(MODULES-8583) Improve rpm importing of the puppet GPG key

SLES 15 uses gpg 2.2, which changed some of its key output formatting and is noisier about missing commands. This change normalizes the text parsing of gpg keys, using the --with-colons option, that is recommended in the man page for use in scripts. The updated parsing pipelines work with older and newer versions of gpg.
puppetlabs · Feb 12, 2019 · 8b6f7dd · 8b6f7dd
1 parent df20490
commit 8b6f7dd
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 10 deletions.
diff --git a/manifests/osfamily/redhat.pp b/manifests/osfamily/redhat.pp
@@ -81,10 +81,12 @@
   }
 
   # Given the path to a key, see if it is imported, if not, import it
+  $legacy_gpg_pubkey = "gpg-pubkey-$(echo $(gpg --with-colons ${legacy_gpg_path} 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:]))"
+
   exec {  "import-${legacy_keyname}":
     path      => '/bin:/usr/bin:/sbin:/usr/sbin',
     command   => "rpm --import ${legacy_gpg_path}",
-    unless    => "rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < ${legacy_gpg_path}) | cut --characters=11-18 | tr '[:upper:]' '[:lower:]'`",
+    unless    => "rpm -q ${legacy_gpg_pubkey}",
     require   => File[$legacy_gpg_path],
     logoutput => 'on_failure',
   }
@@ -98,10 +100,11 @@
   }
 
   # Given the path to a key, see if it is imported, if not, import it
+  $gpg_pubkey = "gpg-pubkey-$(echo $(gpg --with-colons ${gpg_path} 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:]))"
   exec {  "import-${keyname}":
     path      => '/bin:/usr/bin:/sbin:/usr/sbin',
     command   => "rpm --import ${gpg_path}",
-    unless    => "rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < ${gpg_path}) | cut --characters=11-18 | tr '[:upper:]' '[:lower:]'`",
+    unless    => "rpm -q ${gpg_pubkey}",
     require   => File[$gpg_path],
     logoutput => 'on_failure',
   }

diff --git a/manifests/osfamily/suse.pp b/manifests/osfamily/suse.pp
@@ -45,21 +45,21 @@
       }
 
       # Given the path to a key, see if it is imported, if not, import it
-      $legacy_gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --throw-keyids < ${legacy_gpg_path})"
-      $gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --throw-keyids < ${gpg_path})"
+      $legacy_gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --with-colons ${legacy_gpg_path} 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:])"
+      $gpg_pubkey        = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --with-colons ${gpg_path} 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:])"
 
       exec { "import-${legacy_keyname}":
         path      => '/bin:/usr/bin:/sbin:/usr/sbin',
         command   => "rpm --import ${legacy_gpg_path}",
-        unless    => "rpm -q ${legacy_gpg_pubkey} | cut --characters=11-18 | tr [:upper:] [:lower:])",
+        unless    => "rpm -q ${legacy_gpg_pubkey}",
         require   => File[$legacy_gpg_path],
         logoutput => 'on_failure',
       }
 
       exec { "import-${keyname}":
         path      => '/bin:/usr/bin:/sbin:/usr/sbin',
         command   => "rpm --import ${gpg_path}",
-        unless    => "rpm -q ${gpg_pubkey} | cut --characters=11-18 | tr [:upper:] [:lower:])",
+        unless    => "rpm -q ${gpg_pubkey}",
         require   => File[$gpg_path],
         logoutput => 'on_failure',
       }

diff --git a/spec/classes/puppet_agent_osfamily_redhat_spec.rb b/spec/classes/puppet_agent_osfamily_redhat_spec.rb
@@ -27,15 +27,15 @@
       it { is_expected.to contain_exec('import-GPG-KEY-puppetlabs').with({
         'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
         'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
-        'unless'    => "rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs) | cut --characters=11-18 | tr '[:upper:]' '[:lower:]'`",
+        'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:]))",
         'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs]',
         'logoutput' => 'on_failure',
       }) }
 
       it { is_expected.to contain_exec('import-GPG-KEY-puppet').with({
         'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
         'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
-        'unless'    => "rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet) | cut --characters=11-18 | tr '[:upper:]' '[:lower:]'`",
+        'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:]))",
         'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet]',
         'logoutput' => 'on_failure',
       }) }

diff --git a/spec/classes/puppet_agent_osfamily_suse_spec.rb b/spec/classes/puppet_agent_osfamily_suse_spec.rb
@@ -55,15 +55,15 @@
           it { is_expected.to contain_exec('import-GPG-KEY-puppet').with({
             'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
             'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
-            'unless'    => 'rpm -q gpg-pubkey-$(echo $(gpg --homedir /root/.gnupg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet) | cut --characters=11-18 | tr [:upper:] [:lower:])',
+            'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --homedir /root/.gnupg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:])",
             'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet]',
             'logoutput' => 'on_failure',
           }) }
 
           it { is_expected.to contain_exec('import-GPG-KEY-puppetlabs').with({
             'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
             'command'   => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
-            'unless'    => 'rpm -q gpg-pubkey-$(echo $(gpg --homedir /root/.gnupg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs) | cut --characters=11-18 | tr [:upper:] [:lower:])',
+            'unless'    => "rpm -q gpg-pubkey-$(echo $(gpg --homedir /root/.gnupg --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs 2>&1) | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr [:upper:] [:lower:])",
             'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs]',
             'logoutput' => 'on_failure',
           }) }