parent
c58ae44409
commit
1d57305d35
6 changed files with 114 additions and 8 deletions
|
@ -27,6 +27,18 @@ else
|
||||||
keyid="$__object_id"
|
keyid="$__object_id"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
|
keydir="$(cat "$__object/parameter/keydir")"
|
||||||
|
keyfile="$keydir/$__object_id.gpg"
|
||||||
|
|
||||||
|
if [ -d "$keydir" ]
|
||||||
|
then
|
||||||
|
if [ -f "$keyfile" ]
|
||||||
|
then echo present
|
||||||
|
else echo absent
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# fallback to deprecated apt-key
|
||||||
|
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
|
||||||
&& echo present \
|
&& echo present \
|
||||||
|| echo absent
|
|| echo absent
|
||||||
|
fi
|
||||||
|
|
|
@ -31,12 +31,84 @@ if [ "$state_should" = "$state_is" ]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
keydir="$(cat "$__object/parameter/keydir")"
|
||||||
|
keyfile="$keydir/$__object_id.gpg"
|
||||||
|
|
||||||
case "$state_should" in
|
case "$state_should" in
|
||||||
present)
|
present)
|
||||||
keyserver="$(cat "$__object/parameter/keyserver")"
|
keyserver="$(cat "$__object/parameter/keyserver")"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/uri" ]; then
|
||||||
|
uri="$(cat "$__object/parameter/uri")"
|
||||||
|
|
||||||
|
if [ -d "$keydir" ]; then
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
curl -s -L \\
|
||||||
|
-o "$keyfile" \\
|
||||||
|
"$uri"
|
||||||
|
|
||||||
|
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' \\
|
||||||
|
"$keyfile"
|
||||||
|
then
|
||||||
|
cat "$keyfile" \\
|
||||||
|
| gpg --export > "$keyfile"
|
||||||
|
fi
|
||||||
|
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
# fallback to deprecated apt-key
|
||||||
|
echo "curl -s -L '$uri' | apt-key add -"
|
||||||
|
fi
|
||||||
|
elif [ -d "$keydir" ]; then
|
||||||
|
tmp='/tmp/cdist_apt_key_tmp'
|
||||||
|
|
||||||
|
# we need to kill gpg after 30 seconds, because gpg
|
||||||
|
# can get stuck if keyserver is not responding.
|
||||||
|
# exporting env var and not exit 1,
|
||||||
|
# because we need to clean up and kill dirmngr.
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
mkdir -m 700 -p "$tmp"
|
||||||
|
|
||||||
|
if timeout 30s \\
|
||||||
|
gpg --homedir "$tmp" \\
|
||||||
|
--keyserver "$keyserver" \\
|
||||||
|
--recv-keys "$keyid"
|
||||||
|
then
|
||||||
|
gpg --homedir "$tmp" \\
|
||||||
|
--export "$keyid" \\
|
||||||
|
> "$keyfile"
|
||||||
|
else
|
||||||
|
export GPG_GOT_STUCK=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
GNUPGHOME="$tmp" gpgconf --kill dirmngr
|
||||||
|
|
||||||
|
rm -rf "$tmp"
|
||||||
|
|
||||||
|
if [ -n "\$GPG_GOT_STUCK" ]
|
||||||
|
then
|
||||||
|
echo "GPG GOT STUCK - no response from keyserver after 30 seconds" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
# fallback to deprecated apt-key
|
||||||
echo "apt-key adv --keyserver \"$keyserver\" --recv-keys \"$keyid\""
|
echo "apt-key adv --keyserver \"$keyserver\" --recv-keys \"$keyid\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "added '$keyid'" >> "$__messages_out"
|
||||||
;;
|
;;
|
||||||
absent)
|
absent)
|
||||||
|
if [ -f "$keyfile" ]; then
|
||||||
|
echo "rm '$keyfile'"
|
||||||
|
else
|
||||||
|
# fallback to deprecated apt-key
|
||||||
echo "apt-key del \"$keyid\""
|
echo "apt-key del \"$keyid\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "removed '$keyid'" >> "$__messages_out"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
|
@ -28,6 +28,12 @@ keyserver
|
||||||
the keyserver from which to fetch the key. If omitted the default set
|
the keyserver from which to fetch the key. If omitted the default set
|
||||||
in ./parameter/default/keyserver is used.
|
in ./parameter/default/keyserver is used.
|
||||||
|
|
||||||
|
keydir
|
||||||
|
key save location, defaults to ``/etc/apt/trusted.pgp.d``
|
||||||
|
|
||||||
|
uri
|
||||||
|
the URI from which to download the key
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
--------
|
--------
|
||||||
|
@ -47,15 +53,20 @@ EXAMPLES
|
||||||
# same thing with other keyserver
|
# same thing with other keyserver
|
||||||
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
|
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
|
||||||
|
|
||||||
|
# download key from the internet
|
||||||
|
__apt_key rabbitmq \
|
||||||
|
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Steven Armstrong <steven-cdist--@--armstrong.cc>
|
Steven Armstrong <steven-cdist--@--armstrong.cc>
|
||||||
|
Ander Punnar <ander-at-kvlt-dot-ee>
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2011-2014 Steven Armstrong. You can redistribute it
|
Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
redistribute it and/or modify it under the terms of the GNU General Public
|
||||||
published by the Free Software Foundation, either version 3 of the
|
License as published by the Free Software Foundation, either version 3 of the
|
||||||
License, or (at your option) any later version.
|
License, or (at your option) any later version.
|
||||||
|
|
8
cdist/conf/type/__apt_key/manifest
Executable file
8
cdist/conf/type/__apt_key/manifest
Executable file
|
@ -0,0 +1,8 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
__package gnupg
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/uri" ]
|
||||||
|
then __package curl
|
||||||
|
else __package dirmngr
|
||||||
|
fi
|
1
cdist/conf/type/__apt_key/parameter/default/keydir
Normal file
1
cdist/conf/type/__apt_key/parameter/default/keydir
Normal file
|
@ -0,0 +1 @@
|
||||||
|
/etc/apt/trusted.gpg.d
|
|
@ -1,3 +1,5 @@
|
||||||
state
|
state
|
||||||
keyid
|
keyid
|
||||||
keyserver
|
keyserver
|
||||||
|
keydir
|
||||||
|
uri
|
||||||
|
|
Loading…
Reference in a new issue