Closed guenhter closed 1 year ago
Wouldn't it be a better solution to store the key in its own file and use it as signed-by?

```yaml
- name: Add Nodesource apt key.
  get_url:
    url: https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
    dest: /etc/apt/trusted.gpg.d/nodesource.asc
    mode: '0644'
    force: true

- name: Add NodeSource repositories for Node.js.
  apt_repository:
    repo: "{{ item }}"
    state: present
  with_items:
    - "deb [signed-by=/etc/apt/trusted.gpg.d/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
    - "deb-src [signed-by=/etc/apt/trusted.gpg.d/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
  register: node_repo
```
Hi, this is an excellent idea. Thx. I'll work that in as soon as I'm on this topic again.
Does https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280 give me the key for node, or is this just some sample?
It should give you the key for nodejs. It is the same URL as in your commit. Searching for the key on the server results in

```
uid NodeSource gpg@nodesource.com sig sig 1655a0ab68576280 2014-06-13T16:20:06Z ____ ____ [selfsig]
```

https://keyserver.ubuntu.com/pks/lookup?search=0x1655A0AB68576280&fingerprint=on&op=index

Very nice. Thx for the explanation.
@garbast I've worked in your changes except how the key for nodejs is obtained.
Does getting it via keyserver.ubuntu.com have any benefits over getting it from deb.nodesource.com directly?
I like getting it via the https://deb.nodesource.com URL because then you easily see in the task where the key actually comes from.
I have no opinion about keyserver.ubuntu.com.
If you can get the key from nodesource.com I'm fine with that. The author's server should be trustable.
@geerlingguy could you please have a look at this PR, if it is sufficient for merging?
> Wouldn't it be a better solution to store the key in its own file and use it as signed-by?

Should be in /etc/apt/keyrings/ or /usr/share/keyrings, as any keyrings in /etc/apt/trusted.gpg.d/ are trusted by all apt lists without a signed-by.
"The reason for this change is that when adding an OpenPGP key that's used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don't have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security)." - https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
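A hardened version of the tasks proposed earlier in this thread, as an added example that is not code from the PR or from the role: the key lands in /etc/apt/keyrings instead of /etc/apt/trusted.gpg.d, the signed-by option points there, and a gpg --show-keys check confirms the downloaded file actually carries key ID 1655A0AB68576280 before the repository is configured. It keeps the keyserver URL from the thread and assumes apt 1.4 or later (armored .asc keys accepted by signed-by) and gpg 2.2 or later on the target.

```yaml
# Added example, not the PR's own tasks. Moves the NodeSource key out of
# /etc/apt/trusted.gpg.d so it is only trusted for the NodeSource repository.
# Assumptions: apt >= 1.4 (armored .asc keys work with signed-by) and
# gpg >= 2.2 on the target (for `gpg --show-keys`).
- name: Ensure the dedicated apt keyring directory exists.
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'

- name: Download the NodeSource signing key (armored; no dearmor needed).
  get_url:
    url: https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
    dest: /etc/apt/keyrings/nodesource.asc
    mode: '0644'
    force: true

- name: List the key IDs contained in the downloaded file.
  # --with-colons prints machine-readable "pub:" / "sub:" records whose
  # fifth field is the long key ID, so the check below is format-stable.
  command: gpg --show-keys --with-colons /etc/apt/keyrings/nodesource.asc
  register: nodesource_key_ids
  changed_when: false

- name: Refuse to configure the repository if the expected key is absent.
  # A full-fingerprint comparison on the "fpr:" record would be stronger;
  # the thread only gives the long key ID, so that is what is pinned here.
  assert:
    that:
      - "'1655A0AB68576280' in nodesource_key_ids.stdout"
    fail_msg: "nodesource.asc does not contain key 1655A0AB68576280; aborting."

- name: Add NodeSource repositories for Node.js, scoped to that key only.
  apt_repository:
    repo: "{{ item }}"
    state: present
  loop:
    - "deb [signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
    - "deb-src [signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
  register: node_repo
```

Because nothing is written to /etc/apt/trusted.gpg.d, a compromised or replaced NodeSource key cannot be used to sign packages for the distribution's own repositories.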
I'll close this MR because I no longer use this role; we install Node now via fnm.
If you are still interested, feel free to take these changes and open a new MR.
As the https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html describes:

Although the best alternative for apt-key would be to the key, I still hope this version without `gpg --dearmor` is also good enough; it is also described here https://opensource.com/article/22/9/deprecated-linux-apt-key as a valid alternative (even though not the best).