
[SECURITY] Properly handle GnuPG keys for APT repositories #940

Merged
merged 4 commits into from
Oct 24, 2016

Conversation

vutny
Contributor

@vutny vutny commented Aug 19, 2016

What does this PR do?

It allows handling GPG keys for configured APT repositories on Debian/Ubuntu in a secure or INsecure way, depending on user request.

First, the apt-key adv command is the preferred method for obtaining public keys from different URLs without any additional downloading tools such as wget; it also honours the -I and -l parameters from Salt Bootstrap.

Second, having pubkey fingerprints hardcoded in the script is unreliable for the following reasons:

  • We only verify the main Debian archive key, but the Security and Backports repositories haven't been covered. Also, derivative distros such as Raspbian have different keys, so adding the other distro's key is meaningless and mostly unwanted.
  • Once the key expires or is revoked, it will require immediate patching of the Salt Bootstrap script; otherwise the attempt to install the wrong key could fail or leave the system in an inappropriate state.

This PR mostly addresses those issues. See the details below in the behavior sections.

What issues does this PR fix or reference?

Should indirectly resolve issue #939 by skipping the check of the apt-get update command's status.

Previous Behavior

  • The bootstrap script attempts to upgrade debian-archive-keyring each time. However, it will fail if the archive signature is changed.
  • Installs the hard-coded pub key if the fingerprint wasn't found.

New Behavior

  • The bootstrap script updates archive keys only if the user granted permission to upgrade the whole system with the -U option. The signature of the debian-archive-keyring package will not be verified if the user allowed insecure downloading with the -I option. This makes it possible to bootstrap Salt during a distro PKI renewal period on older systems or outdated VM/container images.
  • The system upgrade will be done prior to any bootstrapping operations (other repo configurations and package installations). This should go smoothly, because debian-archive-keyring will have been updated beforehand.
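
The -U / -I policy described above, as an added illustration that is not the bootstrap script's own code: the function name and the final "configure-salt-repo" step are hypothetical placeholders, and the apt-get invocations are the real commands the described behavior maps to.

```shell
#!/bin/sh
# Given the -U (upgrade system) and -I (insecure download) flags, print the
# ordered steps the PR text describes: the archive keyring is refreshed only
# under -U, signature checking of that package is dropped only under -I, and
# the upgrade runs before any repository configuration.

# $1 = 1 if -U was given, else 0; $2 = 1 if -I was given, else 0.
# Prints one command per line; nothing is executed.
apt_bootstrap_plan() {
    upgrade_sys="$1"
    insecure="$2"
    auth_opt=""
    # Secure by default: only an explicit -I disables package signature checks.
    if [ "$insecure" = "1" ]; then
        auth_opt=" --allow-unauthenticated"
    fi
    if [ "$upgrade_sys" = "1" ]; then
        # Index refresh; its exit status is deliberately not checked (#939).
        printf '%s\n' "apt-get update || true"
        # Refresh the distro keys first so the following upgrade verifies cleanly.
        printf '%s\n' "apt-get -y${auth_opt} install debian-archive-keyring"
        printf '%s\n' "apt-get -y${auth_opt} upgrade"
    fi
    # Repository configuration (hypothetical step name) always comes last.
    printf '%s\n' "configure-salt-repo"
}

apt_bootstrap_plan "${1:-0}" "${2:-0}"
```

Run as `sh plan.sh 1 0` to see the verified path and `sh plan.sh 1 1` to see where the unauthenticated option would be introduced.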

@rallytime
Contributor

This looks good to me, but I'd like @s0undt3ch to take a look before merging this in since it's such a large and important change.

@rallytime
Contributor

I spoke with @s0undt3ch offline about this one and he says this is ready to go. Thanks again @vutny!

@rallytime rallytime merged commit 96086e7 into saltstack:develop Oct 24, 2016
@vutny vutny deleted the apt-secure branch October 26, 2016 10:24