The apt module automates obtaining and installing software packages on \*nix systems.
-**Note**: While this module allows the use of short keys, **we urge you NOT to use short keys**, as they pose a serious security issue by opening you up to collision attacks.
+**Note**: While this module allows the use of short keys, **warnings are thrown if a full fingerprint is not used**, as they pose a serious security issue by opening you up to collision attacks.
## Setup
confine :osfamily => :debian
defaultfor :osfamily => :debian
commands :apt_key => 'apt-key'
+ commands :gpg => '/usr/bin/gpg'
def self.instances
cli_args = ['adv','--list-keys', '--with-colons', '--fingerprint']
file = Tempfile.new('apt_key')
file.write content
file.close
+ #confirm that the fingerprint from the file, matches the long key that is in the manifest
+ if name.size == 40
+ if File.executable? command(:gpg)
+ extracted_key = execute(["#{command(:gpg)} --with-fingerprint --with-colons #{file.path} | awk -F: '/^fpr:/ { print $10 }'"], :failonfail => false)
+ extracted_key = extracted_key.chomp
+ if extracted_key != name
+ fail ("The id in your manifest #{resource[:name]} and the fingerprint from content/source do not match. Please check there is not an error in the id or check the content/source is legitimate.")
+ end
+ else
+ warning ('/usr/bin/gpg cannot be found for verification of the id.')
+ end
+ end
file.path
end
if self[:content] and self[:source]
fail('The properties content and source are mutually exclusive.')
end
+ if self[:id].length < 40
+ warning('The id should be a full fingerprint (40 characters), see README.')
+ end
end
newparam(:id, :namevar => true) do
end
end
end
+
+ describe 'fingerprint validation against source/content' do
+ context 'fingerprint in id matches fingerprint from remote key' do
+ it 'works' do
+ pp = <<-EOS
+ apt_key { 'puppetlabs':
+ id => '#{PUPPETLABS_GPG_KEY_FINGERPRINT}',
+ ensure => 'present',
+ source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ apply_manifest(pp, :catch_failures => true)
+ end
+ end
+
+ context 'fingerprint in id does NOT match fingerprint from remote key' do
+ it 'works' do
+ pp = <<-EOS
+ apt_key { 'puppetlabs':
+ id => '47B320EB4C7C375AA9DAE1A01054B7A24BD6E666',
+ ensure => 'present',
+ source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
+ }
+ EOS
+
+ apply_manifest(pp, :expect_failures => true) do |r|
+ expect(r.stderr).to match(/do not match/)
+ end
+ end
+ end
+ end
+
end
Code Review / puppet-modules / puppetlabs-apt.git / commitdiff