
Ignore subkeys in apt-key's output #665

Merged (1 commit, Aug 25, 2017)

Conversation

tiger-jmw

(#MODULES-4358)
The output of `apt-key adv --list-keys --with-colons --fingerprint --fixed-list-mode` is always a `pub` line followed by one or more `fpr` lines (for subkeys, if any). This can cause the wrong pairs of `pub` and `fpr` lines to be hashed, resulting in nonsense.

The ordering `pub`, `fpr`, `pub`, `fpr` is guaranteed by `apt-key`.

Therefore, this commit clears `fpr_line` when a `pub` line is encountered, to reset the grouping. The current code ignores subkeys anyway, so this is no worse than before.

@Caprico85

Thank you! I had a problem that puppet always reports some keys as created even if they already existed. Annoying bug if Puppetboard always lists your hosts as changed and you wonder who keeps changing them. Your change fixes this for me.

@bootc

bootc commented Jul 15, 2017

Yes, can we please get this merged?

@smoeding

I started to test on Debian-9 Stretch today and also was bitten by this issue.

It seems that version 2.1.16 of GnuPG contains a change to always print the fingerprints for subkeys (if I read the changelog correctly). This creates additional "fpr" lines in the output when listing keys. apt-key calls gnupg and this provider calls apt-key, so that is the connection.

Ubuntu 17.04 still ships with GnuPG 2.1.15, so there is no problem. But Debian-9 uses 2.1.18 and this causes the apt_key type to fail. So this issue will probably start to bite more people if Stretch is officially supported by Puppetlabs.

Preconditions to trigger the issue:

  • Have Puppet manage two different apt keys
  • Both keys have subkeys (not all Debian keys have them)
  • Use GnuPG >2.1.15

The second key resource seems to be out of sync every time. Manually deleting the first key will re-add the key and then this resource seems to be out of sync every time.
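The mis-pairing described in the pull request, and the preconditions listed in the comment above (two managed keys, both with subkeys, GnuPG newer than 2.1.15), can be reproduced with a small model of the grouping loop. The code below is an added example written for this page, not the apt_key provider's own code: `parse_keys` and `key_line_hash` are simplified stand-ins, the `--with-colons` output is a constructed sample, and every key ID and fingerprint in it is a made-up placeholder. The `reset_on_pub` flag switches between the stale-`fpr_line` behaviour and the fix of clearing `fpr_line` on every `pub` line.

```ruby
# Added example (not puppetlabs-apt code): model the pub/fpr grouping loop and
# show how a subkey's fpr line left over from the previous key gets paired with
# the next pub line, and how resetting on each pub line fixes that.

# Constructed sample of `apt-key adv --list-keys --with-colons --fingerprint
# --fixed-list-mode` output for two keys that both carry a subkey, in the form
# GnuPG >= 2.1.16 prints it (an fpr record follows each sub record too).
# Key IDs, fingerprints and user IDs are placeholders, not real keys.
SAMPLE_OUTPUT = <<~OUT
  tru::1:1500000000:0:3:1:5
  pub:-:4096:1:1111111111111111:1400000000:::-:::scSC::::::23::0:
  fpr:::::::::1111111111111111111111111111111111111111:
  uid:-::::1400000000::AAAA::Example Key One (constructed) <one@example.invalid>::::::::::0:
  sub:-:4096:1:2222222222222222:1400000000::::::s::::::23:
  fpr:::::::::2222222222222222222222222222222222222222:
  pub:-:4096:1:3333333333333333:1400000000:::-:::scSC::::::23::0:
  fpr:::::::::3333333333333333333333333333333333333333:
  uid:-::::1400000000::BBBB::Example Key Two (constructed) <two@example.invalid>::::::::::0:
  sub:-:4096:1:4444444444444444:1400000000::::::s::::::23:
  fpr:::::::::4444444444444444444444444444444444444444:
OUT

# Pair a pub record with an fpr record. In colon-delimited output field 5 of a
# pub record is the long key ID and field 10 of an fpr record is the full
# fingerprint (1-based field numbers, so indices 4 and 9 after split).
def key_line_hash(pub_line, fpr_line)
  pub_fields = pub_line.split(':')
  fpr_fields = fpr_line.split(':')
  { id: pub_fields[4], fingerprint: fpr_fields[9] }
end

# Walk the output line by line, emitting one hash per primary key.
# reset_on_pub: false  -> fpr_line can survive from the previous key's subkey
#                         and is wrongly paired with the next pub line.
# reset_on_pub: true   -> a new pub line starts a fresh group (the PR's fix).
# Subkey fpr lines that arrive while pub_line is nil are never hashed, which
# is the "ignore subkeys" behaviour the PR description refers to.
def parse_keys(output, reset_on_pub:)
  pub_line = nil
  fpr_line = nil
  output.lines.map(&:chomp).map do |line|
    if line.start_with?('pub')
      pub_line = line
      fpr_line = nil if reset_on_pub # drop any fingerprint left over from a subkey
    elsif line.start_with?('fpr')
      fpr_line = line
    end
    next unless pub_line && fpr_line

    hash = key_line_hash(pub_line, fpr_line)
    pub_line = nil
    fpr_line = nil
    hash
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  puts 'without reset (stale fpr_line):'
  parse_keys(SAMPLE_OUTPUT, reset_on_pub: false).each { |k| puts "  #{k[:id]} -> #{k[:fingerprint]}" }
  puts 'with reset on pub (fixed):'
  parse_keys(SAMPLE_OUTPUT, reset_on_pub: true).each { |k| puts "  #{k[:id]} -> #{k[:fingerprint]}" }
end
```

Without the reset, the first key is paired correctly, but its subkey fingerprint (the `2222…` fpr record) is still held in `fpr_line` when the second `pub` line arrives, so the second key is reported with the first key's subkey fingerprint and a resource comparing fingerprints sees it as missing on every run. With the reset, each `pub` line is paired with the first `fpr` record that follows it, and the subkey fpr records are skipped.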

@HelenCampbell HelenCampbell merged commit a541b4e into puppetlabs:master Aug 25, 2017
@HelenCampbell

Merged - Thank you!

@LukasAud LukasAud added the bugfix label Jun 6, 2023