Evil Ham
c00c8c2012
Previously this type was falling back to using the deprecated apt-key(8) by checking for existence of files/directories on the controller host in gencode-remote. Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes: 1. It prevents fallbacks that might end up doing the wrong thing (as was the case) 2. It allows for a simple way to remove keys from the keyring that were previously added with apt-key(8) to /etc/apt/trusted.gpg This parameter is added marked as deprecated, as its only intended use is to migrate to directory-based keyrings as recommended by Debian for a few releases. It will be removed when Debian 11 stops being supported. During the review process of this merge request, it was noted that the state of PGP Key Servers is somewhat suboptimal, that the examples encouraged bad practise (it is trivial to produce collisions for short key IDs), and that this use does not require the Web of Trust, but instead only the public key that is signing the repository. That is why this also adds `--source` as an argument allowing for in-type or in-manifest provision of such public keys by the type/manifest maintainer; the use of Key Servers is still supported, but discouraged.
#!/bin/sh -e
#
# Manifest of the apt key type: work out how the repository signing key is
# supplied (--source, --uri or --keyid) and create the objects that place it
# in the keyring directory on the target. "-e" aborts the manifest on the
# first failing command.
#
# NOTE(review): gnupg is requested again further down, right before
# "require" is exported; presumably cdist accepts the identical redefinition,
# so this first call looks redundant rather than harmful — confirm.

__package gnupg

# Desired state of the key as given by the caller (compared against
# "absent"/"present" below).
state_should="$(cat "${__object}/parameter/state")"

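#######################################
# Abort the manifest because two mutually exclusive parameters were given.
# Globals:   method (read) - key-retrieval method detected so far
# Arguments: $1 - name of the parameter that conflicts with ${method}
# Outputs:   one diagnostic line on stderr
# Returns:   never; exits with status 1
#######################################
incompatible_args()
{
	# Write to fd 2 directly instead of reopening /dev/stderr by path:
	# the path can be missing or unwritable even when fd 2 is usable.
	printf 'This type does not support --%s and --%s simultaneously.\n' \
		"${1}" "${method}" >&2
	exit 1
}
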
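# Work out how the key is provided. At most one of --source, --uri and
# --keyid may be given: the first one found (in that order) wins and any
# further one aborts via incompatible_args. Start from empty values so a
# stray "method" or "src" inherited from the environment cannot influence
# the detection.
method=''
src=''
for candidate in source uri keyid; do
	[ -f "${__object}/parameter/${candidate}" ] || continue
	if [ -n "${method}" ]; then
		incompatible_args "${candidate}"
	fi
	method="${candidate}"
done

case "${method}" in
	source)
		src=$(cat "${__object}/parameter/source")
		# "-" means the key material was handed to the object on stdin
		if [ "${src}" = '-' ]; then
			src="${__object}/stdin"
		fi
		;;
	uri)
		src=$(cat "${__object}/parameter/uri")
		;;
	'')
		# Keep old default: no retrieval parameter at all behaves like --keyid
		method='keyid'
		;;
esac

# Save this for later in gencode-remote
printf '%s\n' "${method}" > "${__object}/key_method"
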
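# Required remotely (most likely already installed)
__package dirmngr
# We need this in case a key has to be dearmor'd
__package gnupg
# Exported on purpose: every object created from here on (directory, key
# files, download) is ordered after the gnupg installation.
export require="__package/gnupg"

if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
	# The apt-key(8) path in gencode-remote is only meant for --keyid;
	# --source and --uri write the keyring file directly, so refuse the mix.
	if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
		incompatible_args use-deprecated-apt-key
	fi
elif [ "${state_should}" = "absent" ] && [ -f "${__object}/parameter/keyid" ]; then
	# Without the deprecated flag there is no reliable way to map a key id
	# to what should be removed; refuse rather than guess. Written to fd 2
	# directly instead of reopening /dev/stderr by path.
	printf '%s\n' \
		"You can't reliably remove by keyid without --use-deprecated-apt-key." \
		"This would very likely do something you do not intend." >&2
	exit 1
fi
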
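keydir=$(cat "${__object}/parameter/keydir")
# ${keyfile} is the binary keyring apt reads; ${keyfilecdist} is the staging
# copy holding the key exactly as supplied (possibly ASCII-armoured).
keyfile="${keydir}/${__object_id}.gpg"
keyfilecdist="${keyfile}.cdist"
if [ "${state_should}" != "absent" ]; then
	# Ensure keydir exists
	__directory "${keydir}" --state exists --mode 0755
fi

if [ "${state_should}" = "absent" ]; then
	__file "${keyfile}" --state "absent"
	__file "${keyfilecdist}" --state "absent"
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
	# Remote snippet run by --onchange after the staging copy was (re)written.
	# ${state_should}, ${keyfile} and ${keyfilecdist} are expanded here on the
	# controller, so the remote test is against the manifest-time state.
	# NOTE(review): the paths are spliced into single quotes; a keydir or
	# object id containing a single quote would break the generated code.
	dearmor=$(cat <<EOF
if [ '${state_should}' = 'present' ]; then
	# Dearmor if necessary
	if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
		gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
	else
		cp '${keyfilecdist}' '${keyfile}'
	fi
	# Ensure permissions
	chown root '${keyfile}'
	chmod 0444 '${keyfile}'
fi
EOF
	)

	if [ "${method}" = "uri" ]; then
		# No checksum parameter is handed to __download, so the integrity of
		# the fetched key rests on the transport and on the URL chosen by the
		# manifest author.
		__download "${keyfilecdist}" \
			--url "${src}" \
			--onchange "${dearmor}"
		# Dependency on the download object ("__download/<path>"). Strip a
		# leading slash before re-adding one so the name stays well-formed
		# even if keydir was given without a leading slash.
		require="__download/${keyfilecdist#/}" \
		__file "${keyfile}" \
			--owner root \
			--mode 0444 \
			--state pre-exists
	else
		__file "${keyfilecdist}" --state "${state_should}" \
			--mode 0444 \
			--source "${src}" \
			--onchange "${dearmor}"
	fi
fi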