Changes on Tor, Signal and APT repository handling

author Silvio Rhatto <rhatto@riseup.net>

Mon, 19 Aug 2024 12:48:40 +0000 (09:48 -0300)

committer Silvio Rhatto <rhatto@riseup.net>

Mon, 19 Aug 2024 12:48:40 +0000 (09:48 -0300)
author Silvio Rhatto <rhatto@riseup.net>
Mon, 19 Aug 2024 12:48:40 +0000 (09:48 -0300)
committer Silvio Rhatto <rhatto@riseup.net>
Mon, 19 Aug 2024 12:48:40 +0000 (09:48 -0300)
diff --git a/files/etc/apt/trusted.gpg.d/signal.org.gpg b/files/etc/apt/keyrings/signal.org.gpg

similarity index 100%

rename from files/etc/apt/trusted.gpg.d/signal.org.gpg

rename to files/etc/apt/keyrings/signal.org.gpg
diff --git a/files/etc/apt/trusted.gpg.d/torproject.org.gpg b/files/usr/share/keyrings/deb.torproject.org-keyring.gpg

similarity index 96%

rename from files/etc/apt/trusted.gpg.d/torproject.org.gpg

rename to files/usr/share/keyrings/deb.torproject.org-keyring.gpg

index 7614b2039d918e50e3ba16a23ae24693d53461a2..738ef5d7f1408470e1f1e2d6cf4e7639fc5e3f7f 100644 (file)

Binary files a/files/etc/apt/trusted.gpg.d/torproject.org.gpg and b/files/usr/share/keyrings/deb.torproject.org-keyring.gpg differ
diff --git a/manifests/subsystem/apt/repo.pp b/manifests/subsystem/apt/repo.pp

index ca8f5e14bdfbad45b3bce43b3140575ac1c569a3..d6e03c06af1fb009b575df9b4f14c6287eabc931 100644 (file)
--- a/manifests/subsystem/apt/repo.pp
+++ b/manifests/subsystem/apt/repo.pp
@@ -1,15 +1,31 @@
  define nodo::subsystem::apt::repo(
    $definition,
    $key_source,
-  $ensure = present,
+  $keyrings_folder = '/etc/apt/keyrings',
+  $ensure          = present,
  ) {
-  file { "/etc/apt/trusted.gpg.d/${name}.gpg":
+  # The recommended locations for keyrings are /usr/share/keyrings for keyrings
+  # managed by packages, and /etc/apt/keyrings for keyrings managed by the
+  # system operator. If no keyring files are specified the default is the
+  # trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory (see
+  # apt-key fingerprint).
+  #
+  # -- sources.list(5)
+  file { "${keyrings_folder}/${name}.gpg":
      ensure  => $ensure,
      owner   => "root",
      group   => "root",
      mode    => "0644",
      source  => $key_source,
-    notify  => Exec["apt-repo-auto-update-${name}"],
+  }
+
+  # Old location
+  file { "/etc/apt/trusted.gpg.d/${name}.gpg":
+    ensure  => absent,
+    owner   => "root",
+    group   => "root",
+    mode    => "0644",
+    source  => $key_source,
    }
  
    file { "/etc/apt/sources.list.d/${name}.list":
@@ -18,7 +34,7 @@ define nodo::subsystem::apt::repo(
      group   => "root",
      mode    => "0644",
      content => "${definition}\n",
-    require => [ File["/etc/apt/trusted.gpg.d/${name}.gpg"], Package['apt-transport-https'] ],
+    require => [ File["${keyrings_folder}/${name}.gpg"], Package['apt-transport-https'] ],
      notify  => Exec["apt-repo-auto-update-${name}"],
    }
  
diff --git a/manifests/utils/network/signal.pp b/manifests/utils/network/signal.pp

index 037140a6f76c1ca908f67f2bf6cb2054b51acf53..6cd200bb788e7aebcbb10ae0932b7750580b63d2 100644 (file)
--- a/manifests/utils/network/signal.pp
+++ b/manifests/utils/network/signal.pp
@@ -1,7 +1,7 @@
  class nodo::utils::network::signal {
    nodo::subsystem::apt::repo { 'signal.org':
-    definition => 'deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main',
-    key_source => 'puppet:///modules/nodo/etc/apt/trusted.gpg.d/signal.org.gpg',
+    definition => 'deb [signed-by=/etc/apt/keyrings/signal.org.gpg arch=amd64] https://updates.signal.org/desktop/apt xenial main',
+    key_source => 'puppet:///modules/nodo/etc/apt/keyrings/signal.org.gpg',
    }
  
    package { 'signal-desktop':
diff --git a/manifests/utils/network/tor.pp b/manifests/utils/network/tor.pp

index 78b08a41c7eeb1fba4f507bb447e66f410213bf3..f8726f7a808d316b40bc6383fe55bb066f93d5b8 100644 (file)
--- a/manifests/utils/network/tor.pp
+++ b/manifests/utils/network/tor.pp
@@ -3,9 +3,15 @@
  class nodo::utils::network::tor (
    $ensure = 'installed',
  ) {
-  nodo::subsystem::apt::repo { 'torproject.org':
-    definition => "deb [signed-by=/etc/apt/trusted.gpg.d/torproject.org.gpg] https://deb.torproject.org/torproject.org ${::lsbdistcodename} main",
-    key_source => 'puppet:///modules/nodo/etc/apt/trusted.gpg.d/torproject.org.gpg',
+  # Old keyring location
+  file { '/etc/apt/trusted.gpg.d/torproject.org.gpg':
+    ensure => absent,
+  }
+
+  nodo::subsystem::apt::repo { 'deb.torproject.org-keyring.gpg':
+    definition      => "deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org ${::lsbdistcodename} main",
+    key_source      => 'puppet:///modules/nodo/usr/share/keyrings/deb.torproject.org-keyring.gpg',
+    keyrings_folder => '/usr/share/keyrings',
    }
  
    package { "deb.torproject.org-keyring":
@@ -14,8 +20,15 @@ class nodo::utils::network::tor (
    }
  
    package { [
-    'tor-arm',
+    'nyx',
    ]:
      ensure => $ensure,
    }
+
+  # Package 'tor-arm' was renamed to 'nyx'
+  package { [
+    'tor-arm',
+  ]:
+    ensure => absent,
+  }
  }
author	Silvio Rhatto <rhatto@riseup.net>
	Mon, 19 Aug 2024 12:48:40 +0000 (09:48 -0300)
committer	Silvio Rhatto <rhatto@riseup.net>
	Mon, 19 Aug 2024 12:48:40 +0000 (09:48 -0300)
files/etc/apt/keyrings/signal.org.gpg	[moved from files/etc/apt/trusted.gpg.d/signal.org.gpg with 100% similarity]	patch \| blob \| history
files/usr/share/keyrings/deb.torproject.org-keyring.gpg	[moved from files/etc/apt/trusted.gpg.d/torproject.org.gpg with 96% similarity]	patch \| blob \| history
manifests/subsystem/apt/repo.pp		patch \| blob \| history
manifests/utils/network/signal.pp		patch \| blob \| history
manifests/utils/network/tor.pp		patch \| blob \| history