voxpupuli/puppet-bareos

hardcoded key fingerprints break automatic key-rollout on debian/ubuntu


Hi,

https://github.com/voxpupuli/puppet-bareos/blob/master/manifests/repository.pp#L28

hardcodes pubkeys for bareos-repositories. This leads to:

Error: Could not set 'present' on ensure: The id in your manifest A0CFE15F71F798574AB363DD118283D9A7862CEE and the fingerprint from content/source don't match. Check for an error in the id and content/source is legitimate. (file: /etc/puppetlabs/code/environments/bareos/modules/apt/manifests/key.pp, line: 55)

Notice: /Stage[main]/Bareos::Repository/Apt::Source[bareos]/Apt::Key[Add key: A0CFE15F71F798574AB363DD118283D9A7862CEE from Apt::Source bareos]/Anchor[apt_key A0CFE15F71F798574AB363DD118283D9A7862CEE present]: Dependency Apt_key[Add key: A0CFE15F71F798574AB363DD118283D9A7862CEE from Apt::Source bareos] has failures: true
Warning: /Stage[main]/Bareos::Repository/Apt::Source[bareos]/Apt::Key[Add key: A0CFE15F71F798574AB363DD118283D9A7862CEE from Apt::Source bareos]/Anchor[apt_key A0CFE15F71F798574AB363DD118283D9A7862CEE present]: Skipping because of failed dependencies
Warning: /Stage[main]/Bareos::Repository/Apt::Source[bareos]/Apt::Setting[list-bareos]/File[/etc/apt/sources.list.d/bareos.list]: Skipping because of failed dependencies

That is because Bareos signs each repo with its own individual keys.

This is from Ubuntu 18 with Bareos latest (default).

pub rsa4096 2019-12-11 [SC]
641A 1497 F1B1 1BEA 945F 840F E5D8 82B2 8657 AE28
uid [ unbekannt] Bareos 19.2 Signing Key signing@bareos.com
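
The comparison behind the error above, as an added example (not code from the issue, puppet-bareos, or puppetlabs-apt): it reads the primary-key fingerprint from `gpg --with-colons` output and checks it against a pin chosen per release instead of one hardcoded id. The `PINNED` map, the function names and the sample listing are assumptions constructed for illustration; only the two fingerprints come from the issue.

```python
# Added example: compare a key file's primary fingerprint with a per-release pin.
# PINNED and all function names are assumptions made for this illustration.
PINNED = {"19.2": "641A 1497 F1B1 1BEA 945F 840F E5D8 82B2 8657 AE28"}

# Constructed, trimmed sample of `gpg --show-keys --with-colons` output.
# The sub record is made up to exercise the primary-key-only rule.
SAMPLE_COLONS = (
    "pub:-:4096:1:E5D882B28657AE28:1576022400:::-:::scSC:\n"
    "fpr:::::::::641A1497F1B11BEA945F840FE5D882B28657AE28:\n"
    "sub:-:4096:1:0000000000000000:1576022400::::::e:\n"
    "fpr:::::::::0000000000000000000000000000000000000000:\n"
)


def normalize(fpr):
    """Return the fingerprint as 40 upper-case hex digits, or raise ValueError."""
    s = fpr.replace(" ", "").upper()
    if len(s) != 40 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fpr)
    return s


def primary_fingerprints(colons):
    """Collect the fpr record that directly follows each pub record."""
    found, after_pub = [], False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(normalize(fields[9]))
        after_pub = fields[0] == "pub"
    return found


def check_key(release, colons, pinned=PINNED):
    """Return (ok, reason); fail closed on unknown releases and extra keys."""
    if release not in pinned:
        return False, "no pinned fingerprint for release %s" % release
    expected, found = normalize(pinned[release]), primary_fingerprints(colons)
    if found != [expected]:
        return False, "pin %s, key file has %s" % (expected, found)
    return True, "fingerprint matches pin for release %s" % release


if __name__ == "__main__":
    print(check_key("19.2", SAMPLE_COLONS))
    # The id from the manifest in the issue, pinned against the 19.2 key:
    old = {"19.2": "A0CFE15F71F798574AB363DD118283D9A7862CEE"}
    print(check_key("19.2", SAMPLE_COLONS, old))
```

The second call reproduces the mismatch from the log: the pin stays strict, and only the lookup becomes release-specific.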