Re: Installation of package_config/CLASS.gpg

2023-08-23 Christopher Huhn

On 18.07.23 at 11:36, Andrew Ruthven wrote:

> Apt will then trust all the keyrings in
> /etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
> Signed-By to specify which GPG keyring to trust for our various additional
> repositories.


Just out of curiosity:
What security benefit do you achieve by demanding that a certain repo is signed by a specific key?


Best

Christopher


--

Christopher Huhn
Linux & web group
IT department

GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
Planckstr. 1, 64291 Darmstadt, https://www.gsi.de/

Sitz der Gesellschaft / Registered Office: Darmstadt
Handelsregister / Commercial Register: Amtsgericht Darmstadt, HRB 1528

Geschaeftsfuehrung/ Managing Directors:
 Professor Dr. Paolo Giubellino, Joerg Blaurock

Vorsitzender des GSI-Aufsichtsrates /
  Chairman of the GSI Supervisory Board:
  Ministerialdirigent Dr. Volkmar Dietz



Re: Installation of package_config/CLASS.gpg

2023-08-22 Andrew Ruthven
Hey,

This is almost what I did. We already have a postinst for all our
files/etc/apt/sources.list.d/X directories to substitute in distro names and
URLs, so I added:

# See if we need to fcopy a signing key in.
# $2 is the sources.list.d file this postinst was called for; pull the
# keyring path out of its signed-by=... option (expects an .asc key).
# sed -n ... p prints only on a match, so $key stays empty otherwise.
key=$(sed -nE 's/.*signed-by=([^] ]+\.asc).*/\1/p' "$2")
if [ -n "$key" ]; then
    fcopy -M "$key"
fi

Cheers,
Andrew

On Tue, 2023-08-22 at 09:46 +0200, Thomas Lange wrote:
> I would suggest you are using a hook with an fcopy command to put
> those files to some other locations.
> 
> > > > > > On Tue, 18 Jul 2023 21:36:04 +1200, Andrew Ruthven said:
> 
>     > Hey,
>     > I see that FAI since 5.8.7 will install package_config/CLASS.gpg
>     > into /etc/apt/trusted.gpg.d/ . Apt will then trust all the keyrings in
>     > /etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
>     > Signed-By to specify which GPG keyring to trust for our various additional
>     > repositories.
> 
>     > How about having task_repository check for another file, say
>     > package_config/CLASS.gpg_dest that'd allow us to specify where to copy
>     > package_config/CLASS.gpg to?
> 

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud:   | This space intentionally left blank
 https://catalystcloud.nz |



Re: Installation of package_config/CLASS.gpg

2023-08-22 Diego Zuccato
I placed 'em under /srv/salt/_files/etc/apt/keyrings/-archive-keyring.gpg and repositories have
deb [signed-by=/etc/apt/keyrings/-archive-keyring.gpg arch=amd64] https://...


gluster.sls uses:
-8<--
create-keyrings-dir:
  file.directory:
    - name: /etc/apt/keyrings/
    - user: root
    - group: root
    - mode: 755

add-gluster-key:
  file.managed:
    - name: /etc/apt/keyrings/gluster-archive-keyring.gpg
    - source: salt://_files/etc/apt/keyrings/gluster{{ salt['pillar.get']('gluster_version','') }}-archive-keyring.gpg

add-gluster-repo:
  file.managed:
    - name: /etc/apt/sources.list.d/gluster.list
    - source: salt://_files/etc/apt/sources.list.d/gluster{{ salt['pillar.get']('gluster_version','') }}-{{ grains['oscodename'] }}.list
-8<--

(actually create-keydirs-dir is in a separate sls that gets included by 
all sls files that need to add keyrings, but it's just a detail).


Diego

On 22/08/2023 09:46, Thomas Lange wrote:

> I would suggest you are using a hook with an fcopy command to put
> those files to some other locations.
> 
> > On Tue, 18 Jul 2023 21:36:04 +1200, Andrew Ruthven said:
> 
> > Hey,
> > I see that FAI since 5.8.7 will install package_config/CLASS.gpg
> > into /etc/apt/trusted.gpg.d/ . Apt will then trust all the keyrings in
> > /etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
> > Signed-By to specify which GPG keyring to trust for our various additional
> > repositories.
> 
> > How about having task_repository check for another file, say
> > package_config/CLASS.gpg_dest that'd allow us to specify where to copy
> > package_config/CLASS.gpg to?



--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
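The point both Andrew's postinst and Diego's Salt states are working toward is that a keyring referenced through signed-by= only verifies the repository that names it, whereas anything dropped into /etc/apt/trusted.gpg.d verifies every repository. Below is an added POSIX shell check, not code from the thread or from FAI or Salt: it extracts the signed-by= path from one-line "deb" entries (the sources.list syntax used in the thread; deb822 .sources files are not parsed), reports entries with no signed-by as relying on the global keyrings, and flags the case where the pinned keyring itself lives under /etc/apt/trusted.gpg.d, because that same key then also verifies every unpinned repository. The sample lines and the example.invalid hosts are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit apt "deb" lines for Signed-By pinning.
# Handles the one-line sources.list syntax only; deb822 .sources files are not parsed.

# Print the keyring path from a line's signed-by= option; print nothing if absent.
signed_by_key() {
    printf '%s\n' "$1" | sed -nE 's/.*\[[^]]*signed-by=([^] ]+)[^]]*\].*/\1/p'
}

# Classify one line by where its trust comes from:
#   skip                     - not a deb/deb-src line (blank, comment, ...)
#   global                   - no signed-by: any key in /etc/apt/trusted.gpg(.d) verifies it
#   pinned:<path>            - only the key(s) in <path> verify this repository
#   pinned-global-key:<path> - pinned, but <path> is under /etc/apt/trusted.gpg.d, so the
#                              same key also verifies every repository without signed-by
classify_source_line() {
    case $1 in
        deb\ *|deb-src\ *) ;;
        *) echo skip; return ;;
    esac
    key=$(signed_by_key "$1")
    if [ -z "$key" ]; then
        echo global
        return
    fi
    case $key in
        /etc/apt/trusted.gpg.d/*) echo "pinned-global-key:$key" ;;
        *)                        echo "pinned:$key" ;;
    esac
}

# Constructed sample lines (hosts are placeholders, not real repositories).
SAMPLE_SOURCES='deb [signed-by=/etc/apt/keyrings/gluster-archive-keyring.gpg arch=amd64] https://example.invalid/gluster bookworm main
deb [arch=amd64] https://example.invalid/vendor bookworm main
deb [signed-by=/etc/apt/trusted.gpg.d/vendor.gpg] https://example.invalid/other bookworm main
deb-src https://example.invalid/src bookworm main
# deb https://example.invalid/disabled bookworm main'

# Number of sample lines that fall back to the global keyrings.
count_global() {
    printf '%s\n' "$SAMPLE_SOURCES" | while IFS= read -r line; do
        classify_source_line "$line"
    done | grep -c '^global$' || true
}

# Report every sample line when run directly.
printf '%s\n' "$SAMPLE_SOURCES" | while IFS= read -r line; do
    printf '%-24s %s\n' "$(classify_source_line "$line")" "$line"
done
```

Pointing the loop at the real files (for example `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list`) turns this into a quick inventory of which repositories are actually restricted to their own key; a "global" result means the repository is verified by whatever FAI or anyone else has placed in /etc/apt/trusted.gpg.d.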


Re: Installation of package_config/CLASS.gpg

2023-08-22 Thomas Lange
I would suggest you are using a hook with an fcopy command to put
those files to some other locations.

> On Tue, 18 Jul 2023 21:36:04 +1200, Andrew Ruthven said:

> Hey,
> I see that FAI since 5.8.7 will install package_config/CLASS.gpg
> into /etc/apt/trusted.gpg.d/ . Apt will then trust all the keyrings in
> /etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
> Signed-By to specify which GPG keyring to trust for our various additional
> repositories.

> How about having task_repository check for another file, say
> package_config/CLASS.gpg_dest that'd allow us to specify where to copy
> package_config/CLASS.gpg to?

-- 
regards Thomas