Skip to content

Trust new APT and RPM keys #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 13, 2016
Merged

Trust new APT and RPM keys #30

merged 2 commits into from
Dec 13, 2016

Conversation

@olivielpeau
Copy link
Member

@olivielpeau olivielpeau commented Sep 27, 2016

Make the pkg managers trust the new keys in addition to the current keys. Similar approach as what's described in DataDog/chef-datadog#365.

APT

  • Straightforward with the apt_key module
  • Allow customizing the URL with datadog_apt_key_url_new (for users
    with local apt mirrors)

RPM

  • Download the new key through plain HTTP for best compatibility (since
    SSL only works when the managed nodes have a recent version of python)
  • Ensure the integrity of the downloaded file using a sha-256 sum. We use
    the sha256sum option instead of checksum since checksum was only
    added in Ansible 2.0
  • The rpm_key module has a good idempotent behavior so no need to have
    extra steps to check whether the key is already imported.

Testing

Tested manually w/ Ansible 1.9.2 and 2.1.1, against Ubuntu 14.04 and CentOS 6

@olivielpeau
[apt] Trust new apt key
a2f9ac9 
Allow customizing the URL with `datadog_apt_key_url_new` (for users
with local apt mirrors).
degemer
degemer approved these changes Sep 27, 2016
View reviewed changes
Copy link
Member

@degemer degemer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (but I'm far from being an ansible expert).

tasks/pkg-redhat.yml Outdated
- name: Download new RPM key
get_url:
url: "http://yum.datadoghq.com/DATADOG_RPM_KEY.public.E09422B3"
dest: /tmp/DATADOG_RPM_KEY.e09422b3.public
Copy link
Member

@degemer degemer Sep 27, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean this file will always be there, even when the rpm key is already imported ?

Copy link
Member Author

@olivielpeau olivielpeau Sep 28, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct. We could avoid this by first checking if the key is already imported and only download/import the new key if it's not. I didn't do it because I didn't think it was worth the added complexity, but let me know what you think.

Copy link
Member

@degemer degemer Sep 28, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it's probably not worth it given the size of the key.

@olivielpeau olivielpeau added this to the 1.2.0 milestone Sep 28, 2016
@olivielpeau
[yum] Import new RPM key
dc2874a 
Download the new key through plain HTTP for best compatibility (since
SSL only works when the managed nodes have a recent version of python).
Ensure the integrity of the downloaded file using a sha-256 sum. We use
the `sha256sum` option instead of `checksum` since `checksum` was only
added in Ansible 2.0

The `rpm_key` module has a good idempotent behavior so no need to have
extra steps to check whether the key is already imported.
@olivielpeau olivielpeau force-pushed the olivielpeau/trust-new-keys branch from 2a29fde to dc2874a Compare October 5, 2016 19:31
@olivielpeau
Copy link
Member Author

olivielpeau commented Oct 5, 2016

Just updated the URL of the new key to DATADOG_RPM_KEY_E09422B3.public (which will be the actual permanent URL of the key)

@degemer: could you do a quick sanity check of my change? 🙇

degemer
degemer approved these changes Oct 6, 2016
View reviewed changes
Copy link
Member

@degemer degemer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awful that Github is not able to show a proper diff. Still LGTM.

@jeffwidman
Copy link
Contributor

jeffwidman commented Dec 9, 2016

Is there a reason this wasn't merged?

@olivielpeau olivielpeau merged commit de8cef4 into master Dec 13, 2016
@olivielpeau olivielpeau deleted the olivielpeau/trust-new-keys branch December 13, 2016 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@degemer degemer degemer approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.2.0

Development

Successfully merging this pull request may close these issues.

4 participants

@olivielpeau @jeffwidman @degemer