repo:
url_base: 'http://apt.arvados.org'
file: /etc/apt/sources.list.d/arvados.list
- key_url: 'http://apt.arvados.org/pubkey.gpg'
+ repo_keyring: /usr/share/keyrings/arvados-archive-keyring.gpg
RedHat:
repo:
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
{%- if arvados.use_upstream_repo %}
{%- if grains.get('os_family') == 'Debian' %}
{%- else %}
{%- set release = distro %}
{%- endif %}
+
+arvados-repo-install-pkgrepo-keyring-managed:
+ file.managed:
+ - name: {{ arvados.repo.repo_keyring }}
+ - source: {{ files_switch(['arvados-archive-keyring.gpg'],
+ lookup='arvados-repo-install-pkgrepo-keyring-managed'
+ )
+ }}
+ - require_in:
+ - pkgrepo: arvados-repo-install-pkgrepo-managed
+
arvados-repo-install-pkgrepo-managed:
pkgrepo.managed:
- humanname: {{ arvados.repo.humanname }}
- - name: deb {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main
+ - name: >-
+ deb [signed-by={{ arvados.repo.repo_keyring }} arch=amd64]
+ {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main
- file: {{ arvados.repo.file }}
- - key_url: {{ arvados.repo.key_url }}
{%- elif grains.get('os_family') == 'RedHat' %}
{%- if arvados.release == 'testing' %}
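Review bot: The new `arvados-repo-install-pkgrepo-keyring-managed` state sets no `user`, `group` or `mode`, although this file is the trust anchor apt uses for `signed-by` and the InSpec control added in the same commit expects root:root and `0644`. Pinning them in the state (`- user: root`, `- group: root`, `- mode: '0644'`) makes the formula enforce what the test checks instead of relying on defaults, and should also correct a keyring that already exists with looser permissions. Separately, `arch=amd64` is hard-coded in the new `name:` value, so hosts of another architecture would presumably end up without a usable source entry. Consider taking it from a grain or a map value. The surrounding `{%- if arvados.use_upstream_repo %}` block continues outside this hunk.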
--- /dev/null
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As arvados don't provide such key files, we created it pulling the
+official key from its site and install the resulting file.
+
+See https://doc.arvados.org/main/install/packages.html#debian for details
+
+.. code-block:: bash
+
+ $ curl -fsSL https://apt.arvados.org/pubkey.gpg | \
+ gpg --dearmor --output arvados-archive-keyring.gpg
codename = 'bullseye'
end
repo_file = '/etc/apt/sources.list.d/arvados.list'
- repo_url = "deb http://apt.arvados.org/#{codename} #{codename} main"
+ repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg'
+ repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename} main"
+end
+
+control 'arvados repository keyring' do
+ title 'should be installed'
+
+ only_if('Requirement for Debian family') do
+ platform.family == 'debian'
+ end
+
+ describe file(repo_keyring) do
+ it { should exist }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ end
end
control 'arvados repository' do
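Review bot: The new `arvados repository keyring` control checks only that the file exists with root:root ownership and mode `0644`, so an empty, truncated or substituted keyring would still pass; the same applies to the identical control in the next hunk. Since this file decides which signatures apt accepts, the control should also pin its content, for example `its('sha256sum') { should eq '<sha256-of-committed-keyring>' }` (a placeholder for the hash of the keyring shipped with the formula). As a style point, `repo_url` repeats the keyring path as a literal right after `repo_keyring` is assigned; interpolating `#{repo_keyring}` into the `signed-by=` option would keep the two from drifting apart.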
codename = 'bullseye'
end
repo_file = '/etc/apt/sources.list.d/arvados.list'
- repo_url = "deb http://apt.arvados.org/#{codename} #{codename}-dev main"
+ repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg'
+ repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename}-dev main"
+end
+
+control 'arvados repository keyring' do
+ title 'should be installed'
+
+ only_if('Requirement for Debian family') do
+ platform.family == 'debian'
+ end
+
+ describe file(repo_keyring) do
+ it { should exist }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ end
end
control 'arvados repository' do