authorMicah Anderson <micah@riseup.net>2017-05-02 12:32:05 -0400
committerMicah Anderson <micah@riseup.net>2017-05-02 14:41:49 -0400
commit22c947c33a452e912859832c78bd3660b6734cc6 (patch)
tree7d0021344efc72d590ecb70ffc35cd22b0d9b288 /puppet
parentf09276a705d8cc21a117075e996f5d4797e5311d (diff)
Add signed-by option to sources.list (Closes: #8425)
This gets us a simple apt repository privilege separation: (a) our key can't be used to forge other repos, (b) other keys can't be used to forge our repo. From sources.list(5): · Signed-By (signed-by) is either an absolute path to a keyring file (has to be accessible and readable for the _apt user, so ensure everyone has read-permissions on the file) or one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If the option is set, only the key(s) in this keyring or only the keys with these fingerprints are used for the apt-secure(8) verification of this repository. Defaults to the value of the option with the same name if set in the previously acquired Release file. Otherwise all keys in the trusted keyrings are considered valid signers for this repository.
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_apt/manifests/leap_repo.pp8
1 files changed, 7 insertions, 1 deletions
diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp
index 3d95d8b6..7c6c49c5 100644
--- a/puppet/modules/site_apt/manifests/leap_repo.pp
+++ b/puppet/modules/site_apt/manifests/leap_repo.pp
@@ -4,8 +4,14 @@ class site_apt::leap_repo {
$platform = hiera_hash('platform')
$major_version = $platform['major_version']
+ if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ {
+ $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg'
+ } else {
+ $archive_key = '/usr/share/keyrings/leap-archive.gpg'
+ }
+
apt::sources_list { 'leap.list':
- content => "deb ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n",
+ content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n",
before => Exec[refresh_apt]
}