"install" gh cli failing due to untrusted deb package #58

Closed
RichUnibuddy opened this issue Sep 11, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@RichUnibuddy

Orb version:

Tested on 2.4.0, likely to be all recent versions

What happened:

Downloading the GitHub CLI from "https://github.com/cli/cli/releases/download/v/gh__linux_amd64.deb"...
Installing the GitHub CLI...
+ sudo apt install ./gh-cli.deb
Reading package lists... Error!
E: Invalid archive signature
E: Internal error, could not locate member control.tar.{zstlz4gzxzbz2lzma}
E: Could not read meta data from /home/circleci/project/gh-cli.deb
E: The package lists or status file could not be parsed or opened.
+ set +x
Something went wrong installing the GH CLI. Please try again or open an issue.

Exited with code exit status 1

Expected behavior:

cli should install and be available to the orb

Additional Information:

This appears to be related to this upstream issue:
cli/cli#9569

The downloaded deb can be installed if --allow-unauthenticated is used (workaround!)

e.g. sudo apt-get --allow-unauthenticated install gh-cli.deb

fix proposed here - e7026ea

@williammartin

williammartin commented Sep 12, 2024

Hey @RichUnibuddy, sorry for the inconvenience from the GitHub CLI.

I don't think that the error you're seeing here relates to cli/cli#9569.

The reason I say this is because:

  • Downloading the GitHub CLI from "https://github.com/cli/cli/releases/download/v/gh__linux_amd64.deb" <--- this message is missing the version strings after v and between gh_ and _linux.
  • This is downloading the .deb from our releases page and not using the apt repository
  • There's no reference to our keyring in this repository so I don't really see how this would have worked previously

What I think's happening here is that curl https://github.com/cli/cli/releases/download/v/gh__linux_amd64.deb -o gh-cli.deb is grabbing a 404 Not Found page and then apt install is just getting very confused because it's not a real archive.

I suspect there is something else going on here about the version being passed through correctly, though honestly I don't know enough about CircleCI and orbs to be sure.

Good luck!
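
The failure mode described in the comment above (an empty version yields a URL that returns a 404 body, which `apt install` then tries to parse as an archive) can be caught before `apt` runs. This is an added example, not code from the orb or from the GitHub CLI project; the function names `gh_deb_url`, `is_deb_archive` and `fetch_gh_deb` are hypothetical.

```shell
#!/bin/sh
# Added example: defensive download of the gh .deb (function names are hypothetical).

# Build the release URL; refuse an empty or malformed version so the
# "download/v/gh__linux_amd64.deb" URL seen in the log is never requested.
gh_deb_url() {
    ver=${1#v}                      # accept "v1.2.3" or "1.2.3"
    case $ver in
        ''|*[!0-9.]*) echo "invalid gh version: '$1'" >&2; return 1 ;;
    esac
    printf 'https://github.com/cli/cli/releases/download/v%s/gh_%s_linux_amd64.deb\n' "$ver" "$ver"
}

# A .deb is an ar archive: 8-byte magic "!<arch>\n", followed by a member
# header whose name field starts with "debian-binary".
is_deb_archive() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=1 count=7 2>/dev/null)
    member=$(dd if="$1" bs=1 skip=8 count=13 2>/dev/null)
    [ "$magic" = '!<arch>' ] && [ "$member" = 'debian-binary' ]
}

# Download, failing on HTTP errors, then verify the file before apt sees it.
fetch_gh_deb() {
    url=$(gh_deb_url "$1") || return 1
    # --fail: exit non-zero on HTTP errors such as 404 instead of saving the error page
    curl --fail --location --silent --show-error "$url" -o "$2" || {
        echo "download failed: $url" >&2; rm -f "$2"; return 1; }
    is_deb_archive "$2" || {
        echo "$2 is not a .deb archive" >&2; rm -f "$2"; return 1; }
}
```

With these checks the job stops at "invalid gh version" or "download failed" rather than at apt's "Invalid archive signature", which points at the real cause.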

@RichUnibuddy
Author

Hi, that makes sense, and makes me think a default version param (I'm not setting anything explicitly) is not being passed to the install job. I'll take another look to see what I find. Thanks for the pointer!

@RichUnibuddy
Author

Not had a chance to reassess given the information above, so I'll mark closed and I'll see if I can resolve it.
