focal runner without [trusted=yes]. Resolves Copilot feedback on PR #336. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds `[trusted=yes]` to the `focal-security` apt source line in the "Install OpenSSL 1.1 for .NET 5.0" step.
Why
The step was failing on newer GitHub-hosted Ubuntu runners with `E: Package 'libssl1.1' has no installation candidate`. Root cause: the focal Ubuntu archive signing key isn't always present on newer runner images, so apt silently `Ign`'s the source (`Ign:55 ... focal-security InRelease`) and `apt-get update` succeeds without it.
`[trusted=yes]` skips GPG signature verification.
Validation
Tested in IComparable-Extensions#69 — fix confirmed working before promoting here.
Rollout
After this lands, the same one-line fix needs to propagate to ~16 other repos that have .NET 5.0 in their test matrix. A follow-up bulk PR will sync canonical pr.yaml downstream.
🤖 Generated with Claude Code