[BUG] vault-formula does not verify software signature

[dehnert]

Your setup

Formula commit hash / release tag

commit 27205e8 (HEAD, tag: v1.3.1)

Versions reports (master & minion)

Master version:

salt -V
Salt Version:
          Salt: 3007.1
 
Python Version:
        Python: 3.10.14 (main, Apr  3 2024, 21:30:09) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.16.0
      cherrypy: unknown
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.16.0
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4
 
Salt Package Information:
  Package Type: onedir
 
System Versions:
          dist: ubuntu 24.04 noble
        locale: utf-8
       machine: x86_64
       release: 6.8.0-36-generic
        system: Linux
       version: Ubuntu 24.04 noble

Minion version:

# salt-call -V
Salt Version:
          Salt: 3004.1
 
Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.0.3
       libgit2: Not Installed
      M2Crypto: 0.38.0
          Mako: Not Installed
       msgpack: 1.0.3
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.11.0
        pygit2: Not Installed
        Python: 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]
  python-gnupg: Not Installed
        PyYAML: 5.4.1
         PyZMQ: 22.3.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: ubuntu 22.04 Jammy Jellyfish
        locale: iso8859-1
       machine: x86_64
       release: 5.15.0-107-generic
        system: Linux
       version: Ubuntu 22.04 Jammy Jellyfish

Pillar / config used

The pillar includes:

vault:
  version: 1.17.1
  platform: linux_amd64
  dev_mode: False
  verify_download: True
  hashicorp_gpg_key: |
    [...]

---

Bug details

Describe the bug

When I run state.apply, I get a bunch of output, including:

          ID: vault-package-gpg-cmd-run-verify
    Function: cmd.run
        Name: gpg2 --verify /opt/vault/1.17.1_SHA256SUMS.sig /opt/vault/1.17.1_SHA256SUMS
      Result: False
     Comment: Command "gpg2 --verify /opt/vault/1.17.1_SHA256SUMS.sig /opt/vault/1.17.1_SHA256SUMS" run
     Started: 04:53:27.370829
    Duration: 10.673 ms
     Changes:   
              ----------
              pid:
                  995952
              retcode:
                  2
              stderr:
                  gpg: Signature made Wed Jun 26 00:08:45 2024 UTC
                  gpg:                using RSA key 374EC75B485913604A831CC7C820C6D5CD27AB87
                  gpg: Can't check signature: No public key
              stdout:

This suggests that the download wasn't successfully validated. However, vault --version shows the new Vault binary has been installed, and systemctl status vault.service suggests the service has been restarted using the new binary.

Steps to reproduce the bug

Expected behaviour

verify_download: True should result in an incorrect GPG key blocking installing the new Vault binary and the service should not restart.

Attempts to fix the bug

Putting the new key in my pillar and then re-running did successfully verify the binary, so I think I got the right binary, but given how security-critical Vault (and Salt) are, I expect a failed verification to fail the install completely.

I haven't attempted to add the relevant dependencies myself.

Additional context