diff --git a/files/rpm_gpg_import_check.sh b/files/rpm_gpg_import_check.sh
new file mode 100644
index 00000000..81d50b76
--- /dev/null
+++ b/files/rpm_gpg_import_check.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# shellcheck disable=SC2086
+
+ACTION=$1
+GPG_HOMEDIR=$2
+GPG_KEY_PATH=$3
+
+GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons"
+GPG_PUBKEY=gpg-pubkey-$(gpg ${GPG_ARGS} "${GPG_KEY_PATH}" 2>&1 | grep ^pub | cut -d':' -f5 | cut --characters=9-16 | tr '[:upper:]' '[:lower:]')
+
+if [ "${ACTION}" = "check" ]; then
+ # This will return 1 if there are differences between the key imported in the
+ # RPM database and the local keyfile. This means we need to purge the key and
+ # reimport it.
+ diff <(rpm -qi "${GPG_PUBKEY}" | gpg ${GPG_ARGS}) <(gpg ${GPG_ARGS} "${GPG_KEY_PATH}")
+elif [ "${ACTION}" == "import" ]; then
+ (rpm -q "${GPG_PUBKEY}" && rpm -e --allmatches "${GPG_PUBKEY}") || true
+ rpm --import "${GPG_KEY_PATH}"
+fi
diff --git a/manifests/osfamily/redhat.pp b/manifests/osfamily/redhat.pp
index 502aebdd..388adaf9 100644
--- a/manifests/osfamily/redhat.pp
+++ b/manifests/osfamily/redhat.pp
@@ -86,6 +86,7 @@ $legacy_gpg_path = "/etc/pki/rpm-gpg/RPM-${legacy_keyname}" $keyname = 'GPG-KEY-puppet-20250406' $gpg_path = "/etc/pki/rpm-gpg/RPM-${keyname}" + $gpg_homedir = '/root/.gnupg' $gpg_keys = "file://${legacy_gpg_path} file://${gpg_path}"
@@ -103,17 +104,6 @@ source => "puppet:///modules/puppet_agent/${legacy_keyname}", } - # Given the path to a key, see if it is imported, if not, import it - $legacy_gpg_pubkey = "gpg-pubkey-$(echo $(${gpg_cmd} --with-colons ${legacy_gpg_path} 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))" - - exec { "import-${legacy_keyname}": - path => '/bin:/usr/bin:/sbin:/usr/sbin', - command => "rpm --import ${legacy_gpg_path}", - unless => "rpm -q ${legacy_gpg_pubkey}", - require => File[$legacy_gpg_path], - logoutput => 'on_failure', - } - file { $gpg_path: ensure => present, owner => 0,
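Review bot: Nothing in the new script validates its three positional parameters or the key id it derives, so when gpg cannot read `GPG_KEY_PATH` (missing file, missing gpg binary, unusable homedir) `GPG_PUBKEY` silently becomes `gpg-pubkey-`, and an `ACTION` that is neither `check` nor `import` falls through both branches and exits 0, which the Puppet `unless` in the manifests reads as "key already correct". Because the `import` branch runs `rpm -e --allmatches` before `rpm --import`, the script should also refuse to continue unless gpg actually produced a `pub:` record for the file, so a bad key file cannot purge the key that is already in the rpmdb. I would add `set -u`, `${n:?}` checks on the parameters, a non-empty check on the derived key id, and a `case` with an explicit non-zero exit for unknown actions, and send gpg's stderr to /dev/null instead of merging it into the `grep ^pub` pipeline. Two smaller points: `rpm -e --allmatches gpg-pubkey-<id>` keys off the 32-bit short key ID, so a comment above that line such as `# NOTE: matches on the short key ID; any other gpg-pubkey package with the same short ID is removed too` would help the next reader, and the two test brackets mix `=` and `==`.
```shell
#!/bin/bash
# shellcheck disable=SC2086
# Usage: rpm_gpg_import_check.sh check|import GPG_HOMEDIR GPG_KEY_PATH
set -u

ACTION=${1:?usage: $0 check|import GPG_HOMEDIR GPG_KEY_PATH}
GPG_HOMEDIR=${2:?GPG_HOMEDIR is required}
GPG_KEY_PATH=${3:?GPG_KEY_PATH is required}

GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons"
# gpg's stderr is discarded rather than merged into the pipeline so that a
# warning line can never be mistaken for a "pub:" record.
KEY_ID=$(gpg ${GPG_ARGS} "${GPG_KEY_PATH}" 2>/dev/null | grep '^pub' | cut -d':' -f5 | cut --characters=9-16 | tr '[:upper:]' '[:lower:]')
if [ -z "${KEY_ID}" ]; then
  echo "$0: no public key could be read from ${GPG_KEY_PATH}" >&2
  exit 2
fi
GPG_PUBKEY="gpg-pubkey-${KEY_ID}"

case "${ACTION}" in
  check)
    # … unchanged: diff of the rpmdb copy against the key file …
    ;;
  import)
    # … unchanged: purge matching gpg-pubkey package(s), then rpm --import …
    ;;
  *)
    echo "$0: unknown action '${ACTION}'" >&2
    exit 2
    ;;
esac
```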
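Review bot: `$gpg_homedir = '/root/.gnupg'` points the helper's `gpg --homedir` at root's real GnuPG home, and since the `unless` check invokes gpg on every agent run this will, as far as I can tell, initialise or touch root's personal keyring just to parse a key file. A dedicated directory that nothing else uses, created `mode => '0700'` by a `file` resource, would keep the check independent of whatever root has in `~/.gnupg`. suse.pp already has a `$gpg_homedir` that this diff does not show; worth confirming both manifests point at the same place or sharing the definition. The enclosing class starts and ends outside this hunk.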
@@ -122,12 +112,22 @@ source => "puppet:///modules/puppet_agent/${keyname}", } - # Given the path to a key, see if it is imported, if not, import it - $gpg_pubkey = "gpg-pubkey-$(echo $(${gpg_cmd} --with-colons ${gpg_path} 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))" - exec { "import-${keyname}": + file { "${::env_temp_variable}/rpm_gpg_import_check.sh": + ensure => file, + source => 'puppet:///modules/puppet_agent/rpm_gpg_import_check.sh', + mode => '0755', + } + -> exec { "import-${legacy_keyname}": + path => '/bin:/usr/bin:/sbin:/usr/sbin', + command => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${legacy_gpg_path}", + unless => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${legacy_gpg_path}", + require => File[$legacy_gpg_path], + logoutput => 'on_failure', + } + -> exec { "import-${keyname}": path => '/bin:/usr/bin:/sbin:/usr/sbin', - command => "rpm --import ${gpg_path}", - unless => "rpm -q ${gpg_pubkey}", + command => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${gpg_path}", + unless => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${gpg_path}", require => File[$gpg_path], logoutput => 'on_failure', }
diff --git a/manifests/osfamily/suse.pp b/manifests/osfamily/suse.pp
index e7132346..b21636c7 100644
--- a/manifests/osfamily/suse.pp
+++ b/manifests/osfamily/suse.pp
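Review bot: The helper script is written to `${::env_temp_variable}` with `mode => '0755'` but no `owner`/`group`, while the key `file` resources in this same manifest pin `owner => 0`; since root executes this file from what the specs set to `/tmp`, I would at least add `owner => 0, group => 0,` to the new `file` resource, and preferably install it under a root-owned module directory rather than a shared temp directory. The agent presumably runs as root so an existing file at that path would be overwritten, but pinning ownership makes the intent explicit and lets Puppet correct a file left behind with different ownership. The enclosing class starts and ends outside this hunk.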
@@ -85,22 +85,22 @@ source => "puppet:///modules/puppet_agent/${legacy_keyname}", } - # Given the path to a key, see if it is imported, if not, import it - $legacy_gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --with-colons ${legacy_gpg_path} 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))" - $gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --with-colons ${gpg_path} 2>&1 | grep ^pub | awk -F ':' '{print \$5}' | cut --characters=9-16 | tr '[:upper:]' '[:lower:]'))" - - exec { "import-${legacy_keyname}": + file { "${::env_temp_variable}/rpm_gpg_import_check.sh": + ensure => file, + source => 'puppet:///modules/puppet_agent/rpm_gpg_import_check.sh', + mode => '0755', + } + -> exec { "import-${legacy_keyname}": path => '/bin:/usr/bin:/sbin:/usr/sbin', - command => "rpm --import ${legacy_gpg_path}", - unless => "rpm -q ${legacy_gpg_pubkey}", + command => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${legacy_gpg_path}", + unless => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${legacy_gpg_path}", require => File[$legacy_gpg_path], logoutput => 'on_failure', } - - exec { "import-${keyname}": + -> exec { "import-${keyname}": path => '/bin:/usr/bin:/sbin:/usr/sbin', - command => "rpm --import ${gpg_path}", - unless => "rpm -q ${gpg_pubkey}", + command => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${gpg_path}", + unless => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${gpg_path}", require => File[$gpg_path], logoutput => 'on_failure', }
diff --git a/spec/classes/puppet_agent_osfamily_redhat_spec.rb b/spec/classes/puppet_agent_osfamily_redhat_spec.rb
index e36e3265..e1c89363 100644
--- a/spec/classes/puppet_agent_osfamily_redhat_spec.rb
+++ b/spec/classes/puppet_agent_osfamily_redhat_spec.rb
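Review bot: The `file { "${::env_temp_variable}/rpm_gpg_import_check.sh": ... }` resource is now declared verbatim in both suse.pp and redhat.pp, and in both places it sets `mode => '0755'` without `owner`/`group` even though the sibling key resources in these manifests pin `owner => 0`. Hoisting the helper's `file` resource into one shared class, adding `owner => 0, group => 0,` there, and pointing it at a root-owned location instead of a temp directory would keep the two os-family manifests from drifting and avoid having root execute a script out of a world-writable path. The enclosing class starts and ends outside this hunk.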
@@ -15,6 +15,7 @@ :architecture => 'x64', :puppet_master_server => 'master.example.vm', :clientcert => 'foo.example.vm', + :env_temp_variable => '/tmp', } end
diff --git a/spec/classes/puppet_agent_osfamily_suse_spec.rb b/spec/classes/puppet_agent_osfamily_suse_spec.rb
index 080306fb..12d402b2 100644
--- a/spec/classes/puppet_agent_osfamily_suse_spec.rb
+++ b/spec/classes/puppet_agent_osfamily_suse_spec.rb
@@ -10,6 +10,7 @@ :operatingsystemmajrelease => '12', :architecture => 'x86_64', :puppet_master_server => 'master.example.vm', + :env_temp_variable => '/tmp', :clientcert => 'foo.example.vm', }
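Review bot: The only spec change is the new `:env_temp_variable => '/tmp'` fact; as far as this hunk shows, nothing asserts the resources that now depend on it, so the rewritten `command`/`unless` strings and the new helper `file` resource are not covered. If the rest of the spec does not already, I would add `it { is_expected.to contain_file('/tmp/rpm_gpg_import_check.sh').with_mode('0755') }` and an expectation on `contain_exec('import-GPG-KEY-puppet-20250406')` checking its `unless` command. The enclosing facts block starts outside this hunk.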