[security] apt_key module does not verify key fingerprints #5237
OS / ENVIRONMENT
apt_key module does not verify key fingerprints and imports keys based on 16 digits long id.
The problem is this workaround.
STEPS TO REPRODUCE
```yaml
- name: Try to import key without verifying that we import the correct key
  hosts: 'dev.example.com'
  become: True
  tasks:
    - apt_key:
        id: '00000000000000000000000047AE7F72479BC94B'
        keyserver: 'hkp://pool.sks-keyservers.net'
```
EXPECTED RESULTS
That key does not exist. No key is added.
ACTUAL RESULTS
The key id 479BC94B is imported.
Enforce the correct key fingerprint with a trick such as:
```shell
# Fetch the key into a throwaway keyring, then export it by its full
# fingerprint so that only the intended key reaches apt-key.
mkdir /tmp/gpg && chmod 700 /tmp/gpg
gpg --homedir /tmp/gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 479BC94B
gpg --homedir /tmp/gpg --export DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B | apt-key add -
```
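The check the report is asking for, as an added example that is not code from the Ansible apt_key module or from the issue reporter: parse the `gpg --list-keys --with-colons --with-fingerprint` listing of the freshly fetched keyring and accept a key only when the requested id is a full 40-hex fingerprint that equals the primary-key fingerprint, rather than comparing the trailing 16 hex digits. The keyring listing is constructed (the fingerprint in it is the one quoted in the issue), and the accepted id forms (optional `0x`, 8/16/40 hex digits) are an assumption of this example.

```python
"""Fingerprint-pinning check for a key fetched from a keyserver.

Added example; not code from the Ansible apt_key module or from the issue
reporter. It parses `gpg --list-keys --with-colons --with-fingerprint` output
and accepts a key only when the requested 40-hex id equals the whole
primary-key fingerprint, instead of comparing trailing hex digits the way the
issue describes.
"""
import re

# Constructed sample of:
#   gpg --homedir /tmp/gpg --list-keys --with-colons --with-fingerprint
# after fetching 479BC94B. The second fpr record belongs to a subkey and must
# not be treated as a primary-key fingerprint.
SAMPLE_LISTING = """\
tru::1:1477000000:0:3:1:5
pub:-:4096:1:47AE7F72479BC94B:1420000000:::-:::scESC::::::23::0:
fpr:::::::::DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B:
uid:-::::1420000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Key <key@example.com>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1420000000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
"""

# Assumed input forms: optional 0x prefix, then 8, 16 or 40 hex digits.
_HEX_ID = re.compile(r"^(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")


def normalize_key_id(key_id):
    """Strip spaces and a 0x prefix, upper-case the id, and reject anything
    that is not 8, 16 or 40 hex digits."""
    match = _HEX_ID.match(key_id.replace(" ", ""))
    if not match:
        raise ValueError("key id must be 8, 16 or 40 hex digits: %r" % key_id)
    return match.group(1).upper()


def primary_fingerprints(listing):
    """Return the primary-key fingerprints from gpg --with-colons output.

    A fpr record is attributed to the pub record directly before it; fpr
    records that follow a sub record are subkey fingerprints and are skipped.
    """
    fingerprints = []
    pending_primary = False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending_primary = True
        elif fields[0] == "fpr" and pending_primary:
            fingerprints.append(fields[9].upper())  # field 10 holds the fingerprint
            pending_primary = False
        elif fields[0] in ("sub", "uid"):
            pending_primary = False
    return fingerprints


def select_key(requested_id, listing, require_full_fingerprint=True):
    """Return the primary-key fingerprint selected by requested_id, or None.

    require_full_fingerprint=True is the hardened check: only a 40-hex id is
    accepted, and it must equal the fingerprint exactly.
    require_full_fingerprint=False models the behaviour reported in the issue:
    only the trailing 16 hex digits (8 for an 8-digit id) are compared, so a
    40-digit id with a wrong prefix still matches.
    """
    requested = normalize_key_id(requested_id)
    for fingerprint in primary_fingerprints(listing):
        if require_full_fingerprint:
            if len(requested) == 40 and fingerprint == requested:
                return fingerprint
        elif fingerprint.endswith(requested[-16:]):
            return fingerprint
    return None


if __name__ == "__main__":
    bogus = "00000000000000000000000047AE7F72479BC94B"  # id from the issue
    real = "DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B"   # fingerprint from the issue
    print("weak check, bogus id   ->", select_key(bogus, SAMPLE_LISTING, False))
    print("strict check, bogus id ->", select_key(bogus, SAMPLE_LISTING))
    print("strict check, real fpr ->", select_key(real, SAMPLE_LISTING))
```

With the weak comparison the bogus 40-digit id from the report selects the key ending in 479BC94B; with the strict comparison it selects nothing, and a short id is refused because it cannot pin a single key. In a module this check would run between `--recv-keys` into a temporary homedir and `--export | apt-key add -`, so nothing is added to the system keyring unless the fingerprint matched.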
@ypid I see your example code. That said, it's not a pull request. Unless you have something usable, I've got about zero time to develop something, let alone test it. I don't have the resources to investigate or test this (so I'm loathe to make any deep changes). If it was in the form of a pull request I'd only have to test. That was what I meant by submitting code.
I'm not part of the Ansible core team (or any Ansible team, really). I just submitted this module and they accepted it. They never took over maintenance. It wasn't even really discussed. I never even signed up to maintain anything. One day I started getting messages from the ansibot. I can only imagine that I ended up being the maintainer by default. I also suspect that I'm not the only one in this situation. All of that said, don't assume that I'm anything other than a guy reading this when he'd rather be playing Minecraft or 3D-printing something.
So, yeah, I figured they'd take this over themselves and have a security team, etc. I agree that this is pretty critical functionality. However, that doesn't seem to be the way they work. If I were to guess, short of sufficient Twitter shaming clout (or a contract and a decently sized check), good luck getting them to pay attention to it.
added a commit on Oct 21, 2016
Also -- I've noticed that there aren't any tests for apt_key specifically. If you'd want to add a few to /test/integration/target/apt_key in the ansible/ansible repository that would help make sure we don't regress this or any other fix as other fixes are applied. You can ping me in #ansible-devel on irc.freenode.net if you do that and need someone to review and merge it.