[__apt_key*] Deprecate __apt_key_uri and improve __apt_key

Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.

Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
   (as was the case)
2. It allows for a simple way to remove keys from the keyring that were
   previously added with apt-key(8) to /etc/apt/trusted.gpg

This parameter is added marked as deprecated, as its only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.

During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practise (it is trivial to produce collisions for short key IDs), and that
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.

That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
evilham 2021-05-10 12:08:22 +02:00
parent 3a25b80466
commit c00c8c2012
8 changed files with 209 additions and 69 deletions


@ -27,18 +27,25 @@ else
keyid="$__object_id" keyid="$__object_id"
fi fi
keydir="$(cat "$__object/parameter/keydir")" # From apt-key(8):
keyfile="$keydir/$__object_id.gpg" # Use of apt-key is deprecated, except for the use of apt-key del in
# maintainer scripts to remove existing keys from the main keyring.
if [ -d "$keydir" ] # If such usage of apt-key is desired the additional installation of
then # the GNU Privacy Guard suite (packaged in gnupg) is required.
if [ -f "$keyfile" ] if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
then echo present then echo present
else echo absent else echo absent
fi fi
else exit
# fallback to deprecated apt-key
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
&& echo present \
|| echo absent
fi fi
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
if [ -f "$keyfile" ]
then
echo present
exit
fi
echo absent
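Review bot: The two branches of the rewritten explorer answer different questions: with `--use-deprecated-apt-key` it asks `apt-key export "$keyid"` whether some key with that id exists in any keyring, while without the flag it only tests `-f "$keyfile"` and never looks inside the file, so a key that still lives in the legacy `trusted.gpg` is reported `absent` and an empty or non-keyring `$keyfile` is reported `present`. Since the commit message describes the first effect as intended, a comment above the `keydir=` line would make that explicit, e.g. `# Without --use-deprecated-apt-key only the per-key file counts; keys in the legacy trusted.gpg are deliberately reported absent.` In the deprecated branch, `$keyid` is handed to `apt-key export` unchanged, and the commit message itself notes that short ids are collision-prone, so `present` there presumably means "a key matching this id", not necessarily the intended one — worth a one-line comment as well. The keyid fallback at the top of the explorer starts before this hunk.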


@ -25,11 +25,7 @@ else
fi fi
state_should="$(cat "$__object/parameter/state")" state_should="$(cat "$__object/parameter/state")"
state_is="$(cat "$__object/explorer/state")" state_is="$(cat "$__object/explorer/state")"
method="$(cat "$__object/key_method")"
if [ "$state_should" = "$state_is" ]; then
# nothing to do
exit 0
fi
keydir="$(cat "$__object/parameter/keydir")" keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg" keyfile="$keydir/$__object_id.gpg"
@ -37,30 +33,18 @@ keyfile="$keydir/$__object_id.gpg"
case "$state_should" in case "$state_should" in
present) present)
keyserver="$(cat "$__object/parameter/keyserver")" keyserver="$(cat "$__object/parameter/keyserver")"
# Using __download or __file as key source
if [ -f "$__object/parameter/uri" ]; then # Propagate messages if needed
uri="$(cat "$__object/parameter/uri")" if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
if [ -d "$keydir" ]; then echo "added '$keyid'" >> "$__messages_out"
cat << EOF
curl -s -L \\
-o "$keyfile" \\
"$uri"
key="\$( cat "$keyfile" )"
if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
then
echo "\$key" | gpg --dearmor > "$keyfile"
fi fi
exit 0
EOF elif [ "${state_is}" = "present" ]; then
else exit 0
# fallback to deprecated apt-key
echo "curl -s -L '$uri' | apt-key add -"
fi fi
elif [ -d "$keydir" ]; then # Using key servers to fetch the key
if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
# we need to kill gpg after 30 seconds, because gpg # we need to kill gpg after 30 seconds, because gpg
# can get stuck if keyserver is not responding. # can get stuck if keyserver is not responding.
# exporting env var and not exit 1, # exporting env var and not exit 1,
@ -100,13 +84,16 @@ EOF
echo "added '$keyid'" >> "$__messages_out" echo "added '$keyid'" >> "$__messages_out"
;; ;;
absent) absent)
if [ -f "$keyfile" ]; then # Removal for keys added from a keyserver without this flag
echo "rm '$keyfile'" # is done in the manifest
else if [ "$state_is" != "absent" ] && \
[ -f "$__object/parameter/use-deprecated-apt-key" ]; then
# fallback to deprecated apt-key # fallback to deprecated apt-key
echo "apt-key del \"$keyid\"" echo "apt-key del \"$keyid\""
fi
echo "removed '$keyid'" >> "$__messages_out" echo "removed '$keyid'" >> "$__messages_out"
# Propagate messages if needed
elif grep -Eq "^__file$keyfile" "$__messages_in"; then
echo "removed '$keyid'" >> "$__messages_out"
fi
;; ;;
esac esac
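Review bot: `$keyfile` is interpolated unescaped into an extended regex at `grep -Eq "^__(file|download)$keyfile" "$__messages_in"` in the present branch and again at `grep -Eq "^__file$keyfile"` in the absent branch; it is built from the `keydir` parameter and `$__object_id`, so any regex metacharacter in either (`+`, `(`, `[`, and the `.` in `.gpg` already matches any character) changes what is matched and the `added`/`removed` messages are then silently dropped or emitted for the wrong object. A fixed-string prefix check on each message line avoids this; the helper below replaces both `grep -Eq` calls, and the absent branch becomes `elif message_starts_with "__file${keyfile}"; then`. The `case "$state_should"` block these tests live in begins in the previous hunk of this file.
```shell
# Return 0 when some line of $__messages_in starts with one of the given
# prefixes, comparing literally (no regex interpretation of the key path).
message_starts_with() {
    while IFS= read -r line; do
        for prefix in "$@"; do
            case "${line}" in
                "${prefix}"*) return 0 ;;
            esac
        done
    done < "$__messages_in"
    return 1
}
# … unchanged: keyserver="$(cat "$__object/parameter/keyserver")" …
        if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
            if message_starts_with "__file${keyfile}" "__download${keyfile}"; then
                echo "added '$keyid'" >> "$__messages_out"
# … unchanged: remainder of the present and absent branches …
```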


@ -10,6 +10,14 @@ DESCRIPTION
----------- -----------
Manages the list of keys used by apt to authenticate packages. Manages the list of keys used by apt to authenticate packages.
This is done by placing the requested key in a file named
``$__object_id.gpg`` in the ``keydir`` directory.
This is supported by modern releases of Debian-based distributions.
In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
must be specified.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
@ -18,21 +26,49 @@ None.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
keydir
keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
enabled system-wide by default.
source
path to a file containing the GPG key of the repository.
Using this is recommended as it ensures that the manifest/type manintainer
has validated the key.
If ``-``, the GPG key is read from the type's stdin.
state state
'present' or 'absent'. Defaults to 'present' 'present' or 'absent'. Defaults to 'present'
uri
the URI from which to download the key.
It is highly recommended that you only use protocols with TLS like HTTPS.
This uses ``__download`` but does not use checksums, if you want to ensure
that the key doesn't change, you are better off downloading it and using
``--source``.
DEPRECATED OPTIONAL PARAMETERS
------------------------------
keyid keyid
the id of the key to add. Defaults to __object_id the id of the key to download from the ``keyserver``.
This is to be used in absence of ``--source`` and ``--uri`` or together
with ``--use-deprecated-apt-key`` for key removal.
Defaults to ``$__object_id``.
keyserver keyserver
the keyserver from which to fetch the key. If omitted the default set the keyserver from which to fetch the key.
in ./parameter/default/keyserver is used. Defaults to ``pool.sks-keyservers.net``.
keydir
key save location, defaults to ``/etc/apt/trusted.pgp.d``
uri DEPRECATED BOOLEAN PARAMETERS
the URI from which to download the key -----------------------------
use-deprecated-apt-key
``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
You can use this parameter to force usage of ``apt-key(8)``.
Please only use this parameter to *remove* keys from the keyring,
in order to prepare for removal of ``apt-key``.
Adding keys should be done without this parameter.
This parameter will be removed when Debian 11 stops being supported.
EXAMPLES EXAMPLES
@ -40,33 +76,39 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Add Ubuntu Archive Automatic Signing Key # add a key that has been verified by a type maintainer
__apt_key 437D05B5 __apt_key jitsi_meet_2021 \
# Same thing --source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
__apt_key 437D05B5 --state present
# Get rid of it
__apt_key 437D05B5 --state absent
# same thing with human readable name and explicit keyid # remove an old, deprecated or expired key
__apt_key UbuntuArchiveKey --keyid 437D05B5 __apt_key jitsi_meet_2016 --state absent
# same thing with other keyserver # Get rid of a key that might have been added to
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com # /etc/apt/trusted.gpg with apt-key
__apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
# download key from the internet # add a key that we define in-line
__apt_key rabbitmq \ __apt_key jitsi_meet_2021 --source '-' <<EOF
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc -----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
-----END PGP PUBLIC KEY BLOCK-----
EOF
# download or update key from the internet
__apt_key rabbitmq_2007 \
--uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
AUTHORS AUTHORS
------- -------
Steven Armstrong <steven-cdist--@--armstrong.cc> Steven Armstrong <steven-cdist--@--armstrong.cc>
Ander Punnar <ander-at-kvlt-dot-ee> Ander Punnar <ander-at-kvlt-dot-ee>
Evilham <contact~~@~~evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
redistribute it and/or modify it under the terms of the GNU General Public redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.


@ -2,7 +2,105 @@
__package gnupg __package gnupg
if [ -f "$__object/parameter/uri" ] state_should="$(cat "${__object}/parameter/state")"
then __package curl
else __package dirmngr incompatible_args()
{
cat >> /dev/stderr <<-EOF
This type does not support --${1} and --${method} simultaneously.
EOF
exit 1
}
if [ -f "${__object}/parameter/source" ]; then
method="source"
src="$(cat "${__object}/parameter/source")"
if [ "${src}" = "-" ]; then
src="${__object}/stdin"
fi
fi
if [ -f "${__object}/parameter/uri" ]; then
if [ -n "${method}" ]; then
incompatible_args uri
fi
method="uri"
src="$(cat "${__object}/parameter/uri")"
fi
if [ -f "${__object}/parameter/keyid" ]; then
if [ -n "${method}" ]; then
incompatible_args keyid
fi
method="keyid"
fi
# Keep old default
if [ -z "${method}" ]; then
method="keyid"
fi
# Save this for later in gencode-remote
echo "${method}" > "${__object}/key_method"
# Required remotely (most likely already installed)
__package dirmngr
# We need this in case a key has to be dearmor'd
__package gnupg
export require="__package/gnupg"
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
# This is required if apt-key(8) is to be used
if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
incompatible_args use-deprecated-apt-key
fi
else
if [ "${state_should}" = "absent" ] && \
[ -f "${__object}/parameter/keyid" ]; then
cat >> /dev/stderr <<EOF
You can't reliably remove by keyid without --use-deprecated-apt-key.
This would very likely do something you do not intend.
EOF
exit 1
fi
fi
keydir="$(cat "${__object}/parameter/keydir")"
keyfile="${keydir}/${__object_id}.gpg"
keyfilecdist="${keyfile}.cdist"
if [ "${state_should}" != "absent" ]; then
# Ensure keydir exists
__directory "${keydir}" --state exists --mode 0755
fi
if [ "${state_should}" = "absent" ]; then
__file "${keyfile}" --state "absent"
__file "${keyfilecdist}" --state "absent"
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
dearmor="$(cat <<-EOF
if [ '${state_should}' = 'present' ]; then
# Dearmor if necessary
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
else
cp '${keyfilecdist}' '${keyfile}'
fi
# Ensure permissions
chown root '${keyfile}'
chmod 0444 '${keyfile}'
fi
EOF
)"
if [ "${method}" = "uri" ]; then
__download "${keyfilecdist}" \
--url "${src}" \
--onchange "${dearmor}"
require="__download${keyfilecdist}" \
__file "${keyfile}" \
--owner root \
--mode 0444 \
--state pre-exists
else
__file "${keyfilecdist}" --state "${state_should}" \
--mode 0444 \
--source "${src}" \
--onchange "${dearmor}"
fi
fi fi
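Review bot: In the `dearmor` here-doc, `gpg --dearmor < '${keyfilecdist}' > '${keyfile}'` truncates `${keyfile}` before gpg reads anything, so if gpg rejects the input the remote is left with an empty or partial keyring in `${keydir}` while `${keyfilecdist}` has already been updated, and the `--onchange` hook will not run again on the next apply. Writing to a sibling temporary and renaming only on success keeps the previous key in place on failure, e.g. `gpg --dearmor < '${keyfilecdist}' > '${keyfile}.tmp' && mv '${keyfile}.tmp' '${keyfile}' || rm -f '${keyfile}.tmp'` (as far as I know apt only loads `*.gpg`/`*.asc` from the keyring directory, so the temporary name is not picked up — confirm). Separately, `method` is only ever assigned inside the `if [ -f "${__object}/parameter/source" ]` / `uri` / `keyid` blocks, so the `[ -n "${method}" ]` tests rely on an unset variable expanding to empty; an explicit `method=""` before the first test states that intent and keeps the manifest `set -u`-clean. The man page in this commit documents the `keydir` default as ``/etc/apt/trusted.pgp.d`` while the deprecation text says `/etc/apt/trusted.gpg.d/`; the keydir default file is not in the diff, so confirm which spelling is right.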


@ -0,0 +1 @@
use-deprecated-apt-key


@ -0,0 +1,3 @@
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Use this flag *only* to migrate to placing a keyring directly in the
/etc/apt/trusted.gpg.d/ directory with a descriptive name.


@ -1,5 +1,6 @@
state keydir
keyid keyid
keyserver keyserver
keydir source
state
uri uri


@ -0,0 +1 @@
Please migrate to using __apt_key key_id --uri URI.