feat(debian): use keyrings instead of key_ids

Author: javierbertoli

docs/README.apt.keyrings.rst

@@ -0,0 +1,34 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As nginx and passenger don't provide such key files, we created them following the
+official recomendations in their sites and install the resulting files.
+
+Ngninx
+------
+
+See https://nginx.org/en/linux_packages.html#Debian for details
+
+.. code-block:: bash
+
+   $ curl -s https://nginx.org/keys/nginx_signing.key | \
+       gpg --dearmor --output nginx-archive-keyring.gpg
+
+Phusion-passenger
+-----------------
+
+See https://www.phusionpassenger.com/docs/tutorials/deploy_to_production/installations/oss/ownserver/ruby/nginx/
+for more details.
+
+.. code-block:: bash
+
+   $ gpg --keyserver keyserver.ubuntu.com \
+         --output - \
+         --recv-keys 561F9B9CAC40B2F7 | \
+     gpg --export --output phusionpassenger-archive-keyring.gpg

nginx/files/default/nginx-archive-keyring.gpg

@@ -2,7 +2,11 @@
 #
 # Manages installation of nginx from pkg.
 
-{% from 'nginx/map.jinja' import nginx, sls_block with context %}
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import nginx, sls_block with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
+
 {%- if nginx.install_from_repo %}
   {% set from_official = true %}
   {% set from_ppa = false %}
@@ -34,6 +38,18 @@ nginx_install:
     {% endif %}
 
 {% if salt['grains.get']('os_family') == 'Debian' %}
+  {%- if from_official %}
+nginx_official_repo_keyring:
+  file.managed:
+    - name: /usr/share/keyrings/nginx-archive-keyring.gpg
+    - source: {{ files_switch(['nginx-archive-keyring.gpg'],
+                              lookup='nginx_official_repo_keyring'
+                 )
+              }}
+    - require_in:
+      - pkgrepo: nginx_official_repo
+  {%- endif %}
+
 nginx_official_repo:
   pkgrepo:
     {%- if from_official %}
@@ -42,10 +58,8 @@ nginx_official_repo:
     - absent
     {%- endif %}
     - humanname: nginx apt repo
-    - name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
+    - name: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
     - file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list
-    - keyid: ABF5BD827BD9BF62
-    - keyserver: keyserver.ubuntu.com
     - require_in:
       - pkg: nginx_install
     - watch_in:
@@ -73,6 +87,30 @@ nginx_ppa_repo:
       - pkg: nginx_install
    {%- endif %}
 
+  {%- if from_phusionpassenger %}
+nginx_phusionpassenger_repo_keyring:
+  file.managed:
+    - name: /usr/share/keyrings/phusionpassenger-archive-keyring.gpg
+    - source: {{ files_switch(['phusionpassenger-archive-keyring.gpg'],
+                              lookup='nginx_phusionpassenger_repo_keyring'
+                 )
+              }}
+    - require_in:
+      - pkgrepo: nginx_phusionpassenger_repo
+
+# Remove the old repo file
+nginx_phusionpassenger_repo_remove:
+  pkgrepo.absent:
+    - name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
+    - keyid: 561F9B9CAC40B2F7
+    - require_in:
+      - pkgrepo: nginx_phusionpassenger_repo
+  file.absent:
+    - name: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains['oscodename'] }}.list
+    - require_in:
+      - pkgrepo: nginx_phusionpassenger_repo
+  {%- endif %}
+
 nginx_phusionpassenger_repo:
   pkgrepo:
     {%- if from_phusionpassenger %}
@@ -81,10 +119,8 @@ nginx_phusionpassenger_repo:
     - absent
     {%- endif %}
     - humanname: nginx phusionpassenger repo
-    - name: deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains['oscodename'] }} main
-    - file: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains['oscodename'] }}.list
-    - keyid: 561F9B9CAC40B2F7
-    - keyserver: keyserver.ubuntu.com
+    - name: deb [signed-by=/usr/share/keyrings/phusionpassenger-archive-keyring.gpg] https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains['oscodename'] }} main
+    - file: /etc/apt/sources.list.d/phusionpassenger-official-{{ grains['oscodename'] }}.list
     - require_in:
       - pkg: nginx_install
     - watch_in:

nginx/files/default/phusionpassenger-archive-keyring.gpg

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+case os[:name]
+when 'centos'
+  repo_file = '/etc/yum.repos.d/passenger.repo'
+  repo_url = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch'
+when 'debian', 'ubuntu'
+  # Inspec does not provide a `codename` matcher, so we add ours
+  case platform[:release].to_f.truncate
+  # ubuntu
+  when 18
+    codename = 'bionic'
+  when 20
+    codename = 'focal'
+  # debian
+  when 10
+    codename = 'buster'
+  when 11
+    codename = 'bullseye'
+  end
+  repo_keyring = '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg'
+  repo_file = "/etc/apt/sources.list.d/phusionpassenger-official-#{codename}.list"
+  # rubocop:disable Metrics/LineLength
+  repo_url = "deb [signed-by=#{repo_keyring}] https://oss-binaries.phusionpassenger.com/apt/passenger #{codename} main"
+  # rubocop:enable Metrics/LineLength
+end
+
+control 'Phusion-passenger repository keyring' do
+  title 'should be installed'
+
+  only_if('Requirement for Debian family') do
+    os.debian?
+  end
+
+  describe file(repo_keyring) do
+    it { should exist }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+  end
+end
+
+control 'Phusion-passenger repository' do
+  impact 1
+  title 'should be configured'
+  describe file(repo_file) do
+    its('content') { should include repo_url }
+  end
+end