[MODULES-3307] puppetlabs-apt doesn't detect or allow updating expired keys Created: 2016/04/28 Updated: 2018/09/27 Resolved: 2018/09/27 |
|
Status: |
Resolved |
Project: |
|
Component/s: |
|
Affects Version/s: |
|
Fix Version/s: |
None |
Type: |
Bug |
Priority: |
Normal |
Reporter: |
Assignee: |
||
Resolution: |
Fixed |
Votes: |
12 |
None |
|||
Remaining Estimate: |
Not Specified |
||
Time Spent: |
Not Specified |
||
Original Estimate: |
Not Specified |
||
Environment: |
Ubuntu 14.04, puppet version 3.8.7 with puppetlabs-apt version 2.2.2 |
Modules |
Description |
|
I'm using puppet to manager CRAN's R. Their APT signing key is installed with:
This works great on new systems, but on older systems they have an expired key, with the same fingerprint. There is an ensure => present, but unlike packages there's no ensure => latest. Nor is there any way I could find documented to check if the key is valid, or refresh the key from the keyserver. So the result is apt fails with:
If I view the key:
On a newer system:
Note the fingerprint is the same, but the expiration is different. So the problem is the puppetlabs-apt seems to have no way for me to ask for an up to date key.
|
Comments |
|
Comment by Nick Peelman [ 2016/07/11 ] |
||
Seconded. Just got bit by the apt.puppetlabs.com repo key expiring today. Even manually setting content via apt-key doesn't seem to take effect since the IDs match... Short of managing the keys inside of puppet, and having to manually update puppet each time they change, or running via exec and touching a file for idempotency, neither of which is the best way forward, I'm not sure what the action should be here. Touching all 25 of my machines to run `sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 4BD6EC30` isn't a big deal, but if I had 200 machines, there has to be a better way... |
||
Comment by Tom Downes [ 2016/07/11 ] |
||
Comment by Nick Peelman [ 2016/07/11 ] |
||
My hack, for anybody interested: |
||
Comment by Nick Peelman [ 2016/07/11 ] |
||
After a little more digging I unearthed [this gem](https://gist.github.com/garthk/3726289): Kudos to garthk. That is a lot cleaner and much more future-proof than a touch file. Lesson learned; hadn't considered doing a chained walk of commands to test for expired keys...that kind of path will come in handy... All that said, something similar to GarthK's solution could be baked into the apt module rather easily. |
||
Comment by Clayton O'Neill [ 2016/07/11 ] |
||
Couldn't this be fixed by just treating expired keys as absent in the apt_key resource? |
||
Comment by Nick Peelman [ 2016/07/11 ] |
||
I don't think so, because the ID doesn't change. They aren't expiring the old key and replacing it with a new one. They are renewing the old public key by extending its expiration date (insofar as I can tell). Looks like the R maintainers in the OP are doing the same thing. |
||
Comment by Arney [ 2016/08/29 ] |
||
apt_key can already detect whether a key has expired, but this is a read-only property. I guess the main question here is how it should act on this? It should check, whether there is a key available at the source Is that key actually newer or just the expired key installed already? If newer, then replace. Sure, an expired key is pretty useless, but deleting it without adequate replacement seems risky. If anyone comes up with the commands to do this, I'd volunteer to implement them. |
||
Comment by Clayton O'Neill [ 2016/08/29 ] |
||
GPG tells you in the listkeys output if the key is expired. One fix would be to treat expired keys as if they weren't present. This would allow replacing keys with unexpired versions, but would cause idempotence issues when the key expires and there is no replacement. I don't know if there is a way to check an existing key to see if it has expired, especially when you may have it as a file on disk, as a string, or it may need to be retrieved from a remote key server. |
||
Comment by Coen de Meijer [ 2016/08/31 ] |
||
Nick Peelman thanks for the gem. I needed to modify it a bit to get it to work for me but it looks like a nice addition. Looking forward to january fifth next year. Changes I made: |
||
Comment by Christoph Tavan [ 2016/09/03 ] |
||
Nick Peelman thanks for the snippet. I had to change it slightly: The reason was that I also had a revoked version of the key on some hosts, so the unless check was not evaluating correctly before:
Coen de Meijer I think that's probably what you would also wanted to do, since your change towards grep expires will always fetch the keys with each puppet run since you are checking for keys which will expire in the future instead of for keys which have expired. |
||
Comment by Nick Peelman [ 2016/09/03 ] |
||
That works. I might have just added `-v revoked` (you can keep adding strings to grep and it will concat matches as needed). I don't think inverting the logic will cause problems, but its a holiday weekend and my brain has checked out so I might not be thinking through all the edge cases well enough. |
||
Comment by Coen de Meijer [ 2016/09/29 ] |
||
Christoph Tavan I had to let go of the grep -v expired because it would not produce the desired result in every case. It would return with 0 exit code (which is what we want) if the
previous command produced multiple lines. Grep -v returns 0 (as desired): Grep -v returns 1 (bummer): As I understand it, when I have one line that expires in the future, there is no need to run the command. Which I believe is what my code does now (according to the documentation of the unless attribute for exec: "If this parameter is set, then this exec will run unless the command has an exit code of 0." My puppet code right now (which does not fetch the keys at every run): In my hiera config I simply have an array that lists the names of the keys that need to be checked. |
||
Comment by Christoph Tavan [ 2016/09/29 ] |
||
Coen de Meijer I'm still not sure about your suggestion... What about keys that never expire? I understand that you will probably not add those keys to your hiera config, but nonetheless it duplicates configuration. I also don't really understand what the problem is with: Can you elaborate? That's why I'm using onlyif in combination with grep expired and not unless in combination with grep -v expired (which would exhibit the problem you describe above... |
||
Comment by Coen de Meijer [ 2016/09/29 ] |
||
I'm not sure what you mean by duplication here. I have the puppetlabs key in hiera and then a separate array with the names of the keys that may need to be updated. The puppetlabs key is the only one with this issue so far. Feels like a minimum of additional code (additional array and a tiny bit of puppet script). To be honest, I don't know why I stuck with the unless. I actually like your suggestion better. I vaguely remember there being some reason, but I'm not sure. Maybe I just forgot the first grep? |
||
Comment by Herwig Bogaert [ 2016/10/28 ] |
||
I solved this problem by adding a refresh parameter to the
apt_key resource. |
||
Comment by Mithil Patel [ 2017/03/30 ] |
||
Inspite of running the command manually, this doesn't seem to be fixed. Output as below: root@netlogin-test-01:~# apt-key list | grep expired root@netlogin-test-01:~# apt-key adv --recv-keys --keyserver
keyserver.ubuntu.com 4BD6EC30 root@netlogin-test-01:~# apt-key list | grep expired If this command doesn't even work manually then no point in creating an exec resource. Has anyone faced this issue as well? |
||
Comment by Eimhin Laverty [ 2018/09/05 ] |
||
Hey Herwig Bogaert I'm just following up to see if the solution you have specified was able to remediate the issue of updating an expired key? |
||
Comment by Herwig Bogaert [ 2018/09/05 ] |
||
Hi Eimhin Laverty. the solution in https://github.com/hbog/puppetlabs-apt/tree/refresh worked and has been running for a while. In it latest version, I used 'ensure => refreshed' to make it update expired keys. I stopped using the branch a few months ago, because it was no longer needed in our setup. Note that we were running Puppet 3.8 at the time it was in use. |
||
Comment by Eimhin Laverty [ 2018/09/05 ] |
||
Hey Herwig Bogaert I'll use the additions you have added to the repo to figure out a solution for the current version of the module if you don't mind. Thanks! |
||
Comment by Herwig Bogaert [ 2018/09/06 ] |
||
Feel free Eimhin Laverty. |
||
Comment by Eimhin Laverty [ 2018/09/24 ] |
||
Just updating this ticket to let you all know that I have merged a pull request which introduces functionality to allow you to have your keys automatically update when expired. This can be achieved by simply setting the `ensure` property of your apt::key resources to `refreshed`. Many thanks to Herwig Bogaert for his solution which was a big help. I hope this helps solve your issues but please feel free to provide feedback (or a PR ) if you feel there is any way it can be improved. |
||
Comment by Eimhin Laverty [ 2018/09/27 ] |
||
I'm going to go ahead and resolve this ticket now but if there are issues that you feel need re-addressed feel free to re-open the ticket. Thanks! |
Generated at Thu Nov 25 14:08:28 PST 2021 using Jira 8.13.2#813002-sha1:c495a97c0445fc6ed348f0d5238c2bc2e2c2ef37.
Tags: allow updating, to allow, [modules3307], expired, detect, allow, updating, doesnt, puppetlabsapt