
initial commit for apt_key checking #459

Merged

Conversation


@tphoney tphoney commented Mar 10, 2015

better attempt at gpg version checking

adding in key length warning

@@ -71,6 +71,10 @@
fail('This module only works on Debian or derivatives like Ubuntu')
}

if $::apt_gpgversion and versioncmp ('2.0.26', $::apt_gpgversion) > 0 {
warning("You are running an old version of gpg. version=$::apt_gpgversion, please upgrade to at least 2.0.26")
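Review bot: the threshold in `versioncmp ('2.0.26', $::apt_gpgversion) > 0` treats the upstream version number as the only evidence of a fixed gpg, but Debian and Ubuntu backport security fixes into their packaged 1.4.x and 2.0.x builds without bumping that number, so this warning fires on every catalog run for stable releases whose users have no newer package to move to and gives them nothing actionable. If the module depends on a specific gpg behaviour, test for that behaviour where it is used in the provider rather than warning on the version string at class evaluation time. Minor: drop the space before the opening parenthesis to match `fail('...')` a few lines up.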

No. This will throw warnings on Ubuntu Trusty Tahr, Debian Wheezy and a few more, and users have no way of getting a newer version. Also, Debian and Ubuntu make a point of backporting security fixes from newer releases into older ones if needed, like CVEs, so exact version matching is probably not a correct representation.


Yeah, I think I agree with @daenney here over the original ticket submitter. Sorry for not catching this sooner @tphoney

@underscorgan

Just for background, this work was inspired by MODULES-1675

Facter::Util::Resolution.exec("/usr/bin/gpg --version | head -n 1 | awk '{print $NF}'")
end
end
end
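Review bot: the fact resolves the version by piping `gpg --version` through `head` and `awk` in a shell, which adds two external dependencies and ties the fact to the layout of the first output line; capturing `gpg --version` alone and taking the last token of its first line in Ruby (`out.lines.first[/\S+\z/]` after a nil check) does the same with one process and no shell. Note also that `Facter::Util::Resolution.exec` is the legacy entry point; `Facter::Core::Execution.exec` is the supported one on Facter 2. If the version warning is dropped as discussed above, this fact has no remaining consumer and should be removed with it rather than left running on every node.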


If we aren't warning on gpgversion, I don't know if we still need this fact :\ Sorry for sending you down this rabbit hole :(

@tphoney tphoney force-pushed the modules-1675_check_gpg_version branch from 00e51eb to 453b4eb on March 11, 2015 15:26

tphoney commented Mar 11, 2015

@daenney @mhaskel This is my happy path approach for checking that keys are valid. Tests are incoming.

@tphoney tphoney force-pushed the modules-1675_check_gpg_version branch from 453b4eb to 55e3119 on March 11, 2015 16:25
it 'works' do
pp = <<-EOS
apt_key { 'puppetlabs':
id => '#{PUPPETLABS_GPG_KEY_FINGERPRINT}',
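Review bot: the example is named 'works', which says nothing about the behaviour under test; name it after the case it covers (a 40-character id that matches the fingerprint in the key file), and give the negative case, an id that does not match the file, its own example, so that a failure report identifies which path broke. The `id =>` arrow in the heredoc should also line up with the other attributes of the resource.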

Arrow alignment.

@tphoney tphoney changed the title from "initial commit for gpg version checking" to "initial commit for apt_key checking" on Mar 11, 2015
@tphoney tphoney force-pushed the modules-1675_check_gpg_version branch from 55e3119 to 1011109 on March 11, 2015 17:06
#confirm that the fingerprint from the file, matches the long key that is in the manifest
if name.size == 40
if File.executable? "/usr/bin/gpg"
extracted_key = execute(["/usr/bin/gpg --with-fingerprint --with-colons #{file.path} | awk -F: '/^fpr:/ { print $10 }'"], :failonfail => false)
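Review bot: the `File.executable? "/usr/bin/gpg"` guard means a host without gpg silently skips the fingerprint comparison and the resource applies with no verification at all, which is fail-open for exactly the check this change introduces; declaring `commands :gpg => 'gpg'` on the provider instead marks the provider unsuitable when the binary is missing, drops the hardcoded /usr/bin path, and raises on a non-zero exit, so `:failonfail => false` (which would otherwise turn a gpg error on a corrupt key file into an empty `extracted_key`) is no longer needed. Also, with `--with-colons` gpg emits one `fpr:` record per key in the file, so `extracted_key` can hold several lines when the file carries more than one key; compare the manifest id against each chomped line rather than the whole string.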

I think we should define this using commands, just like we're doing with apt-get. It gets you some nicer and saner behaviour too.

@tphoney tphoney force-pushed the modules-1675_check_gpg_version branch 2 times, most recently from efc23c6 to 03af1a3 on March 12, 2015 11:18
better attempt at gpg version checking

adding in key length warning

removing version check, adding key check

adding tests

clean up the code

small changes

use commands

documentation updates
@tphoney tphoney force-pushed the modules-1675_check_gpg_version branch from 03af1a3 to f588f26 on March 12, 2015 18:25

tphoney commented Mar 12, 2015

@daenney @mhaskel I made the changes you suggested, and put in the changes suggested by the documentation people.

Thanks for your patience 👍

underscorgan pushed a commit that referenced this pull request Mar 13, 2015
@underscorgan underscorgan merged commit 97f7003 into puppetlabs:master Mar 13, 2015
@underscorgan

thanks @tphoney 👍
