From 8cf2fef7ecefa4cff9ae1545eddc9a07c0dc4fc0 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Mon, 19 Aug 2024 09:48:40 -0300
Subject: Changes on Tor, Signal and APT repository handling
---
 files/etc/apt/keyrings/signal.org.gpg | Bin 0 -> 2223 bytes
 files/etc/apt/trusted.gpg.d/signal.org.gpg | Bin 2223 -> 0 bytes
 files/etc/apt/trusted.gpg.d/torproject.org.gpg | Bin 37730 -> 0 bytes
 .../share/keyrings/deb.torproject.org-keyring.gpg | Bin 0 -> 38678 bytes
 manifests/subsystem/apt/repo.pp | 24 +++++++++++++++++----
 manifests/utils/network/signal.pp | 4 ++--
 manifests/utils/network/tor.pp | 21 ++++++++++++++----
 7 files changed, 39 insertions(+), 10 deletions(-)
 create mode 100644 files/etc/apt/keyrings/signal.org.gpg
 delete mode 100644 files/etc/apt/trusted.gpg.d/signal.org.gpg
 delete mode 100644 files/etc/apt/trusted.gpg.d/torproject.org.gpg
 create mode 100644 files/usr/share/keyrings/deb.torproject.org-keyring.gpg
diff --git a/files/etc/apt/keyrings/signal.org.gpg b/files/etc/apt/keyrings/signal.org.gpg
new file mode 100644
index 0000000..b5e68a0
Binary files /dev/null and b/files/etc/apt/keyrings/signal.org.gpg differ
diff --git a/files/etc/apt/trusted.gpg.d/signal.org.gpg b/files/etc/apt/trusted.gpg.d/signal.org.gpg
deleted file mode 100644
index b5e68a0..0000000
Binary files a/files/etc/apt/trusted.gpg.d/signal.org.gpg and /dev/null differ
diff --git a/files/etc/apt/trusted.gpg.d/torproject.org.gpg b/files/etc/apt/trusted.gpg.d/torproject.org.gpg
deleted file mode 100644
index 7614b20..0000000
Binary files a/files/etc/apt/trusted.gpg.d/torproject.org.gpg and /dev/null differ
diff --git a/files/usr/share/keyrings/deb.torproject.org-keyring.gpg b/files/usr/share/keyrings/deb.torproject.org-keyring.gpg
new file mode 100644
index 0000000..738ef5d
Binary files /dev/null and b/files/usr/share/keyrings/deb.torproject.org-keyring.gpg differ
diff --git a/manifests/subsystem/apt/repo.pp b/manifests/subsystem/apt/repo.pp
index ca8f5e1..d6e03c0 100644
--- a/manifests/subsystem/apt/repo.pp
+++ b/manifests/subsystem/apt/repo.pp
@@ -1,15 +1,31 @@
 define nodo::subsystem::apt::repo(
 $definition,
 $key_source,
- $ensure = present,
+ $keyrings_folder = '/etc/apt/keyrings',
+ $ensure = present,
 ) {
- file { "/etc/apt/trusted.gpg.d/${name}.gpg":
+ # The recommended locations for keyrings are /usr/share/keyrings for keyrings
+ # managed by packages, and /etc/apt/keyrings for keyrings managed by the
+ # system operator. If no keyring files are specified the default is the
+ # trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory (see
+ # apt-key fingerprint).
+ #
+ # -- sources.list(5)
+ file { "${keyrings_folder}/${name}.gpg":
 ensure => $ensure,
 owner => "root",
 group => "root",
 mode => "0644",
 source => $key_source,
- notify => Exec["apt-repo-auto-update-${name}"],
+ }
+
+ # Old location
+ file { "/etc/apt/trusted.gpg.d/${name}.gpg":
+ ensure => absent,
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ source => $key_source,
 }
 
 file { "/etc/apt/sources.list.d/${name}.list":
@@ -18,7 +34,7 @@ define nodo::subsystem::apt::repo(
 group => "root",
 mode => "0644",
 content => "${definition}\n",
- require => [ File["/etc/apt/trusted.gpg.d/${name}.gpg"], Package['apt-transport-https'] ],
+ require => [ File["${keyrings_folder}/${name}.gpg"], Package['apt-transport-https'] ],
 notify => Exec["apt-repo-auto-update-${name}"],
 }
 
diff --git a/manifests/utils/network/signal.pp b/manifests/utils/network/signal.pp
index 037140a..6cd200b 100644
--- a/manifests/utils/network/signal.pp
+++ b/manifests/utils/network/signal.pp
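Review bot: The define now installs the key under `${keyrings_folder}/${name}.gpg` but still writes `$definition` verbatim, so the per-repository key scoping this commit is after depends on every caller hand-writing a matching `signed-by=` path (the signal.pp and tor.pp hunks both hard-code it). A caller whose definition is not updated loses verification for its repository once the key leaves `trusted.gpg.d`, and a path that drifts from the key file fails the same way. I would document the contract above the parameters, e.g. `# $definition must contain signed-by=${keyrings_folder}/${name}.gpg; keys are no longer trusted globally`. The keyring `file` resource also drops `notify => Exec["apt-repo-auto-update-${name}"]`, so a key-only rotation no longer triggers a refresh, and nothing visible in the hunk ensures `/etc/apt/keyrings` exists on releases whose apt does not ship that directory. The define's body continues past this hunk.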
@@ -1,7 +1,7 @@
 class nodo::utils::network::signal {
 nodo::subsystem::apt::repo { 'signal.org':
- definition => 'deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main',
- key_source => 'puppet:///modules/nodo/etc/apt/trusted.gpg.d/signal.org.gpg',
+ definition => 'deb [signed-by=/etc/apt/keyrings/signal.org.gpg arch=amd64] https://updates.signal.org/desktop/apt xenial main',
+ key_source => 'puppet:///modules/nodo/etc/apt/keyrings/signal.org.gpg',
 }
 
 package { 'signal-desktop':
diff --git a/manifests/utils/network/tor.pp b/manifests/utils/network/tor.pp
index 78b08a4..f8726f7 100644
--- a/manifests/utils/network/tor.pp
+++ b/manifests/utils/network/tor.pp
@@ -3,9 +3,15 @@ class nodo::utils::network::tor (
 $ensure = 'installed',
 ) {
 
- nodo::subsystem::apt::repo { 'torproject.org':
- definition => "deb [signed-by=/etc/apt/trusted.gpg.d/torproject.org.gpg] https://deb.torproject.org/torproject.org ${::lsbdistcodename} main",
- key_source => 'puppet:///modules/nodo/etc/apt/trusted.gpg.d/torproject.org.gpg',
+ # Old keyring location
+ file { '/etc/apt/trusted.gpg.d/torproject.org.gpg':
+ ensure => absent,
+ }
+
+ nodo::subsystem::apt::repo { 'deb.torproject.org-keyring.gpg':
+ definition => "deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org ${::lsbdistcodename} main",
+ key_source => 'puppet:///modules/nodo/usr/share/keyrings/deb.torproject.org-keyring.gpg',
+ keyrings_folder => '/usr/share/keyrings',
 }
 
 package { "deb.torproject.org-keyring":
@@ -14,8 +20,15 @@ class nodo::utils::network::tor (
 }
 
 package { [
- 'tor-arm',
+ 'nyx',
 ]:
 ensure => $ensure,
 }
+
+ # Package 'tor-arm' was renamed to 'nyx'
+ package { [
+ 'tor-arm',
+ ]:
+ ensure => absent,
+ }
 }
-- cgit v1.2.3
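Review bot: In the first tor.pp hunk the resource title `'deb.torproject.org-keyring.gpg'` is expanded by the define as `${keyrings_folder}/${name}.gpg`, so the bootstrap key is written to `/usr/share/keyrings/deb.torproject.org-keyring.gpg.gpg` while `signed-by` names `/usr/share/keyrings/deb.torproject.org-keyring.gpg`. On a host where the `deb.torproject.org-keyring` package is not yet installed the referenced keyring does not exist, so apt cannot verify the repository and the package that would provide the key cannot be fetched from it. Titling the resource `nodo::subsystem::apt::repo { 'deb.torproject.org-keyring':` makes the two paths agree. The title change also renames the generated list file, and nothing visible here removes the previous `/etc/apt/sources.list.d/torproject.org.list`, whose `signed-by` points at the keyring this hunk deletes; an `ensure => absent` for it looks needed unless it is purged elsewhere. The class body starts above and continues between the two hunks.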