MT#58014 Remove support for fetching OpenPGP certificates from keyservers

The code trying to fetch the OpenPGP certificate from a keyserver has
been non-functional for a while as the GPG_KEY_SERVER variable was
removed in commit 316c28bcc2. Instead of
restoring the variable with an up-to-date keyserver (not part of the
SKS pool, as that network is dead), we remove the support entirely, as
it is a potential security issue, for example because of fingerprint
collisions.

As a side effect this removes apt-key usage which has been deprecated
upstream and is slated for removal.

Change-Id: I63171a66201c631da9233d54579bd1601ff22e3e
mr12.4
Guillem Jover 1 year ago
parent 362f7cbea1
commit 0a91a49826

@ -28,7 +28,6 @@ Control target system:
debianrelease=... - install specified Debian release
debianrepo=... - hostname of Debian APT repository mirror
debianrepotransport=... - use specified transport for Debian repository
debootstrapkey=... - use specified GPG key to bootstrap Debian
enablevmservices - add some tricks for installation to VM
fallbackfssize=... - size of ngcp-fallback partition. Equal to ngncp-root size if not specified
ip=... - standard Linux kernel ip= boot option
@ -1558,9 +1557,6 @@ for param in "${PARAMS[@]}" ; do
debianrepotransport=*)
DEBIAN_REPO_TRANSPORT="${param//debianrepotransport=/}"
;;
debootstrapkey=*)
GPG_KEY="${param//debootstrapkey=/}"
;;
debugmode)
DEBUG_MODE=true
enable_trace
@ -2095,28 +2091,7 @@ MIRROR="${DEBIAN_URL}/debian/"
SEC_MIRROR="${DEBIAN_URL}/debian-security/"
DBG_MIRROR="${DEBIAN_URL}/debian-debug/"
if [ -z "${GPG_KEY}" ] ; then
KEYRING="${SIPWISE_APT_KEY_PATH}"
else
KEYRING='/etc/apt/trusted.gpg'
echo "Fetching debootstrap keyring as GPG key '${GPG_KEY}'..."
TRY=60
while ! gpg --keyserver "${GPG_KEY_SERVER}" --recv-keys "${GPG_KEY}" ; do
if [ ${TRY} -gt 0 ] ; then
TRY=$((TRY-5))
echo "Waiting for gpg keyserver '${GPG_KEY_SERVER}' availability ($TRY seconds)..."
sleep 5
else
die "Failed to fetch GPG key '${GPG_KEY}' from '${GPG_KEY_SERVER}'"
fi
done
if ! gpg -a --export "${GPG_KEY}" | apt-key add - ; then
die "Failed to import GPG key '${GPG_KEY}' as apt-key"
fi
fi
KEYRING="${SIPWISE_APT_KEY_PATH}"
set_deploy_status "debootstrap"
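Review bot: Dropping the `debootstrapkey=*)` arm from the `for param in "${PARAMS[@]}"` loop means a boot command line that still passes `debootstrapkey=...` is no longer recognised. Depending on the loop's default arm, which is outside the hunk, the option may be silently ignored, so an operator who believes a specific key is pinned would bootstrap against `${SIPWISE_APT_KEY_PATH}` without any notice. I would keep an arm that fails loudly, for example `debootstrapkey=*) die "debootstrapkey= is no longer supported; debootstrap uses ${SIPWISE_APT_KEY_PATH}" ;;`. It is also worth checking whether a `GPG_KEY` initialisation remains elsewhere in the script, since nothing in these hunks reads it any more.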
