Merge pull request #3642 from yuumasato/improve_fedora_gpg_pubkey

Improve parameters for ensure_fedora_gpgkey_installed

fedora/product.yml

@@ -11,7 +11,12 @@ pkg_manager: "dnf"
 init_system: "systemd"
 
 # The fingerprints below are retrieved from https://getfedora.org/keys/
-latest_version: 28
-latest_release_fingerprint: "128C F232 A937 1991 C8A6  5695 E08E 7E62 9DB6 2FB1"
-previous_version: 27
-previous_release_fingerprint: "860E 19B0 AFA8 00A1 7518  81A6 F55E 7430 F528 2EE4"
+latest_version: 29
+latest_release_fingerprint: "5A03B4DD8254ECA02FDA1637A20AA56B429476B4"
+latest_pkg_release: "5a886537"
+latest_pkg_version: "429476b4"
+
+previous_version: 28
+previous_release_fingerprint: "128CF232A9371991C8A65695E08E7E629DB62FB1"
+previous_pkg_release: "59920156"
+previous_pkg_version: "9db62fb1"

linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/bash/shared.sh

@@ -25,14 +25,16 @@ if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
 then
   # If they are safe, try to obtain fingerprints from the key file
   # (to ensure there won't be e.g. CRC error).
-  IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}" | grep 'Key fingerprint ='))
+  # Backup IFS value
+  IFS_BKP=$IFS
+  IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint --with-colons "${REDHAT_RELEASE_KEY}" | grep '"^fpr' | cut -d ":" -f 10))
   GPG_RESULT=$?
   # Reset IFS back to default
-  unset IFS
+  IFS=$IFS_BKP
   # No CRC error, safe to proceed
   if [ "${GPG_RESULT}" -eq "0" ]
   then
-    tr -s ' ' <<< "${GPG_OUT}" | grep -vE "${FEDORA_RELEASE_FINGERPRINT}" || {
+    echo "${GPG_OUT}" | grep -vE "${FEDORA_RELEASE_FINGERPRINT}" || {
       # If file doesn't contains any keys with unknown fingerprint, import it
       rpm --import "${REDHAT_RELEASE_KEY}"
     }

linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/oval/shared.xml

@@ -1,3 +1,23 @@
+{{% macro fedora_gpgkey_criterion(fedora_version, pkg_release, pkg_version) %}}
+   <criterion comment="Fedora {{{ fedora_version }}} package gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}} is installed"
+        test_ref="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
+{{% endmacro %}}
+
+{{% macro fedora_gpgkey_check(fedora_version, pkg_release, pkg_version) %}}
+  <!-- Test for Fedora {{{ fedora_version }}} release key -->
+  <linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
+  id="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
+  comment="Fedora {{{ pkg_version }}} release key package is installed">
+    <linux:object object_ref="object_package_gpg-pubkey" />
+    <linux:state state_ref="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
+  </linux:rpminfo_test>
+
+  <linux:rpminfo_state id="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
+    <linux:release>{{{ pkg_release }}}</linux:release>
+    <linux:version>{{{ pkg_version }}}</linux:version>
+  </linux:rpminfo_state>
+{{% endmacro %}}
+
 <def-group>
   <definition class="compliance" id="ensure_fedora_gpgkey_installed" version="2">
     <metadata>
@@ -10,8 +30,8 @@
     <criteria comment="Fedora Vendor keys" operator="AND">
       <extend_definition comment="Fedora installed" definition_ref="installed_OS_is_fedora" />
       <criteria comment="Supported Fedora key is installed" operator="OR">
-        <criterion comment="Fedora 28 package gpg-pubkey-9db62fb1-59920156 is installed"
-        test_ref="test_package_gpgkey-9db62fb1-59920156_installed" />
+          {{{ fedora_gpgkey_criterion(latest_version, latest_pkg_release, latest_pkg_version) }}}
+          {{{ fedora_gpgkey_criterion(previous_version, previous_pkg_release, previous_pkg_version) }}}
       </criteria>
     </criteria>
   </definition>
@@ -22,17 +42,7 @@
   </linux:rpminfo_object>
 
   <!-- Perform the particular tests themselves -->
-  <!-- Test for Fedora 28 release key -->
-  <linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
-  id="test_package_gpgkey-9db62fb1-59920156_installed" version="1"
-  comment="Fedora 28 release key package is installed">
-    <linux:object object_ref="object_package_gpg-pubkey" />
-    <linux:state state_ref="state_package_gpg-pubkey-9db62fb1-59920156" />
-  </linux:rpminfo_test>
-
-  <linux:rpminfo_state id="state_package_gpg-pubkey-9db62fb1-59920156" version="1">
-    <linux:release>59920156</linux:release>
-    <linux:version>9db62fb1</linux:version>
-  </linux:rpminfo_state>
+  {{{ fedora_gpgkey_check(latest_version, latest_pkg_release, latest_pkg_version) }}}
+  {{{ fedora_gpgkey_check(previous_version, previous_pkg_release, previous_pkg_version) }}}
 
 </def-group>

linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh

@@ -12,18 +12,20 @@ if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
 then
   # If they are safe, try to obtain fingerprints from the key file
   # (to ensure there won't be e.g. CRC error).
+  # Backup IFS value
+  IFS_BKP=$IFS
 {{% if product == "rhel8" %}}
   IFS=$'\n' GPG_OUT=($(gpg --show-key --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10))
 {{% else %}}
   IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10))
 {{% endif %}}
   GPG_RESULT=$?
   # Reset IFS back to default
-  unset IFS
+  IFS=$IFS_BKP
   # No CRC error, safe to proceed
   if [ "${GPG_RESULT}" -eq "0" ]
   then
-    tr -s ' ' <<< "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_2_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_2_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
       # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
       rpm --import "${REDHAT_RELEASE_KEY}"
     }