Re: Installation of package_config/CLASS.gpg
Hey,

This is almost what I did. We already have a postinst for all our
files/etc/apt/sources.list.d/X directories to substitute in distro names
and URLs, so I added:

  # See if we need to fcopy a signing key in
  key=$(grep signed-by= $2 | sed -E 's/.*signed-by=(.+?asc)( |\]).*/\1/')
  if [ "$key" != "" ]; then
    fcopy -M $key
  fi

Cheers,
Andrew

On Tue, 2023-08-22 at 09:46 +0200, Thomas Lange wrote:
> I would suggest you are using a hook with an fcopy command to put
> those files to some other locations.
>
> On Tue, 18 Jul 2023 21:36:04 +1200, Andrew Ruthven said:
>
> > Hey,
> > I see that FAI since 5.8.7 will install package_config/CLASS.gpg
> > into /etc/apt/trusted.gpg.d/ . Apt will then trust all the keyrings in
> > /etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
> > Signed-By to specify which GPG keyring to trust for our various additional
> > repositories.
>
> > How about having task_repository check for another file, say
> > package_config/CLASS.gpg_dest that'd allow us to specify where to copy
> > package_config/CLASS.gpg to?

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz         |
Catalyst Cloud:           | This space intentionally left blank
https://catalystcloud.nz  |
Re: Installation of package_config/CLASS.gpg
I placed 'em under /srv/salt/_files/etc/apt/keyrings/-archive-keyring.gpg
and repositories have

deb [signed-by=/etc/apt/keyrings/-archive-keyring.gpg arch=amd64] https://...

gluster.sls uses:
-8<--
create-keyrings-dir:
  file.directory:
    - name: /etc/apt/keyrings/
    - user: root
    - group: root
    - mode: 755

add-gluster-key:
  file.managed:
    - name: /etc/apt/keyrings/gluster-archive-keyring.gpg
    - source: salt://_files/etc/apt/keyrings/gluster{{ salt['pillar.get']('gluster_version','') }}-archive-keyring.gpg

add-gluster-repo:
  file.managed:
    - name: /etc/apt/sources.list.d/gluster.list
    - source: salt://_files/etc/apt/sources.list.d/gluster{{ salt['pillar.get']('gluster_version','') }}-{{ grains['oscodename'] }}.list
-8<--
(actually create-keydirs-dir is in a separate sls that gets included by
all sls files that need to add keyrings, but it's just a detail).

Diego

On 22/08/2023 09:46, Thomas Lange wrote:
> I would suggest you are using a hook with an fcopy command to put
> those files to some other locations.
>
> On Tue, 18 Jul 2023 21:36:04 +1200, Andrew Ruthven said:
>
> > Hey,
> > I see that FAI since 5.8.7 will install package_config/CLASS.gpg
> > into /etc/apt/trusted.gpg.d/ . Apt will then trust all the keyrings in
> > /etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
> > Signed-By to specify which GPG keyring to trust for our various additional
> > repositories.
>
> > How about having task_repository check for another file, say
> > package_config/CLASS.gpg_dest that'd allow us to specify where to copy
> > package_config/CLASS.gpg to?

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: Installation of package_config/CLASS.gpg
I would suggest you are using a hook with an fcopy command to put
those files to some other locations.

On Tue, 18 Jul 2023 21:36:04 +1200, Andrew Ruthven said:

> Hey,
> I see that FAI since 5.8.7 will install package_config/CLASS.gpg
> into /etc/apt/trusted.gpg.d/ . Apt will then trust all the keyrings in
> /etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
> Signed-By to specify which GPG keyring to trust for our various additional
> repositories.

> How about having task_repository check for another file, say
> package_config/CLASS.gpg_dest that'd allow us to specify where to copy
> package_config/CLASS.gpg to?

-- 
regards Thomas
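
Added example, not part of any message in this thread: a shell audit of one-line-style apt source files for the Signed-By concern raised above. The function names, status labels and sample entries (the repo.example URLs and site.gpg) are assumptions made up for illustration; it goes slightly beyond the thread by also flagging signed-by paths that point into /etc/apt/trusted.gpg.d.

```sh
#!/bin/sh
# Added example: audit one-line-style apt source files for Signed-By pinning.
# Status printed per deb/deb-src entry:
#   PINNED  signed-by names a keyring outside /etc/apt/trusted.gpg.d
#   SHARED  signed-by names a keyring inside trusted.gpg.d, so that key is
#           still trusted for every source that lacks signed-by
#   GLOBAL  no signed-by: any key in trusted.gpg.d can sign this repository
# Exit status is 1 if any entry is not PINNED.
audit_signed_by() {
    awk '
    /^[ \t]*deb(-src)?[ \t]/ {
        key = ""
        # Options sit in one [k=v k=v] block directly after the type field.
        if ($2 ~ /^\[/ && match($0, /\[[^]]*\]/)) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), opt, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^signed-by=/) key = substr(opt[i], 11)
        }
        if (key == "")                                   status = "GLOBAL"
        else if (key ~ /^\/etc\/apt\/trusted\.gpg\.d\//) status = "SHARED"
        else                                             status = "PINNED"
        printf "%s %s:%d %s\n", status, FILENAME, FNR, (key == "" ? "-" : key)
        if (status != "PINNED") bad = 1
    }
    END { exit bad + 0 }' "$@"
}

# Constructed sample input (not from the thread), written to a temp directory.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/sample.list" <<'EOF'
# comment lines and blanks are ignored
deb [signed-by=/etc/apt/keyrings/gluster-archive-keyring.gpg arch=amd64] https://repo.example/gluster bookworm main
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/site.gpg] https://repo.example/site bookworm main
deb https://repo.example/legacy bookworm main
EOF
    rc=0
    (cd "$d" && audit_signed_by sample.list) || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real host, run `audit_signed_by /etc/apt/sources.list /etc/apt/sources.list.d/*.list`; deb822-style `.sources` files are not parsed by this example.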