[SECURITY] Properly handle GnuPG keys for APT repositories #940
What does this PR do?
It allows handling GPG keys for configured APT repositories on Debian/Ubuntu in a secure or INsecure way, depending on user request.
First, the `apt-key adv` command is the preferred method for obtaining public keys from different URLs without any additional downloading tools such as `wget`; it also honours the `-I` and `-l` parameters from the Salt Bootstrap.
Second, having pubkey fingerprints hardcoded in the script is unreliable because of:
This PR mostly addresses those issues. See the details below in the behavior sections.
What issues does this PR fix or reference?
Should indirectly resolve issue #939 by skipping the check of the `apt-get update` command status.
Previous Behavior
`debian-archive-keyring` each time. Although, it will fail if the archive signature is changed.
New Behavior
`-U` option. The signature of the `debian-archive-keyring` package will not be verified if the user allowed insecure downloading with the `-I` option. This enables the possibility to bootstrap Salt during a distro PKI renewal period on older systems or outdated VM/container images.
`debian-archive-keyring` would be updated before.