From: Javier Bértoli <jbertoli@curii.com>
Date: Tue, 15 Feb 2022 16:15:42 +0000 (-0300)
Subject: 18761: address review comments
X-Git-Url: https://git.arvados.org/arvados-formula.git/commitdiff_plain/aadb0b65a2ccbad9aab366aa53fd8fc3c4f1b229

18761: address review comments

Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli@curii.com>
---

diff --git a/arvados/files/default/arvados-archive-keyring.gpg b/arvados/files/default/arvados-archive-keyring.gpg
deleted file mode 100644
index 6c5c167..0000000
Binary files a/arvados/files/default/arvados-archive-keyring.gpg and /dev/null differ
diff --git a/arvados/osfamilymap.yaml b/arvados/osfamilymap.yaml
index 3434082..7df0f00 100644
--- a/arvados/osfamilymap.yaml
+++ b/arvados/osfamilymap.yaml
@@ -18,7 +18,9 @@ Debian:
   repo:
     url_base: 'http://apt.arvados.org'
     file: /etc/apt/sources.list.d/arvados.list
-    repo_keyring: /usr/share/keyrings/arvados-archive-keyring.gpg
+    keyring_file: /usr/share/keyrings/arvados-archive-keyring.gpg
+    keyring_source: 'http://apt.arvados.org/keyring.gpg'
+    keyring_source_hash: 53c2c84849ada21e383f55af0753adb321cc941e7efab94483e3a1703fcc66f1
 
 RedHat:
   repo:
diff --git a/arvados/repo/install.sls b/arvados/repo/install.sls
index c58fbe5..c22bbbc 100644
--- a/arvados/repo/install.sls
+++ b/arvados/repo/install.sls
@@ -4,7 +4,6 @@
 {#- Get the `tplroot` from `tpldir` #}
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
-{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
 
 {%- if arvados.use_upstream_repo %}
   {%- if grains.get('os_family') == 'Debian' %}
@@ -20,11 +19,10 @@
 
 arvados-repo-install-pkgrepo-keyring-managed:
   file.managed:
-    - name: {{ arvados.repo.repo_keyring }}
-    - source: {{ files_switch(['arvados-archive-keyring.gpg'],
-                              lookup='arvados-repo-install-pkgrepo-keyring-managed'
-                 )
-              }}
+    - name: {{ arvados.repo.keyring_file }}
+    - source:
+      - {{ arvados.repo.keyring_source }}
+    - source_hash: sha256={{ arvados.repo.keyring_source_hash }}
     - require_in:
       - pkgrepo: arvados-repo-install-pkgrepo-managed
 
@@ -32,7 +30,7 @@ arvados-repo-install-pkgrepo-managed:
   pkgrepo.managed:
     - humanname: {{ arvados.repo.humanname }}
     - name: >-
-        deb [signed-by={{ arvados.repo.repo_keyring }} arch=amd64]
+        deb [signed-by={{ arvados.repo.keyring_file }} arch=amd64]
         {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main
     - file: {{ arvados.repo.file }}
 
diff --git a/docs/README.apt.keyring.rst b/docs/README.apt.keyring.rst
deleted file mode 100644
index 94a5098..0000000
--- a/docs/README.apt.keyring.rst
+++ /dev/null
@@ -1,18 +0,0 @@
-.. _readme_apt_keyrings:
-
-apt repositories' keyrings
-==========================
-
-Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
-in favor of using `keyring files` which contain a binary OpenPGP format of the key
-(also known as "GPG key public ring")
-
-As arvados don't provide such key files, we created it pulling the
-official key from its site and install the resulting file.
-
-See https://doc.arvados.org/main/install/packages.html#debian for details
-
-.. code-block:: bash
-
-   $ curl -fsSL https://apt.arvados.org/pubkey.gpg | \
-       gpg --dearmor --output arvados-archive-keyring.gpg