diff --git a/cdist/conf/type/__apt_key/explorer/state b/cdist/conf/type/__apt_key/explorer/state
index 38f1bd3c..8ab268c1 100755
--- a/cdist/conf/type/__apt_key/explorer/state
+++ b/cdist/conf/type/__apt_key/explorer/state
@@ -27,18 +27,25 @@ else
keyid="$__object_id"
fi
+# From apt-key(8):
+# Use of apt-key is deprecated, except for the use of apt-key del in
+# maintainer scripts to remove existing keys from the main keyring.
+# If such usage of apt-key is desired the additional installation of
+# the GNU Privacy Guard suite (packaged in gnupg) is required.
+if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
+ if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
+ then echo present
+ else echo absent
+ fi
+ exit
+fi
+
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
-if [ -d "$keydir" ]
+if [ -f "$keyfile" ]
then
- if [ -f "$keyfile" ]
- then echo present
- else echo absent
- fi
-else
- # fallback to deprecated apt-key
- apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
- && echo present \
- || echo absent
+ echo present
+ exit
fi
+echo absent
diff --git a/cdist/conf/type/__apt_key/gencode-remote b/cdist/conf/type/__apt_key/gencode-remote
index 0c96ff67..17dc9bfc 100755
--- a/cdist/conf/type/__apt_key/gencode-remote
+++ b/cdist/conf/type/__apt_key/gencode-remote
@@ -25,11 +25,7 @@ else
fi
state_should="$(cat "$__object/parameter/state")"
state_is="$(cat "$__object/explorer/state")"
-
-if [ "$state_should" = "$state_is" ]; then
- # nothing to do
- exit 0
-fi
+method="$(cat "$__object/key_method")"
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
@@ -37,30 +33,18 @@ keyfile="$keydir/$__object_id.gpg"
case "$state_should" in
present)
keyserver="$(cat "$__object/parameter/keyserver")"
-
- if [ -f "$__object/parameter/uri" ]; then
- uri="$(cat "$__object/parameter/uri")"
-
- if [ -d "$keydir" ]; then
- cat << EOF
-
-curl -s -L \\
- -o "$keyfile" \\
- "$uri"
-
-key="\$( cat "$keyfile" )"
-
-if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
-then
- echo "\$key" | gpg --dearmor > "$keyfile"
-fi
-
-EOF
- else
- # fallback to deprecated apt-key
- echo "curl -s -L '$uri' | apt-key add -"
+ # Using __download or __file as key source
+ # Propagate messages if needed
+ if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
+ if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
+ echo "added '$keyid'" >> "$__messages_out"
fi
- elif [ -d "$keydir" ]; then
+ exit 0
+ elif [ "${state_is}" = "present" ]; then
+ exit 0
+ fi
+ # Using key servers to fetch the key
+ if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
# we need to kill gpg after 30 seconds, because gpg
# can get stuck if keyserver is not responding.
# exporting env var and not exit 1,
@@ -100,13 +84,16 @@ EOF
echo "added '$keyid'" >> "$__messages_out"
;;
absent)
- if [ -f "$keyfile" ]; then
- echo "rm '$keyfile'"
- else
+ # Removal for keys added from a keyserver without this flag
+ # is done in the manifest
+ if [ "$state_is" != "absent" ] && \
+ [ -f "$__object/parameter/use-deprecated-apt-key" ]; then
# fallback to deprecated apt-key
echo "apt-key del \"$keyid\""
+ echo "removed '$keyid'" >> "$__messages_out"
+ # Propagate messages if needed
+ elif grep -Eq "^__file$keyfile" "$__messages_in"; then
+ echo "removed '$keyid'" >> "$__messages_out"
fi
-
- echo "removed '$keyid'" >> "$__messages_out"
;;
esac
diff --git a/cdist/conf/type/__apt_key/man.rst b/cdist/conf/type/__apt_key/man.rst
index 234bc715..e35eaa0f 100644
--- a/cdist/conf/type/__apt_key/man.rst
+++ b/cdist/conf/type/__apt_key/man.rst
@@ -10,6 +10,14 @@ DESCRIPTION
-----------
Manages the list of keys used by apt to authenticate packages.
+This is done by placing the requested key in a file named
+``$__object_id.gpg`` in the ``keydir`` directory.
+
+This is supported by modern releases of Debian-based distributions.
+
+In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
+must be specified.
+
REQUIRED PARAMETERS
-------------------
@@ -18,21 +26,49 @@ None.
OPTIONAL PARAMETERS
-------------------
+keydir
+ keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
+ enabled system-wide by default.
+
+source
+ path to a file containing the GPG key of the repository.
+ Using this is recommended as it ensures that the manifest/type manintainer
+ has validated the key.
+ If ``-``, the GPG key is read from the type's stdin.
+
state
'present' or 'absent'. Defaults to 'present'
+uri
+ the URI from which to download the key.
+ It is highly recommended that you only use protocols with TLS like HTTPS.
+ This uses ``__download`` but does not use checksums, if you want to ensure
+ that the key doesn't change, you are better off downloading it and using
+ ``--source``.
+
+
+DEPRECATED OPTIONAL PARAMETERS
+------------------------------
keyid
- the id of the key to add. Defaults to __object_id
+ the id of the key to download from the ``keyserver``.
+ This is to be used in absence of ``--source`` and ``--uri`` or together
+ with ``--use-deprecated-apt-key`` for key removal.
+ Defaults to ``$__object_id``.
keyserver
- the keyserver from which to fetch the key. If omitted the default set
- in ./parameter/default/keyserver is used.
+ the keyserver from which to fetch the key.
+ Defaults to ``pool.sks-keyservers.net``.
-keydir
- key save location, defaults to ``/etc/apt/trusted.pgp.d``
-uri
- the URI from which to download the key
+DEPRECATED BOOLEAN PARAMETERS
+-----------------------------
+use-deprecated-apt-key
+ ``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
+ You can use this parameter to force usage of ``apt-key(8)``.
+ Please only use this parameter to *remove* keys from the keyring,
+ in order to prepare for removal of ``apt-key``.
+ Adding keys should be done without this parameter.
+ This parameter will be removed when Debian 11 stops being supported.
EXAMPLES
@@ -40,33 +76,39 @@ EXAMPLES
.. code-block:: sh
- # Add Ubuntu Archive Automatic Signing Key
- __apt_key 437D05B5
- # Same thing
- __apt_key 437D05B5 --state present
- # Get rid of it
- __apt_key 437D05B5 --state absent
+ # add a key that has been verified by a type maintainer
+ __apt_key jitsi_meet_2021 \
+ --source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
- # same thing with human readable name and explicit keyid
- __apt_key UbuntuArchiveKey --keyid 437D05B5
+ # remove an old, deprecated or expired key
+ __apt_key jitsi_meet_2016 --state absent
- # same thing with other keyserver
- __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
+ # Get rid of a key that might have been added to
+ # /etc/apt/trusted.gpg with apt-key
+ __apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
- # download key from the internet
- __apt_key rabbitmq \
- --uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
+ # add a key that we define in-line
+ __apt_key jitsi_meet_2021 --source '-' <<EOF
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ [...]
+ -----END PGP PUBLIC KEY BLOCK-----
+ EOF
+
+ # download or update key from the internet
+ __apt_key rabbitmq_2007 \
+ --uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
AUTHORS
-------
Steven Armstrong <steven-cdist--@--armstrong.cc>
Ander Punnar <ander-at-kvlt-dot-ee>
+Evilham <contact~~@~~evilham.com>
COPYING
-------
-Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
+Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
diff --git a/cdist/conf/type/__apt_key/manifest b/cdist/conf/type/__apt_key/manifest
index 010357cd..889a764a 100755
--- a/cdist/conf/type/__apt_key/manifest
+++ b/cdist/conf/type/__apt_key/manifest
@@ -2,7 +2,105 @@
__package gnupg
-if [ -f "$__object/parameter/uri" ]
-then __package curl
-else __package dirmngr
+state_should="$(cat "${__object}/parameter/state")"
+
+incompatible_args()
+{
+ cat >> /dev/stderr <<-EOF
+ This type does not support --${1} and --${method} simultaneously.
+ EOF
+ exit 1
+}
+
+if [ -f "${__object}/parameter/source" ]; then
+ method="source"
+ src="$(cat "${__object}/parameter/source")"
+ if [ "${src}" = "-" ]; then
+ src="${__object}/stdin"
+ fi
+fi
+if [ -f "${__object}/parameter/uri" ]; then
+ if [ -n "${method}" ]; then
+ incompatible_args uri
+ fi
+ method="uri"
+ src="$(cat "${__object}/parameter/uri")"
+fi
+if [ -f "${__object}/parameter/keyid" ]; then
+ if [ -n "${method}" ]; then
+ incompatible_args keyid
+ fi
+ method="keyid"
+fi
+# Keep old default
+if [ -z "${method}" ]; then
+ method="keyid"
+fi
+# Save this for later in gencode-remote
+echo "${method}" > "${__object}/key_method"
+
+# Required remotely (most likely already installed)
+__package dirmngr
+# We need this in case a key has to be dearmor'd
+__package gnupg
+export require="__package/gnupg"
+
+if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
+ # This is required if apt-key(8) is to be used
+ if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
+ incompatible_args use-deprecated-apt-key
+ fi
+else
+ if [ "${state_should}" = "absent" ] && \
+ [ -f "${__object}/parameter/keyid" ]; then
+ cat >> /dev/stderr <<EOF
+You can't reliably remove by keyid without --use-deprecated-apt-key.
+This would very likely do something you do not intend.
+EOF
+ exit 1
+ fi
+fi
+
+keydir="$(cat "${__object}/parameter/keydir")"
+keyfile="${keydir}/${__object_id}.gpg"
+keyfilecdist="${keyfile}.cdist"
+if [ "${state_should}" != "absent" ]; then
+ # Ensure keydir exists
+ __directory "${keydir}" --state exists --mode 0755
+fi
+
+if [ "${state_should}" = "absent" ]; then
+ __file "${keyfile}" --state "absent"
+ __file "${keyfilecdist}" --state "absent"
+elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
+ dearmor="$(cat <<-EOF
+ if [ '${state_should}' = 'present' ]; then
+ # Dearmor if necessary
+ if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
+ gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
+ else
+ cp '${keyfilecdist}' '${keyfile}'
+ fi
+ # Ensure permissions
+ chown root '${keyfile}'
+ chmod 0444 '${keyfile}'
+ fi
+ EOF
+ )"
+
+ if [ "${method}" = "uri" ]; then
+ __download "${keyfilecdist}" \
+ --url "${src}" \
+ --onchange "${dearmor}"
+ require="__download${keyfilecdist}" \
+ __file "${keyfile}" \
+ --owner root \
+ --mode 0444 \
+ --state pre-exists
+ else
+ __file "${keyfilecdist}" --state "${state_should}" \
+ --mode 0444 \
+ --source "${src}" \
+ --onchange "${dearmor}"
+ fi
fi
diff --git a/cdist/conf/type/__apt_key/parameter/boolean b/cdist/conf/type/__apt_key/parameter/boolean
new file mode 100644
index 00000000..7263e1b2
--- /dev/null
+++ b/cdist/conf/type/__apt_key/parameter/boolean
@@ -0,0 +1 @@
+use-deprecated-apt-key
diff --git a/cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key b/cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key
new file mode 100644
index 00000000..d18ebe57
--- /dev/null
+++ b/cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key
@@ -0,0 +1,3 @@
+apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
+Use this flag *only* to migrate to placing a keyring directly in the
+/etc/apt/trusted.gpg.d/ directory with a descriptive name.
diff --git a/cdist/conf/type/__apt_key/parameter/optional b/cdist/conf/type/__apt_key/parameter/optional
index de647375..975d1fd8 100644
--- a/cdist/conf/type/__apt_key/parameter/optional
+++ b/cdist/conf/type/__apt_key/parameter/optional
@@ -1,5 +1,6 @@
-state
+keydir
keyid
keyserver
-keydir
+source
+state
uri
diff --git a/cdist/conf/type/__apt_key_uri/deprecated b/cdist/conf/type/__apt_key_uri/deprecated
new file mode 100644
index 00000000..05550587
--- /dev/null
+++ b/cdist/conf/type/__apt_key_uri/deprecated
@@ -0,0 +1 @@
+Please migrate to using __apt_key key_id --uri URI.