From 22c947c33a452e912859832c78bd3660b6734cc6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 May 2017 12:32:05 -0400 Subject: Add signed-by option to sources.list (Closes: #8425) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This gets us a simple apt repository privilege separation: (a) our key can't be used to forge other repos (b) other keys can't be used to forge our repo. From sources.list(5): ยท Signed-By (signed-by) is either an absolute path to a keyring file (has to be accessible and readable for the _apt user, so ensure everyone has read-permissions on the file) or one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If the option is set, only the key(s) in this keyring or only the keys with these fingerprints are used for the apt-secure(8) verification of this repository. Defaults to the value of the option with the same name if set in the previously acquired Release file. Otherwise all keys in the trusted keyrings are considered valid signers for this repository. --- puppet/modules/site_apt/manifests/leap_repo.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 3d95d8b6..7c6c49c5 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -4,8 +4,14 @@ class site_apt::leap_repo { $platform = hiera_hash('platform') $major_version = $platform['major_version'] + if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { + $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg' + } else { + $archive_key = '/usr/share/keyrings/leap-archive.gpg' + } + apt::sources_list { 'leap.list': - content => "deb ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", + content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", before => Exec[refresh_apt] } -- cgit v1.2.3