#!/bin/bash
set -eu -o pipefail
# NOTE: apt-key is gone as of apt version 2.9.17, and /etc/apt/trusted.gpg.d
# got deprecated with version 2.9.24. But key files might still be in
# /etc/apt/trusted.gpg.d, and there's no interface/tooling available to list
# trusted key. So rely on apt-key only on Debian bookworm.
DEBIAN_RELEASE=$(sed -e 's/\([0-9]*\)\..*/\1/' /etc/debian_version)
case "${DEBIAN_RELEASE}" in
12)
# note: we need to avoid this apt-key warning on stderr:
# Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
# otherwise the output of this script doesn't match what we expect
# from within our system-tests
# check for expired key within apt's trust store:
if apt-key list 2>&1 | grep -q 'expired:' ; then
echo "Error: Found expired keys in apt-key." >&2
exit 1
fi
# ensure old dsa1024 sipwise apt key isn't present:
if apt-key list --with-colons 2>/dev/null | grep '^pub' | cut -d':' -f 5 | grep -Eo '.{8}$' | grep -q 'A42C4F2A' ; then
echo "Error: Found deprecated dsa1024 apt key A42C4F2A" >&2
exit 1
fi
;;
*)
# nothing to do with apt-key for trixie and newer
;;
esac
apt_etc_dir=$(apt-config dump --format '%v%n' Dir::Etc | head -1)
apt_etc_trusted_parts=$(apt-config dump --format '%v%n' Dir::Etc::trustedparts)
apt_trusted_dir="/${apt_etc_dir=}"/"${apt_etc_trusted_parts}"
# make sure we don't have any unexpected files inside apt_trusted_dir,
# which defaults to /etc/apt/trusted.gpg.d
for file in "${apt_trusted_dir}"/* ; do
test -f "${file}" || continue
case "$(basename "${file}")" in
debian-archive-trixie-automatic.asc|debian-archive-trixie-security-automatic.asc|debian-archive-trixie-stable.asc)
;;
debian-archive-bookworm-automatic.asc|debian-archive-bookworm-security-automatic.asc|debian-archive-bookworm-stable.asc)
;;
debian-archive-bullseye-automatic.asc|debian-archive-bullseye-security-automatic.asc|debian-archive-bullseye-stable.asc)
;;
debian-archive-buster-automatic.asc|debian-archive-buster-security-automatic.asc|debian-archive-buster-stable.asc)
;;
sipwise-archive-2015.gpg|sipwise-autobuilder-2011.gpg)
;;
sipwise-mr10.5.gpg| sipwise-mr11.5.gpg| sipwise_mr12_5.gpg)
;;
*)
echo "Error: Unexpected file '${file}' inside '${apt_trusted_dir}'" >&2
exit 1
;;
esac
done
# check for expired keys
tmpdir=$(mktemp -d --tmpdir ngcp-system-tests-gpg-home.XXXXXXXXXX) # avoid touching ~/.gnupg or alike
chmod 700 "${tmpdir}"
for file in "${apt_trusted_dir}"/* ; do
test -f "${file}" || continue
if gpg --homedir "${tmpdir}" "${file}" 2>/dev/null | grep -q expired ; then
echo "Error: Expired key present in '${file}':" >&2
gpg "${tmpdir}""${file}"
fi
done
rm -rf "${tmpdir}"
# some files might be missing (this is OK),
# but the existing ones need to match what we expect
pushd "${apt_trusted_dir}" >/dev/null
case "${DEBIAN_RELEASE}" in
# bookworm
12)
echo "c2a9a16fde95e037bafd0fa6b7e31f41b4ff1e85851de5558f19a2a2f0e955e2 debian-archive-bookworm-automatic.asc
74f81645b4e3156d1e9a88c8dd9259271b89c7099d64af89a2a6996b592faa1f debian-archive-bookworm-security-automatic.asc
521e9f6a9f9b92ee8d5ce74345e8cfd04028dae9db6f571259d584b293549824 debian-archive-bookworm-stable.asc
0b7dc94b880f0b63e2093394b113cafd870badb86e020a35614f49b9d83beb1e debian-archive-bullseye-automatic.asc
716e79393c724d14ecba8be46e99ecbe1b689f67ceff3cb3cab28f6e69e8b8b8 debian-archive-bullseye-security-automatic.asc
fb260ce8521a2faa4937d98a29a5347807e10614b97d510fbabe5480c803bda9 debian-archive-bullseye-stable.asc
9c854992fc6c423efe8622c3c326a66e73268995ecbe8f685129063206a18043 debian-archive-buster-automatic.asc
4cf886d6df0fc1c185ce9fb085d1cd8d678bc460e6267d80a833d7ea507a0fbd debian-archive-buster-security-automatic.asc
ca9bd1a0b3743495ae45693c6d4e54abadcffb242d72df15eda5b28e4ff385fa debian-archive-buster-stable.asc
811f878f5320fc8563a70b166d2c27ec060b4397ca021702f433bc4659336b9b sipwise-archive-2015.gpg
f00aad42a76ddec341fb2c67b45b41e2d1c19d67bd239196cd52488c4b7da4a0 sipwise-autobuilder-2011.gpg
06cd0ec90ce6fe35917debde9976e6ccf24350e6db492ab7b1baab450a58b9af sipwise-mr10.5.gpg
ff8a919dce361dca2a1a67c7d106ed57159ea362394b2c0f5c622a64382103e0 sipwise-mr11.5.gpg
e58c32479486501226872a1dc27f41083d636ff21876306f9e35a72c7197dd6a sipwise_mr12_5.gpg" | sha256sum -c --quiet --ignore-missing
;;
# trixie and newer
*)
echo "c2a9a16fde95e037bafd0fa6b7e31f41b4ff1e85851de5558f19a2a2f0e955e2 debian-archive-bookworm-automatic.asc
74f81645b4e3156d1e9a88c8dd9259271b89c7099d64af89a2a6996b592faa1f debian-archive-bookworm-security-automatic.asc
521e9f6a9f9b92ee8d5ce74345e8cfd04028dae9db6f571259d584b293549824 debian-archive-bookworm-stable.asc
0b7dc94b880f0b63e2093394b113cafd870badb86e020a35614f49b9d83beb1e debian-archive-bullseye-automatic.asc
716e79393c724d14ecba8be46e99ecbe1b689f67ceff3cb3cab28f6e69e8b8b8 debian-archive-bullseye-security-automatic.asc
fb260ce8521a2faa4937d98a29a5347807e10614b97d510fbabe5480c803bda9 debian-archive-bullseye-stable.asc
9c854992fc6c423efe8622c3c326a66e73268995ecbe8f685129063206a18043 debian-archive-buster-automatic.asc
4cf886d6df0fc1c185ce9fb085d1cd8d678bc460e6267d80a833d7ea507a0fbd debian-archive-buster-security-automatic.asc
ca9bd1a0b3743495ae45693c6d4e54abadcffb242d72df15eda5b28e4ff385fa debian-archive-buster-stable.asc
4d097bb93f83d731f475c5b92a0c2fcf108cfce1d4932792fca72d00b48d198b debian-archive-trixie-stable.asc
6f1d277429dd7ffedcc6f8688a7ad9a458859b1139ffa026d1eeaadcbffb0da7 debian-archive-trixie-automatic.asc
844c07d242db37f283afab9d5531270a0550841e90f9f1a9c3bd599722b808b7 debian-archive-trixie-security-automatic.asc
88d92e09810a13b5e749839bca89029fbbe73cca261a3a26712a560cc7b50e47 sipwise-archive-2015.gpg
b64656d5f8fa0a636d46084bda74e16cef502d3d48e8ed101c6386ad8bbcacef sipwise-autobuilder-2011.gpg
06cd0ec90ce6fe35917debde9976e6ccf24350e6db492ab7b1baab450a58b9af sipwise-mr10.5.gpg
ff8a919dce361dca2a1a67c7d106ed57159ea362394b2c0f5c622a64382103e0 sipwise-mr11.5.gpg
e58c32479486501226872a1dc27f41083d636ff21876306f9e35a72c7197dd6a sipwise_mr12_5.gpg" | sha256sum -c --quiet --ignore-missing
;;
esac
popd >/dev/null
# this is the expected output of templates/140_apt-keys.yaml
echo "OK"