feat(debian): use repository keyring instead of key_id

saltstack-formulas · Feb 8, 2022 · db49eba · db49eba
1 parent 119939d
commit db49eba
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 2 deletions.
diff --git a/docker/files/default/docker-archive-keyring.gpg b/docker/files/default/docker-archive-keyring.gpg
diff --git a/docker/osfamilymap.yaml b/docker/osfamilymap.yaml
@@ -41,12 +41,13 @@ Debian:
       - git
       - procps
     docker:
+      {%- set repo_keyring = '/usr/share/keyrings/docker-archive-keyring.gpg' %}
       repo:
                 {%- if 'oscodename' in grains %}
-        name: deb [arch=amd64] https://download.docker.com/linux/{{ grains.os|lower }} {{ grains.oscodename }} stable
+        name: 'deb [signed-by={{ repo_keyring }} arch=amd64] https://download.docker.com/linux/{{ grains.os|lower }} {{ grains.oscodename }} stable'
                 {%- endif %}
         file: /etc/apt/sources.list.d/docker.list
-        key_url: "https://download.docker.com/linux/{{ grains.os|lower }}/gpg"
+      repo_keyring: {{ repo_keyring }}
 
 RedHat:
   pkg:

diff --git a/docker/software/package/repo/clean.sls b/docker/software/package/repo/clean.sls
@@ -5,9 +5,16 @@
 {%- from tplroot ~ "/map.jinja" import data as d with context %}
 
     {%- if 'repo' in d.pkg.docker and d.pkg.docker.repo %}
+        {%- from tplroot ~ "/files/macros.jinja" import format_kwargs with context %}
 
 docker-software-package-repo-absent:
   pkgrepo.absent:
     - name: {{ d.pkg.docker.repo.name }}
 
+        {% if grains.os_family == 'Debian' %}
+docker-software-package-repo-keyring-absent:
+  file.absent:
+    - name: {{ d.pkg.docker.repo_keyring }}
+        {%- endif %}
+
     {%- endif %}
diff --git a/docker/software/package/repo/install.sls b/docker/software/package/repo/install.sls
@@ -3,10 +3,24 @@
 
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import data as d with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
 
     {%- if 'repo' in d.pkg.docker and d.pkg.docker.repo %}
         {%- from tplroot ~ "/files/macros.jinja" import format_kwargs with context %}
 
+{% if grains.os_family == 'Debian' %}
+docker-software-package-repo-keyring-managed:
+  file.managed:
+    - name: {{ d.pkg.docker.repo_keyring }}
+    - source: {{ files_switch(['docker-archive-keyring.gpg'],
+                              lookup='docker-software-package-repo-keyring-managed'
+                 )
+              }}
+    - require_in:
+      - pkgrepo: docker-software-package-repo-managed
+{%- endif %}
+
+
 docker-software-package-repo-managed:
   pkgrepo.managed:
     {{- format_kwargs(d.pkg.docker.repo) }}

diff --git a/docs/README.apt.keyring.rst b/docs/README.apt.keyring.rst
@@ -0,0 +1,18 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As docker don't provide such key files, we created them following the
+official recomendations in their sites and install the resulting files.
+
+See https://docs.docker.com/engine/install/debian/#install-using-the-repository for details
+
+.. code-block:: bash
+
+   $ curl -fsSL https://download.docker.com/linux/debian/gpg | \
+       gpg --dearmor --output docker-archive-keyring.gpg
diff --git a/test/integration/package/controls/repository.rb b/test/integration/package/controls/repository.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+case platform.name
+when 'centos'
+  repo_file = '/etc/yum.repos.d/docker-ce.repo'
+  # rubocop:disable Metrics/LineLength
+  repo_url = "https://download.docker.com/linux/#{platform.name}/$releasever/$basearch/stable"
+  # rubocop:enable Metrics/LineLength
+when 'debian', 'ubuntu'
+  # Inspec does not provide a `codename` matcher, so we add ours
+  finger_codename = {
+    'ubuntu-18.04' => 'bionic',
+    'ubuntu-20.04' => 'focal',
+    'debian-9' => 'stretch',
+    'debian-10' => 'buster',
+    'debian-11' => 'bullseye'
+  }
+  codename = finger_codename[system.platform[:finger]]
+
+  repo_keyring = '/usr/share/keyrings/docker-archive-keyring.gpg'
+  repo_file = '/etc/apt/sources.list.d/docker.list'
+  # rubocop:disable Metrics/LineLength
+  repo_url = "deb [signed-by=#{repo_keyring} arch=amd64] https://download.docker.com/linux/#{platform.name} #{codename} stable"
+  # rubocop:enable Metrics/LineLength
+end
+
+control 'Docker repository keyring' do
+  title 'should be installed'
+
+  only_if('Requirement for Debian family') do
+    os.debian?
+  end
+
+  describe file(repo_keyring) do
+    it { should exist }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+  end
+end
+
+control 'Docker repository' do
+  impact 1
+  title 'should be configured'
+  describe file(repo_file) do
+    its('content') { should include repo_url }
+  end
+end