From 96e114d93f94f56275bcddd03f03e29a00f7a3e3 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Javier=20B=C3=A9rtoli?= Date: Mon, 14 Feb 2022 17:11:20 -0300 Subject: [PATCH 1/1] 18761: use repository keyring instead of key_id MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Arvados-DCO-1.1-Signed-off-by: Javier Bértoli --- .../files/default/arvados-archive-keyring.gpg | Bin 0 -> 1916 bytes arvados/osfamilymap.yaml | 2 +- arvados/repo/install.sls | 17 +++++++++++++++-- docs/README.apt.keyring.rst | 18 ++++++++++++++++++ test/integration/repo/controls/repo_spec.rb | 18 +++++++++++++++++- test/integration/shell/controls/repo_spec.rb | 18 +++++++++++++++++- 6 files changed, 68 insertions(+), 5 deletions(-) create mode 100644 arvados/files/default/arvados-archive-keyring.gpg create mode 100644 docs/README.apt.keyring.rst 
diff --git a/arvados/files/default/arvados-archive-keyring.gpg b/arvados/files/default/arvados-archive-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..6c5c167a990821dbbe01ab776603a367bdd92996 GIT binary patch literal 1916 zcmai#XE+;*9>ygSk*JzQ35`*kV>gXadsWp#rL}5=>nIWu$wjT8A*y<7RSwltx74PB z+QcX^4@GOVM$~?Ct(sNWx%WBGJzvgqzrUaUzu)`*X#if3-2!7#Pp&ZqCi47E`3I?xbydgfq z+=`23GoY(MPz3Da>sZziN^DYJpDo9D0*Gze#*5y>kek z@|eGTQZQuQ!iwwo^lU6Si=>he1b5fkyPZC3SMH4YCr`O~Q#*$MfCEsgV}d7n`{D=) z6Ji)H*gGr$gK!G)#|B{i5jXuJ5C((@g12vQ0M^+1zd3ar-rtA{um=eNU>ryhX;96y z(lbA7Z6T*{zsg+^7Xkk8&5vN9$8mZfP=XW81LcMQxh}z=+&n;#2#^y1lmY-n<2YbY z{y)O`R**AXivTWU1f_+|Nt=)4H+8(R&a`pCc|w+3@NF|AGlC%Pug8@wKInUJE2gb#D3}3O7VAY8~!Fm*3TzB?C?-9rNa3ZC-Z39?|U(*lMWl zM){LpxYG`H2OoS)4cov|bZU?GK?4JWdpX|L7pnG4=(=IHOmmwx-Ro-FE!JB}`}Cph z&$WhTL_ChQ%9v4O;cD#8OoG_e411!mbw}ohn2~ycepWtYUPHBaNFLAB&Ia0q6whRg zGsN2$b9NGuCGE+5Ch>iAA(jJ_%q@9^v=f+e_bkJwA#$8(KaeW@s}vBjMO!b~HIE`b z`}i@=YVM*BDt+Hvn>(Jjt+s-N0HfW->YH1?%}l@TsEo05w2+9&%QTi{ z?|l${>2&YQE*3NDsMNi=OlJ?VDxrIR7qJ_wBdFAvpB|vX6LRSquRU|GTx!hp)U`WA zrBT|btht5Ny@X$rmOAYSdMR6h%wq2wc$OlwP?m#_xZ%v#c5J5AJ6T2rAkRexa>#&z zPF`N*b7Q%FHSnkY(-FJ&4*Ma20~cF&t}#8ic(l?Q+wCDD4+^T zvuL;aU|YJETGTh5F#H27weBj$KQ{QcS~AJ5EJL{2DBq-d0#RZXXR#V`MaFhf zDh46EF%=7SP5Nwzu1DO1s|*;2r%4~sv%n{Dt%U(-1jut;OAnf2Sk~4JMJHUlxShfIP ztaGiV!nC=8%G2Sdosh?s3;$VCD&Pu8>|7-%82I~x0ZLr>bJ^z1AwP`XnAFW~Z@()Y za6wS+Q@T*>%SgWU{8P^FIri#JVA8PD5YKU2SW7rm8j9?_!U*de=Wg?W4SwWSp2;qw!MZqdR<+T2lMJpjAaogQCZ_a z&|BlHxFDE{F9(_aJRs8sglP+83Q4=TN>JYsh@ZMY6XDu3eQvb4g2TaHFTK(B6+x!) paw{qO(GjnrXbH^0c(Qg9%=Ae4f@^av>pQ5}0KzKA-Y3Fn{{~- + deb [signed-by={{ arvados.repo.repo_keyring }} arch=amd64] + {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main - file: {{ arvados.repo.file }} - - key_url: {{ arvados.repo.key_url }} {%- elif grains.get('os_family') == 'RedHat' %} {%- if arvados.release == 'testing' %} diff --git a/docs/README.apt.keyring.rst b/docs/README.apt.keyring.rst new file mode 100644 index 0000000..94a5098 
--- /dev/null
+++ b/docs/README.apt.keyring.rst
@@ -0,0 +1,18 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As arvados don't provide such key files, we created it pulling the
+official key from its site and install the resulting file.
+
+See https://doc.arvados.org/main/install/packages.html#debian for details
+
+.. code-block:: bash
+
+ $ curl -fsSL https://apt.arvados.org/pubkey.gpg | \
+ gpg --dearmor --output arvados-archive-keyring.gpg
diff --git a/test/integration/repo/controls/repo_spec.rb b/test/integration/repo/controls/repo_spec.rb
index 601119f..49078c6 100644
--- a/test/integration/repo/controls/repo_spec.rb
+++ b/test/integration/repo/controls/repo_spec.rb
@@ -23,7 +23,23 @@ when 'debian', 'ubuntu'
 codename = 'bullseye'
 end
 repo_file = '/etc/apt/sources.list.d/arvados.list'
- repo_url = "deb http://apt.arvados.org/#{codename} #{codename} main"
+ repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg'
+ repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename} main"
+end
+
+control 'arvados repository keyring' do
+ title 'should be installed'
+
+ only_if('Requirement for Debian family') do
+ platform.family == 'debian'
+ end
+
+ describe file(repo_keyring) do
+ it { should exist }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ end
 end
 
 control 'arvados repository' do
diff --git a/test/integration/shell/controls/repo_spec.rb b/test/integration/shell/controls/repo_spec.rb
index a9dc3cb..0f097fe 100644
--- a/test/integration/shell/controls/repo_spec.rb
+++ b/test/integration/shell/controls/repo_spec.rb
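Review bot: The new 'arvados repository keyring' control verifies only that the keyring exists with root ownership and mode 0644, so a truncated, stale or substituted trust anchor would still pass; since the file is vendored as arvados/files/default/arvados-archive-keyring.gpg, pin its content with `its('sha256sum') { should eq '<sha256 of the vendored arvados-archive-keyring.gpg — placeholder>' }`. The `repo_url` line repeats the keyring path literally one line after `repo_keyring` is assigned; interpolating it keeps the two in step: `repo_url = "deb [signed-by=#{repo_keyring} arch=amd64] http://apt.arvados.org/#{codename} #{codename} main"`. The README added in this commit explains how the keyring was produced but records no key fingerprint, so a reviewer cannot check the binary blob against the upstream key; a one-line fingerprint in the README would close that gap. Both points apply equally to the hunk in test/integration/shell/controls/repo_spec.rb. The case/when block that assigns these variables starts before the hunk.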
@@ -23,7 +23,23 @@ when 'debian', 'ubuntu'
 codename = 'bullseye'
 end
 repo_file = '/etc/apt/sources.list.d/arvados.list'
- repo_url = "deb http://apt.arvados.org/#{codename} #{codename}-dev main"
+ repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg'
+ repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename}-dev main"
+end
+
+control 'arvados repository keyring' do
+ title 'should be installed'
+
+ only_if('Requirement for Debian family') do
+ platform.family == 'debian'
+ end
+
+ describe file(repo_keyring) do
+ it { should exist }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ end
 end
 
 control 'arvados repository' do
-- 2.30.2