WIP: Use proper keyrings directory #163

Closed
jlecour wants to merge 0 commits from debian12-keyring into unstable

We've decided that all gpg/asc files for APT go to `/etc/apt/trusted.gpg.d`, but with APT 2.4 (Debian 12), the proper directory becomes `/etc/apt/keyrings`.

I've added automatic variables in roles that use this.

I've also added a `signed-by` option in source.list files for third-party sources.

From https://manpages.debian.org/testing/apt/apt-key.8.en.html :

> *Recommended*: Instead of placing keys into the `/etc/apt/trusted.gpg.d` directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See [sources.list(5)](https://manpages.debian.org/testing/apt/sources.list.5.en.html) for details. Since APT 2.4, `/etc/apt/keyrings` is provided as the recommended location for keys not managed by packages.

jlecour added 2 commits 2022-11-02 23:26:25 +01:00
f531460f49 Use proper keyrings directory for APT version
Debian 9 → 11 : /etc/apt/trusted.gpg.d
Debian 12 : /etc/apt/keyrings
28540247f0 Add signed-by option for additional APT sources
dprevot reviewed 2022-11-03 13:25:27 +01:00
@ -41,3 +41,3 @@
- name: Elastic sources list is available
apt_repository:
repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
repo: "deb [signed-by={{ apt_keyring_dir }}/.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
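Review bot: the signed-by path on the new repo line is `{{ apt_keyring_dir }}/.asc`, which has no basename, so apt would look for a file literally named `.asc`; it should name the key file the role installs, e.g. `{{ apt_keyring_dir }}/elastic.asc`, and the task that writes that file must run before this apt_repository task, otherwise apt cannot verify the Elastic repository. Note also that on Debian 9 to 11, where `apt_keyring_dir` is `/etc/apt/trusted.gpg.d` (commit f531460f49), the key in that directory is already trusted for every configured source, so the signed-by option restricts nothing there; the per-source restriction only takes effect once the key lives outside `trusted.gpg.d`, as it does with `/etc/apt/keyrings` on Debian 12.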
dprevot (owner) commented:

`s/\.asc/elastic&/`
jlecour marked this conversation as resolved
jlecour added 1 commit 2022-11-03 14:39:41 +01:00
jlecour (author) commented:

In fact, moving to a [deb822](https://manpages.debian.org/bullseye/apt/sources.list.5.en.html#DEB822-STYLE_FORMAT) format might make this even easier.
It is supported since **apt version 1.1**, so it is available (at least) since Debian 8 (jessie).

I've noticed that we almost never update source files outside of Ansible (with the `apt_repository` module), so we could decide to change all custom source files to this new format, without breaking anything.

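As an added example, not code from this PR or from the evolix roles: the script below encodes the version rule from commit f531460f49 (`/etc/apt/trusted.gpg.d` before apt 2.4, `/etc/apt/keyrings` from 2.4 on) and renders the Elastic source from the reviewed hunk both as a classic one-line entry with `[signed-by=...]` and as the deb822 stanza discussed in the comment above. The function names, the sample apt version strings and the `8.x` stand-in for `elastic_stack_version` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the evolix/ansible-roles PR): choose the APT
# keyring directory from the installed apt version, then render a third-party
# source either as a classic one-line entry with [signed-by=...] or as a
# deb822 stanza with Signed-By. Function names and the sample inputs below
# are constructed for this example.
set -eu

# version_ge A B: succeed when dotted version A >= B (numeric components only;
# Debian epochs and ~ suffixes are not handled, which is enough for apt's version).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# apt_keyring_dir VERSION: /etc/apt/keyrings from apt 2.4 (Debian 12),
# /etc/apt/trusted.gpg.d before that (Debian 9 to 11).
apt_keyring_dir() {
    if version_ge "$1" 2.4; then
        echo /etc/apt/keyrings
    else
        echo /etc/apt/trusted.gpg.d
    fi
}

# signed_by_line KEYRING "deb URI SUITE COMPONENTS...": one-line format with
# the key pinned to this source only.
signed_by_line() {
    keyring=$1
    set -- $2                     # split the entry into type, URI, suite, components
    type=$1; shift
    printf '%s [signed-by=%s] %s\n' "$type" "$keyring" "$*"
}

# deb822_stanza KEYRING "deb URI SUITE COMPONENTS...": the same source as a
# deb822 stanza (for a .sources file); Signed-By replaces the [signed-by=] option.
deb822_stanza() {
    keyring=$1
    set -- $2
    type=$1; uri=$2; suite=$3; shift 3
    printf 'Types: %s\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$type" "$uri" "$suite" "$*" "$keyring"
}

# Demo with constructed inputs. On a real host take the version from
# `dpkg-query -W -f '${Version}' apt`; 8.x stands in for elastic_stack_version.
ENTRY='deb https://artifacts.elastic.co/packages/8.x/apt stable main'
for v in 1.8.2.3 2.2.4 2.6.1; do
    dir=$(apt_keyring_dir "$v")
    echo "apt $v -> $dir"
    signed_by_line "$dir/elastic.asc" "$ENTRY"
done
echo
deb822_stanza "$(apt_keyring_dir 2.6.1)/elastic.asc" "$ENTRY"
```

The keyring file named in `signed-by` / `Signed-By` has to exist and be readable by the `_apt` user before `apt update` runs, so in a role the task that writes it must be ordered before the one that writes the source. Only when that file sits outside `/etc/apt/trusted.gpg.d` is the key actually limited to this one source.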
jlecour added 1 commit 2022-11-06 10:19:47 +01:00
4c9aaf6d86 Merge branch 'unstable' into debian12-keyring
jlecour (author) commented:

Everything has been integrated in the stable/unstable branches.

jlecour closed this pull request 2023-03-17 09:01:38 +01:00
Reference: evolix/ansible-roles#163