summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README25
-rw-r--r--manifests/key.pp15
-rw-r--r--manifests/key/plain.pp13
3 files changed, 41 insertions, 12 deletions
diff --git a/README b/README
index 835db79..d2cb71b 100644
--- a/README
+++ b/README
@@ -485,8 +485,25 @@ Deploys a secure apt OpenPGP key. This usually accompanies the
sources.list snippets above for third party repositories. For example,
you would do:
- apt::key { 'neurodebian.key':
- source => 'puppet:///modules/site_apt/neurodebian.key',
+ apt::key { 'neurodebian.gpg':
+ ensure => present,
+ source => 'puppet:///modules/site_apt/neurodebian.gpg',
+ }
+
+This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which
+is assumed by secure apt to be binary OpenPGP keys and *not*
+"ascii-armored" or "plain text" OpenPGP key material. For the latter,
+use `apt::key::plain`.
+
+apt::key::plain
+---------------
+
+Deploys a secure apt OpenPGP key. This usually accompanies the
+sources.list snippets above for third party repositories. For example,
+you would do:
+
+ apt::key::asc { 'neurodebian.asc':
+ source => 'puppet:///modules/site_apt/neurodebian.asc',
}
This deploys the key in the `${apt_base_dir}/keys` directory (as
@@ -495,6 +512,10 @@ this exists on top of `$custom_key_dir` is to allow a more
decentralised distribution of those keys, without having all modules
throw their keys in the same directory in the manifests.
+Note that this model does *not* currently allow keys to be removed!
+Use `apt::key` instead for a more practical, revokable approach, but
+that needs binary keys.
+
apt::upgrade_package
--------------------
diff --git a/manifests/key.pp b/manifests/key.pp
index 0ef9721..3f9660f 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -1,13 +1,8 @@
-define apt::key ($source) {
+define apt::key ($ensure => 'present', $source) {
file {
- "${apt::apt_base_dir}/${name}":
- source => $source;
- "${apt::apt_base_dir}/keys":
- ensure => directory;
- }
- exec { "apt-key add ${apt::apt_base_dir}/${name}":
- subscribe => File["${apt::apt_base_dir}/${name}"],
- refreshonly => true,
- notify => Exec['refresh_apt'],
+ "/etc/apt/trusted.gpg.d/$name":
+ source => $source,
+ ensure => $ensure,
+ notify => Exec['refresh_apt'],
}
}
diff --git a/manifests/key/plain.pp b/manifests/key/plain.pp
new file mode 100644
index 0000000..a84e6dd
--- /dev/null
+++ b/manifests/key/plain.pp
@@ -0,0 +1,13 @@
+define apt::key::plain ($source) {
+ file {
+ "${apt::apt_base_dir}/${name}":
+ source => $source;
+ "${apt::apt_base_dir}/keys":
+ ensure => directory;
+ }
+ exec { "apt-key add ${apt::apt_base_dir}/${name}":
+ subscribe => File["${apt::apt_base_dir}/${name}"],
+ refreshonly => true,
+ notify => Exec['refresh_apt'],
+ }
+}