refactor: import armored gpg keys instead of db

2024-10-01 02:35:49 -04:00 · 2024-01-03 18:07:49 +01:00 · 2024-01-03 18:07:49 +01:00 · 6bb426a057
commit 6bb426a057
parent 0eecbcffc4
10 changed files with 88 additions and 32 deletions
--- a/salt/mirage-builder/configure.sls
+++ b/salt/mirage-builder/configure.sls
@ -40,16 +40,34 @@ include:
    - mode: '0700'
    - makedirs: True

-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /home/user/.gnupg/mirage-firewall/download/
+    - source: salt://{{ slsdotpath }}/files/client/keys/
    - user: user
    - group: user
-    - mode: '0600'
-    - names:
-      - /home/user/.gnupg/mirage-firewall/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
-      - /home/user/.gnupg/mirage-firewall/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /home/user/.gnupg/mirage-firewall
+    - runas: user
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /home/user/.gnupg/mirage-firewall
+    - runas: user

 "{{ slsdotpath }}-git-clone":
  git.latest:
@ -83,7 +101,7 @@ include:
    - mode: '0755'
    - makedirs: True

-{% if salt['grains.get']('os_family') = 'RedHat' -%}
+{% if salt['grains.get']('os_family') == 'RedHat' -%}
 "{{ slsdotpath }}-file-security-context":
  cmd.run:
    - name: chcon -Rt container_file_t /home/user/docker
--- a/salt/mirage-builder/files/client/keys/pubring.kbx
+++ b/salt/mirage-builder/files/client/keys/pubring.kbx
--- a/salt/mirage-builder/files/client/keys/trustdb.gpg
+++ b/salt/mirage-builder/files/client/keys/trustdb.gpg
--- a/salt/qubes-builder/configure.sls
+++ b/salt/qubes-builder/configure.sls
@ -43,29 +43,48 @@ include:
    - target: /home/user/src/qubes-infrastructure-mirrors
    - user: user

-"{{ slsdotpath }}-gnupg-home-for-builder":
+"{{ slsdotpath }}-gnupg-home":
  file.directory:
    - name: /home/user/.gnupg/qubes-builder
    - user: user
    - group: user
    - mode: '0700'

-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /home/user/.gnupg/qubes-builder/download/
+    - source: salt://{{ slsdotpath }}/files/client/keys/
    - user: user
    - group: user
-    - mode: '0600'
-    - names:
-      - /home/user/.gnupg/qubes-builder/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
-      - /home/user/.gnupg/qubes-builder/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /home/user/.gnupg/qubes-builder
+    - runas: user
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /home/user/.gnupg/qubes-builder
+    - runas: user

 "{{ slsdotpath }}-git-verify-HEAD-builderv2":
  cmd.run:
    - require:
      - git: "{{ slsdotpath }}-git-clone-builderv2"
-    - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
+      - cmd: "{{ slsdotpath }}-import-ownertrust"
+    - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-tag "$(git describe --tags --abbrev=0)"
    - cwd: /home/user/src/qubes-builderv2
    - runas: user

@ -73,6 +92,7 @@ include:
  cmd.run:
    - require:
      - git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
+      - cmd: "{{ slsdotpath }}-import-ownertrust"
    - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
    - cwd: /home/user/src/qubes-infrastructure-mirrors
    - runas: user
--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@ -5,11 +5,11 @@

 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp
+qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp

 qusal.GitInit  +qubes-builder {{ sls_path }} @default allow target=sys-git
 qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
-qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git
+qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git default_target=sys-pgp

 qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
 qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
--- a/salt/qubes-builder/files/client/keys/pubring.kbx
+++ b/salt/qubes-builder/files/client/keys/pubring.kbx
--- a/salt/qubes-builder/files/client/keys/trustdb.gpg
+++ b/salt/qubes-builder/files/client/keys/trustdb.gpg
--- a/salt/sys-pihole/files/server/keys/pubring.kbx
+++ b/salt/sys-pihole/files/server/keys/pubring.kbx
--- a/salt/sys-pihole/files/server/keys/trustdb.gpg
+++ b/salt/sys-pihole/files/server/keys/trustdb.gpg
--- a/salt/sys-pihole/install.sls
+++ b/salt/sys-pihole/install.sls
@ -78,7 +78,7 @@ include:
    - target: /root/pi-hole
    - force_fetch: True

-"{{ slsdotpath }}-gnupg-home-for-pihole":
+"{{ slsdotpath }}-gnupg-home":
  file.directory:
    - name: /root/.gnupg/pihole
    - user: root
@ -86,16 +86,34 @@ include:
    - mode: '0700'
    - makedirs: True

-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
-    - user: root
-    - group: root
-    - mode: '0600'
-    - names:
-      - /root/.gnupg/pihole/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/server/keys/pubring.kbx
-      - /root/.gnupg/pihole/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/server/keys/trustdb.gpg
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /root/.gnupg/pihole/download/
+    - source: salt://{{ slsdotpath }}/files/server/keys/
+    - user: user
+    - group: user
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /root/.gnupg/pihole
+    - runas: root
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /root/.gnupg/pihole
+    - runas: root

 ## The tag is annotated, using verify-commit instead.
 "{{ slsdotpath }}-git-verify-tag-pihole":