From: Javier Bértoli
Date: Mon, 14 Feb 2022 20:11:20 +0000 (-0300)
Subject: 18761: use repository keyring instead of key_id
X-Git-Url: https://git.arvados.org/arvados-formula.git/commitdiff_plain/96e114d93f94f56275bcddd03f03e29a00f7a3e3
18761: use repository keyring instead of key_id
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli
---
diff --git a/arvados/files/default/arvados-archive-keyring.gpg b/arvados/files/default/arvados-archive-keyring.gpg
new file mode 100644
index 0000000..6c5c167
Binary files /dev/null and b/arvados/files/default/arvados-archive-keyring.gpg differ
diff --git a/arvados/osfamilymap.yaml b/arvados/osfamilymap.yaml
index 22516a4..3434082 100644
--- a/arvados/osfamilymap.yaml
+++ b/arvados/osfamilymap.yaml
@@ -18,7 +18,7 @@ Debian:
 repo:
 url_base: 'http://apt.arvados.org'
 file: /etc/apt/sources.list.d/arvados.list
- key_url: 'http://apt.arvados.org/pubkey.gpg'
+ repo_keyring: /usr/share/keyrings/arvados-archive-keyring.gpg
 RedHat:
 repo:
diff --git a/arvados/repo/install.sls b/arvados/repo/install.sls
index cd42aaa..c58fbe5 100644
--- a/arvados/repo/install.sls
+++ b/arvados/repo/install.sls
@@ -4,6 +4,7 @@
 {#- Get the `tplroot` from `tpldir` #}
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
 {%- if arvados.use_upstream_repo %}
 {%- if grains.get('os_family') == 'Debian' %}
@@ -16,12 +17,24 @@
 {%- else %}
 {%- set release = distro %}
 {%- endif %}
+
+arvados-repo-install-pkgrepo-keyring-managed:
+ file.managed:
+ - name: {{ arvados.repo.repo_keyring }}
+ - source: {{ files_switch(['arvados-archive-keyring.gpg'],
+ lookup='arvados-repo-install-pkgrepo-keyring-managed'
+ )
+ }}
+ - require_in:
+ - pkgrepo: arvados-repo-install-pkgrepo-managed
+
 arvados-repo-install-pkgrepo-managed:
 pkgrepo.managed:
 - humanname: {{ arvados.repo.humanname }}
- - name: deb {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main
+ - name: >-
+ deb [signed-by={{ arvados.repo.repo_keyring }} arch=amd64]
+ {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main
 - file: {{ arvados.repo.file }}
- - key_url: {{ arvados.repo.key_url }}
 {%- elif grains.get('os_family') == 'RedHat' %}
 {%- if arvados.release == 'testing' %}
diff --git a/docs/README.apt.keyring.rst b/docs/README.apt.keyring.rst
new file mode 100644
index 0000000..94a5098
--- /dev/null
+++ b/docs/README.apt.keyring.rst
@@ -0,0 +1,18 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As arvados don't provide such key files, we created it pulling the
+official key from its site and install the resulting file.
+
+See https://doc.arvados.org/main/install/packages.html#debian for details
+
+.. code-block:: bash
+
+ $ curl -fsSL https://apt.arvados.org/pubkey.gpg | \
+ gpg --dearmor --output arvados-archive-keyring.gpg
diff --git a/test/integration/repo/controls/repo_spec.rb b/test/integration/repo/controls/repo_spec.rb
index 601119f..49078c6 100644
--- a/test/integration/repo/controls/repo_spec.rb
+++ b/test/integration/repo/controls/repo_spec.rb
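Review bot: The new `file.managed` state for the keyring sets no `user`, `group` or `mode`, so the permissions of an apt trust anchor are left to Salt's defaults, while the integration tests added in this same commit assert root:root and 0644; add `- user: root`, `- group: root` and `- mode: '0644'` under `file.managed` so the state enforces what the tests check. The `arch=amd64` inside the `signed-by` source line is also hardcoded, which would silently make the repository unusable on any other architecture; if the upstream repository serves other architectures, deriving it from `{{ grains['osarch'] }}` is the usual approach. The enclosing `{%- if grains.get('os_family') == 'Debian' %}` branch starts outside the hunk.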
@@ -23,7 +23,23 @@ when 'debian', 'ubuntu'
 codename = 'bullseye'
 end
 repo_file = '/etc/apt/sources.list.d/arvados.list'
- repo_url = "deb http://apt.arvados.org/#{codename} #{codename} main"
+ repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg'
+ repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename} main"
+end
+
+control 'arvados repository keyring' do
+ title 'should be installed'
+
+ only_if('Requirement for Debian family') do
+ platform.family == 'debian'
+ end
+
+ describe file(repo_keyring) do
+ it { should exist }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ end
 end
 control 'arvados repository' do
diff --git a/test/integration/shell/controls/repo_spec.rb b/test/integration/shell/controls/repo_spec.rb
index a9dc3cb..0f097fe 100644
--- a/test/integration/shell/controls/repo_spec.rb
+++ b/test/integration/shell/controls/repo_spec.rb
@@ -23,7 +23,23 @@ when 'debian', 'ubuntu'
 codename = 'bullseye'
 end
 repo_file = '/etc/apt/sources.list.d/arvados.list'
- repo_url = "deb http://apt.arvados.org/#{codename} #{codename}-dev main"
+ repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg'
+ repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename}-dev main"
+end
+
+control 'arvados repository keyring' do
+ title 'should be installed'
+
+ only_if('Requirement for Debian family') do
+ platform.family == 'debian'
+ end
+
+ describe file(repo_keyring) do
+ it { should exist }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ end
 end
 control 'arvados repository' do
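Review bot: In both test hunks (`test/integration/repo/controls/repo_spec.rb` and `test/integration/shell/controls/repo_spec.rb`) the keyring path is assigned to `repo_keyring` and then repeated verbatim inside `repo_url`, so the two can drift apart; interpolate it instead: `repo_url = "deb [signed-by=#{repo_keyring} arch=amd64] http://apt.arvados.org/#{codename} #{codename} main"` (with `#{codename}-dev` in the shell suite). The new control verifies existence, ownership and mode of the keyring but nothing about its content; since this file is now the only trust anchor for the repository, a content check such as `its('sha256sum') { should eq '<SHA256_OF_SHIPPED_KEYRING>' }` would catch a replaced or corrupted key that the permission checks cannot. The `case` statement that assigns `repo_keyring` begins outside the hunk.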