Add support for signed-by in source entries

puppetlabs · Jul 16, 2021 · fbb6a25 · fbb6a25
1 parent 5f91c2d
commit fbb6a25
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 7 deletions.
diff --git a/manifests/source.pp b/manifests/source.pp
@@ -39,6 +39,10 @@
 #   defined type, or a hash of `parameter => value` pairs to be passed to `apt::key`'s `id`, `server`, `content`, `source`, and/or
 #   `options` parameters.
 #
+# @param keyring
+#   Absolute path to a file containing the PGP keyring used to sign this repository. Value is used to set signed-by on the source entry.
+#   See https://wiki.debian.org/DebianRepository/UseThirdParty for details.
+#
 # @param pin
 #   Creates a declaration of the apt::pin defined type. Valid options: a number or string to be passed to the `id` parameter of the
 #   `apt::pin` defined type, or a hash of `parameter => value` pairs to be passed to `apt::pin`'s corresponding parameters.
@@ -62,6 +66,7 @@
   String $repos                                 = 'main',
   Optional[Variant[Hash]] $include              = {},
   Optional[Variant[String, Hash]] $key          = undef,
+  Optional[Stdlib::AbsolutePath] $keyring       = undef,
   Optional[Variant[Hash, Numeric, String]] $pin = undef,
   Optional[String] $architecture                = undef,
   Boolean $allow_unsigned                       = false,
@@ -103,6 +108,10 @@
 
   $includes = merge($::apt::include_defaults, $include)
 
+  if $key and $keyring {
+    fail("parameters key and keyring are mutualy exclusive")
+  }
+
   if $key {
     if $key =~ Hash {
       unless $key['id'] {
@@ -119,8 +128,11 @@
   $sourcelist = epp('apt/source.list.epp', {
     'comment'          => $comment,
     'includes'         => $includes,
-    'opt_architecture' => $architecture,
-    'allow_unsigned'   => $allow_unsigned,
+    'options'          => delete_undef_values({
+      'arch'      => $architecture,
+      'trusted'   => $allow_unsigned ? {true => "yes", false => undef},
+      'signed-by' => $keyring,
+    }),
     'location'         => $_location,
     'release'          => $_release,
     'repos'            => $repos,

diff --git a/spec/defines/source_spec.rb b/spec/defines/source_spec.rb
@@ -154,6 +154,38 @@
     }
   end
 
+  context 'with keyring set' do
+    let :params do
+      {
+        location: 'hello.there',
+        keyring: '/usr/share/keyrings/foo-archive-keyring.gpg',
+      }
+    end
+
+    it {
+      is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(
+        %r{# my_source\ndeb \[signed-by=/usr/share/keyrings/foo-archive-keyring.gpg\] hello.there jessie main\n}
+      )
+    }
+  end
+
+  context 'with keyring, architecture and allow_unsigned set' do
+    let :params do
+      {
+        location: 'hello.there',
+        architecture: 'amd64',
+        allow_unsigned: true,
+        keyring: '/usr/share/keyrings/foo-archive-keyring.gpg',
+      }
+    end
+
+    it {
+      is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(
+        %r{# my_source\ndeb \[arch=amd64 trusted=yes signed-by=/usr/share/keyrings/foo-archive-keyring.gpg\] hello.there jessie main\n}
+      )
+    }
+  end
+
   context 'with a https location, install apt-transport-https' do
     let :params do
       {

diff --git a/templates/source.list.epp b/templates/source.list.epp
@@ -1,10 +1,8 @@
-<%- | String $comment, Hash $includes, $opt_architecture, Boolean $allow_unsigned, $location, $release, String $repos | -%>
+<%- | String $comment, Hash $includes, Hash $options, $location, $release, String $repos | -%>
 # <%= $comment %>
 <%- if $includes['deb'] { -%>
-deb <%- if ($opt_architecture or $allow_unsigned) {-%>
- [<%- if ($opt_architecture) {%>arch=<%= $opt_architecture %><% } %><%if ($opt_architecture and $allow_unsigned) {%> <% }%><% if ($allow_unsigned) {%>trusted=yes<% } %>] <%- } %> <%= $location %> <%= $release %> <%= $repos %>
+deb <% if !$options.empty() { -%>[<%=  $options.map |$key, $value| { "${key}=${value}" }.join(" ") %>] <% } -%> <%= $location %> <%= $release %> <%= $repos %>
 <%- } -%>
 <%- if $includes['src'] { -%>
-deb-src <%- if $opt_architecture or $allow_unsigned { -%>
- [<%- if ($opt_architecture) {%>arch=<%= $opt_architecture %><% } %><%if ($opt_architecture and $allow_unsigned) {%> <% }%><% if ($allow_unsigned) {%>trusted=yes<% } %>] <%- } %> <%= $location %> <%= $release %> <%= $repos %>
+deb-src <% if !$options.empty() { -%>[<%=  $options.map |$key, $value| { "${key}=${value}" }.join(" ") %>] <% } -%> <%= $location %> <%= $release %> <%= $repos %>
 <%- } -%>