ben-grande / qusal

Salt Formulas for Qubes OS.

Evaluate Salt's module `archive` for signature verification #33

Closed ben-grande closed 3 months ago

ben-grande commented 6 months ago

Current problem (if any)

PGP verification is done with cmd.run due to the unavailability of options in gpg.verify and archive.extracted.

In Salt 3007.0, new options to these modules have been added regarding PGP signature verification, most notably:

Proposed solution

Evaluate if it is worth the change.

Sequoia has the GNUPG interface through chameleon, but gpg.verify does not appear to have a way to specify the gpg binary. Anyway, chameleon is not available in Debian yet; it is on Fedora, though.

When we migrate to Sequoia completely instead of GNUPG, unless Salt supports Sequoia, we are back to cmd.run as the module for signature verification.

The value to a user, and who that user might be

Cleaner Salt output, fewer workarounds with cmd.run. Potentially a more tested program.


ben-grande commented 3 months ago

source_hash_sig: When source is a remote file source, source_hash is a file, skip_verify is not true and use_etag is not true, ensure a valid GPG signature exists on the source hash file. Set this to true for an inline (clearsigned) signature, or to a file URI retrievable by `cp.cache_file` for a detached one.

Note

A signature on the source_hash file is enforced regardless of changes since its contents are used to check if an existing file is in the correct state - but only for remote sources! As for signature, existing target files will not be modified, only the cached source_hash and source_hash_sig files will be removed.

Not doing signature verification because the file is local is not great, it impacts on split setups where a qube downloads the file and the other has the archive and shasum locally.

ben-grande commented 3 months ago

> Not doing signature verification because the file is local is not great, it impacts on split setups where a qube downloads the file and the other has the archive and shasum locally.

Because Qusal has no user for this now as tarballs are only used in split setups of a different qube download than the one verifying, these capabilities don't have any use at this moment, but good to be aware anyway.
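
The split-setup case raised in this thread (archive, checksum file and signature already local, so the remote-only `source_hash_sig` check does not apply), sketched as the kind of script a `cmd.run` state could call. This is an added example, not Qusal's or Salt's code; it assumes GnuPG's `gpgv`, a SHA-256 checksum list in `sha256sum` format with a detached signature, and hypothetical file paths passed as arguments.

```shell
#!/bin/sh
# Added example: authenticate, then extract, a tarball that is already local.
# Usage (all paths are hypothetical placeholders):
#   verify_and_extract KEYRING SUMS SUMS_SIG ARCHIVE DEST

verify_and_extract() {
    keyring=$1 sums=$2 sig=$3 archive=$4 dest=$5

    # 1. Authenticate the checksum list against a pinned keyring only.
    #    gpgv consults just the keyring given here (use an absolute path),
    #    so keys in the caller's default keyring cannot satisfy the check.
    gpgv --keyring "$keyring" "$sig" "$sums" >/dev/null 2>&1 || {
        echo "signature check failed: $sums" >&2
        return 1
    }

    # 2. Look up the archive in the now-authenticated list. A missing or
    #    duplicated entry must fail, never fall through to extraction.
    name=$(basename "$archive")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    [ -n "$expected" ] || {
        echo "no checksum entry for $name" >&2
        return 2
    }
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || {
        echo "checksum mismatch: $name" >&2
        return 3
    }

    # 3. Extract only after both checks have passed.
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

# Run directly only when called with the five arguments above.
if [ "$#" -eq 5 ]; then
    verify_and_extract "$@"
fi
```

The distinct return codes (1 signature, 2 missing entry, 3 hash mismatch) let the calling state report which check failed.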