Merge pull request #6202 from influxdata/jdstrand/use-gpg-not-sha256

chore: always verify GPG fingerprint

Author: jstirnaman

Dockerfile.pytest

@@ -7,7 +7,7 @@ FROM golang:latest
 #   Primary key fingerprint: 24C9 75CB A61A 024E E1B6  3178 7C3D 5715 9FC2 F927
 #   Subkey fingerprint:      9D53 9D90 D332 8DC7 D6C8  D3B9 D8FF 8E1F 7DF8 B07E
 ADD https://repos.influxdata.com/influxdata-archive.key ./influxdata-archive.key
-RUN gpg --no-default-keyring --homedir /nonexistent --show-keys ./influxdata-archive.key | grep -q "24C975CBA61A024EE1B631787C3D57159FC2F927" && cat influxdata-archive.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
+RUN gpg --no-default-keyring --homedir $(mktemp -d) --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat influxdata-archive.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
 
 RUN echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' | tee /etc/apt/sources.list.d/influxdata.list
 

content/influxdb/v1/introduction/install.md

@@ -75,7 +75,7 @@ For Ubuntu/Debian users, add the InfluxData repository with the following comman
 #   Primary key fingerprint: 24C9 75CB A61A 024E E1B6  3178 7C3D 5715 9FC2 F927
 #   Subkey fingerprint:      9D53 9D90 D332 8DC7 D6C8  D3B9 D8FF 8E1F 7DF8 B07E
 wget -q https://repos.influxdata.com/influxdata-archive.key
-echo '943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515 influxdata-archive.key' | sha256sum -c && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
+gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
 echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list
 ```
 {{% /code-tab-content %}}
@@ -85,8 +85,8 @@ echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repo
 # influxdata-archive.key GPG fingerprint:
 #   Primary key fingerprint: 24C9 75CB A61A 024E E1B6  3178 7C3D 5715 9FC2 F927
 #   Subkey fingerprint:      9D53 9D90 D332 8DC7 D6C8  D3B9 D8FF 8E1F 7DF8 B07E
-wget -q https://repos.influxdata.com/influxdata-archive.key
-echo '943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515 influxdata-archive.key' | sha256sum -c && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
+curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
+gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
 echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list
 ```
 {{% /code-tab-content %}}

content/influxdb/v2/install/_index.md

@@ -43,14 +43,14 @@ with your OS version:_
 For newer releases (for example, Ubuntu 20.04 LTS and newer, Debian Buster
 and newer) that support subkey verification:
 
--  Private key file: [`influxdata-archive.key`](https://repos.influxdata.com/influxdata-archive.key)
--  Public key: `943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515`
+-  GPG key file: [`influxdata-archive.key`](https://repos.influxdata.com/influxdata-archive.key)
+-  Primary key fingerprint: `24C975CBA61A024EE1B631787C3D57159FC2F927`
 
 For older versions (for example, CentOS/RHEL 7, Ubuntu 18.04 LTS, or Debian
 Stretch) that don't support subkeys for verification:
 
--  Private key file: [`influxdata-archive_compat.key`](https://repos.influxdata.com/influxdata-archive_compat.key)
--  Public key: `393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c`
+-  GPG key file: [`influxdata-archive_compat.key`](https://repos.influxdata.com/influxdata-archive_compat.key)
+-  Signing key fingerprint: `9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E`
 
 {{% /expand %}}
 
@@ -136,8 +136,7 @@ binary releases:
 {{% code-placeholders "https://repos.influxdata.com/influxdata-archive.key" %}}
 
 ```sh
-curl --silent --location \
- https://repos.influxdata.com/influxdata-archive.key \
+curl --silent --location https://repos.influxdata.com/influxdata-archive.key \
  | gpg --import - 2>&1 \
  | grep 'InfluxData Package Signing Key <[email protected]>'
 ```
@@ -344,16 +343,16 @@ To install {{% product-name %}} on Linux, do one of the following:
 2. Run the command for your OS version to install the InfluxData key,
    add the InfluxData repository, and install `influxdb`.
 
-   _Before running the command, replace the checksum and key filename with the
+   _Before running the command, replace the fingerprint and key filename with the
    key-pair from the preceding step._
 
    ```bash
    # Ubuntu and Debian
    # Add the InfluxData key to verify downloads and add the repository
-   curl --silent --location -O \
-   https://repos.influxdata.com/influxdata-archive.key
-   echo "943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515  influxdata-archive.key" \
-   | sha256sum --check - && cat influxdata-archive.key \
+   curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
+   gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
+   | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
+   && cat influxdata-archive.key \
    | gpg --dearmor \
    | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null \
    && echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
@@ -366,10 +365,10 @@ To install {{% product-name %}} on Linux, do one of the following:
    ```bash
    # RedHat and CentOS
    # Add the InfluxData key to verify downloads
-   curl --silent --location -O \
-   https://repos.influxdata.com/influxdata-archive.key \
-   && echo "943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515  influxdata-archive.key" \
-   | sha256sum --check - && cat influxdata-archive.key \
+   curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
+   gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
+   | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
+   && cat influxdata-archive.key \
    | gpg --dearmor \
    | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-influxdata > /dev/null
 

content/influxdb3/cloud-dedicated/reference/cli/influxctl/_index.md

@@ -176,7 +176,7 @@ To download the Linux `influxctl` package, do one of the following:
 #   Primary key fingerprint: 24C9 75CB A61A 024E E1B6  3178 7C3D 5715 9FC2 F927
 #   Subkey fingerprint:      9D53 9D90 D332 8DC7 D6C8  D3B9 D8FF 8E1F 7DF8 B07E
 wget -q https://repos.influxdata.com/influxdata-archive.key
-echo '943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515 influxdata-archive.key' | sha256sum -c && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
+gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
 echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list
 
 sudo apt-get update && sudo apt-get install influxctl

content/influxdb3/clustered/reference/cli/influxctl/_index.md

@@ -166,7 +166,7 @@ To download the Linux `influxctl` package, do one of the following:
 #   Primary key fingerprint: 24C9 75CB A61A 024E E1B6  3178 7C3D 5715 9FC2 F927
 #   Subkey fingerprint:      9D53 9D90 D332 8DC7 D6C8  D3B9 D8FF 8E1F 7DF8 B07E
 wget -q https://repos.influxdata.com/influxdata-archive.key
-echo '943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515 influxdata-archive.key' | sha256sum -c && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
+gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat influxdata-archive.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
 echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list
 ```
 

content/telegraf/v1/install.md

@@ -126,14 +126,14 @@ Before running the [install](#install) sample code, substitute the key-pair comp
 For newer OS releases (for example, Ubuntu 20.04 LTS and newer, Debian Buster
 and newer) that support subkey verification:
 
--  Private key file: [`influxdata-archive.key`](https://repos.influxdata.com/influxdata-archive.key)
--  Public key: `943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515`
+-  GPG key file: [`influxdata-archive.key`](https://repos.influxdata.com/influxdata-archive.key)
+-  Primary key fingerprint: `24C975CBA61A024EE1B631787C3D57159FC2F927`
 
 For older versions (for example, CentOS/RHEL 7, Ubuntu 18.04 LTS, or Debian
 Stretch) that don't support subkeys for verification:
 
--  Private key file: [`influxdata-archive_compat.key`](https://repos.influxdata.com/influxdata-archive_compat.key)
--  Public key: `393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c`
+-  GPG key file: [`influxdata-archive_compat.key`](https://repos.influxdata.com/influxdata-archive_compat.key)
+-  Signing key fingerprint: `9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E`
 
 _For security, InfluxData periodically rotates keys and publishes the new key pairs._
 
@@ -175,10 +175,10 @@ repository:
 <!------------------------BEGIN UBUNTU 20.04 LTS AND NEWER--------------------->
 
 ```bash
-curl --silent --location -O \
-https://repos.influxdata.com/influxdata-archive.key \
-&& echo "943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515  influxdata-archive.key" \
-| sha256sum -c - && cat influxdata-archive.key \
+curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
+gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
+| grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
+&& cat influxdata-archive.key \
 | gpg --dearmor \
 | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null \
 && echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
@@ -193,10 +193,9 @@ sudo apt-get update && sudo apt-get install telegraf
 
 ```bash
 # influxdata-archive_compat.key GPG Fingerprint: 9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E
-curl --silent --location -O \
-https://repos.influxdata.com/influxdata-archive_compat.key \
-&& echo "393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c  influxdata-archive_compat.key" \
-| sha256sum -c - \
+curl --silent --location -O https://repos.influxdata.com/influxdata-archive_compat.key
+gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive_compat.key 2>&1 \
+| grep -q '^fpr:\+9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E:$' \
 && cat influxdata-archive_compat.key \
 | gpg --dearmor \
 | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null

test/Dockerfile.test-oss.centos

@@ -14,15 +14,15 @@ LABEL "com.influxdata.docs"="https://docs.influxdata.com/influxdb/v2/install/?t=
 
 ARG INFLUXDB_LATEST_PATCH=2.7.10
 ARG TELEGRAF_LATEST_PATCH=1.32.3
-ARG PUBLIC_SHA=943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515
 # ARG basearch=aarch64
 
 # Install InfluxDB keys to verify client installs.
 
 RUN curl --silent --location -O \
   https://repos.influxdata.com/influxdata-archive.key \
-  && echo "${PUBLIC_SHA} influxdata-archive.key" \
-  | sha256sum -c && cat influxdata-archive.key \
+  && gpg --homedir $(mktemp -d) --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
+  | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
+  && cat influxdata-archive.key \
   | gpg --dearmor \
   | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-influxdata > /dev/null
 

test/Dockerfile.test-oss.ubuntu

@@ -13,16 +13,15 @@ LABEL description="InfluxData Docs Test OSS install on Ubuntu"
 
 LABEL "com.influxdata.docs"="https://docs.influxdata.com/influxdb/v2/install/?t=Linux"
 
-ARG PUBLIC_SHA=943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515
-
 # Install gnupg2 and curl to verify client installs.
 RUN apt-get update && apt-get install -y gnupg2 curl
 
 # Install InfluxDB keys to verify client installs.
 RUN curl --silent --location -O \
   https://repos.influxdata.com/influxdata-archive.key \
-  && echo "${PUBLIC_SHA} influxdata-archive.key" \
-  | sha256sum -c && cat influxdata-archive.key \
+  && gpg --homedir $(mktemp -d) --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
+  | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
+  && cat influxdata-archive.key \
   | gpg --dearmor \
   | tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null \
   && echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \