Merge branch '__apt_key' into 'master'
__apt_key improvements See merge request ungleich-public/cdist!779
811ed151fc
6 changed files with 114 additions and 8 deletions
|
@ -27,6 +27,18 @@ else
|
|||
keyid="$__object_id"
|
||||
fi
|
||||
|
||||
keydir="$(cat "$__object/parameter/keydir")"
|
||||
keyfile="$keydir/$__object_id.gpg"
|
||||
|
||||
if [ -d "$keydir" ]
|
||||
then
|
||||
if [ -f "$keyfile" ]
|
||||
then echo present
|
||||
else echo absent
|
||||
fi
|
||||
else
|
||||
# fallback to deprecated apt-key
|
||||
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
|
||||
&& echo present \
|
||||
|| echo absent
|
||||
fi
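Review bot: The state decision at `if [ -f "$keyfile" ]` is by file existence alone, so a keyfile holding something other than a key (for example a download that returned an error page, which the gencode-remote hunk leaves in place when the content is not ASCII-armored) is reported present and is never repaired on later runs. A content check would make explore self-correcting, e.g. `if [ -f "$keyfile" ] && gpg --show-keys "$keyfile" >/dev/null 2>&1` with `else echo absent` as the fallback (gpg ≥ 2.2 for `--show-keys` — confirm against the targets this type supports). Note also that `$__object_id` is embedded in `$keyfile` unvalidated; an id containing `/` would resolve outside `$keydir`, and gencode-remote later emits `rm '$keyfile'` for that same path. The if/else this hunk sits in begins before the hunk (`@@ … else`).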
|
||||
|
|
|
@ -31,12 +31,84 @@ if [ "$state_should" = "$state_is" ]; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
keydir="$(cat "$__object/parameter/keydir")"
|
||||
keyfile="$keydir/$__object_id.gpg"
|
||||
|
||||
case "$state_should" in
|
||||
present)
|
||||
keyserver="$(cat "$__object/parameter/keyserver")"
|
||||
|
||||
if [ -f "$__object/parameter/uri" ]; then
|
||||
uri="$(cat "$__object/parameter/uri")"
|
||||
|
||||
if [ -d "$keydir" ]; then
|
||||
cat << EOF
|
||||
|
||||
curl -s -L \\
|
||||
-o "$keyfile" \\
|
||||
"$uri"
|
||||
|
||||
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' \\
|
||||
"$keyfile"
|
||||
then
|
||||
cat "$keyfile" \\
|
||||
| gpg --export > "$keyfile"
|
||||
fi
|
||||
|
||||
EOF
|
||||
else
|
||||
# fallback to deprecated apt-key
|
||||
echo "curl -s -L '$uri' | apt-key add -"
|
||||
fi
|
||||
elif [ -d "$keydir" ]; then
|
||||
tmp='/tmp/cdist_apt_key_tmp'
|
||||
|
||||
# we need to kill gpg after 30 seconds, because gpg
|
||||
# can get stuck if keyserver is not responding.
|
||||
# exporting env var and not exit 1,
|
||||
# because we need to clean up and kill dirmngr.
|
||||
cat << EOF
|
||||
|
||||
mkdir -m 700 -p "$tmp"
|
||||
|
||||
if timeout 30s \\
|
||||
gpg --homedir "$tmp" \\
|
||||
--keyserver "$keyserver" \\
|
||||
--recv-keys "$keyid"
|
||||
then
|
||||
gpg --homedir "$tmp" \\
|
||||
--export "$keyid" \\
|
||||
> "$keyfile"
|
||||
else
|
||||
export GPG_GOT_STUCK=1
|
||||
fi
|
||||
|
||||
GNUPGHOME="$tmp" gpgconf --kill dirmngr
|
||||
|
||||
rm -rf "$tmp"
|
||||
|
||||
if [ -n "\$GPG_GOT_STUCK" ]
|
||||
then
|
||||
echo "GPG GOT STUCK - no response from keyserver after 30 seconds" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
EOF
|
||||
else
|
||||
# fallback to deprecated apt-key
|
||||
echo "apt-key adv --keyserver \"$keyserver\" --recv-keys \"$keyid\""
|
||||
fi
|
||||
|
||||
echo "added '$keyid'" >> "$__messages_out"
|
||||
;;
|
||||
absent)
|
||||
if [ -f "$keyfile" ]; then
|
||||
echo "rm '$keyfile'"
|
||||
else
|
||||
# fallback to deprecated apt-key
|
||||
echo "apt-key del \"$keyid\""
|
||||
fi
|
||||
|
||||
echo "removed '$keyid'" >> "$__messages_out"
|
||||
;;
|
||||
esac
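Review bot: The dearmor step emitted at `cat "$keyfile" | gpg --export > "$keyfile"` does not convert the downloaded key: `gpg --export` reads from the keyring rather than stdin, and the `>` redirection truncates `$keyfile` before `cat` reads it, so the armored key is lost and whatever the default keyring exports is written into the trust directory instead. The conversion meant here is `gpg --dearmor < "$keyfile" > "$keyfile.tmp" && mv -- "$keyfile.tmp" "$keyfile"`, staged through a temporary name so a failed conversion cannot leave an empty or partial file under `$keydir`. Two further points in the same hunk: `curl -s -L` without `-f` stores an HTTP error body into `$keyfile` (the grep check then skips it, but the non-key file remains), and `tmp='/tmp/cdist_apt_key_tmp'` is a fixed, predictable path under a shared directory that `mkdir -m 700 -p` silently reuses if it already exists, so the gpg homedir should instead come from a remote-side `mktemp -d` (with the later `$tmp` references in the heredoc escaped as `\$tmp`). The `--recv-keys "$keyid"` path also pins no fingerprint, so with short ids as in the examples the key stored is whichever key the keyserver returns for that id; documenting that `--keyid` should be a full fingerprint would be worthwhile.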
|
||||
|
|
|
@ -28,6 +28,12 @@ keyserver
|
|||
the keyserver from which to fetch the key. If omitted the default set
|
||||
in ./parameter/default/keyserver is used.
|
||||
|
||||
keydir
|
||||
key save location, defaults to ``/etc/apt/trusted.pgp.d``
|
||||
|
||||
uri
|
||||
the URI from which to download the key
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
@ -47,15 +53,20 @@ EXAMPLES
|
|||
# same thing with other keyserver
|
||||
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
|
||||
|
||||
# download key from the internet
|
||||
__apt_key rabbitmq \
|
||||
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
|
||||
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Steven Armstrong <steven-cdist--@--armstrong.cc>
|
||||
Ander Punnar <ander-at-kvlt-dot-ee>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2011-2014 Steven Armstrong. You can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
|
||||
redistribute it and/or modify it under the terms of the GNU General Public
|
||||
License as published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
||||
|
|
8
cdist/conf/type/__apt_key/manifest
Executable file
8
cdist/conf/type/__apt_key/manifest
Executable file
|
@ -0,0 +1,8 @@
|
|||
#!/bin/sh -e
|
||||
|
||||
__package gnupg
|
||||
|
||||
if [ -f "$__object/parameter/uri" ]
|
||||
then __package curl
|
||||
else __package dirmngr
|
||||
fi
|
1
cdist/conf/type/__apt_key/parameter/default/keydir
Normal file
1
cdist/conf/type/__apt_key/parameter/default/keydir
Normal file
|
@ -0,0 +1 @@
|
|||
/etc/apt/trusted.gpg.d
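Review bot: The default recorded here is `/etc/apt/trusted.gpg.d`, but the man page hunk in this same commit documents keydir as ``/etc/apt/trusted.pgp.d``. The man page should be corrected to `/etc/apt/trusted.gpg.d`; as far as I know apt only consults the `.gpg.d` directory, so a user copying the documented value into `--keydir` would store keys apt never trusts.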
|
|
@ -1,3 +1,5 @@
|
|||
state
|
||||
keyid
|
||||
keyserver
|
||||
keydir
|
||||
uri
|
||||
|
|