matthijs/cdist
1
0
Fork 0
forked from ungleich-public/cdist
Code Issues Pull requests Projects Releases Wiki Activity

Use gpg key, fallback to deprecated apt-key

Browse source 
Fixes #762
This commit is contained in:
ander 2019-05-25 15:58:39 +02:00 committed by Darko Poljak
commit 1d57305d35
6 changed files with 114 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

18
cdist/conf/type/__apt_key/explorer/state
View file

@ -27,6 +27,18 @@ else
keyid="$__object_id" keyid="$__object_id"
fi fi
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \ keydir="$(cat "$__object/parameter/keydir")"
&& echo present \ keyfile="$keydir/$__object_id.gpg"
|| echo absent
if [ -d "$keydir" ]
then
if [ -f "$keyfile" ]
then echo present
else echo absent
fi
else
# fallback to deprecated apt-key
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
&& echo present \
|| echo absent
fi

76
cdist/conf/type/__apt_key/gencode-remote
View file

@ -31,12 +31,84 @@ if [ "$state_should" = "$state_is" ]; then
exit 0 exit 0
fi fi
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
case "$state_should" in case "$state_should" in
present) present)
keyserver="$(cat "$__object/parameter/keyserver")" keyserver="$(cat "$__object/parameter/keyserver")"
echo "apt-key adv --keyserver \"$keyserver\" --recv-keys \"$keyid\""
if [ -f "$__object/parameter/uri" ]; then
uri="$(cat "$__object/parameter/uri")"
if [ -d "$keydir" ]; then
cat << EOF
curl -s -L \\
-o "$keyfile" \\
"$uri"
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' \\
"$keyfile"
then
cat "$keyfile" \\
| gpg --export > "$keyfile"
fi
EOF
else
# fallback to deprecated apt-key
echo "curl -s -L '$uri' | apt-key add -"
fi
elif [ -d "$keydir" ]; then
tmp='/tmp/cdist_apt_key_tmp'
# we need to kill gpg after 30 seconds, because gpg
# can get stuck if keyserver is not responding.
# exporting env var and not exit 1,
# because we need to clean up and kill dirmngr.
cat << EOF
mkdir -m 700 -p "$tmp"
if timeout 30s \\
gpg --homedir "$tmp" \\
--keyserver "$keyserver" \\
--recv-keys "$keyid"
then
gpg --homedir "$tmp" \\
--export "$keyid" \\
> "$keyfile"
else
export GPG_GOT_STUCK=1
fi
GNUPGHOME="$tmp" gpgconf --kill dirmngr
rm -rf "$tmp"
if [ -n "\$GPG_GOT_STUCK" ]
then
echo "GPG GOT STUCK - no response from keyserver after 30 seconds" >&2
exit 1
fi
EOF
else
# fallback to deprecated apt-key
echo "apt-key adv --keyserver \"$keyserver\" --recv-keys \"$keyid\""
fi
echo "added '$keyid'" >> "$__messages_out"
;; ;;
absent) absent)
echo "apt-key del \"$keyid\"" if [ -f "$keyfile" ]; then
echo "rm '$keyfile'"
else
# fallback to deprecated apt-key
echo "apt-key del \"$keyid\""
fi
echo "removed '$keyid'" >> "$__messages_out"
;; ;;
esac esac

17
cdist/conf/type/__apt_key/man.rst
View file

@ -28,6 +28,12 @@ keyserver
the keyserver from which to fetch the key. If omitted the default set the keyserver from which to fetch the key. If omitted the default set
in ./parameter/default/keyserver is used. in ./parameter/default/keyserver is used.
keydir
key save location, defaults to ``/etc/apt/trusted.pgp.d``
uri
the URI from which to download the key
EXAMPLES EXAMPLES
-------- --------
@ -47,15 +53,20 @@ EXAMPLES
# same thing with other keyserver # same thing with other keyserver
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
# download key from the internet
__apt_key rabbitmq \
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
AUTHORS AUTHORS
------- -------
Steven Armstrong <steven-cdist--@--armstrong.cc> Steven Armstrong <steven-cdist--@--armstrong.cc>
Ander Punnar <ander-at-kvlt-dot-ee>
COPYING COPYING
------- -------
Copyright \(C) 2011-2014 Steven Armstrong. You can redistribute it Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
and/or modify it under the terms of the GNU General Public License as redistribute it and/or modify it under the terms of the GNU General Public
published by the Free Software Foundation, either version 3 of the License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.

8
cdist/conf/type/__apt_key/manifest Executable file
View file

@ -0,0 +1,8 @@
#!/bin/sh -e
__package gnupg
if [ -f "$__object/parameter/uri" ]
then __package curl
else __package dirmngr
fi

1
cdist/conf/type/__apt_key/parameter/default/keydir Normal file
View file

@ -0,0 +1 @@
/etc/apt/trusted.gpg.d

2
cdist/conf/type/__apt_key/parameter/optional
View file

@ -1,3 +1,5 @@
state state
keyid keyid
keyserver keyserver
keydir
uri