From 33acc00e5c6d8ab18f2992cccc8ee036b4d7771d Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Thu, 11 Jun 2015 10:07:47 -0400 Subject: add apt::key resource to deploy arbitrary keys the rationale of this is that isn't useful for third party modules, because they cannot inject keys in there without some serious apt class hijacking --- README | 17 +++++++++++++++++ manifests/key.pp | 13 +++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 manifests/key.pp diff --git a/README b/README index 8333be2..835db79 100644 --- a/README +++ b/README @@ -478,6 +478,23 @@ Example: 'puppet:///modules/site_apt/company_internals.list' ], } +apt::key +-------- + +Deploys a secure apt OpenPGP key. This usually accompanies the +sources.list snippets above for third party repositories. For example, +you would do: + + apt::key { 'neurodebian.key': + source => 'puppet:///modules/site_apt/neurodebian.key', + } + +This deploys the key in the `${apt_base_dir}/keys` directory (as +opposed to `$custom_key_dir` which deploys it in `keys.d`). The reason +this exists on top of `$custom_key_dir` is to allow a more +decentralised distribution of those keys, without having all modules +throw their keys in the same directory in the manifests. + apt::upgrade_package -------------------- diff --git a/manifests/key.pp b/manifests/key.pp new file mode 100644 index 0000000..0ef9721 --- /dev/null +++ b/manifests/key.pp @@ -0,0 +1,13 @@ +define apt::key ($source) { + file { + "${apt::apt_base_dir}/${name}": + source => $source; + "${apt::apt_base_dir}/keys": + ensure => directory; + } + exec { "apt-key add ${apt::apt_base_dir}/${name}": + subscribe => File["${apt::apt_base_dir}/${name}"], + refreshonly => true, + notify => Exec['refresh_apt'], + } +} -- cgit v1.2.3 From 891aa0fbbed87e24322da7d3a80514f1bf94f0ac Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Thu, 11 Jun 2015 10:21:56 -0400 Subject: allow for binary keys that can be removed --- README | 25 +++++++++++++++++++++++-- manifests/key.pp | 15 +++++---------- manifests/key/plain.pp | 13 +++++++++++++ 3 files changed, 41 insertions(+), 12 deletions(-) create mode 100644 manifests/key/plain.pp diff --git a/README b/README index 835db79..d2cb71b 100644 --- a/README +++ b/README @@ -485,8 +485,25 @@ Deploys a secure apt OpenPGP key. This usually accompanies the sources.list snippets above for third party repositories. For example, you would do: - apt::key { 'neurodebian.key': - source => 'puppet:///modules/site_apt/neurodebian.key', + apt::key { 'neurodebian.gpg': + ensure => present, + source => 'puppet:///modules/site_apt/neurodebian.gpg', + } + +This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which +is assumed by secure apt to be binary OpenPGP keys and *not* +"ascii-armored" or "plain text" OpenPGP key material. For the latter, +use `apt::key::plain`. + +apt::key::plain +--------------- + +Deploys a secure apt OpenPGP key. This usually accompanies the +sources.list snippets above for third party repositories. For example, +you would do: + + apt::key::asc { 'neurodebian.asc': + source => 'puppet:///modules/site_apt/neurodebian.asc', } This deploys the key in the `${apt_base_dir}/keys` directory (as @@ -495,6 +512,10 @@ this exists on top of `$custom_key_dir` is to allow a more decentralised distribution of those keys, without having all modules throw their keys in the same directory in the manifests. +Note that this model does *not* currently allow keys to be removed! +Use `apt::key` instead for a more practical, revokable approach, but +that needs binary keys. + apt::upgrade_package -------------------- diff --git a/manifests/key.pp b/manifests/key.pp index 0ef9721..3f9660f 100644 --- a/manifests/key.pp +++ b/manifests/key.pp @@ -1,13 +1,8 @@ -define apt::key ($source) { +define apt::key ($ensure => 'present', $source) { file { - "${apt::apt_base_dir}/${name}": - source => $source; - "${apt::apt_base_dir}/keys": - ensure => directory; - } - exec { "apt-key add ${apt::apt_base_dir}/${name}": - subscribe => File["${apt::apt_base_dir}/${name}"], - refreshonly => true, - notify => Exec['refresh_apt'], + "/etc/apt/trusted.gpg.d/$name": + source => $source, + ensure => $ensure, + notify => Exec['refresh_apt'], } } diff --git a/manifests/key/plain.pp b/manifests/key/plain.pp new file mode 100644 index 0000000..a84e6dd --- /dev/null +++ b/manifests/key/plain.pp @@ -0,0 +1,13 @@ +define apt::key::plain ($source) { + file { + "${apt::apt_base_dir}/${name}": + source => $source; + "${apt::apt_base_dir}/keys": + ensure => directory; + } + exec { "apt-key add ${apt::apt_base_dir}/${name}": + subscribe => File["${apt::apt_base_dir}/${name}"], + refreshonly => true, + notify => Exec['refresh_apt'], + } +} -- cgit v1.2.3 From 931076f85488e1b0f57aeaf67357a2443b18ffba Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Thu, 11 Jun 2015 10:32:40 -0400 Subject: fix typo --- manifests/key.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/key.pp b/manifests/key.pp index 3f9660f..b396c1e 100644 --- a/manifests/key.pp +++ b/manifests/key.pp @@ -1,4 +1,4 @@ -define apt::key ($ensure => 'present', $source) { +define apt::key ($ensure = 'present', $source) { file { "/etc/apt/trusted.gpg.d/$name": source => $source, -- cgit v1.2.3 From ae0570dee6b46081c1e58d0f3cb2263caf55d667 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 26 Aug 2015 23:25:16 -0400 Subject: fix typo --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index d2cb71b..bcec047 100644 --- a/README +++ b/README @@ -502,7 +502,7 @@ Deploys a secure apt OpenPGP key. This usually accompanies the sources.list snippets above for third party repositories. For example, you would do: - apt::key::asc { 'neurodebian.asc': + apt::key::plain { 'neurodebian.asc': source => 'puppet:///modules/site_apt/neurodebian.asc', } -- cgit v1.2.3 From 5564b3fba3d8aebdc3cbcd7441e9c7a216243f46 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 26 Aug 2015 23:27:58 -0400 Subject: fix install location of apt::key::plain --- manifests/key/plain.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/key/plain.pp b/manifests/key/plain.pp index a84e6dd..a24a51b 100644 --- a/manifests/key/plain.pp +++ b/manifests/key/plain.pp @@ -1,12 +1,12 @@ define apt::key::plain ($source) { file { - "${apt::apt_base_dir}/${name}": + "${apt::apt_base_dir}/keys/${name}": source => $source; "${apt::apt_base_dir}/keys": ensure => directory; } - exec { "apt-key add ${apt::apt_base_dir}/${name}": - subscribe => File["${apt::apt_base_dir}/${name}"], + exec { "apt-key add ${apt::apt_base_dir}/keys/${name}": + subscribe => File["${apt::apt_base_dir}/keys/${name}"], refreshonly => true, notify => Exec['refresh_apt'], } -- cgit v1.2.3 From 544796e0502e1377fc374bc9092a0ae8d8392be0 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 26 Aug 2015 23:29:11 -0400 Subject: document the .gpg extension requirement --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index bcec047..85cf6df 100644 --- a/README +++ b/README @@ -495,6 +495,8 @@ is assumed by secure apt to be binary OpenPGP keys and *not* "ascii-armored" or "plain text" OpenPGP key material. For the latter, use `apt::key::plain`. +The `.gpg` extension is compulsory for `apt` to pickup the key properly. + apt::key::plain --------------- -- cgit v1.2.3