The Puppet apt repository PGP key expired some days ago:

/etc/apt/trusted.gpg.d//puppetlabs-keyring.gpg
----------------------------------------------
pub   4096R/4BD6EC30 2010-07-10 [expired: 2016-07-08]
uid                  Puppet Labs Release Key (Puppet Labs Release Key)

Of course, it can be updated manually:

apt-key adv --recv-keys --keyserver keys.gnupg.net 4BD6EC30

However, can it be updated via a Puppet run automatically (for example via the Puppet apt module)?

olliiiver

3 Answers

This is what we started using (thanks garthk):

$key = '4BD6EC30'
exec { 'apt-key puppetlabs':
  path    => '/bin:/usr/bin',
  # Skip the refresh while the key is listed and not flagged as expired
  unless  => "apt-key list | grep '${key}' | grep -v expired",
  command => "apt-key adv --keyserver keyserver.ubuntu.com \
    --recv-keys ${key}",
}

More discussion in a ticket open for the apt module

peelman

Not a beauty solution, but the following works for me:

exec { 'update_apt_key':
  command => '/usr/bin/apt-key adv --recv-keys --keyserver keys.gnupg.net 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
  # Run only when the pub record preceding this fingerprint is flagged expired (pub:e:)
  onlyif  => "/usr/bin/apt-key adv --list-public-keys --with-fingerprint --with-colons | grep -B 1 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 | head -n 1 | grep -e '^pub:e:'",
}
olliiiver

Updating a GPG key:

Yes, that's possible using the exec resource type, which "executes external commands". To prevent the exec from running each time, use unless and check / parse the output of apt-key list, for example via grep.

Adding a GPG key:

The puppetlabs apt module provides apt::key, which adds GPG keys. To use it, put something into your code along the lines of (from the docs):

apt::key { 'puppetlabs':
  id      => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
  server  => 'pgp.mit.edu',
}

Security note:

Using short key IDs presents a serious security issue, potentially leaving you open to collision attacks. We recommend you always use full fingerprints to identify your GPG keys. This module allows short keys, but issues a security warning if you use them.

Some more information why this should matter to you:

Short OpenPGP Key IDs, for example 0x2861A790, are 32 bits long. They have been shown to be easily spoofed by another key with the same Key ID. Long OpenPGP Key IDs (for example 0xA1E6148633874A3D) are 64 bits long. They are trivially collidable, which is also a potentially serious problem.

If you want to deal with a cryptographically-strong identifier for a key, you should use the full fingerprint. You should never rely on the short, or even long, Key ID. [...]

Reference and more information about this.

gxx
  • Sure, but that would mean that it is executed though every run, except you code some additional checks on expire date. – olliiiver Jul 12 '16 at 10:34
  • @olliiiver Yes. So use [unless](https://docs.puppet.com/puppet/latest/reference/types/exec.html#exec-attribute-unless) and check the output of `apt-key list` if the key is present already, via `grep` for example. If this is not sufficient for you, please clarify your question and try to make clear what you're after. – gxx Jul 12 '16 at 10:38
  • apt::key will just add the key. It is not going to update it. – olliiiver Jul 12 '16 at 10:52
  • @olliiiver That's true, I wrote so in my answer. (I've edited my answer now to make this more clear.) What speaks against `exec` with `unless`? As written: If this doesn't help you, please explain why and what you're after. – gxx Jul 12 '16 at 10:55
  • @olliiiver Great! +1! – gxx Jul 12 '16 at 13:28
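The `unless`/`onlyif` checks in the first two answers and the exec-with-unless approach gxx describes all reduce to one question: is the key with this fingerprint present and not expired? Below is an added shell check (not from any of the answers or from the apt module) that parses the `--with-colons` listing the second answer greps, and accepts only the full fingerprint, as the module's security note recommends. The `key_status` name and the sample listing are mine; the listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Report the state of one key in apt's keyring from the colon-separated
# output of `apt-key adv --list-public-keys --with-fingerprint --with-colons`.
# The key is selected by its FULL 40-hex-digit fingerprint; short (8) and
# long (16) key IDs are refused, following the apt module's security note.
#
# usage: apt-key adv --list-public-keys --with-fingerprint --with-colons | key_status FPR
# prints one of: expired, revoked, valid, missing
key_status() {
  fpr=$1
  case $fpr in
    *[!0-9A-Fa-f]*) echo "key_status: fingerprint must be hex" >&2; return 2 ;;
  esac
  if [ "${#fpr}" -ne 40 ]; then
    echo "key_status: need a 40-hex-digit fingerprint, got ${#fpr} characters" >&2
    return 2
  fi
  awk -F: -v fpr="$(printf '%s' "$fpr" | tr 'a-f' 'A-F')" '
    # field 2 of a pub record is the validity flag: e = expired, r = revoked
    $1 == "pub" { validity = $2 }
    # the fpr record following a pub record carries the fingerprint in field 10
    $1 == "fpr" && $10 == fpr {
      found = 1
      status = (validity == "e") ? "expired" : (validity == "r") ? "revoked" : "valid"
      exit
    }
    END { print (found ? status : "missing") }'
}

# Constructed sample listing (not captured from a real host): the expired
# Puppet Labs key from the question, plus a made-up key that is still valid.
SAMPLE_COLONS='tru::1:1468320000:0:3:1:5
pub:e:4096:1:1054B7A24BD6EC30:2010-07-10:2016-07-08::-:Puppet Labs Release Key (Puppet Labs Release Key)::scESC:
fpr:::::::::47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30:
pub:-:4096:1:0000000000000001:2016-07-01:2020-07-01::-:Constructed Example Key::scESC:
fpr:::::::::0000000000000000000000000000000000000001:'

# Demo: the same decision the unless/onlyif checks make, keyed on the fingerprint.
for f in 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 0000000000000000000000000000000000000001; do
  printf '%s %s\n' "$f" "$(printf '%s\n' "$SAMPLE_COLONS" | key_status "$f")"
done
```

In a Puppet exec this would go into `onlyif` as `... | key_status FPR | grep -x expired`, so the refresh runs only for an expired key and never on every run.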