From 5d00c764bc06f568e4bdcd2004801adb94d40e93 Mon Sep 17 00:00:00 2001
From: Ben Grande <ben.grande.b@gmail.com>
Date: Wed, 3 Jan 2024 18:07:49 +0100
Subject: [PATCH] refactor: import armored gpg keys instead of db

---
 salt/mirage-builder/configure.sls             |  36 ++++++++++++----
 .../files/client/keys/pubring.kbx             | Bin 802 -> 0 bytes
 .../files/client/keys/trustdb.gpg             | Bin 1280 -> 0 bytes
 salt/qubes-builder/configure.sls              |  40 +++++++++++++-----
 .../files/admin/policy/default.policy         |   4 +-
 .../files/client/keys/pubring.kbx             | Bin 7652 -> 0 bytes
 .../files/client/keys/trustdb.gpg             | Bin 1520 -> 0 bytes
 salt/sys-pihole/files/server/keys/pubring.kbx | Bin 802 -> 0 bytes
 salt/sys-pihole/files/server/keys/trustdb.gpg | Bin 1280 -> 0 bytes
 salt/sys-pihole/install.sls                   |  40 +++++++++++++-----
 10 files changed, 88 insertions(+), 32 deletions(-)
 delete mode 100644 salt/mirage-builder/files/client/keys/pubring.kbx
 delete mode 100644 salt/mirage-builder/files/client/keys/trustdb.gpg
 delete mode 100644 salt/qubes-builder/files/client/keys/pubring.kbx
 delete mode 100644 salt/qubes-builder/files/client/keys/trustdb.gpg
 delete mode 100644 salt/sys-pihole/files/server/keys/pubring.kbx
 delete mode 100644 salt/sys-pihole/files/server/keys/trustdb.gpg

diff --git a/salt/mirage-builder/configure.sls b/salt/mirage-builder/configure.sls
index 3a2706c..a15870c 100644
--- a/salt/mirage-builder/configure.sls
+++ b/salt/mirage-builder/configure.sls
@@ -40,16 +40,34 @@ include:
     - mode: '0700'
     - makedirs: True
 
-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /home/user/.gnupg/mirage-firewall/download/
+    - source: salt://{{ slsdotpath }}/files/client/keys/
     - user: user
     - group: user
-    - mode: '0600'
-    - names:
-      - /home/user/.gnupg/mirage-firewall/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
-      - /home/user/.gnupg/mirage-firewall/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /home/user/.gnupg/mirage-firewall
+    - runas: user
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /home/user/.gnupg/mirage-firewall
+    - runas: user
 
 "{{ slsdotpath }}-git-clone":
   git.latest:
@@ -83,7 +101,7 @@ include:
     - mode: '0755'
     - makedirs: True
 
-{% if salt['grains.get']('os_family') = 'RedHat' -%}
+{% if salt['grains.get']('os_family') == 'RedHat' -%}
 "{{ slsdotpath }}-file-security-context":
   cmd.run:
     - name: chcon -Rt container_file_t /home/user/docker
diff --git a/salt/mirage-builder/files/client/keys/pubring.kbx b/salt/mirage-builder/files/client/keys/pubring.kbx
deleted file mode 100644
index 25df66888b4cc1b523de82c8e625f14288cd329b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 802
zcmZQzU{GLWWMJ}kib!Jsf>alAT@VJbA%K~Qi4n|-V_;yKz`)2L6Z`l<z#R8iHXpp4
zE_=O`_+j<;wK7nJ0z^Gf1rGxQV;zuZ3Kn5xV1dfODWDB@AkIuiUY5uy8IFt`44Y#O
z-oBjqDKk2+a)J=Mg*sEx)_dzi*0C%8Iy9rABlc9rJ45cM<8gkI!gXhD%U!j7=Vaz9
ziw<u8BfG!LyFbA*Mvk#xzq|X1=PvIF`xo`xpV;&8pwwkgp7%-CEDw5r`1OgD_<J$m
z`>>Yd*kaqp<9ny^?3s4(wDTRK30vFS<Iaf3UHzc><HDPm9Y4f>D*UK^dBMhH-jr<?
zrxh%{R^IWBZd)t+Zev7P=g)HQpxX@V+G1kFr|~G?%6oc<?>J|{ra;Z9F|RZDQcK_3
z{$gMCm4A8VI~_iWp8DuzVy_L8<v+)Y9k=)Nz5D)T2HT2jCTBNfRnB7D|Ky#pWT31)
zgGXY}S5;>QK}H6~4Zx5~FGz=kH^UZF_skNH(j*0q^3){Vw4D5Mh2;F)+{_Y%;>`5C
z%)E3>1)IG5qSS(%N{95!l8n+MJ)pcD)DR{}Xm>Iyu?PdhSB#Yj6w;gmuoz>KW@eHE
z+BB1q{hxwxMC77dJ*jN6ADGTeGEokF(0rfASgw7=pNlEKi@3z!#(i8ddE?q&uWY;%
zohuS#I(O$!=64F!zO{ae&E9R>KiLT?R(;(o5V0}HVA>fk|He4)OFi{jpA7ge-?#cV
zWua}Hb8t4#v6>3qPxobR1fMfKwa7>3_o-a<(+dqQF~@#=ch1dSSxS6z)!8D0vro^3
z|2niMK*as>-A09}O_tv#Y~TI+kcQ<$v2C9w+e&Uc6&qYQ^U_O>n9ci@^|+FF6C0Q}
z=v#bbVHM}R`@ltg*DNciA1>jte*Jrx5B+X`dSSKRqYv9zZ#l_o%*nI-Tveizx#q_4
xpW=^XCa<!8G`(+%l;rvT4Qvd|z;I_!uR0xPKTUnXGKX99!)<0as75Z~1^}EoJGcM<

diff --git a/salt/mirage-builder/files/client/keys/trustdb.gpg b/salt/mirage-builder/files/client/keys/trustdb.gpg
deleted file mode 100644
index e08b410df17efd6204ed36e8169a0c5203a37a9a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1280
zcmZQfFGy!*W@Ke#Vqi#hk>F;)4j8$xi(`n6s>28pumH`&MQ(uX#cnMF&HX!SFMZP0
zAPZ+6hS<js0_M2CviacUblK~j#1E^#ua(&#u9QbOmX{%|%_Pq+aVdMmq*o~uGX7jy
N_<4mYR2@PY0{{|U89x93

diff --git a/salt/qubes-builder/configure.sls b/salt/qubes-builder/configure.sls
index 94da951..0e78ba2 100644
--- a/salt/qubes-builder/configure.sls
+++ b/salt/qubes-builder/configure.sls
@@ -43,29 +43,48 @@ include:
     - target: /home/user/src/qubes-infrastructure-mirrors
     - user: user
 
-"{{ slsdotpath }}-gnupg-home-for-builder":
+"{{ slsdotpath }}-gnupg-home":
   file.directory:
     - name: /home/user/.gnupg/qubes-builder
     - user: user
     - group: user
     - mode: '0700'
 
-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /home/user/.gnupg/qubes-builder/download/
+    - source: salt://{{ slsdotpath }}/files/client/keys/
     - user: user
     - group: user
-    - mode: '0600'
-    - names:
-      - /home/user/.gnupg/qubes-builder/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
-      - /home/user/.gnupg/qubes-builder/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /home/user/.gnupg/qubes-builder
+    - runas: user
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /home/user/.gnupg/qubes-builder
+    - runas: user
 
 "{{ slsdotpath }}-git-verify-HEAD-builderv2":
   cmd.run:
     - require:
       - git: "{{ slsdotpath }}-git-clone-builderv2"
-    - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
+      - cmd: "{{ slsdotpath }}-import-ownertrust"
+    - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-tag "$(git describe --tags --abbrev=0)"
     - cwd: /home/user/src/qubes-builderv2
     - runas: user
 
@@ -73,6 +92,7 @@ include:
   cmd.run:
     - require:
       - git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
+      - cmd: "{{ slsdotpath }}-import-ownertrust"
     - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
     - cwd: /home/user/src/qubes-infrastructure-mirrors
     - runas: user
diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy
index 1051544..5953898 100644
--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@@ -5,11 +5,11 @@
 
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp
+qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp
 
 qusal.GitInit  +qubes-builder {{ sls_path }} @default allow target=sys-git
 qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
-qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git
+qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git default_target=sys-pgp
 
 qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
 qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
diff --git a/salt/qubes-builder/files/client/keys/pubring.kbx b/salt/qubes-builder/files/client/keys/pubring.kbx
deleted file mode 100644
index 541232e36158405c458deda61a4957e5b0668a03..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 7652
zcma)=byQT{-p7ZbyO9`RXpm9_0coU>ZWNL3p$3pfx}+PWd+3g#q$LHULuo`{=!O@c
z=kdLF-TU14y?dQGYoFiV>#Xy~cfQ}xZvy}TFcJ~~s3@sx4!9p?93)4-e!u2_4$MLz
z(jPM)005H|00e+C3l!rnUOU(vMsXC#i4)Wf_qeXy?*RYW<yLV_-4`e#J6^1w2njFm
zge9U*-j{`ct=$hK01f~E%($QZSpfo2{;2=U?e`a?0&!7ZF~S^?2mlMd%u%sBnV0w;
zin<vvWjmI^3CeDEKB%D7V<GR;EN+#+{6qX@nzOzHUVKiNnx<&h;&bZ34Bob5nF-rt
zLW^uWEOSprJ5d&bOb2mB%6ThQ%P^4`1}&EvS5RDj)U;RI9CyUhPu<YnQIPv{^rxwd
z$R=axfn$vib3$Kwsta>^s(%vpLMh@!>aUA%$}}I@Y4*ya=T4eKDhumQ5K;M@AxB{u
zFn@}?3^5ipXe)9tRbwi!U(A*!<vSr4Rht*KQ~MDj3VN1<viD5qUE~D+#lyoP2_EXG
zGW>Z(qB+Oj_rN$(`9yUj7%9`4t;5*h$@v;cO5qwKPFW|UydT>)V6ZEdwdhK0D;7gD
zx@`PI*7+&C1<BGqaI~~Gzf1PY4qA|?vww&;v`bnL54{i%e+|NASW=_lt0y!R#5hy?
z)bRenZ0-CU?`MC6_j`<P>t@sKoeIj~(0~&G9xa}w*e0R}u7pk3vLYu;9{R`!(Uuv{
zqxqn)**s&308W2?mP4N!o7#u1q&2`f@ZuD+&l;;Z!h3{cPR7sZbe;GTI;;yLRE4Cs
zHat>0$0ye){XynGRiDWy`z*9}RDv|fPZWQofaE0Her`+u$|6P2wi*L1tzdv)aF?^5
zC6V2&-Mi3R`untbj2NmI2VLk$IV;Imo2MV=bT7uOc}DXAgh&9S%6s)#I9U9tM?kHx
zj8j*!X;-n6l?hnY%FM~h3<_p7H*>IpI+?M7h0UGJOwI1sxE%gm6L)kmHgo2*cjmHp
zvJn02UBEx37Y0;8Aw~iM=uv^c1P7!-M#IL$Kt~3mkzxQbv9M9dfXGNd8YJKYKL8yj
z!Ef1<(V_g^zd^W(01%Z&ARLh_wcScEV(l5Q9!3hPBG>-jJVUS4(chD$`NlML{apJ3
zM9vwcVum{Lke@N@a+Js8xd<DDCa8d+1DhxEkU?ge@_W^pj)8AyPB9$uMzo`4jYHjH
zK2$kvnJE8C$0Pz$Pj(hwDce7N>5E8^2wqBBeg)}KetRHc!b>a@2j3;Pk7bOa_jE?0
zFF8E^E}Pd7_tb2ZUh1)ToLlHq2BTpr`!Z@x{+zO~c=dP_TaF)gWm003sDjZ*=V?%a
z&o;VvJs({)EpZ9jAswt;4M<Hhw~5<0i(P7_8#Qbn+*L1z4?QaItE}ImQ=q<rQD@LO
zTKl2qNQvJ1V?d2LF?(efmS*;JL-sqHJw}*j7OR<0OvOWvZRDIpnNtwBM*+$!?UdVW
zH&H!nZf3bNOAb%#Ux*GE`7kHVs!ez``8`{%lm&jN)cL{9hI&ZM#OKoe{qi7ZfpTYc
z!Y!Jt=F5#$v3iaCYe;A9j@|sq8<RmD)^4pw?gJ|HE<c53AvY2A6>u9rYpz$mSbhT5
zNhQr+Wc)UKk6#nfSPV)iMTkz)_+n44!pBG|DOl~**u3oqzFF6Ov#w;{EP}2LZY*Zb
zoV>pd<jKig9n%17Df@~@)#mrtY%(8$V-$m0FwqXvyGMry33pN!(1_%>vwyT1h_Mr7
zwgd6WG6bQOXaMAUtpb|<;b9%Z$xaWru-wBT<S0{}Z{AbyKj71USD*zQ(9_sR$iW8l
ztCpQJt0kZKD@PxgJ&w%^DYJ*rw-qp&q+dAM8^AxsGh_r5lq8LFHqRj@u6g#PP5ZbJ
zKW*f~@1#8HgTB9+5^)h<MeE$F5axC{EOAa_PKmZIW{dt}+zHp&_i>Hu)@budi=F&w
zC53skK^?qV&CbkyE86V~M}c^J#w8(b*x?Ijp+i#7Ocm=YYKdAJy4o<;J0RU~h@OKT
zx%>43+TPijDMx+#UJ3(%i?>oZs?YluH1FKkP7L_%qY@4+0+hENPO`7(N?Oj@-*SOD
zcID*z4Dm6W-%WSUriktF4wRPi#+vjb&-HmNEpni^9`5d`bQ^{BFS<3pF;<;&sb&rw
zzq4qJSlp<lt-UEiRno{5;vub|Bjh30Wtg|%__AyMBNsKlN|#Fc_;@kllfF3Z>f&<J
zM8sTuuD<NqD~UHgF>RNK>UCXO><`PNgVLHhdalB~N74$~d>piZ)g0wI!`bX9<j){2
ziiV`Z;abO5j<2`y6Nls?ZNM=9r|{)K_hxcIVs{M7B17J`QK?pX;&~Uvijt87IA`NQ
zjZlWYfYA);ld7qKnzDRK?LwAElp|;Krw9F2B9>?E7I^qC@+)jpUy(gz^@0<NE9taa
zGm{{0IGQ_?<2B#^;bCFGrzqt2PJ{W|X>k4vLrG-AzcYDdBQ%L)8^Z<JCCfm6niu1x
z?sn1d+;bEKoj1@`i6z}}>YMb!A%uze(nSVN;ZKRr*3Vk3_}KW`4@AxLr2;AHYJ`p3
zuXkV3JDn2_<nFq|ao?^jC?${F=$565k%Ml!E131X=rR|HKvN$HZ{YsK51h;}74mM`
zgjFT^NG%mraTmru24aPr$@Y$1enIj3=uTE4Lux`H4C_rhx2Fd_mv?MW>PsOb#-nX;
z+-B{z-VcarHLo6&oz548RL$<250h&4#pW?Jhq8OC+faEy-VfYFvKCB9rS3*^Ge@Qb
zMbW!P&kOXAv*t+IBSN+uCHI28+(~V?8Td|h(5ZhyEFpq3lY)|bSl^ix#oqk@s*-my
zXZ-Z8nv1oVU?(#n8}v62F~E54$>eegATAAgG|@rL2&=Tdmd6`Hj8Pm#XM1N)7WFkB
zBy}YtdG<tnP|Rjvxx=*>QdFOhRDH{=K|=VM)$M~larmSBQ_Fx|%2O-}#X|5&4Om*X
zYLdHh@#-Vf#8^k5cw`Etv)qIVEWqUR(h0c)-W|UPN#swQgCYrgJTa`*!Z%+%2OMBR
z?D5kD5S6Y7PEGO0^ooK_H1%DeEP5;IHjFV@p4Z<JD}is{>G#T9bm>NyzM`MYYmTG(
zb{3_NtSa6w)84UZi>@rNy_bSI1yiX^PLKX=D0N@wDB4X=8IQ?6W?S~VWTQ{U^8o<p
z-hW}5@%<eA9<)F#%0w{a!&^3fvum_D6kfOkgm&~k?7)Aq)}JWmfBz);N98}G*x9f3
zUnur+xy9%n#p(+Tc6L#V$l9=#_`Z6!?p?^MzF;3XuNPNhbLmDIFq4)td>Xu;m~8Tf
z!>iDjiLlq?0_GYcc|zx%CKXDBHy+h$63WkVs#qxaJu_NN!Z|F{V`)uQaK1k_=6O#}
zX~O_sx5&_d(wM<MH(TPx7i-^u!~ssDkUMP@&Z)sfGS7+LuF0wJeAqX|k3&Ta9S>0T
zqHVgdlZ1^I5{M?vt40zkkFLU#@5pmmHE9FsCnWWFIn_s*=xlNcC=_f6Mmf~c=jS4M
z6IW(lSE5t;VC1);e6fYK4=_`^>{qd80IKx@_pUw7Hy_n=48V)2O;4_$Vc&i$n2Q)&
zL@jauaMD;9c7&V9er=&n9jD}lb@s!^$JC;dBqY2%!lg;RH>lkeATj>95VyRf2f<LT
zK}_bvhyF-x^o@RXXA#b5m0Yxl?3Gs>zX~&DwR$EAA#vANx2@um&mD`6je`@R>$dCT
z!9yG?$7b;#AaToLI&(TfM7NZ=5AnQty_-WuozI$r+s`8@jiM}4gM}TjIulP{NF4CE
z3|Dh6J?DLz#hX0N_2}@iQa0YLgS*ecyFfT<1&cgo2+cMj#aOJY{Ql#hjoszoo@+%d
zhmxi&eGL_m`q5RnkleU?E5#;lqvquM+cfF^V7}#rBHya6b84K{@`tHe_G+GNB}+8>
zR!Si@e}`g{8di4p5U{L~m9v=>m{si;X@ONVz|K|{5G#lU*v8ELp2(bkZ4$SFxLP?|
z8QYpcE$^3{ZH<h%OziFc4ak)5feZ^EaF1Ajr({&%FE!qC8tN}jyT>#vObl$`KVupe
zCc$snXIA0gvV7oRXggmtgxI2unG)Ug4L2=USUEqHD+mKZz+9NopEB~p$uvZotKwWi
zdUJLNAuO1f!lo*pb<KzR3xqaELg8{_0GXvir%Z>)cGbTobLxFo#Nsison-Y(szE%y
zg?Y0}+R>Xu0wrQ_qeK&6EZ%x|8%HHdVzDI~JojuzH`Po+L+45DjvL-WESNtj>B}BD
z)`{Ot!yfk2vlmhA7M6{=#%YucRkB;I1_6!!df@Knc?!OdeNR`o=J&tM$&6rCideca
z&Q>1ybIazG<G}DS^Xr?E+jz7+i7Ci(-(E$?3h5ljj3pvvveS!L%&JPpJWdGp0J+wg
za(iyUckwW$?VZG`#7_ut^Z2*xJdVNxX)h%4n)^D($M-goKPzir)ufhF32HX>%DMYR
zH19uU^E4V2=im#AIrp_-CTQr=<gn9}%(bT&ax8spM6SD9BmHXqWkhTpRNe`_40;0M
zKm6I+bkMLwbxKNFPQ25~)ICo`8G%@v@CZzON~FrJoQa!?u&G<tmd0UK?h;H0+B#oX
zF-OJ6Ctv+KT&z<RxNHmx87`B{lABk)zW7ej8Erd?f7ZGs1z!z#PofMRrHL{z44J<%
zDRtH4RLj<_^XZ;?N5IQFs4oQmT*688dFiZ1#T2FgoS8>LaT}@-NtuiEIOsK&Cvl#;
z!f*Qw13p0^K*9h}-wR99m+%I^L=gjt0RdXPq!fJ`l8|sOtm~i{z`c5YS3c|!04kZb
za?qx~siu3gu2X1`G_EKrP{FHH%od+0IftPw(Z32;uMpn6BCE)(Ya`~Ns+f0_40(1S
zC@&wO&Y<)n1){DIx;CT+zq>XE*sXzY)z@X$mw64f`|8b(NLQn00d!aAs83QWKZhB*
zbvw;bPqua7vcmM!J*f$IS^X&|a``NoNA(~b)40WQsi}z1R2a{LH4i=cSiknZ8^(WF
z-A&mSBynVC%e9&(JEo%2=w32e2b(GC5LUI(BeK)NNsi!0&hu{=EuiuF+F&p9z%=1J
z$E&-6?=jL(?~A%b?N2%xAp^Ht#8d(*PKoHj>ygz^ifbD?CSSi4+NY0n8V#!WbMs$L
z&ND;#((&q=-k`|$=4UR0g3B<EA3?c4I=#O3!1Psg#1cMc92R~J-qdaVLX?;`PG7Um
zxF7aO#_*CTK3}WzItDp4*<XMu<tTQ6`X}>@jsq7}9wL7=EgWzw3~+U3-uyCh39CrQ
zsT617=*unlo+!r?(P1;_9)!shz%cKs5|F_gSKbHcw?#<NlV!kbCGk6CLUCs$l#6d-
zkt0DiS|NHy$gif-<sV;%koR|b1<#|$epmbmsqxzQ<Q9jJMV8-TPxTVel+70>{(z=7
z(vQn-HxQspT@%9^#o=z%t?@02^dqg#OR_blPp4#8%`DKvoEI$n6CFPH>iN}q0*dWF
zvPZa;W7@i%VU4Zc8XMHeyaE7F3I7V;*8l)Y=CAPmJ7wLcDEL>D-j6@S_x?l$K>pYB
zznz2JpMm^u@G92ET-*n5pJ2|#0;(fIyzKIdm@MA@HZs7#Qy4lMS%smGiPza9)VdA~
zh)$?grn5BILh4W<4<Z*k?2r|d*?@`|i+jl{sJ}u?Va5(xe=AxU*r6*~J4p$C-1#`J
zsp!GX>CgrHCDzZPYvJs49`yBj4ifLC5~!Fg`o~PtNUFJaFO4CQ{0<5Iol_a*8?V+n
z#G}TFg}a*f<vuxxz7G<4rmobdw7&tG;+i75F?<%Ui+aGapACw48g+Gh<qonSYFQ)j
z`Fxh((($~+kT@_>sWV$4d#{|AoUhrIm~>61oP!+4&~Hr2ue(VJ_hnq({PMMQQfe9L
zM!sH=ug(i2Rqd8Yobw{{g<!YwM8fG&1`Dwab>gnD6~%<b6{(^;h1)OblYz>%+^rhL
zVrz!6r*Yek<%@3P?K;NXoV<nEbjKMHRp<UP-$JVq$h@9B4~R?|kkGWH!SDk~si#5<
zwOl$eb{p7b!dezuTozB}9K^+?fn@Lw8YS*sT3FQF<hV4%IA-m7B**TDB!9-;+YhVA
z3%*mFDK#H^w=oDkcPOWE8mtIF-1;UDwXe|#(2o!DYVNF{A))&(Wkbck!|Jz}s_XlK
z=J8*jCw>SDDO1u~b`rWwt&9seMm3>Uues2hl_|QzTQVABYCCjcBx9{##cpPJFTEy9
z5hZu_?pm6B@96J>m;BGDRWfph-UqM7UvaBw=Kine8~=#Yztbiv&?pZq^#8=^Z$pF#
z;NO5gHi2OH&y8Ktn#$;A<mY7>3#j{c+#E%73h{(2UTd;*Iyah<A`3=k+H<ZZq~E^r
zatMQ%(`=ODsFkLm8Isl~G(0pAiwN&|XtVytX!-3-H+iy<C+|M{F5!k2DoNEByX->k
z^0($|!D(KrH&%<TkOq!fLI;ChqjUZu@!jfc)*a1wmuQ!}d4;$%o`xihOGX21iS0I<
zB!z4hyT+b$?%qWxCO=wBwSXhTQPutfhh9>;$c;-#;!Ql?cs87^dIpLP1Ud5K!`#Jz
zPZq<(9m8`PByDX#xP}Hd2BvsqtDiVRj-*HiP|O`}qT+4?=8%e>hq~~0g+#k47Fj$|
zdDB-Gou1mVt0KA}LL>`#3G4WP*0`qGRl11D-WVSicY8P)CpJo%^Khw__eo$R&2<5y
zD86DQe!IB3YP|`+Ot?DoaBxT%vt5V6YS$UK9?e8|OG_iT!_FgGdfg~p?k?bEoSG)Y
z5NhzPBG8?7PbPJq_j0#syP~F>Iwd2%-4V1@_WTKKuM|JGpP-j-Jz>Kz;XA424tnS~
zHPLY*Lwzzd!i`}^^f&`CGIw5>*s%8`&KnRYd?4?7H+sOCd&{a{NM2r%&(5kbEh<bX
zfE5+%s+GL5jiLY9n*&0Z6J6OzK-CSL%U0Cn+MfLyz>eVj%7sfj?%a)drAPZaPRZC|
zNoc-Xx9g^o0LZM7gPzvmeV2hA{ZHKp#V<nym`X-VYpT`kY=--y2?{hzjutZBTOarj
z`}=K(zq%34KPvx4H=;q7h<0y^bCT(%lqZdob1n2jITZekGU*;RkFCOy!^&hQMo>JT
zQVC%>+$G~5bJrf!Xt8L`mz?G{%&S%qA=avnl(Q0gP5KioNNnTP5owsE6I4fBkfhrM
z>r_vSFKb8qNwa&@FM=<oXz*NEJc{|-O0+(I;%kf)IpoJ{88(b;4;4UPdsa=^Mm9zs
zOcNaIGr~hLgRV5Tlza8w0FOzTKSK-CM0NZve>eGEs7gXl$rTYAW!Zu2@G1@n_1yTS
zuM5wRW%|sL)DU^xm4Mf6MoYhac>A=$%sZ`CqBYk__{zrElZR^o{K%u`Kr(*C{vsm$
zl%R~ljSznv1WFp5j+R1{zv+GMT)yu3p7)-KY86AMB6OhtJCmBsgvpi+b`r>W-KL_v
zl<Ej40b<+(vKW$gOyFUN&u}YRU{G8#1{ZFqZ+(k;)TaElJr@?j@WrTV<#nq%e4TMJ
zT#wCBTOGA6SbY(B<;fFb+U<i(Vy%ktQ}(dS{7Y}4Pi#u-raOsQq1*5ZPe%WmTUux1
z*7p%TrJz7r-r4KxfrDcI7ZmU4kYN(D(?n<yVD?XoITq`3*J%2J*58rLu(G!cAk2x9
zKAb{m_5^j9j#u!w?ea)rhq?ft?Lj@%+Nc`^xt6KAffdgcLA*ODZjv7y)7+(IV6Yo0
zQTN5p8Ln>W%)Wrz%fB;4O(i2IGaK;z-NeJ)#@@}@#)?z6tH#O9#K!7BHYavQPWP9Y
z&41gU{K81A{{tiM4VCbpF_KM}0FXG-<F5ecmF*@xd>}OQVN1nMeMCg`>Rq=Yzb_V4
znKenl`fcW(*&00K2v6#UB#*FQtZe;63KyDLub45r@@nd|C5C&N@!H}<({Ehwhn_3_
zjGXZ1XGUc0%nlMcvkVGYmhb`AetXe+jQjqXQ_uvol$kL&z2%$c;;7*|zp9Lfe65cl
z@}qO-7g02Ng;tf;XH@ggEEecL&bRmTz7|y2S>P`yS9vGv@mx=}Sa8!AFTgZHg^8x8
zV*<mkVz%|!)C7%(lX3gogIfB&&-Ct&W8Lqb>t{K8`Zz8WvLI``Y@}|Ak2M)cRof*g
z9g>N8?n~#)NtI3!$0J_QgB4%6T)6%4WHVy$;O(1@!5+oiG5COjVX&5yoB4iL#JLt6
z3BN54I%Fv)sph`sgET=<RoektjtKGmuCb?UvN$A;1ZnToQB_y;)vN2lRi$uH8UAi9
z_Go&)<H>j&fu35GHJ#3SD1kHQ#LuFB<uA$MGG2rT@dNb177r$;k*v<($B$Q7V#@qh
z86}k`DB}>|G$tV)p(l~i#)$Q09@`~`2K-}<wH=P_!M=$?rJk?mP1gc8D&)vqEl%CK
z#lXjf#!3&S-!MxA<%Q%0z(q(msh5oQRli2qg?t^5Zag5zSFZC-Bd2_wpFG$+)ye=A
zs&rIb*|<JTaoto%6eBil_>GZaz<<Q?-#O#2I2K_4f8zMJjf%z*06sO}EDWKjOS0H5
zREDFEmWGmr4<HB`%h&rQus-H+z$ydL_Yf}xRGCg0d_5j=`}P;o7@K4xtB&r!$Uq?l
z)HT2%S*^0Cmyzcx=2dapnWDE9SF9L5KaJ^_LgiNz_y-v&6&XZ}Gi%_lnO<u~<*XR&
z>YG8Yby$j_TQ>Mf9i>#<icQ&#l?j?Qn2C3~U5x2MPR?d5Y^>9-!%)1HIVCM6q+dAL
z6Oh~?YM*U>;4(*I<#Mc-=LoS$*%n9RWw8pP_h<+k(a?7#Nzajx;sN0xXb8pno=BUq
zEiqxXns16Rn6KS7o4$2~iT8-)M5``Un6SK<>dfH?$>~zL4o}c1HUBYd;m6Sg9VIY?
z?)7!I@>NJxOG;;|+9&dG$B;xL%fr#&RLn6m@Q}*|(mtOqwohwKLniL|*=kL|;dr$c
zY%5G3?@TY(WV~pX^AF+K*;6C4;gXx-Z|A;fqSdaTX@-uyJm<T<i}q-6CQLhfQ<=!?
zaG=K$p|75HK5TO4ZR|pwF!f2MLWj+Uq|~G3u<a3uA$TiUKi*VuW<EK8$~RDw;iYxz
z$q-C^sOR<tEfthfh4q7c6>3a(cU@mmKq~X(?nvIjn0(ofCj%j*3BlNz;bp`Ewu=Y4
zj7JTDIn+Y0<xX>Jbtn#Z!HsRI)7Tq^aGhA0hr$K=C%nJoc(C9o`?>RcK6+KmguM*%
Kfq-65%l`nET!d->

diff --git a/salt/qubes-builder/files/client/keys/trustdb.gpg b/salt/qubes-builder/files/client/keys/trustdb.gpg
deleted file mode 100644
index d7523461b0127eb745c51453c12fb203a2273f92..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1520
zcmZQfFGy!*W@Ke#Vqi$sxpRa8J7DAji7R54L>2|BLl(fnrnx$K>=x79UWEa&7rV6#
zH23dNvR4k_*wJu7gatBdu!jo|!~A95lYYh(WPj?@S?1v&u=VWGvPWzXFQ_7X!o#5M
zC$yUR(?3n~)IV&uSWNa5<jJ3hs#8H$=TtBFmw%Nv2cz-_nY+KF?9AGyOo6IXMpnm=
z;?(aN61e&G^R9X}ON(7j=a;KM)hQv=@iMgh|7Of+BdK8`Hzoer(uYge>@(?yszWGa
z;AJq(T@hI{J^Jalp2b&x$HrJ*?rq(UO&#CGD_RxTA|2n%otpn|W9h`}JUw%<sVkVr
ZIPGj(g0$-VT~fvc#s^;9F>k|E2LSLHQ_KJW

diff --git a/salt/sys-pihole/files/server/keys/pubring.kbx b/salt/sys-pihole/files/server/keys/pubring.kbx
deleted file mode 100644
index 25df66888b4cc1b523de82c8e625f14288cd329b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 802
zcmZQzU{GLWWMJ}kib!Jsf>alAT@VJbA%K~Qi4n|-V_;yKz`)2L6Z`l<z#R8iHXpp4
zE_=O`_+j<;wK7nJ0z^Gf1rGxQV;zuZ3Kn5xV1dfODWDB@AkIuiUY5uy8IFt`44Y#O
z-oBjqDKk2+a)J=Mg*sEx)_dzi*0C%8Iy9rABlc9rJ45cM<8gkI!gXhD%U!j7=Vaz9
ziw<u8BfG!LyFbA*Mvk#xzq|X1=PvIF`xo`xpV;&8pwwkgp7%-CEDw5r`1OgD_<J$m
z`>>Yd*kaqp<9ny^?3s4(wDTRK30vFS<Iaf3UHzc><HDPm9Y4f>D*UK^dBMhH-jr<?
zrxh%{R^IWBZd)t+Zev7P=g)HQpxX@V+G1kFr|~G?%6oc<?>J|{ra;Z9F|RZDQcK_3
z{$gMCm4A8VI~_iWp8DuzVy_L8<v+)Y9k=)Nz5D)T2HT2jCTBNfRnB7D|Ky#pWT31)
zgGXY}S5;>QK}H6~4Zx5~FGz=kH^UZF_skNH(j*0q^3){Vw4D5Mh2;F)+{_Y%;>`5C
z%)E3>1)IG5qSS(%N{95!l8n+MJ)pcD)DR{}Xm>Iyu?PdhSB#Yj6w;gmuoz>KW@eHE
z+BB1q{hxwxMC77dJ*jN6ADGTeGEokF(0rfASgw7=pNlEKi@3z!#(i8ddE?q&uWY;%
zohuS#I(O$!=64F!zO{ae&E9R>KiLT?R(;(o5V0}HVA>fk|He4)OFi{jpA7ge-?#cV
zWua}Hb8t4#v6>3qPxobR1fMfKwa7>3_o-a<(+dqQF~@#=ch1dSSxS6z)!8D0vro^3
z|2niMK*as>-A09}O_tv#Y~TI+kcQ<$v2C9w+e&Uc6&qYQ^U_O>n9ci@^|+FF6C0Q}
z=v#bbVHM}R`@ltg*DNciA1>jte*Jrx5B+X`dSSKRqYv9zZ#l_o%*nI-Tveizx#q_4
xpW=^XCa<!8G`(+%l;rvT4Qvd|z;I_!uR0xPKTUnXGKX99!)<0as75Z~1^}EoJGcM<

diff --git a/salt/sys-pihole/files/server/keys/trustdb.gpg b/salt/sys-pihole/files/server/keys/trustdb.gpg
deleted file mode 100644
index e08b410df17efd6204ed36e8169a0c5203a37a9a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1280
zcmZQfFGy!*W@Ke#Vqi#hk>F;)4j8$xi(`n6s>28pumH`&MQ(uX#cnMF&HX!SFMZP0
zAPZ+6hS<js0_M2CviacUblK~j#1E^#ua(&#u9QbOmX{%|%_Pq+aVdMmq*o~uGX7jy
N_<4mYR2@PY0{{|U89x93

diff --git a/salt/sys-pihole/install.sls b/salt/sys-pihole/install.sls
index 29bd530..047dd26 100644
--- a/salt/sys-pihole/install.sls
+++ b/salt/sys-pihole/install.sls
@@ -78,7 +78,7 @@ include:
     - target: /root/pi-hole
     - force_fetch: True
 
-"{{ slsdotpath }}-gnupg-home-for-pihole":
+"{{ slsdotpath }}-gnupg-home":
   file.directory:
     - name: /root/.gnupg/pihole
     - user: root
@@ -86,16 +86,34 @@ include:
     - mode: '0700'
     - makedirs: True
 
-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
-    - user: root
-    - group: root
-    - mode: '0600'
-    - names:
-      - /root/.gnupg/pihole/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/server/keys/pubring.kbx
-      - /root/.gnupg/pihole/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/server/keys/trustdb.gpg
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /root/.gnupg/pihole/download/
+    - source: salt://{{ slsdotpath }}/files/server/keys/
+    - user: user
+    - group: user
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /root/.gnupg/pihole
+    - runas: root
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /root/.gnupg/pihole
+    - runas: root
 
 ## The tag is annotated, using verify-commit instead.
 "{{ slsdotpath }}-git-verify-tag-pihole":