diff --git a/CHANGELOG.md b/CHANGELOG.md
index a99fceb..859e30f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ This file is used to list changes made in each version of the gpg cookbook.
 ## Unreleased
+- Add support for adding keys via --keyserver and --recv-keys
+
 ## 2.0.11 - *2023-09-28*
 ## 2.0.10 - *2023-09-04*
diff --git a/documentation/resource/key.md b/documentation/resource/key.md
index f34a21e..1f9ec99 100644
--- a/documentation/resource/key.md
+++ b/documentation/resource/key.md
@@ -2,27 +2,28 @@
 ## Properties
-| Property | Ruby Type | Default | Description |
-| -------------------------- | ---------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
-| `batch_name` | String | | Name of the key/batch to generate. |
-| `override_default_keyring` | [true, false] | `false` | Set to true if you want to override the pubring_file and secring_file locations. |
-| `pubring_file` | String | | Public keyring file location (override_default_keyring must be set to true or this option will be ignored) |
-| `secring_file` | String | | Secret keyring file location (override_default_keyring must be set to true or this option will be ignored) |
-| `user` | String | `root` | User to generate the key for |
-| `group` | String | `user` | Group to run the generate command as |
-| `key_type` | String | `1` (RSA) | Corresponds to GPG option: Key-Type (RSA or DSA) |
-| `key_length` | String | `2048` | Corresponds to GPG option: Key-Length (2048 or 4096) |
-| `name_real` | String | Chef Generated Default (#{batch_name}) | Corresponds to GPG option: Name-Real |
-| `name_comment` | String | generated by Chef | Corresponds to GPG option: Name-Comment |
-| `name_email` | String | #{node.name}@example.com | Corresponds to GPG option: Name-Email |
-| `expire_date` | String | 0 | Corresponds to GPG option: Expire-Date. |
-| `home_dir` | String | ~#{user}/.gnupg | Location to store the keyring. Defaults to ~/.gnupg |
-| `batch_config_file` | String | gpg_batch_config_#{batch_name} | Batch config file name |
-| `passphrase` | String | | Passphrase for key |
-| `key_file` | String | | Keyfile name |
-| `key_fingerprint` | String | | Key finger print. Used to identify when deleting keys using the :delete action |
-| `pinentry_mode` | [String, false] | `loopback` if Ubuntu or False | Pinentry mode. Set to loopback on Ubuntu and False (off) for all other platforms. 
|
-| `batch` | [true, false] | true | Turn batch mode on or off when genrating keys |
+| Property | Ruby Type | Default | Description |
+|----------------------------|-----------------|----------------------------------------|------------------------------------------------------------------------------------------------------------|
+| `batch_name` | String | | Name of the key/batch to generate. |
+| `override_default_keyring` | [true, false] | `false` | Set to true if you want to override the pubring_file and secring_file locations. |
+| `pubring_file` | String | | Public keyring file location (override_default_keyring must be set to true or this option will be ignored) |
+| `secring_file` | String | | Secret keyring file location (override_default_keyring must be set to true or this option will be ignored) |
+| `user` | String | `root` | User to generate the key for |
+| `group` | String | `user` | Group to run the generate command as |
+| `key_type` | String | `1` (RSA) | Corresponds to GPG option: Key-Type (RSA or DSA) |
+| `key_length` | String | `2048` | Corresponds to GPG option: Key-Length (2048 or 4096) |
+| `name_real` | String | Chef Generated Default (#{batch_name}) | Corresponds to GPG option: Name-Real |
+| `name_comment` | String | generated by Chef | Corresponds to GPG option: Name-Comment |
+| `name_email` | String | #{node.name}@example.com | Corresponds to GPG option: Name-Email |
+| `expire_date` | String | 0 | Corresponds to GPG option: Expire-Date. |
+| `home_dir` | String | ~#{user}/.gnupg | Location to store the keyring. Defaults to ~/.gnupg |
+| `batch_config_file` | String | gpg_batch_config_#{batch_name} | Batch config file name |
+| `passphrase` | String | | Passphrase for key |
+| `key_file` | String | | Keyfile name |
+| `key_fingerprint` | [String, Array] | | Key fingerprint. Used to identify keys |
+| `pinentry_mode` | [String, false] | `loopback` if Ubuntu or False | Pinentry mode. 
Set to loopback on Ubuntu and False (off) for all other platforms. |
+| `batch` | [true, false] | true | Turn batch mode on or off when genrating keys |
+| `keyserver` | String | | Keyserver to use when importing keys |
 ## Actions
diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml
index 47eff95..06e59d2 100644
--- a/kitchen.dokken.yml
+++ b/kitchen.dokken.yml
@@ -2,6 +2,8 @@ driver:
 name: dokken
 privileged: true
 chef_version: <%= ENV['CHEF_VERSION'] || 'current' %>
+ multiple_converge: 2
+ enforce_idempotency: true
 transport: { name: dokken }
 provisioner: { name: dokken }
diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index 085b72f..8b28a44 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -2,10 +2,15 @@ module Gpg
 module Helpers
 include Chef::Mixin::ShellOut
- def key_exists(new_resource)
+ def key_exists(new_resource, key = nil)
 gpg_check = gpg_cmd
 gpg_check << gpg_opts if new_resource.override_default_keyring
- gpg_check << "--list-keys | grep '#{new_resource.name_real}'"
+
+ gpg_check << if new_resource.keyserver
+ "--list-keys #{key}"
+ else
+ "--list-keys | grep #{new_resource.name_real}"
+ end
 cmd = Mixlib::ShellOut.new(
 gpg_check,
@@ -14,7 +19,6 @@ def key_exists(new_resource)
 )
 cmd.run_command
- cmd.exitstatus == 0
 end
diff --git a/resources/key.rb b/resources/key.rb
index 826a7de..02069f9 100644
--- a/resources/key.rb
+++ b/resources/key.rb
@@ -61,7 +61,7 @@
 property :key_file, String,
 description: 'Keyfile name'
-property :key_fingerprint, String,
+property :key_fingerprint, [String, Array],
 description: 'Key finger print. Used to identify when deleting keys using the :delete action'
 # Only Ubuntu > 16.04 supports the pinetree_mode. And requires it
@@ -73,6 +73,9 @@
 default: true,
 description: 'Turn batch mode on or off when genrating keys'
+property :keyserver, String,
+ description: 'Keyserver to receive keys from'
+
 action :generate do
 unless key_exists(new_resource)
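Review bot: The new `"--list-keys | grep #{new_resource.name_real}"` drops the single quotes the removed line had around the grep pattern, so with the default `name_real` of `Chef Generated Default (#{batch_name})` (per the key.md table in this commit) the shell now word-splits the name and trips over the parentheses, and any other value is interpolated into the pipeline unescaped. Branching on `new_resource.keyserver` is also the wrong test: `:generate` calls `key_exists(new_resource)` without a key (last line of this diff line), so with a keyserver set the check degrades to a bare `--list-keys`, which exits 0 as soon as the keyring holds any key and silently skips generation. I would branch on `key` instead and escape both interpolations with `Shellwords.escape` (stdlib; needs `require 'shellwords'` at the top of the file), as below. The `Mixlib::ShellOut.new(gpg_check, …)` call that consumes the string runs past the end of this hunk.
```ruby
def key_exists(new_resource, key = nil)
  gpg_check = gpg_cmd
  gpg_check << gpg_opts if new_resource.override_default_keyring
  # A fingerprint is only passed by :import; :generate passes none and must keep
  # matching on name_real whether or not a keyserver is configured.
  gpg_check << if key
                 "--list-keys #{Shellwords.escape(key)}"
               else
                 "--list-keys | grep #{Shellwords.escape(new_resource.name_real)}"
               end
  # … unchanged: Mixlib::ShellOut.new(gpg_check, …), run_command, exit-status check …
```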
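Review bot: The `key_fingerprint` description on the context line below the changed property still says the value is only used `when deleting keys using the :delete action`, but this commit makes it the lookup key for `:import` as well (the key.md table in the same commit was already reworded), so the resource's own documentation is now stale. Because each fingerprint ends up interpolated into a shell command string in `:import`, I would also constrain the property to full 40-hex-digit fingerprints rather than accepting any string — short key IDs are collision-prone for `--recv-keys` in any case. Something like `description: 'Full key fingerprint(s). Used to look up keys for :import (with keyserver) and :delete',` followed by `callbacks: { 'must be 40 hex digit fingerprint(s)' => ->(v) { Array(v).all? { |f| f.match?(/\A[0-9A-Fa-f]{40}\z/) } } }` would cover both (a `regex:` validator would not apply to the Array form).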
@@ -126,11 +129,22 @@
 end
 action :import do
- execute 'gpg2: import key' do
- command "#{gpg_cmd} --import #{new_resource.key_file}"
- user new_resource.user
- group new_resource.group
- not_if { key_exists(new_resource) }
+ Array(new_resource.key_fingerprint).each do |key|
+ # If a keyserver is specified, use that to import the key
+ if new_resource.keyserver
+ cmd = "#{gpg_cmd} --keyserver #{new_resource.keyserver} --recv-keys #{key}"
+ title = "Receive Key #{key}"
+ else
+ cmd = "#{gpg_cmd} --import #{new_resource.key_file}"
+ title = "Import Key from #{new_resource.key_file}"
+ end
+
+ execute "gpg2: #{title}" do
+ command cmd
+ user new_resource.user
+ group new_resource.group
+ not_if { key_exists(new_resource, key) }
+ end
 end
 end
diff --git a/test/fixtures/cookbooks/test/recipes/default.rb b/test/fixtures/cookbooks/test/recipes/default.rb
index a235a6c..afc4386 100644
--- a/test/fixtures/cookbooks/test/recipes/default.rb
+++ b/test/fixtures/cookbooks/test/recipes/default.rb
@@ -54,5 +54,12 @@
 action :import
 end
+# Importing the specified key
+gpg_key 'Import Ubuntu Key' do
+ keyserver 'keyserver.ubuntu.com'
+ key_fingerprint %w(409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB)
+ action :import
+end
+
 # Dummy key for deleting
 include_recipe 'test::dummy_key'
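Review bot: Wrapping both branches in `Array(new_resource.key_fingerprint).each` makes the pre-existing file import a silent no-op for any resource that sets `key_file` but no `key_fingerprint`: `Array(nil)` is `[]`, so no `execute` is ever declared, whereas the removed code always declared it (guarded only by `not_if`). Conversely, with several fingerprints and no keyserver the same `--import #{new_resource.key_file}` is declared once per fingerprint under an identical title. Both interpolated values also reach the shell unescaped, and a bare hostname such as the fixture's `keyserver.ubuntu.com` is, to my knowledge, contacted over plain hkp unless an `hkps://` scheme is given — worth stating in the `keyserver` property docs and validating there. Moving the `keyserver` test outside the loop confines the per-fingerprint loop to the `--recv-keys` path and restores the file path, as below.
```ruby
action :import do
  if new_resource.keyserver
    # One --recv-keys per fingerprint; key_exists looks up that exact key
    Array(new_resource.key_fingerprint).each do |key|
      execute "gpg2: Receive Key #{key}" do
        command "#{gpg_cmd} --keyserver #{new_resource.keyserver} --recv-keys #{key}"
        user new_resource.user
        group new_resource.group
        not_if { key_exists(new_resource, key) }
      end
    end
  else
    # Previous behaviour: import key_file regardless of key_fingerprint
    execute "gpg2: Import Key from #{new_resource.key_file}" do
      command "#{gpg_cmd} --import #{new_resource.key_file}"
      user new_resource.user
      group new_resource.group
      not_if { key_exists(new_resource) }
    end
  end
end
```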