Evil Ham
c00c8c2012
Previously this type was falling back to using the deprecated apt-key(8) by checking for existence of files/directories on the controller host in gencode-remote. Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes: 1. It prevents fallbacks that might end up doing the wrong thing (as was the case) 2. It allows for a simple way to remove keys from the keyring that were previously added with apt-key(8) to /etc/apt/trusted.gpg This parameter is added marked as deprecated as is only intended use is to migrate to directory-based keyrings as recommended by Debian for a few releases. It will be removed when Debian 11 stops being supported. During the review process of this merge request, it was noted that the state of PGP Key Servers is somewhat suboptimal, that the examples encouraged bad practise (it is trivial to produce collisions for short key IDs), and that this use does not require the Web of Trust, but instead only the public key that is signing the repository. That is why this also adds `--source` as an argument allowing for in-type or in-manifest provision of such public keys by the type/manifest maintainer and the use of Key Servers is still supported, but discouraged.
99 lines
3 KiB
Bash
Executable file
99 lines
3 KiB
Bash
Executable file
#!/bin/sh -e
|
|
#
|
|
# 2011-2014 Steven Armstrong (steven-cdist at armstrong.cc)
|
|
#
|
|
# This file is part of cdist.
|
|
#
|
|
# cdist is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# cdist is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
if [ -f "$__object/parameter/keyid" ]; then
|
|
keyid="$(cat "$__object/parameter/keyid")"
|
|
else
|
|
keyid="$__object_id"
|
|
fi
|
|
state_should="$(cat "$__object/parameter/state")"
|
|
state_is="$(cat "$__object/explorer/state")"
|
|
method="$(cat "$__object/key_method")"
|
|
|
|
keydir="$(cat "$__object/parameter/keydir")"
|
|
keyfile="$keydir/$__object_id.gpg"
|
|
|
|
case "$state_should" in
|
|
present)
|
|
keyserver="$(cat "$__object/parameter/keyserver")"
|
|
# Using __download or __file as key source
|
|
# Propagate messages if needed
|
|
if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
|
|
if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
|
|
echo "added '$keyid'" >> "$__messages_out"
|
|
fi
|
|
exit 0
|
|
elif [ "${state_is}" = "present" ]; then
|
|
exit 0
|
|
fi
|
|
# Using key servers to fetch the key
|
|
if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
|
|
# we need to kill gpg after 30 seconds, because gpg
|
|
# can get stuck if keyserver is not responding.
|
|
# exporting env var and not exit 1,
|
|
# because we need to clean up and kill dirmngr.
|
|
cat << EOF
|
|
|
|
gpgtmphome="\$( mktemp -d )"
|
|
|
|
if timeout 30s \\
|
|
gpg --homedir "\$gpgtmphome" \\
|
|
--keyserver "$keyserver" \\
|
|
--recv-keys "$keyid"
|
|
then
|
|
gpg --homedir "\$gpgtmphome" \\
|
|
--export "$keyid" \\
|
|
> "$keyfile"
|
|
else
|
|
export GPG_GOT_STUCK=1
|
|
fi
|
|
|
|
GNUPGHOME="\$gpgtmphome" gpgconf --kill dirmngr
|
|
|
|
rm -rf "\$gpgtmphome"
|
|
|
|
if [ -n "\$GPG_GOT_STUCK" ]
|
|
then
|
|
echo "GPG GOT STUCK - no response from keyserver after 30 seconds" >&2
|
|
exit 1
|
|
fi
|
|
|
|
EOF
|
|
else
|
|
# fallback to deprecated apt-key
|
|
echo "apt-key adv --keyserver \"$keyserver\" --recv-keys \"$keyid\""
|
|
fi
|
|
|
|
echo "added '$keyid'" >> "$__messages_out"
|
|
;;
|
|
absent)
|
|
# Removal for keys added from a keyserver without this flag
|
|
# is done in the manifest
|
|
if [ "$state_is" != "absent" ] && \
|
|
[ -f "$__object/parameter/use-deprecated-apt-key" ]; then
|
|
# fallback to deprecated apt-key
|
|
echo "apt-key del \"$keyid\""
|
|
echo "removed '$keyid'" >> "$__messages_out"
|
|
# Propagate messages if needed
|
|
elif grep -Eq "^__file$keyfile" "$__messages_in"; then
|
|
echo "removed '$keyid'" >> "$__messages_out"
|
|
fi
|
|
;;
|
|
esac
|