[__apt_key*] Deprecate __apt_key_uri and improve __apt_key
See: https://code.ungleich.ch/ungleich-public/cdist/-/merge_requests/994 Previously this type was falling back to using the deprecated apt-key(8) by checking for existence of files/directories on the controller host in gencode-remote. Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes: 1. It prevents fallbacks that might end up doing the wrong thing (as was the case) 2. It allows for a simple way to remove keys from the keyring that were previously added with apt-key(8) to /etc/apt/trusted.gpg This parameter is added marked as deprecated as is only intended use is to migrate to directory-based keyrings as recommended by Debian for a few releases. It will be removed when Debian 11 stops being supported. During the review process of this merge request, it was noted that the state of PGP Key Servers is somewhat suboptimal, that the examples encouraged bad practise (it is trivial to produce collisions for short key IDs), and that this use does not require the Web of Trust, but instead only the public key that is signing the repository. That is why this also adds `--source` as an argument allowing for in-type or in-manifest provision of such public keys by the type/manifest maintainer and the use of Key Servers is still supported, but discouraged.
This commit is contained in:
commit
0b05a8f5f7
8 changed files with 209 additions and 69 deletions
|
@ -27,18 +27,25 @@ else
|
|||
keyid="$__object_id"
|
||||
fi
|
||||
|
||||
keydir="$(cat "$__object/parameter/keydir")"
|
||||
keyfile="$keydir/$__object_id.gpg"
|
||||
|
||||
if [ -d "$keydir" ]
|
||||
then
|
||||
if [ -f "$keyfile" ]
|
||||
# From apt-key(8):
|
||||
# Use of apt-key is deprecated, except for the use of apt-key del in
|
||||
# maintainer scripts to remove existing keys from the main keyring.
|
||||
# If such usage of apt-key is desired the additional installation of
|
||||
# the GNU Privacy Guard suite (packaged in gnupg) is required.
|
||||
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
|
||||
if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
|
||||
then echo present
|
||||
else echo absent
|
||||
fi
|
||||
else
|
||||
# fallback to deprecated apt-key
|
||||
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
|
||||
&& echo present \
|
||||
|| echo absent
|
||||
exit
|
||||
fi
|
||||
|
||||
keydir="$(cat "$__object/parameter/keydir")"
|
||||
keyfile="$keydir/$__object_id.gpg"
|
||||
|
||||
if [ -f "$keyfile" ]
|
||||
then
|
||||
echo present
|
||||
exit
|
||||
fi
|
||||
echo absent
|
||||
|
|
|
@ -25,11 +25,7 @@ else
|
|||
fi
|
||||
state_should="$(cat "$__object/parameter/state")"
|
||||
state_is="$(cat "$__object/explorer/state")"
|
||||
|
||||
if [ "$state_should" = "$state_is" ]; then
|
||||
# nothing to do
|
||||
exit 0
|
||||
fi
|
||||
method="$(cat "$__object/key_method")"
|
||||
|
||||
keydir="$(cat "$__object/parameter/keydir")"
|
||||
keyfile="$keydir/$__object_id.gpg"
|
||||
|
@ -37,30 +33,18 @@ keyfile="$keydir/$__object_id.gpg"
|
|||
case "$state_should" in
|
||||
present)
|
||||
keyserver="$(cat "$__object/parameter/keyserver")"
|
||||
|
||||
if [ -f "$__object/parameter/uri" ]; then
|
||||
uri="$(cat "$__object/parameter/uri")"
|
||||
|
||||
if [ -d "$keydir" ]; then
|
||||
cat << EOF
|
||||
|
||||
curl -s -L \\
|
||||
-o "$keyfile" \\
|
||||
"$uri"
|
||||
|
||||
key="\$( cat "$keyfile" )"
|
||||
|
||||
if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
|
||||
then
|
||||
echo "\$key" | gpg --dearmor > "$keyfile"
|
||||
# Using __download or __file as key source
|
||||
# Propagate messages if needed
|
||||
if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
|
||||
if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
|
||||
echo "added '$keyid'" >> "$__messages_out"
|
||||
fi
|
||||
|
||||
EOF
|
||||
else
|
||||
# fallback to deprecated apt-key
|
||||
echo "curl -s -L '$uri' | apt-key add -"
|
||||
exit 0
|
||||
elif [ "${state_is}" = "present" ]; then
|
||||
exit 0
|
||||
fi
|
||||
elif [ -d "$keydir" ]; then
|
||||
# Using key servers to fetch the key
|
||||
if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
|
||||
# we need to kill gpg after 30 seconds, because gpg
|
||||
# can get stuck if keyserver is not responding.
|
||||
# exporting env var and not exit 1,
|
||||
|
@ -100,13 +84,16 @@ EOF
|
|||
echo "added '$keyid'" >> "$__messages_out"
|
||||
;;
|
||||
absent)
|
||||
if [ -f "$keyfile" ]; then
|
||||
echo "rm '$keyfile'"
|
||||
else
|
||||
# Removal for keys added from a keyserver without this flag
|
||||
# is done in the manifest
|
||||
if [ "$state_is" != "absent" ] && \
|
||||
[ -f "$__object/parameter/use-deprecated-apt-key" ]; then
|
||||
# fallback to deprecated apt-key
|
||||
echo "apt-key del \"$keyid\""
|
||||
fi
|
||||
|
||||
echo "removed '$keyid'" >> "$__messages_out"
|
||||
# Propagate messages if needed
|
||||
elif grep -Eq "^__file$keyfile" "$__messages_in"; then
|
||||
echo "removed '$keyid'" >> "$__messages_out"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
|
|
@ -10,6 +10,14 @@ DESCRIPTION
|
|||
-----------
|
||||
Manages the list of keys used by apt to authenticate packages.
|
||||
|
||||
This is done by placing the requested key in a file named
|
||||
``$__object_id.gpg`` in the ``keydir`` directory.
|
||||
|
||||
This is supported by modern releases of Debian-based distributions.
|
||||
|
||||
In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
|
||||
must be specified.
|
||||
|
||||
|
||||
REQUIRED PARAMETERS
|
||||
-------------------
|
||||
|
@ -18,21 +26,49 @@ None.
|
|||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
keydir
|
||||
keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
|
||||
enabled system-wide by default.
|
||||
|
||||
source
|
||||
path to a file containing the GPG key of the repository.
|
||||
Using this is recommended as it ensures that the manifest/type manintainer
|
||||
has validated the key.
|
||||
If ``-``, the GPG key is read from the type's stdin.
|
||||
|
||||
state
|
||||
'present' or 'absent'. Defaults to 'present'
|
||||
|
||||
uri
|
||||
the URI from which to download the key.
|
||||
It is highly recommended that you only use protocols with TLS like HTTPS.
|
||||
This uses ``__download`` but does not use checksums, if you want to ensure
|
||||
that the key doesn't change, you are better off downloading it and using
|
||||
``--source``.
|
||||
|
||||
|
||||
DEPRECATED OPTIONAL PARAMETERS
|
||||
------------------------------
|
||||
keyid
|
||||
the id of the key to add. Defaults to __object_id
|
||||
the id of the key to download from the ``keyserver``.
|
||||
This is to be used in absence of ``--source`` and ``--uri`` or together
|
||||
with ``--use-deprecated-apt-key`` for key removal.
|
||||
Defaults to ``$__object_id``.
|
||||
|
||||
keyserver
|
||||
the keyserver from which to fetch the key. If omitted the default set
|
||||
in ./parameter/default/keyserver is used.
|
||||
the keyserver from which to fetch the key.
|
||||
Defaults to ``pool.sks-keyservers.net``.
|
||||
|
||||
keydir
|
||||
key save location, defaults to ``/etc/apt/trusted.pgp.d``
|
||||
|
||||
uri
|
||||
the URI from which to download the key
|
||||
DEPRECATED BOOLEAN PARAMETERS
|
||||
-----------------------------
|
||||
use-deprecated-apt-key
|
||||
``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
|
||||
You can use this parameter to force usage of ``apt-key(8)``.
|
||||
Please only use this parameter to *remove* keys from the keyring,
|
||||
in order to prepare for removal of ``apt-key``.
|
||||
Adding keys should be done without this parameter.
|
||||
This parameter will be removed when Debian 11 stops being supported.
|
||||
|
||||
|
||||
EXAMPLES
|
||||
|
@ -40,33 +76,39 @@ EXAMPLES
|
|||
|
||||
.. code-block:: sh
|
||||
|
||||
# Add Ubuntu Archive Automatic Signing Key
|
||||
__apt_key 437D05B5
|
||||
# Same thing
|
||||
__apt_key 437D05B5 --state present
|
||||
# Get rid of it
|
||||
__apt_key 437D05B5 --state absent
|
||||
# add a key that has been verified by a type maintainer
|
||||
__apt_key jitsi_meet_2021 \
|
||||
--source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
|
||||
|
||||
# same thing with human readable name and explicit keyid
|
||||
__apt_key UbuntuArchiveKey --keyid 437D05B5
|
||||
# remove an old, deprecated or expired key
|
||||
__apt_key jitsi_meet_2016 --state absent
|
||||
|
||||
# same thing with other keyserver
|
||||
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
|
||||
# Get rid of a key that might have been added to
|
||||
# /etc/apt/trusted.gpg with apt-key
|
||||
__apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
|
||||
|
||||
# download key from the internet
|
||||
__apt_key rabbitmq \
|
||||
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
|
||||
# add a key that we define in-line
|
||||
__apt_key jitsi_meet_2021 --source '-' <<EOF
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
[...]
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
EOF
|
||||
|
||||
# download or update key from the internet
|
||||
__apt_key rabbitmq_2007 \
|
||||
--uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
|
||||
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Steven Armstrong <steven-cdist--@--armstrong.cc>
|
||||
Ander Punnar <ander-at-kvlt-dot-ee>
|
||||
Evilham <contact~~@~~evilham.com>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
|
||||
Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
|
||||
redistribute it and/or modify it under the terms of the GNU General Public
|
||||
License as published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
||||
|
|
|
@ -2,7 +2,105 @@
|
|||
|
||||
__package gnupg
|
||||
|
||||
if [ -f "$__object/parameter/uri" ]
|
||||
then __package curl
|
||||
else __package dirmngr
|
||||
state_should="$(cat "${__object}/parameter/state")"
|
||||
|
||||
incompatible_args()
|
||||
{
|
||||
cat >> /dev/stderr <<-EOF
|
||||
This type does not support --${1} and --${method} simultaneously.
|
||||
EOF
|
||||
exit 1
|
||||
}
|
||||
|
||||
if [ -f "${__object}/parameter/source" ]; then
|
||||
method="source"
|
||||
src="$(cat "${__object}/parameter/source")"
|
||||
if [ "${src}" = "-" ]; then
|
||||
src="${__object}/stdin"
|
||||
fi
|
||||
fi
|
||||
if [ -f "${__object}/parameter/uri" ]; then
|
||||
if [ -n "${method}" ]; then
|
||||
incompatible_args uri
|
||||
fi
|
||||
method="uri"
|
||||
src="$(cat "${__object}/parameter/uri")"
|
||||
fi
|
||||
if [ -f "${__object}/parameter/keyid" ]; then
|
||||
if [ -n "${method}" ]; then
|
||||
incompatible_args keyid
|
||||
fi
|
||||
method="keyid"
|
||||
fi
|
||||
# Keep old default
|
||||
if [ -z "${method}" ]; then
|
||||
method="keyid"
|
||||
fi
|
||||
# Save this for later in gencode-remote
|
||||
echo "${method}" > "${__object}/key_method"
|
||||
|
||||
# Required remotely (most likely already installed)
|
||||
__package dirmngr
|
||||
# We need this in case a key has to be dearmor'd
|
||||
__package gnupg
|
||||
export require="__package/gnupg"
|
||||
|
||||
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
|
||||
# This is required if apt-key(8) is to be used
|
||||
if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
|
||||
incompatible_args use-deprecated-apt-key
|
||||
fi
|
||||
else
|
||||
if [ "${state_should}" = "absent" ] && \
|
||||
[ -f "${__object}/parameter/keyid" ]; then
|
||||
cat >> /dev/stderr <<EOF
|
||||
You can't reliably remove by keyid without --use-deprecated-apt-key.
|
||||
This would very likely do something you do not intend.
|
||||
EOF
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
keydir="$(cat "${__object}/parameter/keydir")"
|
||||
keyfile="${keydir}/${__object_id}.gpg"
|
||||
keyfilecdist="${keyfile}.cdist"
|
||||
if [ "${state_should}" != "absent" ]; then
|
||||
# Ensure keydir exists
|
||||
__directory "${keydir}" --state exists --mode 0755
|
||||
fi
|
||||
|
||||
if [ "${state_should}" = "absent" ]; then
|
||||
__file "${keyfile}" --state "absent"
|
||||
__file "${keyfilecdist}" --state "absent"
|
||||
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
|
||||
dearmor="$(cat <<-EOF
|
||||
if [ '${state_should}' = 'present' ]; then
|
||||
# Dearmor if necessary
|
||||
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
|
||||
gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
|
||||
else
|
||||
cp '${keyfilecdist}' '${keyfile}'
|
||||
fi
|
||||
# Ensure permissions
|
||||
chown root '${keyfile}'
|
||||
chmod 0444 '${keyfile}'
|
||||
fi
|
||||
EOF
|
||||
)"
|
||||
|
||||
if [ "${method}" = "uri" ]; then
|
||||
__download "${keyfilecdist}" \
|
||||
--url "${src}" \
|
||||
--onchange "${dearmor}"
|
||||
require="__download${keyfilecdist}" \
|
||||
__file "${keyfile}" \
|
||||
--owner root \
|
||||
--mode 0444 \
|
||||
--state pre-exists
|
||||
else
|
||||
__file "${keyfilecdist}" --state "${state_should}" \
|
||||
--mode 0444 \
|
||||
--source "${src}" \
|
||||
--onchange "${dearmor}"
|
||||
fi
|
||||
fi
|
||||
|
|
1
cdist/conf/type/__apt_key/parameter/boolean
Normal file
1
cdist/conf/type/__apt_key/parameter/boolean
Normal file
|
@ -0,0 +1 @@
|
|||
use-deprecated-apt-key
|
|
@ -0,0 +1,3 @@
|
|||
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
|
||||
Use this flag *only* to migrate to placing a keyring directly in the
|
||||
/etc/apt/trusted.gpg.d/ directory with a descriptive name.
|
|
@ -1,5 +1,6 @@
|
|||
state
|
||||
keydir
|
||||
keyid
|
||||
keyserver
|
||||
keydir
|
||||
source
|
||||
state
|
||||
uri
|
||||
|
|
1
cdist/conf/type/__apt_key_uri/deprecated
Normal file
1
cdist/conf/type/__apt_key_uri/deprecated
Normal file
|
@ -0,0 +1 @@
|
|||
Please migrate to using __apt_key key_id --uri URI.
|
Loading…
Reference in a new issue