
Please migrate away from apt::key

Open zeha opened this issue 3 years ago • 5 comments

Use Case

Compatibility with future Ubuntu and Debian versions (Ubuntu > 22.04, Debian > 11).

Describe the Solution You Would Like

Apt::key is deprecated, as it uses the deprecated apt-key(8) program under the hood.

Please switch to dropping files into /etc/apt/trusted.gpg.d instead.

Describe Alternatives You've Considered

Maybe apt::key could be switched to do this transparently, but I guess that's unlikely because it would need gpg? (And one point of removing apt-key is ... to make gpg optional.)

Additional Context

zeha avatar Aug 19 '21 11:08 zeha

Here is the related bug report on the apt module: https://tickets.puppetlabs.com/browse/MODULES-9695

kenyon avatar Aug 19 '21 17:08 kenyon

I was informed today that dropping an ascii-armored key into trusted.gpg.d should also work.

zeha avatar Aug 20 '21 00:08 zeha

Please switch to dropping files into /etc/apt/trusted.gpg.d instead.

Actually, this is not the recommended solution either as putting keyrings in /etc/apt/trusted.gpg.d makes them valid for every configured repositories.

Recommendation is to put keyring files in /usr/share/keyrings/ and use the signed-by option on the sources.list entry. See the OpenPGP Key distribution section in Instructions to connect to a third-party repository for details:

The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add.

The apt::source defined type from puppetlabs-apt supports setting signed-by (through the keyring parameter) since version 8.1.0.

johanfleury avatar Aug 26 '21 16:08 johanfleury
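The recommendation above (per-repository keyrings under /usr/share/keyrings referenced through signed-by, nothing in /etc/apt/trusted.gpg.d) can be audited and applied from a shell. The script below is an added example written for this thread; it is not code from the issue, from puppetlabs-docker or from puppetlabs-apt. It assumes the classic one-line `*.list` format (deb822 `.sources` files are not parsed), takes the apt and keyring directories as parameters so it can be run against a constructed tree as well as a real /etc/apt, and uses `ls -ld` rather than `stat` so it works on both GNU and BSD userlands. The function names and the sample repository names are mine.

```shell
#!/bin/sh
# Added example (not from the issue thread or puppetlabs-docker): audit APT
# trust configuration for the "signed-by, not trusted.gpg.d" recommendation.

# List active deb/deb-src lines that carry no signed-by option. Any key in the
# global trust store can sign such a repository, which is exactly the problem
# with dropping keys into /etc/apt/trusted.gpg.d. $1 is the sources.list.d
# directory; output is "<file>: <line>", one per entry.
apt_sources_without_signed_by() {
  find "$1" -maxdepth 1 -type f -name '*.list' | sort | while read -r f; do
    awk -v file="$f" \
      '/^[[:space:]]*deb(-src)?[[:space:]]/ && $0 !~ /signed-by=/ { print file ": " $0 }' "$f"
  done
}

# List keyrings that are trusted for every configured repository (the legacy
# apt-key and trusted.gpg.d locations). $1 is the apt configuration directory.
apt_global_trusted_keys() {
  if [ -f "$1/trusted.gpg" ]; then echo "$1/trusted.gpg"; fi
  if [ -d "$1/trusted.gpg.d" ]; then
    find "$1/trusted.gpg.d" -maxdepth 1 -type f \( -name '*.gpg' -o -name '*.asc' \) | sort
  fi
}

# Check one keyring against the quoted requirements: it lives in the keyring
# directory ($2, normally /usr/share/keyrings), is owned by $3 (normally root)
# and is not writable by group or others. Prints one problem per line and
# returns 1 if any were found, 0 otherwise.
check_keyring() {
  key="$1"; keydir="${2:-/usr/share/keyrings}"; owner="${3:-root}"; rc=0
  if [ ! -f "$key" ]; then echo "$key: missing"; return 1; fi
  case "$key" in
    "$keydir"/*) ;;
    *) echo "$key: not under $keydir"; rc=1 ;;
  esac
  # ls -ld column 1 is the mode string (-rw-r--r--), column 3 the owner.
  perms=$(ls -ld "$key" | awk '{print $1}')
  fileowner=$(ls -ld "$key" | awk '{print $3}')
  case "$perms" in
    ?????w*|????????w*) echo "$key: writable by group or others ($perms)"; rc=1 ;;
  esac
  if [ "$fileowner" != "$owner" ]; then
    echo "$key: owned by $fileowner, expected $owner"; rc=1
  fi
  return $rc
}

# Write a repository entry whose trust is pinned to a single keyring.
# Refuses non-HTTPS URIs and keyrings that fail check_keyring, so a mistake
# is caught before apt ever reads the file.
# $1 name, $2 uri, $3 suite, $4 components, $5 keyring path,
# $6 sources.list.d directory, $7 keyring directory, $8 expected owner.
write_signed_source() {
  name="$1"; uri="$2"; suite="$3"; comps="$4"; keyring="$5"; outdir="$6"
  case "$uri" in
    https://*) ;;
    *) echo "refusing non-HTTPS uri $uri" >&2; return 1 ;;
  esac
  check_keyring "$keyring" "$7" "$8" >&2 || return 1
  printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$uri" "$suite" "$comps" \
    > "$outdir/$name.list"
}
```

On a real host, `apt_sources_without_signed_by /etc/apt/sources.list.d` and `apt_global_trusted_keys /etc/apt` together show which repositories still depend on globally trusted keys; note that the top-level /etc/apt/sources.list is not a directory and must be checked separately with the same awk expression. The defaults of `check_keyring` enforce the quoted requirement (root-owned file under /usr/share/keyrings); the optional parameters exist only so the checks can be exercised in a temporary tree.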

@johanfleury is there a mechanism to automatically install the gpg key in the correct folder using the apt module, or do we have to do it using archive for example? I found the example below, but I was wondering whether something has been done since then:

archive { '/tmp/deriv-archive-keyring.gpg':
  source          => 'https://deriv.example.com/pubkey.gpg',
  extract         => true,
  extract_path    => '/usr/share/keyrings/',
  extract_command => 'gpg --dearmor < %s > deriv-archive-keyring.gpg',
  creates         => '/usr/share/keyrings/deriv-archive-keyring.gpg',
}

apt::source { 'foo':
  ...
  keyring => '/usr/share/keyrings/deriv-archive-keyring.gpg', # Use this when puppetlabs-apt#991 is merged
}

meskaya avatar Apr 08 '22 14:04 meskaya

I guess you’re referring to MODULES-9695 in which I gave this example. I made a bunch of suggestions in this ticket, but creating a PR is just too much work for me (especially as the PR will effectively be a copy/paste of archive code).

I ended up creating a class to manage apt keyrings, here is the full code:

# @summary
#   Download and dearmor a GPG keyring in /usr/share/keyrings/
#
# @param ensure   Whether the dearmored keyring should exist.
# @param filename Name of the keyring file created in /usr/share/keyrings/.
# @param source   puppet:// or http(s):// URL of the ASCII-armored key.
# @param content  Literal ASCII-armored key; mutually exclusive with source.
define profile::base::apt::keyring(
  Enum['present', 'absent'] $ensure   = 'present',
  String                    $filename = "${title}-keyring.gpg",
  Optional[String]          $source   = undef,
  Optional[String]          $content  = undef,
) {
  if !($content or $source) {
    fail("Profile::Base::Apt::Keyring['${title}']: one of 'source' or 'content' is required.")
  } elsif ($content and $source) {
    fail("Profile::Base::Apt::Keyring['${title}']: Can't use 'source' and 'content' at the same time.")
  }

  # Keys served by the Puppet file server (puppet://) or given inline are
  # staged with a file resource; remote URLs are fetched with archive. Either
  # way the armored key is dearmored into /usr/share/keyrings/ and is never
  # placed in /etc/apt/trusted.gpg.d.
  if $content or ($source and $source =~ /^puppet:/) {
    file { "/tmp/${filename}":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $content,
      source  => $source,
      notify  => Exec["gpg --dearmor ${filename}"],
    }

    exec { "gpg --dearmor ${filename}":
      provider    => 'shell',
      path        => ['/usr/bin', '/bin'],
      cwd         => '/usr/share/keyrings/',
      command     => "gpg --dearmor < /tmp/${filename} > ${filename}",
      refreshonly => true,
    }
  } else {
    archive { "/tmp/${filename}":
      ensure          => $ensure,
      source          => $source,
      extract         => true,
      extract_path    => '/usr/share/keyrings/',
      extract_command => "gpg --dearmor < %s > ${filename}",
      creates         => "/usr/share/keyrings/${filename}",
    }
  }
}

johanfleury avatar Apr 10 '22 13:04 johanfleury

Hello! 👋

This issue has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which issues need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the issue with a comment.

github-actions[bot] avatar Oct 03 '22 02:10 github-actions[bot]