From 8ab8c46cf4337511e449dd42413562069fa820de Mon Sep 17 00:00:00 2001
From: Rob Braden
Date: Fri, 2 Sep 2016 11:29:54 -0700
Subject: [PATCH 1/3] (RE-7976) Add new GPG key for RPMs
---
 files/RPM-GPG-KEY-puppet | 29 +++++++++++++++++++
 manifests/osfamily/redhat.pp | 25 ++++++++++++++--
 .../puppet_agent_osfamily_redhat_spec.rb | 21 ++++++++++++--
 3 files changed, 71 insertions(+), 4 deletions(-)
 create mode 100644 files/RPM-GPG-KEY-puppet
diff --git a/files/RPM-GPG-KEY-puppet b/files/RPM-GPG-KEY-puppet
new file mode 100644
index 000000000..db53cb0e7
--- /dev/null
+++ b/files/RPM-GPG-KEY-puppet
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFe2Iz4BEADqbv/nWmR26bsivTDOLqrfBEvRu9kSfDMzYh9Bmik1A8Z036Eg
+h5+TZD8Rrd5TErLQ6eZFmQXk9yKFoa9/C4aBjmsL/u0yeMmVb7/66i+x3eAYGLzV
+FyunArjtefZyxq0B2mdRHE8kwl5XGl8015T5RGHCTEhpX14O9yigI7gtliRoZcl3
+hfXtedcvweOf9VrV+t5LF4PrZejom8VcB5CE2pdQ+23KZD48+Cx/sHSLHDtahOTQ
+5HgwOLK7rBll8djFgIqP/UvhOqnZGIsg4MzTvWd/vwanocfY8BPwwodpX6rPUrD2
+aXPsaPeM3Q0juDnJT03c4i0jwCoYPg865sqBBrpOQyefxWD6UzGKYkZbaKeobrTB
+xUKUlaz5agSK12j4N+cqVuZUBAWcokXLRrcftt55B8jz/Mwhx8kl6Qtrnzco9tBG
+T5JN5vXMkETDjN/TqfB0D0OsLTYOp3jj4hpMpG377Q+6D71YuwfAsikfnpUtEBxe
+NixXuKAIqrgG8trfODV+yYYWzfdM2vuuYiZW9pGAdm8ao+JalDZss3HL7oVYXSJp
+MIjjhi78beuNflkdL76ACy81t2TvpxoPoUIG098kW3xd720oqQkyWJTgM+wV96bD
+ycmRgNQpvqHYKWtZIyZCTzKzTTIdqg/sbE/D8cHGmoy0eHUDshcE0EtxsQARAQAB
+tEhQdXBwZXQsIEluYy4gUmVsZWFzZSBLZXkgKFB1cHBldCwgSW5jLiBSZWxlYXNl
+IEtleSkgPHJlbGVhc2VAcHVwcGV0LmNvbT6JAj4EEwECACgFAle2Iz4CGwMFCQlm
+AYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEH9DgoDvjTSfIN0P/jcCRzK8
+WIdhcNz5dkj7xRZb8Oft2yDfenQmzb1SwGGa96IwJFcjF4Nq7ymcDUqunS2DEDb2
+gCucsqmW1ubkaggsYbc9voz/SQwhsQpBjfWbuyOX9DWmW6av/aB1F85wP79gyfqT
+uidTGxQE6EhDbLe7tuvxOHfM1bKsUtI+0n9TALLLHfXUEdtaXCwMlJuO1IIn1PWa
+H7HzyEjw6OW/cy73oM9nuErBIio1O60slPLOW2XNhdWZJCRWkcXyuumRjoepz7WN
+1JgsLOTcB7rcQaBP3pDN0O/Om5dlDQ6oYitoJs/F0gfEgwK68Uy8k8sUR+FLLJqM
+o0CwOg6CeWU4ShAEd1xZxVYW6VOOKlz9x9dvjIVDn2SlTBDmLS99ySlQS57rjGPf
+GwlRUnuZP4OeSuoFNNJNb9PO6XFSP66eNHFbEpIoBU7phBzwWpTXNsW+kAcY8Rno
+8GzKR/2FRsxe5Nhfh8xy88U7BA0tqxWdqpk/ym+wDcgHBfSRt0dPFnbaHAiMRlgX
+J/NPHBQtkoEdQTKA+ICxcNTUMvsPDQgZcU1/ViLMN+6kZaGNDVcPeMgDvqxu0e/T
+b3uYiId38HYbHmD6rDrOQL/2VPPXbdGbxDGQUgX1DfdOuFXw1hSTilwI1KdXxUXD
+sCsZbchgliqGcI1l2En62+6pI2x5XQqqiJ7+
+=HpaX
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/manifests/osfamily/redhat.pp b/manifests/osfamily/redhat.pp
index adc3ff8b3..a1360b38d 100644
--- a/manifests/osfamily/redhat.pp
+++ b/manifests/osfamily/redhat.pp
@@ -43,13 +43,34 @@
 }
 }
- $keyname = 'RPM-GPG-KEY-puppetlabs'
+ $legacy_keyname = 'RPM-GPG-KEY-puppetlabs'
+ $legacy_gpg_path = "/etc/pki/rpm-gpg/${legacy_keyname}"
+ $keyname = 'RPM-GPG-KEY-puppet'
 $gpg_path = "/etc/pki/rpm-gpg/${keyname}"
+ $gpg_keys = "file://${legacy_gpg_path}
+ file://${gpg_path}"
 file { ['/etc/pki', '/etc/pki/rpm-gpg']:
 ensure => directory,
 }
+ file { $legacy_gpg_path:
+ ensure => present,
+ owner => 0,
+ group => 0,
+ mode => '0644',
+ source => "puppet:///modules/puppet_agent/${legacy_keyname}",
+ }
+
+ # Given the path to a key, see if it is imported, if not, import it
+ exec { "import-${legacy_keyname}":
+ path => '/bin:/usr/bin:/sbin:/usr/sbin',
+ command => "rpm --import ${legacy_gpg_path}",
+ unless => "rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < ${legacy_gpg_path}) | cut --characters=11-18 | tr [A-Z] [a-z]`",
+ require => File[$legacy_gpg_path],
+ logoutput => 'on_failure',
+ }
+
 file { $gpg_path:
 ensure => present,
 owner => 0,
@@ -72,7 +93,7 @@
 descr => "Puppet Labs ${::puppet_agent::collection} Repository",
 enabled => true,
 gpgcheck => '1',
- gpgkey => "file://${gpg_path}",
+ gpgkey => "${gpg_keys}",
 sslcacert => $_sslcacert_path,
 sslclientcert => $_sslclientcert_path,
 sslclientkey => $_sslclientkey_path,
diff --git a/spec/classes/puppet_agent_osfamily_redhat_spec.rb b/spec/classes/puppet_agent_osfamily_redhat_spec.rb
index cb23ac0b3..dc8ea67bc 100644
--- a/spec/classes/puppet_agent_osfamily_redhat_spec.rb
+++ b/spec/classes/puppet_agent_osfamily_redhat_spec.rb
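Review bot: The new trust anchor is introduced as an opaque file with nothing in the manifest saying which key it is, so a reader of `$keyname = 'RPM-GPG-KEY-puppet'` cannot check that files/RPM-GPG-KEY-puppet is the intended key without running gpg on it; I would add above that line `# Puppet, Inc. Release Key <release@puppet.com>, fingerprint 6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F` (the id the debian.pp patch in this series uses for the same key; the armored block's user ID and self-signature issuer appear to decode to that name and to key ID 7F438280EF8D349F, worth confirming with `gpg --with-fingerprint`), plus a note that the legacy key stays in `$gpg_keys` only until every repository is re-signed, since both keys remain trusted by every consumer of `pc_repo`. The `unless` copied for the legacy import needs a `gpg` binary on the host and relies on `cut --characters=11-18` lining up with GnuPG 1.x's `pub 4096R/EF8D349F` column layout; when either assumption fails the check returns non-zero and `rpm --import` re-runs on every agent run, so at minimum quote the classes as `tr '[A-Z]' '[a-z]'` so the shell cannot glob them against the working directory. `gpgkey => "${gpg_keys}"` quotes a lone variable (`gpgkey => $gpg_keys` is the lint-clean form), and building `$gpg_keys` with an explicit `"\n"` instead of a literal line break inside the string would keep the manifest's indentation out of the generated .repo file.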
@@ -28,6 +28,14 @@
 'logoutput' => 'on_failure',
 }) }
+ it { is_expected.to contain_exec('import-RPM-GPG-KEY-puppet').with({
+ 'path' => '/bin:/usr/bin:/sbin:/usr/sbin',
+ 'command' => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
+ 'unless' => 'rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet) | cut --characters=11-18 | tr [A-Z] [a-z]`',
+ 'require' => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet]',
+ 'logoutput' => 'on_failure',
+ }) }
+
 ['/etc/pki', '/etc/pki/rpm-gpg'].each do |path|
 it { is_expected.to contain_file(path).with({
 'ensure' => 'directory',
@@ -42,13 +50,22 @@
 'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppetlabs',
 }) }
+ it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet').with({
+ 'ensure' => 'present',
+ 'owner' => '0',
+ 'group' => '0',
+ 'mode' => '0644',
+ 'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppet',
+ }) }
+
+
 context 'when FOSS' do
 it { is_expected.not_to contain_yumrepo('puppetlabs-pepackages').with_ensure('absent') }
 it { is_expected.to contain_yumrepo('pc_repo').with({
 'baseurl' => "https://yum.puppetlabs.com/#{urlbit}/PC1/x64",
 'enabled' => 'true',
 'gpgcheck' => '1',
- 'gpgkey' => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
+ 'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\n file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
 }) }
 it { is_expected.to contain_class("puppet_agent::osfamily::redhat") }
@@ -87,7 +104,7 @@
 'baseurl' => "https://master.example.vm:8140/packages/4.0.0/#{repodir}",
 'enabled' => 'true',
 'gpgcheck' => '1',
- 'gpgkey' => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs',
+ 'gpgkey' => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\n file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
 'sslcacert' => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
 'sslclientcert' => '/etc/puppetlabs/puppet/ssl/certs/foo.example.vm.pem',
 'sslclientkey' => '/etc/puppetlabs/puppet/ssl/private_keys/foo.example.vm.pem',
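Review bot: Both new `'gpgkey'` expectations pin the exact whitespace that follows the `\n`, and that whitespace is whatever source indentation the manifest happens to have inside its multi-line `$gpg_keys` literal, so any reindent of redhat.pp breaks these two assertions without changing behaviour. Either have the manifest build the value with an explicit `"\n"` and no leading spaces so the test can expect `"file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\nfile:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet"`, or assert both URLs with a regex such as `'gpgkey' => %r{file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs\s+file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet}`. The second hunk also leaves two blank lines before `context 'when FOSS' do` where one matches the rest of the file.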
From 30d76b3165e92b7092691706597f5db8cc941824 Mon Sep 17 00:00:00 2001
From: Morgan Rhodes
Date: Tue, 6 Sep 2016 11:45:39 -0700
Subject: [PATCH 2/3] (RE-7976) Add new GPG key for deb* systems
---
 manifests/osfamily/debian.pp | 6 +++++-
 spec/classes/puppet_agent_osfamily_debian_spec.rb | 14 ++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/manifests/osfamily/debian.pp b/manifests/osfamily/debian.pp
index af8b1cede..d17e42443 100644
--- a/manifests/osfamily/debian.pp
+++ b/manifests/osfamily/debian.pp
@@ -77,12 +77,16 @@
 }
 }
+ apt::key { 'legacy key':
+ id => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+ server => 'pgp.mit.edu',
+ }
 apt::source { 'pc_repo':
 location => $source,
 repos => $::puppet_agent::collection,
 key => {
- 'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+ 'id' => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
 'server' => 'pgp.mit.edu',
 },
 notify => Notify['pc_repo_force'],
diff --git a/spec/classes/puppet_agent_osfamily_debian_spec.rb b/spec/classes/puppet_agent_osfamily_debian_spec.rb
index 744616c0a..8f1854d31 100644
--- a/spec/classes/puppet_agent_osfamily_debian_spec.rb
+++ b/spec/classes/puppet_agent_osfamily_debian_spec.rb
@@ -85,11 +85,16 @@
 'content' => apt_settings.join(''),
 }) }
+ it { is_expected.to contain_apt__key('legacy key').with({
+ 'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+ 'server' => 'pgp.mit.edu',
+ }) }
+
 it { is_expected.to contain_apt__source('pc_repo').with({
 'location' => 'https://master.example.vm:8140/packages/4.0.0/debian-7-x86_64',
 'repos' => 'PC1',
 'key' => {
- 'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+ 'id' => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
 'server' => 'pgp.mit.edu',
 },
 }) }
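Review bot: Both the new `apt::key { 'legacy key': ... }` and the `key` hash of `apt::source { 'pc_repo': ... }` pull their key from `pgp.mit.edu`, so every Debian agent needs outbound HKP access to a third-party keyserver even in the PE case where `$source` points at the Puppet master; the first patch in this series already ships the new key as files/RPM-GPG-KEY-puppet, and serving it from the module with `source => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppet'` (assuming the apt module version in use accepts `source` on apt::key) would remove the network dependency and the keyserver-availability failure mode for air-gapped hosts. The full 40-hex fingerprints let apt::key verify what it receives, so this is about reliability rather than key substitution. The standalone `apt::key` has no ordering relationship with `Apt::Source['pc_repo']`; unless the apt module orders every Apt::Key before its update, the first run can refresh the list before the legacy key is imported and fail on packages still signed with it, so `before => Apt::Source['pc_repo'],` is worth adding. A descriptive title such as `'puppetlabs-legacy-release-key'` reads better than `'legacy key'` in reports, and a blank line between the two resources matches the surrounding style.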
@@ -102,11 +107,16 @@
 it { is_expected.not_to contain_apt__setting('conf-pe-repo') }
 it { is_expected.not_to contain_apt__setting('list-puppet-enterprise-installer') }
+ it { is_expected.to contain_apt__key('legacy key').with({
+ 'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+ 'server' => 'pgp.mit.edu',
+ }) }
+
 it { is_expected.to contain_apt__source('pc_repo').with({
 'location' => 'http://apt.puppetlabs.com',
 'repos' => 'PC1',
 'key' => {
- 'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+ 'id' => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
 'server' => 'pgp.mit.edu',
 },
 }) }
From 480b93e8b6faad25b161e11b0fb4249030644a06 Mon Sep 17 00:00:00 2001
From: Morgan Rhodes
Date: Tue, 6 Sep 2016 11:46:03 -0700
Subject: [PATCH 3/3] (RE-7976) Add new GPG key for SuSE
---
 manifests/osfamily/suse.pp | 29 +++++++++++++++++++++----
 .../puppet_agent_osfamily_suse_spec.rb | 8 +++++
 2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/manifests/osfamily/suse.pp b/manifests/osfamily/suse.pp
index 689683a67..471fe3c68 100644
--- a/manifests/osfamily/suse.pp
+++ b/manifests/osfamily/suse.pp
@@ -16,9 +16,11 @@
 }
 '11', '12': {
 # Import the GPG key
- $keyname = 'RPM-GPG-KEY-puppetlabs'
- $gpg_path = "/etc/pki/rpm-gpg/${keyname}"
- $gpg_homedir = '/root/.gnupg'
+ $legacy_keyname = 'RPM-GPG-KEY-puppetlabs'
+ $legacy_gpg_path = "/etc/pki/rpm-gpg/${legacy_keyname}"
+ $keyname = 'RPM-GPG-KEY-puppet'
+ $gpg_path = "/etc/pki/rpm-gpg/${keyname}"
+ $gpg_homedir = '/root/.gnupg'
 file { ['/etc/pki', '/etc/pki/rpm-gpg']:
 ensure => directory,
@@ -32,9 +34,27 @@
 source => "puppet:///modules/puppet_agent/${keyname}",
 }
+ file { $legacy_gpg_path:
+ ensure => present,
+ owner => 0,
+ group => 0,
+ mode => '0644',
+ source => "puppet:///modules/puppet_agent/${legacy_keyname}",
+ }
+
 # Given the path to a key, see if it is imported, if not, import it
+ $legacy_gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --throw-keyids < ${legacy_gpg_path})"
 $gpg_pubkey = "gpg-pubkey-$(echo $(gpg --homedir ${gpg_homedir} --throw-keyids < ${gpg_path})"
- exec { "import-${keyname}":
+
+ exec { "import-${legacy_keyname}":
+ path => '/bin:/usr/bin:/sbin:/usr/sbin',
+ command => "rpm --import ${legacy_gpg_path}",
+ unless => "rpm -q ${legacy_gpg_pubkey} | cut --characters=11-18 | tr [A-Z] [a-z])",
+ require => File[$legacy_gpg_path],
+ logoutput => 'on_failure',
+ }
+
+ exec { "import-${keyname}":
 path => '/bin:/usr/bin:/sbin:/usr/sbin',
 command => "rpm --import ${gpg_path}",
 unless => "rpm -q ${gpg_pubkey} | cut --characters=11-18 | tr [A-Z] [a-z])",
@@ -42,7 +62,6 @@
 logoutput => 'on_failure',
 }
- # Set up a zypper repository by creating a .repo file which mimics a ini file
 $pe_server_version = pe_build_version()
 $source = "${::puppet_agent::source}/${pe_server_version}/${::platform_tag}"
diff --git a/spec/classes/puppet_agent_osfamily_suse_spec.rb b/spec/classes/puppet_agent_osfamily_suse_spec.rb
index b98eaef62..fea68675d 100644
--- a/spec/classes/puppet_agent_osfamily_suse_spec.rb
+++ b/spec/classes/puppet_agent_osfamily_suse_spec.rb
@@ -170,6 +170,14 @@
 'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppetlabs',
 }) }
+ it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet').with({
+ 'ensure' => 'present',
+ 'owner' => '0',
+ 'group' => '0',
+ 'mode' => '0644',
+ 'source' => 'puppet:///modules/puppet_agent/RPM-GPG-KEY-puppet',
+ }) }
+
 {
 'name' => 'pc_repo',
 'enabled' => '1',
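Review bot: The shell command substitution in the new `unless` is split across two Puppet strings: `$legacy_gpg_pubkey` opens `$(echo $(gpg ...)` and the matching `)` only appears at the tail of the `unless` literal, so neither piece is readable or changeable on its own and every exec that reuses the variable has to remember to supply the closing parenthesis. Keeping the whole key-ID extraction in one variable removes that trap: `$legacy_gpg_keyid = "$(echo $(gpg --homedir ${gpg_homedir} --throw-keyids < ${legacy_gpg_path}) | cut --characters=11-18 | tr '[A-Z]' '[a-z]')"` with `unless => "rpm -q gpg-pubkey-${legacy_gpg_keyid}",`, and the same shape for `$gpg_pubkey`. As in the RedHat version, the check presumes a `gpg` binary and GnuPG 1.x's `pub 4096R/EF8D349F` column layout for `cut --characters=11-18`; on hosts where that layout differs the substitution yields garbage, `rpm -q` fails, and `rpm --import` silently re-runs every agent run, so a comment next to `$gpg_homedir` recording that assumption (and that gpg will create `/root/.gnupg` as root if it is absent) would help the next maintainer. The `# Given the path to a key, see if it is imported, if not, import it` context comment now sits above two variable assignments instead of the exec it describes; moving it down to the first `exec` keeps it attached to what it explains.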