Use full key ID when adding GPG keys on Ubuntu

[pid1]

To decrease the chances of a collision attack, use the full key fingerprint.

[pid1]

Looks like this failed because of the check on the GPG fingerprint changing, which is entirely valid. Happy to see that included. I assume we can just have someone on the team verify the fingerprint before merging as a workaround, and update the Travis check.

[pid1]

Ah, I found that defined in

puppet-datadog-agent/spec/classes/datadog_agent_ubuntu_spec.rb

Line 16 in cb45891

# it should install the mirror

. If desired, I can add a fix for that to the PR as well.

[truthbk]

@pid1 I'd be happy to make this change - you're absolutely right, the short key ID has been proven vulnerable, and the change should be transparent for users that have the right keys installed. Let's get the tests fixed before merging this in :)

Thank you!

[pid1]

@truthbk Travis checks are fixed; we should be good to go, but if there is anything else that needs updating let me know.

[truthbk]

Thanks for this @pid1 - looks ready to go. I appreciate the effort! 👍

[pid1]

Happy to help!

[ColinHebert]

Hey @truthbk, @pid1, this change broke the install_key behaviour. It used to rely on apt-key list using the short ID to detect whether the command needed to be executed. Now because we're using the fingerprint, the unless condition is never met, which means that the exec is run no matter what each time.

[pid1]

@ColinHebert Thanks for the heads up. I'll send up a new PR to fix that behavior ASAP.