@sakshitposting-irl sakshitposting-irl commented Nov 8, 2025

Problem

The official install.sh script fails on Debian/Ubuntu with:

gpg: no valid OpenPGP data found

This occurs because packages.fluentbit.io/fluentbit.key now returns a 302 redirect to S3. Without the -L flag, curl stops at the redirect and returns an empty response, breaking GPG key import.

Solution

Added -L flag to curl command in the Ubuntu/Debian installation section to follow HTTP redirects.

Fixes the installation failure on Debian/Ubuntu platforms.


Testing

  • Example configuration file for the change

    • [N/A] - This is a change to the installation script, not runtime configuration
  • Debug log output from testing the change

# Before fix (without -L):
$ curl https://packages.fluentbit.io/fluentbit.key | gpg --dearmor
gpg: no valid OpenPGP data found.

# After fix (with -L):
$ curl -L https://packages.fluentbit.io/fluentbit.key | gpg --dearmor
# Successfully creates keyring file (3175 bytes)

# Full installation test on Ubuntu 24.04:
$ sudo ./install.sh
...
Installation completed. Happy Logging!
  • Attached Valgrind output

    • [N/A] - This change only modifies the installation shell script, not C code
  • Run local packaging test

    • [N/A] - This change only affects the installation script, not package building
  • Set ok-package-test label

    • Requires maintainer action

Documentation

Backporting

  • Backport to latest stable release.
    • Yes, this should be backported to 4.0 and 3.2 branches as the redirect affects all versions

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Bug Fixes
    • Improved installation reliability on Debian/Ubuntu by ensuring the keyring setup process correctly handles URL redirects.

…ntbit.io infrastructure now uses 302 redirects to S3, causing curl to return empty responses without -L flag. This breaks GPG key import on Debian/Ubuntu systems. Fixes: 'gpg: no valid OpenPGP data found' error

Signed-off-by: Saksham Srivastava <134858442+sakshitposting-irl@users.noreply.github.com>
@sakshitposting-irl sakshitposting-irl changed the title from "packaging: add -L flag to curl for redirect support The packages.flu…" to "packaging: add -L flag to curl for redirect support" Nov 8, 2025

coderabbitai bot commented Nov 8, 2025

Walkthrough

The install script's curl command for fetching the release key now includes the -L flag to follow HTTP redirects during the Debian/Ubuntu apt keyring setup process.

Changes

Cohort / File(s) | Summary
Curl redirect flag (install.sh) | Added -L flag to curl command to follow redirects when fetching the release key for Debian/Ubuntu apt setup

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A curl with a dash, -L now leads the way,
Following redirects through clouds that sway,
Release keys dance down their forwarded path,
No dead ends here, just smooth throughput's bath! 🔑

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check | ✅ Passed | The title accurately describes the main change: adding the -L flag to curl for redirect support in the installation script.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
install.sh (1)

139-139: Optional: Consider adding --max-redirs for defense-in-depth.

For added safety against redirect loops or chains, consider capping the number of redirects:

-curl -L $RELEASE_KEY | gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpg
+curl -L --max-redirs 5 $RELEASE_KEY | gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpg
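Review bot: On the `+` line the shell sets up `> /usr/share/keyrings/fluentbit-keyring.gpg` before curl returns, and curl runs without `--fail`, so a failed or empty download still leaves a keyring file in place and the only signal is gpg's error message. Capping redirects does not change that. Suggest `curl -fL --max-redirs 5 "$RELEASE_KEY"` into a temporary file, then dearmor and move it into place only when the download is non-empty; quoting `$RELEASE_KEY` also avoids word splitting.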

This prevents edge cases where a misconfigured redirect target might lead to unexpected behavior. Not required for this fix, but a reasonable defensive measure.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a4c158d and 9992f8b.

📒 Files selected for processing (1)
  • install.sh (1 hunks)
🔇 Additional comments (1)
install.sh (1)

139-139: ✓ Fix is correct and well-targeted.

Adding -L to curl follows HTTP redirects, which directly addresses the 302 redirect from packages.fluentbit.io to S3 that was causing the key import to fail. The change is minimal, focused, and has been tested successfully on Ubuntu 24.04. This is the only place in the script where an explicit curl invocation fetches a URL (RPM-based systems use rpm --import which handles redirects internally).

@patrick-stephens
Collaborator

We should backport to 4.1 and 4.0 for people consuming that way although docs do just reference master.

@patrick-stephens patrick-stephens merged commit d17e943 into fluent:master Nov 10, 2025
41 of 42 checks passed
@rafaelma

This can be a security issue.

Not using -L guarantees that the gpg key has to be found in the address defined in the client repo.
Accepting a redirect when getting the repo gpg key does not guarantee that the client is talking with the correct/official repo.

Another important issue with redirects in repository addresses is that they break all systems using a proxy to allow the access to the repository from internal infrastructures.
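
Added example, not part of this thread or of Fluent Bit's install.sh: one way to address the concern raised above is to keep following redirects but restrict them to HTTPS, and to accept the key only if it matches a digest obtained out of band. The SHA-256 pin (used here in place of an OpenPGP fingerprint check), the function names and the `PINNED_SHA256` placeholder are assumptions; `sha256sum` from coreutils is required.

```shell
#!/bin/sh
# Added example: pin the downloaded key instead of trusting wherever -L leads.

# fetch_key URL OUT: follow redirects, but only over HTTPS and at most 3 hops.
# --fail turns an HTTP error into a non-zero exit instead of a saved error page.
fetch_key() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --max-redirs 3 \
         --output "$2" "$1"
}

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# install_key_if_pinned SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST only when SRC is non-empty and its digest matches the pin.
# Returns 1 otherwise and does not create or modify DEST.
install_key_if_pinned() {
    src=$1 expected=$2 dest=$3
    # An empty file is what an unfollowed redirect produces; reject it early.
    [ -s "$src" ] || { echo "key file missing or empty: $src" >&2; return 1; }
    actual=$(sha256_of "$src") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "key digest mismatch: got $actual" >&2
        return 1
    fi
    # Go through a temporary name so a failed copy never leaves a partial file.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && mv "$tmp" "$dest"
}

# Usage (needs network; PINNED_SHA256 is a placeholder for a digest you
# obtained out of band, it is not a value from the project):
#   work=$(mktemp -d)
#   fetch_key https://packages.fluentbit.io/fluentbit.key "$work/key.asc" &&
#   install_key_if_pinned "$work/key.asc" "$PINNED_SHA256" "$work/key.ok" &&
#   gpg --dearmor < "$work/key.ok" > /usr/share/keyrings/fluentbit-keyring.gpg
```

The pin has to be updated whenever the publisher rotates the key, which is the intended trade-off: a changed key stops the install until someone confirms it.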
