initial commit for gpg version checking

better attempt at gpg version checking adding in key length warning removing version check, adding key check
puppetlabs · Mar 11, 2015 · 453b4eb · 453b4eb
1 parent b473af1
commit 453b4eb
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/lib/puppet/provider/apt_key/apt_key.rb b/lib/puppet/provider/apt_key/apt_key.rb
@@ -136,6 +136,16 @@ def tempfile(content)
     file = Tempfile.new('apt_key')
     file.write content
     file.close
+    #we now need to confirm that the fingerprint in this file, matches the long key that the user has given in the manifest
+    if name.size == 40
+      if File.executable? "/usr/bin/gpg"
+        extractedKey = execute(["/usr/bin/gpg --with-fingerprint --with-colons #{file.path} | awk -F: '/^fpr:/ { print $10 }'"], :failonfail => false) 
+        extractedKey = extractedKey.chomp
+        if extractedKey != name
+          fail ("The id in your manifest and the fingerprint from content/source do not match. Please check the content/source is legitimate.")
+        end
+      end 
+    end
     file.path
   end
 

diff --git a/lib/puppet/type/apt_key.rb b/lib/puppet/type/apt_key.rb
@@ -23,6 +23,9 @@
     if self[:content] and self[:source]
       fail('The properties content and source are mutually exclusive.')
     end
+    if self[:id].length < 40 
+      warning('The key should be at least a full fingerprint.')
+    end 
   end
 
   newparam(:id, :namevar => true) do