From db49ebaaacc09da13fbbde3fe1303957d157170f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= <javier@netmanagers.com.ar>
Date: Fri, 4 Feb 2022 19:37:05 -0300
Subject: [PATCH] feat(debian): use repository keyring instead of key_id

---
 .../files/default/docker-archive-keyring.gpg  | Bin 0 -> 2760 bytes
 docker/osfamilymap.yaml                       |   5 +-
 docker/software/package/repo/clean.sls        |   7 +++
 docker/software/package/repo/install.sls      |  14 +++++
 docs/README.apt.keyring.rst                   |  18 +++++++
 .../package/controls/repository.rb            |  48 ++++++++++++++++++
 6 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 docker/files/default/docker-archive-keyring.gpg
 create mode 100644 docs/README.apt.keyring.rst
 create mode 100644 test/integration/package/controls/repository.rb

diff --git a/docker/files/default/docker-archive-keyring.gpg b/docker/files/default/docker-archive-keyring.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..e5dc8cfda8e5d37f69956520048140c9baab9803
GIT binary patch
literal 2760
zcmV;(3ODtc0u2OMt=cL95CGv?mVEyU+3FP&iF2?(b<6@*g&o7k_7E+vfpyDoj$zjA
zGV5WMs<5X`yaKG4`1D^?%Ti#*<GBm2<-D>f9W@2In1<xHj@po#SlRuuZ(gb9iB;j>
z#V#$cv(vuM$1G5W?m=#;?M(Cxek`gIB|ZeE>e*?4HA0Yo?Le89KO(!1UAgKnfVKJp
ze7*UXLf?I!keb9u+BFqeeB``A$gwvu)M9q}dT8YU+=NzEb9$;fT&a6fycOmt+QBrl
zSljK4NaNyiOYqwZ!pA8r^c00OKI|6ITnqr2;lfcg2)^}~s|^iuXkp-Z9zw?u9f%Gl
zIKx%?805>Gz6o0*0IGj52V2<jnG*P^vl)-(^<IaM64-5$?i(QkbzhV8?ekX7SQ<pW
zS>W@R3^r4ggg+8qe2>{F;knjCB39B|n)&}Ia))TWmVOS1zJD$Q<&mo|g~V`#5B$6N
zxLlw5L@k&9cvMyuB<WrP{}%URoq#zZO~k_+w=}eg6%eCTtB)Jqq&nc!nL%#fRyXJ?
z0U31aj}yI*YmQ^BobOOvQl;39lWSRBi=-Yoal}XgbT7%>!wfYMH5Y?I18^yQU0Cn<
zQ+Vm-4&d0rzki{yJhx4HVp!v=n%$Eu4}XG1@@3Rpmx4E2z!ZF5gVt7hXhF3JhQ)dC
z^v|>E6|i%rp_>2^0RRECD@1Q&Yh`jEQe|vqVRL05C__acWMyJ0AUtGmV{2t{KxA)Y
zYh`jSV{dIfi2^qS69EbUAq4_ht>?f38!rV52?z%R1r-Vj2nz)k0s{d60v-VZ7k~f?
z2@s8efIJSr&4{we5B?+>qpu&7G$uCr{9l#Rccf8iLHFK8*j}rX=-CG)$dc?$piG&n
zyvm)ljwUsM!bnCjBbuvmg?VD7{XegYqwDC-jwi9@5G?Wk0W>(My&0lUwT?!h+_)r;
ziSkkZTf)_`7M(d9Eygf&;f2K#dl0cev@e`hmk(<eEU2#@ou5y{8$@TB`Q7H}`kZ%>
zZtk3Hs%->NGPyLrr#y%lgx{LEI^lyjO4KBwd}kap{2xYFqV-F2>Yq<t5{Q*)*R?(>
zG-gdq-7QDsOB?=ysoxG@7KH&vE_?hnRc?txWkz9<=VtFx@Ut8hfLi2;JwF@<K<Fyz
z5Xud;em<noPmu*N<aL_3+>%ZMK$zRb;~8!vOdFX75Fk8*e>XpOrG|YsSZ2f#t_(HJ
z+2iiq+kTKEd{!m%PjyDuMW8T;FZ!)Cg>O6x2SR3fyfZ=kBSDUz=aV8M^lA(&u0B2M
z-aM5?LcHpf3Iqah6nv_W(wZrA8IAR4qXOaf%g7n?TNrw7a0Kc^OVl3Z8#a2R3m+9$
z8(5MM+x77e+YoN$TgPo5x1IH2GV6I8ege0YQtX?0EQiH**C+5Ml4{T8)OO+-<Y05X
z7ys6n$Mt^*LT}Pi9`XbFxH=XT@)_;kuOH=WqpWUNL87?EqRw`y*r-{WnIL}Zau#Z3
zhf6w=e5Sbq4Fp)N+A0AM0OxqWQub~yg-zR)q+?Y@GAFkGsW{wADQ^gVS5Quo+E1L2
zMq_*f89cg9`};*RVn`&w_(~_rxh?T>PfE3sg1Paga|nw;9NrvW?<GR3EIv_ALt@)}
zoxNsYK09$k;L}f5T%WLOKvp^y3DKcNNXH9Z!&b~=|2?k3U`w1ZxWN*4bT&nZ8|*`c
zI+^anr&{f1q*?w5hH-hG!&n$KS|EJsilC+X<lBE&sR}yIl#JwOc6VY<LNoN@7c=C~
zX-m(~T%<n~_}fCU_Mlm3<9B5@j5eu&f4iLt!VzjwI^5bQak`WZ>0Q{d=P|r_7drn!
z8&M^%eloEvv)?t~lG>1q+=qlCndr6=1Yy(%>dfgbh&%TXeRWyM$f8?S{8ygGsA8pS
zM?IBQwFu-HaGRib&`sVMSJXjhuE(AOvYeGL$vD)^dqADy%5oai-WdX=OaMym$#l_A
z7d>5VEn*PN1N}x~{PYrGX`90HOmI4|Rc$_R*_6<i=>1pBoGZVu(m<g47->O4MgBSA
z3G&qBk^c}(l#fx^d_Tr93{<%g;efsvX)qQ8<7p74rQ;AUmvbi*yka|wYGA+9!(&uJ
z3tZ#|GLLIrw5-@~{uvdM_93`x8jgYT%ZPhr3MqBNEu`I@f@nl~3G(!ilEW9!nGG{5
zNIRRPhlryvj{p$?00D^vJ_Hy62mlEM0$8ouDgqk<0x1a)je&qX4!_Na!CfE(8370Y
z1_c6Gt=cL83JDN?psB<1bNtxVU=ROn3Hco$6RNCn?dy%AGv~v}na?1gs^YJhXA)JR
zJ_hRT#t5-)YKUBmhDT{(!zP43W=13FLVlQQY&Uywe9iI|Dk@tr8RUEXt!L9asCk14
z$moeFun}{2z@`Y8KUEy#Y?ttc*0nt%%r%bCd4pClxDY!t`M2qFddF+NHq%TDA5Z73
zoZ<)UWl<6+4{!S>HvV2YFUNmbNfe7l7outUhag5HvTFpov<ZFt7)B51?`y26seeBA
zUGuvnfwMTKWtKMo57bxw4(CO%r~7d&AG~Li<jVh@9=JlV@go$2UOTXq+@%Sx=}g&h
z&Iy3M2W)jhqBVF6`ehKj40X^8I9HfMG~$1&3`F<-+%%){`r9IS!h|jIIJ~s!y8YOp
zXq#TdB0Yiu${wq=4~8wMqUHg>{9)%SU3wB^qK~XMv`AX!x<6%-nu+;S&pdG~rCcpO
z05M&Fwf!q>>kU>E8(Zk`CG@{MMFpYoH>2^}r{N(ze}#nyK^=2d^FwnaCSIuyoty8V
z$MgLSEc6&fC;Zgt2oP+BME)7IvYQ`*`)m(a>t+0)T%TWxv;Hw42=h!wN&j`JBw0E>
z50`dHHM+RTjBnAsX^_gE8Q9$kh)YxA+2aP#nvkSPSGK0POS-qBfqQ0U`6_z!bL?8k
zW-GmuFEE@S55O+}&SbUnxDWqc+d9(t{vtC%96$nq3|U&n$e6E6Na09qb+{@cv1jZ|
z3ANPz<FdPmFRfY3#T64~jNJL7<ZqVr2N~zVCi_*aR&W<}M1TFWCWk8gz`w@TgSA(3
zL?tv`#>BC8hPZX%fd!AicAGHUi1CEtQTkg6rlJ&izkT=Qe0t#FL~*@%Q@afty20kH
zP@b&1>Szr#R<^(R$ZDQ+tX1BmAvCn7XbkFG{bvJsln04BkS2;}7+r)m!j=C|-@2Mb
zZaVA|!c_0vpuO@|Zgh7CYc|rUFc^1cmciEIZ-OsoUfh8=!gs&KS$I6fh;IjUD`52-
z$hYta7J<<pbiPx+O;4z_DE!MJVBfRE`$k%FxW_nA`#gdSp!WU1d#4TE<TAy=x5Gyp
z2MZzobPayMI=b(@AG2X?=s_|TC#2SLtbD?oJeQHHutW-|39*7VDHBHvF0a@U<5bWy
z%PbFA#f9UEe|Sy~c?whE%8v69I$c96yxo|$P0S5kzSc+naDw!s<JUhB3y#vqADvB<
zvEbuChX&I8vv)p%t)IfrjgL(~+k;q-lUa(cOJzPNaO(s)Y=Vr#ZqLq)EL@~K&6#>u
zKyfV{PWt21mmL1oc+`{DV3Y`cYIUjP(OqJCF?#$b(-lq(eagmRKXj;3eca9O(@<N)
O|AZlpzxLROJ-XfM=roc5

literal 0
HcmV?d00001

diff --git a/docker/osfamilymap.yaml b/docker/osfamilymap.yaml
index 7dc31097..e9025a7d 100644
--- a/docker/osfamilymap.yaml
+++ b/docker/osfamilymap.yaml
@@ -41,12 +41,13 @@ Debian:
       - git
       - procps
     docker:
+      {%- set repo_keyring = '/usr/share/keyrings/docker-archive-keyring.gpg' %}
       repo:
                 {%- if 'oscodename' in grains %}
-        name: deb [arch=amd64] https://download.docker.com/linux/{{ grains.os|lower }} {{ grains.oscodename }} stable
+        name: 'deb [signed-by={{ repo_keyring }} arch=amd64] https://download.docker.com/linux/{{ grains.os|lower }} {{ grains.oscodename }} stable'
                 {%- endif %}
         file: /etc/apt/sources.list.d/docker.list
-        key_url: "https://download.docker.com/linux/{{ grains.os|lower }}/gpg"
+      repo_keyring: {{ repo_keyring }}
 
 RedHat:
   pkg:
diff --git a/docker/software/package/repo/clean.sls b/docker/software/package/repo/clean.sls
index 59a31ecc..a80824d1 100644
--- a/docker/software/package/repo/clean.sls
+++ b/docker/software/package/repo/clean.sls
@@ -5,9 +5,16 @@
 {%- from tplroot ~ "/map.jinja" import data as d with context %}
 
     {%- if 'repo' in d.pkg.docker and d.pkg.docker.repo %}
+        {%- from tplroot ~ "/files/macros.jinja" import format_kwargs with context %}
 
 docker-software-package-repo-absent:
   pkgrepo.absent:
     - name: {{ d.pkg.docker.repo.name }}
 
+        {% if grains.os_family == 'Debian' %}
+docker-software-package-repo-keyring-absent:
+  file.absent:
+    - name: {{ d.pkg.docker.repo_keyring }}
+        {%- endif %}
+
     {%- endif %}
diff --git a/docker/software/package/repo/install.sls b/docker/software/package/repo/install.sls
index 52827090..c23a6d8f 100644
--- a/docker/software/package/repo/install.sls
+++ b/docker/software/package/repo/install.sls
@@ -3,10 +3,24 @@
 
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import data as d with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
 
     {%- if 'repo' in d.pkg.docker and d.pkg.docker.repo %}
         {%- from tplroot ~ "/files/macros.jinja" import format_kwargs with context %}
 
+{% if grains.os_family == 'Debian' %}
+docker-software-package-repo-keyring-managed:
+  file.managed:
+    - name: {{ d.pkg.docker.repo_keyring }}
+    - source: {{ files_switch(['docker-archive-keyring.gpg'],
+                              lookup='docker-software-package-repo-keyring-managed'
+                 )
+              }}
+    - require_in:
+      - pkgrepo: docker-software-package-repo-managed
+{%- endif %}
+
+
 docker-software-package-repo-managed:
   pkgrepo.managed:
     {{- format_kwargs(d.pkg.docker.repo) }}
diff --git a/docs/README.apt.keyring.rst b/docs/README.apt.keyring.rst
new file mode 100644
index 00000000..4575ade1
--- /dev/null
+++ b/docs/README.apt.keyring.rst
@@ -0,0 +1,18 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As docker don't provide such key files, we created them following the
+official recomendations in their sites and install the resulting files.
+
+See https://docs.docker.com/engine/install/debian/#install-using-the-repository for details
+
+.. code-block:: bash
+
+   $ curl -fsSL https://download.docker.com/linux/debian/gpg | \
+       gpg --dearmor --output docker-archive-keyring.gpg
diff --git a/test/integration/package/controls/repository.rb b/test/integration/package/controls/repository.rb
new file mode 100644
index 00000000..04a1b60f
--- /dev/null
+++ b/test/integration/package/controls/repository.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+case platform.name
+when 'centos'
+  repo_file = '/etc/yum.repos.d/docker-ce.repo'
+  # rubocop:disable Metrics/LineLength
+  repo_url = "https://download.docker.com/linux/#{platform.name}/$releasever/$basearch/stable"
+  # rubocop:enable Metrics/LineLength
+when 'debian', 'ubuntu'
+  # Inspec does not provide a `codename` matcher, so we add ours
+  finger_codename = {
+    'ubuntu-18.04' => 'bionic',
+    'ubuntu-20.04' => 'focal',
+    'debian-9' => 'stretch',
+    'debian-10' => 'buster',
+    'debian-11' => 'bullseye'
+  }
+  codename = finger_codename[system.platform[:finger]]
+
+  repo_keyring = '/usr/share/keyrings/docker-archive-keyring.gpg'
+  repo_file = '/etc/apt/sources.list.d/docker.list'
+  # rubocop:disable Metrics/LineLength
+  repo_url = "deb [signed-by=#{repo_keyring} arch=amd64] https://download.docker.com/linux/#{platform.name} #{codename} stable"
+  # rubocop:enable Metrics/LineLength
+end
+
+control 'Docker repository keyring' do
+  title 'should be installed'
+
+  only_if('Requirement for Debian family') do
+    os.debian?
+  end
+
+  describe file(repo_keyring) do
+    it { should exist }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+  end
+end
+
+control 'Docker repository' do
+  impact 1
+  title 'should be configured'
+  describe file(repo_file) do
+    its('content') { should include repo_url }
+  end
+end