initial commit for apt_key checking #459
Conversation
| @@ -71,6 +71,10 @@ | |||
| fail('This module only works on Debian or derivatives like Ubuntu') | |||
| } | |||
|
|
|||
| if $::apt_gpgversion and versioncmp ('2.0.26', $::apt_gpgversion) > 0 { | |||
| warning("You are running an old version of gpg. version=$::apt_gpgversion, please upgrade to at least 2.0.26") | |||
There was a problem hiding this comment.
No. This will throw warnings on Ubuntu Trusty Thar, Debian Wheezy and a few more and users have no way of getting a newer version. Also, Debian and Ubuntu make a point of back porting security fixes from newer releases into older ones if needed, like CVE's so an exact version matching is probably not a correct representation.
|
Just for background, this work was inspired by MODULES-1675 |
| Facter::Util::Resolution.exec("/usr/bin/gpg --version | head -n 1 | awk '{print $NF}'") | ||
| end | ||
| end | ||
| end |
There was a problem hiding this comment.
if we aren't warning on gpgversion I don't know if we still need this fact :\ sorry for sending you down this rabbit hole :(
tphoney
force-pushed
the
modules-1675_check_gpg_version
branch
from
00e51eb to
453b4eb
Compare
|
@daenney @mhaskel This is my happy path approach for checking keys are valid. Tests are incoming. |
tphoney
force-pushed
the
modules-1675_check_gpg_version
branch
from
453b4eb to
55e3119
Compare
| it 'works' do | ||
| pp = <<-EOS | ||
| apt_key { 'puppetlabs': | ||
| id => '#{PUPPETLABS_GPG_KEY_FINGERPRINT}', |
tphoney
changed the title
tphoney
force-pushed
the
modules-1675_check_gpg_version
branch
from
55e3119 to
1011109
Compare
| #confirm that the fingerprint from the file, matches the long key that is in the manifest | ||
| if name.size == 40 | ||
| if File.executable? "/usr/bin/gpg" | ||
| extracted_key = execute(["/usr/bin/gpg --with-fingerprint --with-colons #{file.path} | awk -F: '/^fpr:/ { print $10 }'"], :failonfail => false) |
There was a problem hiding this comment.
I think we should define this as a commands, just like we're doing with apt-get. It gets you some nice and saner behaviour too.
tphoney
force-pushed
the
modules-1675_check_gpg_version
branch
2 times, most recently
from
efc23c6 to
03af1a3
Compare
better attempt at gpg version checking adding in key length warning removing version check, adding key check adding tests clean up the code small changes use commands documentation updates
tphoney
force-pushed
the
modules-1675_check_gpg_version
branch
from
03af1a3 to
f588f26
Compare
|
@daenney @mhaskel I made the changes you suggested, and put in the changes suggested by the documentation people. Thanks for your patience 👍 |
initial commit for apt_key checking
|
thanks @tphoney 👍 |
better attempt at gpg version checking
adding in key length warning