author | Thayne McCombs <thayne@lucidchart.com> | 2023-02-07 14:04:22 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-07 16:04:22 -0500 |
commit | a484732c2ab1a55d26be65c3c2260c287ef138e1 (patch) | |
tree | e4aee0700ac15128464d0a77fd228d0620847383 /lib | |
parent | fd02b3b8b9fb75b420cba1db7c27fd60aeed85aa (diff) | |
download | chef-a484732c2ab1a55d26be65c3c2260c287ef138e1.tar.gz |
fix(apt_repository): Detect changes to expiration in key (#13535)
This makes it so that the apt keys are updated if the expiration of a key is updated without
changing the fingerprint.
See: https://gitlab.com/gitlab-cookbooks/cookbook-gitlab-runner/-/merge_requests/37/diffs#35cd6a49d9e22469db42af7a30c5f3a76487e3c7
Fixes: #13308
Signed-off-by: Thayne McCombs <thayne@lucid.co>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/chef/resource/apt_repository.rb | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/lib/chef/resource/apt_repository.rb b/lib/chef/resource/apt_repository.rb
index 80df76ef4c..7e2ced5c92 100644
--- a/lib/chef/resource/apt_repository.rb
+++ b/lib/chef/resource/apt_repository.rb
@@ -187,6 +187,24 @@ class Chef
 end.compact
 end

+ # run the specified command and extract the public key ids
+ # accepts the command so it can be used to extract both the current keys
+ # and the new keys
+ # @param [Array<String>] cmd the command to run
+ #
+ # @return [Array] an array of key ids
+ def extract_public_keys_from_cmd(*cmd)
+ so = shell_out(*cmd)
+ # Sample output
+ # pub:-:4096:1:D94AA3F0EFE21092:1336774248:::-:::scSC::::::23::0:
+ so.stdout.split(/\n/).map do |t|
+ if t.match(/^pub:/)
+ f = t.split(":")
+ f.slice(0, 6).join(":")
+ end
+ end.compact
+ end
+
 # validate the key against the apt keystore to see if that version is expired
 # @param [String] key
 #
@@ -222,8 +240,8 @@ class Chef
 def no_new_keys?(file)
 # Now we are using the option --with-colons that works across old os versions
 # as well as the latest (16.10). This for both `apt-key` and `gpg` commands
- installed_keys = extract_fingerprints_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
- proposed_keys = extract_fingerprints_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
+ installed_keys = extract_public_keys_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
+ proposed_keys = extract_public_keys_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
 (installed_keys & proposed_keys).sort == proposed_keys.sort
 end |
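Review bot: `f.slice(0, 6)` in `extract_public_keys_from_cmd` keeps fields 1–6 of the `pub:` record (type, validity, key length, algorithm, key ID, creation date) and stops right before field 7, which in gpg's `--with-colons` format is the expiration date, so the expiration itself is never part of what gets compared despite the commit subject. As written the change appears to notice an updated key only once the installed copy has actually expired and its validity column flips from `-` to `e`; a key whose expiry was extended before it lapsed would still compare equal and not be re-imported — worth confirming against the sample line in the comment, where field 7 is empty. If comparing the expiry is the intent, `f.slice(0, 7).join(":")` includes it, with the caveat that this relies on `apt-key` and `gpg` printing identical validity/expiry columns for the same key, otherwise every run would re-import. Minor style: `t.start_with?("pub:")` says the same as `t.match(/^pub:/)` without building a MatchData.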
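Review bot: Neither `extract_public_keys_from_cmd` call in `no_new_keys?` checks the exit status of the command it ran, so a failing `gpg` or `apt-key` (missing binary, unreadable key file, bad option) yields `[]`, and `([] & installed_keys).sort == [].sort` is true — the resource then reports that there is nothing to install and the key is silently skipped instead of the run failing. Adding `so.error!` after `so = shell_out(*cmd)` in the helper would surface that; how callers of this predicate handle exceptions is outside the hunk, so confirm before raising. Separately, `LIST_APT_KEY_FINGERPRINTS` and the `--with-fingerprint` option now feed a method that only reads `pub:` records and discards `fpr:` lines, so the names no longer describe what is compared; a comment such as `# only the pub: records are compared; fpr: lines are ignored` above the two assignments would save the next reader a detour.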