NAP WAF on Bare Metal/VM Install Fails #1289
Description
Describe the bug
Following the directions in the new WAF install docs for Bare Metal/VM, seeing the following error:
sudo apt-get install app-protect
Hit:1 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease
Get:5 https://pkgs.nginx.com/app-protect-security-updates/ubuntu jammy InRelease [1,709 B]
Err:5 https://pkgs.nginx.com/app-protect-security-updates/ubuntu jammy InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A5F6473795E778F4
Get:6 https://pkgs.nginx.com/app-protect/ubuntu jammy InRelease [2,660 B]
Get:7 https://pkgs.nginx.com/plus/ubuntu jammy InRelease [4,177 B]
Get:8 https://pkgs.nginx.com/app-protect/ubuntu jammy/nginx-plus amd64 Packages [11.9 kB]
Reading package lists... Done
W: GPG error: https://pkgs.nginx.com/app-protect-security-updates/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A5F6473795E778F4
E: The repository 'https://pkgs.nginx.com/app-protect-security-updates/ubuntu jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
app-protect-compiler : PreDepends: app-protect-attack-signatures but it is not installable
PreDepends: app-protect-bot-signatures but it is not installable
PreDepends: app-protect-threat-campaigns but it is not installable
app-protect-engine : Depends: app-protect-geoip but it is not installable
E: Unable to correct problems, you have held broken packages.
The cause is that the step to install the signing key is missing in the new documentation. It looks like this is missing for all operating systems.
Since all signing key installation relies on the NGINX Plus installation steps instead of in the WAF docs, signing key installation needs to be introduced in the WAF docs before initial installation of WAF or signature updates will succeed. NOTE: This step is unique per OS, and needs to be somewhere before the sudo apt-get update step (Ubuntu example).
In the Ubuntu case, the missing step is:
wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | \
gpg --dearmor | sudo tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null
This step appears in the archved documentation here.
To reproduce
Steps to reproduce the behavior:
- Install WAF (for example, on Ubuntu) using the steps.
- When you get to the step to install the app protect package, the error above will be shown.
Expected behavior
WAF installation should succeed without errors.
Your environment
- Version/release of this project or specific commit
hash 3111b30 - Target deployment platform
NAP 5.9, Plus R35, Ubuntu 22.04.
Additional context
Add any other context about the problem here.
Sensitive Information
Remember to redact any sensitive information such as authentication credentials or license keys.