Merge pull request #24 from ypid/secure_apt_gpg

Enforce the correct GPG key in lxc container images.
debops · Oct 27, 2015 · cce561d · cce561d
2 parents 9ed33e4 + 8e45d40
commit cce561d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/templates/usr/share/lxc/templates/lxc-debops.j2 b/templates/usr/share/lxc/templates/lxc-debops.j2
@@ -75,7 +75,7 @@ EOF
 {% if lxc_template_salt is defined and lxc_template_salt %}
     # Configure Salt APT repository
     echo "{{ lxc_template_salt_upstream_repository }}" >> $rootfs/etc/apt/sources.list
-    wget -q -O- "{{ lxc_template_salt_apt_key_url }}" | chroot $rootfs apt-key add -
+    chroot $rootfs apt-key adv --keyserver "{{ lxc_default_gpg_keyserver }}" --recv-keys "{{ lxc_template_salt_apt_key_fingerprint }}"
     chroot $rootfs apt-get update
 
     # Install Salt packages

diff --git a/vars/main.yml b/vars/main.yml
@@ -32,7 +32,12 @@ lxc_kernel_mail_body: |
 # ---- Salt integration ----
 
 # SaltStack Debian repository GPG key
-lxc_template_salt_apt_key_url: 'http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key'
+lxc_template_salt_apt_key_fingerprint: '102E2FE7D5141DBD12B260FCB09E40B0F2AE6AB9'
+
+lxc_default_gpg_keyserver: '{{ ansible_local.core.keyserver
+                   if (ansible_local|d() and ansible_local.core|d() and
+                       ansible_local.core.keyserver|d())
+                   else "hkp://pool.sks-keyservers.net" }}'
 
 # SaltStack Debian APT repository
 lxc_template_salt_upstream_repository: 'deb http://debian.saltstack.com/debian {{ ansible_distribution_release.split("/")[0] }}-saltstack main'