
Container test for expiring Debian package keys no longer works (apt-key), monitor debian repositories and keys

Open rfay opened this issue 1 year ago • 3 comments

Expected Behavior

  • https://github.com/ddev/ddev/issues/5795 surprised us, and we should have been notified by our own tests
  • We would be best to monitor upstream Debian repositories as well, so we don't get surprised by things like https://github.com/ddev/ddev/issues/5620

Actual Behavior

The test is https://github.com/ddev/ddev/blob/6302f01c85c4e1c5bce9372353e4aa114eef81b8/containers/ddev-dbserver/test/image_general.bats#L15-L31 but it uses apt-key, which doesn't look at /usr/share/keyrings

Steps To Reproduce

No response

Anything else?

We should be able to rewrite that test.

rfay avatar Feb 12 '24 20:02 rfay

Here's an incomplete idea from ChatGPT for a script.

rfay avatar Mar 24 '24 13:03 rfay

I guess if we've had the nginx.org key expire on us we need to prioritize this.

rfay avatar Jun 20 '24 15:06 rfay

# List the keys in each keyring shipped in the image, one keyring at a time
cd /usr/share/keyrings
for item in *.gpg; do
  gpg --no-default-keyring --keyring "/usr/share/keyrings/$item" --list-keys
done | less

There are keys marked "expires" and "expired". In general, we want to catch "expires" ones before they get too close. I think in that case we can ignore the "expired".

The advantage of doing this during the container tests is that it happens against the keys we actually have in use.

But it would be cool to be able to test using uptimerobot or newmonitor.thefays.us/icinga2 to check them in place.

rfay avatar Jul 08 '24 16:07 rfay
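
One way to turn the keyring loop from the last comment into a pass/fail check, as an added example that is not part of the issue thread or DDEV's test suite. It reads gpg's machine-readable `--with-colons` listing (field 7 is the expiry time in epoch seconds); the function names, the 90-day default and the sample listing are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not DDEV's own test. Names and threshold are assumptions.

# Read `gpg --with-colons` output on stdin and print "<keyid> <days_left>"
# for each pub/sub key that expires within $1 days of "now" ($2, epoch secs).
# Keys without an expiry and keys already expired are skipped.
expiring_keys() {
  local days="$1"
  local now="${2:-$(date +%s)}"
  awk -F: -v now="$now" -v days="$days" '
    ($1 == "pub" || $1 == "sub") && $7 ~ /^[0-9]+$/ {
      left = int(($7 - now) / 86400)
      if ($7 > now && left <= days) print $5, left
    }'
}

# Check every keyring actually installed in the image.
# Returns non-zero if any key is inside the warning window.
check_keyrings() {
  local days="${1:-90}"
  local dir="${2:-/usr/share/keyrings}"
  local f out rc=0
  for f in "$dir"/*.gpg; do
    [ -e "$f" ] || continue
    out=$(gpg --batch --no-default-keyring --keyring "$f" \
              --list-keys --with-colons 2>/dev/null | expiring_keys "$days")
    if [ -n "$out" ]; then
      printf '%s:\n%s\n' "$f" "$out"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of colon-format output (key IDs are made up):
# one key 30 days from expiry, one expired, one with no expiry, one far out.
sample_listing() {
  cat <<'EOF'
pub:-:4096:1:00000000000000A1:1600000000:1702592000::-:::scESC::::::23::0:
pub:e:4096:1:00000000000000A2:1500000000:1690000000::-:::sc::::::23::0:
pub:-:4096:1:00000000000000A3:1600000000:::-:::scESC::::::23::0:
sub:-:4096:1:00000000000000A4:1600000000:1800000000::::::e::::::23:
EOF
}
```

In a container test, `check_keyrings 90` would fail the run and name the keyring file whenever a key in `/usr/share/keyrings` is within 90 days of expiry.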