(MODULES-10996) Improve GPG key import check
The puppet GPG signing key with ID 4528b6cd9e61ef26 had a subkey in it until February 2021. This caused GPG checks on systems with RPM versions that do not support subkeys[1] (SLES 11 and EL 5) to fail. We added this GPG key in the puppet_agent module in January, and included it in the 4.4.0 release of the module. We discovered the subkey issue in February and promptly removed the subkey from the existing key. The new key is available since version 4.5.0 of the puppet_agent module.

This module imports GPG keys based on their ID. Since in our case both the good key and the bad key have the same ID, the module will not import the correct key if the bad one is already installed (or any other key with the same ID, for that matter).

To circumvent this, we now specifically compare the contents of the GPG key from the RPM database with the contents of the GPG key laid by Puppet in `/etc/pki/rpm-gpg`. If any differences are found, the imported key is purged and reimported, which should ensure that the key shipped in the module is identical to the one from the RPM database.

[1] https://technosorcery.net/blog/2010/10/pitfalls-with-rpm-and-gpg/
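As an added illustration of the problem the commit message describes (this is not code from the puppet_agent module), the Python below parses `gpg --with-colons` listings: it derives the `gpg-pubkey-<id>` package name the same way the helper script does, showing that the key with and without the subkey collide on that name, and then compares the key material record by record so the dropped subkey is detected. The listings are constructed samples; only the key ID 4528B6CD9E61EF26 comes from the page, and the fingerprints and subkey ID are placeholders.

```python
"""Importing RPM GPG keys by ID is not enough: two keys with the same primary
key ID get the same gpg-pubkey-<id> package name, so the installed key has to
be compared by its contents. Listings below are constructed samples."""

# Constructed: the key as imported into the RPM database (still has a subkey).
INSTALLED_LISTING = """\
pub:-:4096:1:4528B6CD9E61EF26:1578917823:1736597823::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000004528B6CD9E61EF26:
uid:-::::1578917823::0000000000000000000000000000000000000000::Puppet, Inc. Release Key <release@puppet.com>::::::::::0:
sub:-:4096:1:0000000000000001:1578917823:1736597823:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000001:
"""
# Constructed: the key shipped in /etc/pki/rpm-gpg after the subkey was removed.
SHIPPED_LISTING = "\n".join(INSTALLED_LISTING.splitlines()[:3]) + "\n"

def parse_colons(listing: str) -> list[list[str]]:
    """Split a --with-colons listing into records; field 0 is the record type."""
    return [line.split(":") for line in listing.splitlines() if line.strip()]

def rpm_pubkey_name(listing: str) -> str:
    """Mirror the helper script: 'gpg-pubkey-' + characters 9-16 of the pub
    record's key ID (field 5), lower-cased. Only the primary key ID is used."""
    for rec in parse_colons(listing):
        if rec[0] == "pub":
            return "gpg-pubkey-" + rec[4][8:16].lower()
    raise ValueError("listing has no pub record")

def key_material(listing: str) -> list[tuple[str, str]]:
    """(record type, identifier) for every pub/sub/fpr record: key IDs sit in
    field 5 of pub/sub records, fingerprints in field 10 of fpr records."""
    out = []
    for rec in parse_colons(listing):
        if rec[0] in ("pub", "sub"):
            out.append((rec[0], rec[4]))
        elif rec[0] == "fpr":
            out.append((rec[0], rec[9]))
    return out

def key_differences(installed: str, shipped: str) -> list[tuple[str, str, str]]:
    """Records present on one side only, tagged 'installed' or 'shipped'.
    Any entry means the key in the RPM database must be purged and reimported."""
    inst, ship = set(key_material(installed)), set(key_material(shipped))
    return sorted([("installed",) + r for r in inst - ship] +
                  [("shipped",) + r for r in ship - inst])

def needs_reimport(installed: str, shipped: str) -> bool:
    """Content-based check that replaces the ID-only check."""
    return bool(key_differences(installed, shipped))
```

Both listings map to the same `gpg-pubkey-9e61ef26` package, so an ID-based import would consider the stale key already present; the content comparison reports the subkey and its fingerprint as installed-only and flags the reimport.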
1 parent 64e6530, commit c793fd0. Showing 6 changed files with 89 additions and 86 deletions.
@@ -0,0 +1,26 @@ | ||
#!/bin/bash | ||
# shellcheck disable=SC2086 | ||
|
||
ACTION=$1 | ||
GPG_HOMEDIR=$2 | ||
GPG_KEY_PATH=$3 | ||
|
||
GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons" | ||
GPG_BIN=$(command -v gpg || command -v gpg2) | ||
|
||
if [ -z "${GPG_BIN}" ]; then | ||
echo Could not find a suitable gpg command, exiting... | ||
exit 1 | ||
fi | ||
|
||
GPG_PUBKEY=gpg-pubkey-$("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}" 2>&1 | grep ^pub | cut -d':' -f5 | cut --characters=9-16 | tr '[:upper:]' '[:lower:]') | ||
|
||
if [ "${ACTION}" = "check" ]; then | ||
# This will return 1 if there are differences between the key imported in the | ||
# RPM database and the local keyfile. This means we need to purge the key and | ||
# reimport it. | ||
diff <(rpm -qi "${GPG_PUBKEY}" | "${GPG_BIN}" ${GPG_ARGS}) <("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}") | ||
elif [ "${ACTION}" = "import" ]; then | ||
(rpm -q "${GPG_PUBKEY}" && rpm -e --allmatches "${GPG_PUBKEY}") || true | ||
rpm --import "${GPG_KEY_PATH}" | ||
fi |
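Review bot: the script never validates its three positional arguments, and the `check` branch turns that into a false pass: with an unreadable or empty `GPG_KEY_PATH`, `GPG_PUBKEY` becomes the bare `gpg-pubkey-` prefix, `rpm -qi "${GPG_PUBKEY}"` and the gpg listing of the file both produce empty stdout, and `diff` of two empty streams exits 0, so no reimport is triggered even though no key is installed. An empty `GPG_HOMEDIR` is similarly bad, since `GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons"` collapses to `--homedir --with-colons` and gpg takes `--with-colons` as the home directory. A guard before `GPG_ARGS` is built, e.g. `[ $# -eq 3 ] && [ -r "${GPG_KEY_PATH}" ] || { echo "usage: $0 check|import GPG_HOMEDIR GPG_KEY_PATH" >&2; exit 2; }`, plus a check that `GPG_PUBKEY` is longer than its prefix, would make these failures visible to Puppet; the `if`/`elif` should also gain an `else` that reports an unknown `ACTION` with a non-zero exit instead of silently exiting 0.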
@GabrielNagy, this code places a permanent file into the /tmp filesystem, which is either tmpfs or cleaned regularly, so the file will be re-created again and again, causing unnecessary configuration drift. IMHO, a better place for this helper would be somewhere in /usr/local/bin/ or /opt/puppetlabs/bin/.
Hi @vchepkov, indeed `/opt/puppetlabs` sounds like a more suitable place. When implementing this I followed the same pattern as the other scripts (like `install_puppet.ps1`, `osx_install.sh`, etc.), but failed to notice that the GPG check here would be executed on each run, whereas the other scripts get executed only if an upgrade is required.