MT#62249 Rework apt-key checks to support Debian/trixie

apt-key is gone as of apt version 2.9.17, so rely on apt-key only for Debian bookworm, instead use our own tooling to verify the key situation on Debian/trixie (v13) and newer. Migrate our existing checks from templates/140_apt-keys.yaml.tt2 to our new helper script helper/check-apt-keyrings, so we have one single interface for all those checks. FTR: the checksums of the sipwise-archive-2015.gpg + sipwise-autobuilder-2011.gpg keyfiles differ between bookworm and trixie, because of the way we generate them during package builds (gnupg for bookworm vs. sequoia starting with trixie). Situation on bookworm / trunk: | root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg | gpg: WARNING: no command supplied. Trying to guess what you mean ... | pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12] | 68A702B1FD8E422AAAA1ADA3773236EFF411A836 | uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com> | sub rsa4096 2015-03-05 [E] [expires: 2029-10-12] | root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg | gpg: WARNING: no command supplied. Trying to guess what you mean ... | pub rsa4096 2011-06-06 [SC] | F7B8A739CE638D719A078C9859104633EE5E097D | uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com> | sub rsa4096 2011-06-06 [E] | root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg | 811f878f5320fc8563a70b166d2c27ec060b4397ca021702f433bc4659336b9b /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg | f00aad42a76ddec341fb2c67b45b41e2d1c19d67bd239196cd52488c4b7da4a0 /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg Situation on trixie / trunk: | root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg | gpg: WARNING: no command supplied. Trying to guess what you mean ... | pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12] | 68A702B1FD8E422AAAA1ADA3773236EFF411A836 | uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com> | sub rsa4096 2015-03-05 [E] [expires: 2029-10-12] | root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg | gpg: WARNING: no command supplied. Trying to guess what you mean ... | pub rsa4096 2011-06-06 [SC] | F7B8A739CE638D719A078C9859104633EE5E097D | uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com> | sub rsa4096 2011-06-06 [E] | | root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg | 88d92e09810a13b5e749839bca89029fbbe73cca261a3a26712a560cc7b50e47 /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg | b64656d5f8fa0a636d46084bda74e16cef502d3d48e8ed101c6386ad8bbcacef /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg NOTE: Once we switch our /etc/apt/sources.list* setup to the deb822.sources format (see sources.list(5) + deb822(5) for details), and neither our ngcp-archive-keyring nor Debian's debian-archive-keyring no longer installs any files inside /etc/apt/trusted.gpg.d, we can instead check for empty /etc/apt/trusted.gpg.d + /etc/apt/keyrings and expected files inside /usr/share/keyrings. Change-Id: I0ef7e1d8f0684f94c1e6ae0499f85080cdcd690a
2 months ago · b73fea40fb
parent 72d1a73695
commit b73fea40fb
3 changed files with 119 additions and 8 deletions
--- a/debian/ngcp-system-tests.install
+++ b/debian/ngcp-system-tests.install
@ -1,3 +1,4 @@
+helper/check-apt-keyrings /usr/share/ngcp-system-tests/
 helper/compare_dbs.pl /usr/share/ngcp-system-tests/
 ngcp-system-tests /usr/bin/
 sbin/ngcp-mysql-compare-dbs /usr/sbin/
--- a/helper/check-apt-keyrings
+++ b/helper/check-apt-keyrings
@ -0,0 +1,116 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# NOTE: apt-key is gone as of apt version 2.9.17, and /etc/apt/trusted.gpg.d
+# got deprecated with version 2.9.24. But key files might still be in
+# /etc/apt/trusted.gpg.d, and there's no interface/tooling available to list
+# trusted key. So rely on apt-key only on Debian bookworm.
+
+DEBIAN_RELEASE=$(sed -e 's/\([0-9]*\)\..*/\1/' /etc/debian_version)
+
+case "${DEBIAN_RELEASE}" in
+  12)
+    # note: we need to avoid this apt-key warning on stderr:
+    #   Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
+    # otherwise the output of this script doesn't match what we expect
+    # from within our system-tests
+
+    # check for expired key within apt's trust store:
+    if apt-key list 2>&1 | grep -q 'expired:' ; then
+      echo "Error: Found expired keys in apt-key." >&2
+      exit 1
+    fi
+
+    # ensure old dsa1024 sipwise apt key isn't present:
+    if apt-key list --with-colons 2>/dev/null | grep '^pub' | cut -d':' -f 5 | grep -Eo '.{8}$' | grep -q 'A42C4F2A' ; then
+      echo "Error: Found deprecated dsa1024 apt key A42C4F2A" >&2
+      exit 1
+    fi
+    ;;
+  *)
+    # nothing to do with apt-key for trixie and newer
+    ;;
+esac
+
+apt_etc_dir=$(apt-config dump --format '%v%n' Dir::Etc | head -1)
+apt_etc_trusted_parts=$(apt-config dump --format '%v%n' Dir::Etc::trustedparts)
+apt_trusted_dir="/${apt_etc_dir=}"/"${apt_etc_trusted_parts}"
+
+# make sure we don't have any unexpected files inside apt_trusted_dir,
+# which defaults to /etc/apt/trusted.gpg.d
+for file in "${apt_trusted_dir}"/* ; do
+  test -f "${file}" || continue
+  case "$(basename "${file}")" in
+    debian-archive-bookworm-automatic.asc|debian-archive-bookworm-security-automatic.asc|debian-archive-bookworm-stable.asc)
+      ;;
+    debian-archive-bullseye-automatic.asc|debian-archive-bullseye-security-automatic.asc|debian-archive-bullseye-stable.asc)
+      ;;
+    debian-archive-buster-automatic.asc|debian-archive-buster-security-automatic.asc|debian-archive-buster-stable.asc)
+      ;;
+    sipwise-archive-2015.gpg|sipwise-autobuilder-2011.gpg)
+      ;;
+    sipwise-mr10.5.gpg| sipwise-mr11.5.gpg| sipwise_mr12_5.gpg)
+      ;;
+     *)
+      echo "Error: Unexpected file '${file}' inside '${apt_trusted_dir}'" >&2
+      exit 1
+      ;;
+  esac
+done
+
+# check for expired keys
+tmpdir=$(mktemp -d --tmpdir ngcp-system-tests-gpg-home.XXXXXXXXXX) # avoid touching ~/.gnupg or alike
+chmod 700 "${tmpdir}"
+for file in "${apt_trusted_dir}"/* ; do
+  test -f "${file}" || continue
+  if gpg --homedir "${tmpdir}" "${file}" 2>/dev/null | grep -q expired ; then
+    echo "Error: Expired key present in '${file}':" >&2
+    gpg "${tmpdir}""${file}"
+  fi
+done
+rm -rf "${tmpdir}"
+
+# some files might be missing (this is OK),
+# but the existing ones need to match what we expect
+pushd "${apt_trusted_dir}" >/dev/null
+case "${DEBIAN_RELEASE}" in
+  # bookworm
+  12)
+    echo "c2a9a16fde95e037bafd0fa6b7e31f41b4ff1e85851de5558f19a2a2f0e955e2  debian-archive-bookworm-automatic.asc
+74f81645b4e3156d1e9a88c8dd9259271b89c7099d64af89a2a6996b592faa1f  debian-archive-bookworm-security-automatic.asc
+521e9f6a9f9b92ee8d5ce74345e8cfd04028dae9db6f571259d584b293549824  debian-archive-bookworm-stable.asc
+0b7dc94b880f0b63e2093394b113cafd870badb86e020a35614f49b9d83beb1e  debian-archive-bullseye-automatic.asc
+716e79393c724d14ecba8be46e99ecbe1b689f67ceff3cb3cab28f6e69e8b8b8  debian-archive-bullseye-security-automatic.asc
+fb260ce8521a2faa4937d98a29a5347807e10614b97d510fbabe5480c803bda9  debian-archive-bullseye-stable.asc
+9c854992fc6c423efe8622c3c326a66e73268995ecbe8f685129063206a18043  debian-archive-buster-automatic.asc
+4cf886d6df0fc1c185ce9fb085d1cd8d678bc460e6267d80a833d7ea507a0fbd  debian-archive-buster-security-automatic.asc
+ca9bd1a0b3743495ae45693c6d4e54abadcffb242d72df15eda5b28e4ff385fa  debian-archive-buster-stable.asc
+811f878f5320fc8563a70b166d2c27ec060b4397ca021702f433bc4659336b9b  sipwise-archive-2015.gpg
+f00aad42a76ddec341fb2c67b45b41e2d1c19d67bd239196cd52488c4b7da4a0  sipwise-autobuilder-2011.gpg
+06cd0ec90ce6fe35917debde9976e6ccf24350e6db492ab7b1baab450a58b9af  sipwise-mr10.5.gpg
+ff8a919dce361dca2a1a67c7d106ed57159ea362394b2c0f5c622a64382103e0  sipwise-mr11.5.gpg
+e58c32479486501226872a1dc27f41083d636ff21876306f9e35a72c7197dd6a  sipwise_mr12_5.gpg" | sha256sum -c --quiet --ignore-missing
+    ;;
+  # trixie and newer
+  *)
+echo "c2a9a16fde95e037bafd0fa6b7e31f41b4ff1e85851de5558f19a2a2f0e955e2  debian-archive-bookworm-automatic.asc
+74f81645b4e3156d1e9a88c8dd9259271b89c7099d64af89a2a6996b592faa1f  debian-archive-bookworm-security-automatic.asc
+521e9f6a9f9b92ee8d5ce74345e8cfd04028dae9db6f571259d584b293549824  debian-archive-bookworm-stable.asc
+0b7dc94b880f0b63e2093394b113cafd870badb86e020a35614f49b9d83beb1e  debian-archive-bullseye-automatic.asc
+716e79393c724d14ecba8be46e99ecbe1b689f67ceff3cb3cab28f6e69e8b8b8  debian-archive-bullseye-security-automatic.asc
+fb260ce8521a2faa4937d98a29a5347807e10614b97d510fbabe5480c803bda9  debian-archive-bullseye-stable.asc
+9c854992fc6c423efe8622c3c326a66e73268995ecbe8f685129063206a18043  debian-archive-buster-automatic.asc
+4cf886d6df0fc1c185ce9fb085d1cd8d678bc460e6267d80a833d7ea507a0fbd  debian-archive-buster-security-automatic.asc
+ca9bd1a0b3743495ae45693c6d4e54abadcffb242d72df15eda5b28e4ff385fa  debian-archive-buster-stable.asc
+88d92e09810a13b5e749839bca89029fbbe73cca261a3a26712a560cc7b50e47  sipwise-archive-2015.gpg
+b64656d5f8fa0a636d46084bda74e16cef502d3d48e8ed101c6386ad8bbcacef  sipwise-autobuilder-2011.gpg
+06cd0ec90ce6fe35917debde9976e6ccf24350e6db492ab7b1baab450a58b9af  sipwise-mr10.5.gpg
+ff8a919dce361dca2a1a67c7d106ed57159ea362394b2c0f5c622a64382103e0  sipwise-mr11.5.gpg
+e58c32479486501226872a1dc27f41083d636ff21876306f9e35a72c7197dd6a  sipwise_mr12_5.gpg" | sha256sum -c --quiet --ignore-missing
+    ;;
+esac
+popd >/dev/null
+
+# this is the expected output of templates/140_apt-keys.yaml
+echo "OK"
--- a/templates/140_apt-keys.yaml.tt2
+++ b/templates/140_apt-keys.yaml.tt2
@ -1,13 +1,7 @@
 command:
-  apt-key list 2>&1 | grep -q expired:
-    exit-status: 1
-    stdout: []
-    stderr: []
-    timeout: 10000
-
-  apt-key list --with-colons | grep '^pub' | cut -d':' -f 5 | grep -Eo '.{8}$':
+  /usr/share/ngcp-system-tests/check-apt-keyrings:
    exit-status: 0
    stdout:
-    - "!A42C4F2A"
+    - "OK"
    stderr: []
    timeout: 10000