geerlingguy / ansible-role-nodejs

Ansible Role - Node.js
https://galaxy.ansible.com/geerlingguy/nodejs/
MIT License
410 stars 252 forks

Avoid using the deprecated apt-key module for new ubuntu versions #145

Closed guenhter closed 1 year ago

guenhter commented 1 year ago

As the https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html describes:

The apt-key command has been deprecated and suggests to ‘manage keyring files in trusted.gpg.d instead’. See the Debian wiki for details. This module is kept for backwards compatibility for systems that still use apt-key as the main way to manage apt repository keys.


Although the best alternative for the apt-key would be to

gpg --dearmor

the key, I still hope this version without gpg --dearmor is also good enough and also described hee https://opensource.com/article/22/9/deprecated-linux-apt-key as a valid alternative (even though not the best)

garbast commented 1 year ago

Wouldn't it be a better solution to store the key in an own file and use it as signed-by?

- name: Add Nodesource apt key.
  get_url:
    url: https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
    dest: /etc/apt/trusted.gpg.d/nodesource.asc
    mode: '0644'
    force: true

- name: Add NodeSource repositories for Node.js.
  apt_repository:
    repo: "{{ item }}"
    state: present
  with_items:
    - "deb [signed-by=/etc/apt/trusted.gpg.d/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
    - "deb-src [signed-by=/etc/apt/trusted.gpg.d/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
  register: node_repo

guenhter commented 1 year ago

Hi, this is an excellent idea. Thx. I'll work that in as soon as I'm on this topic again.

Does https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280 give me the key for node or is this just some sample?

garbast commented 1 year ago

It should give you the key for nodejs. It is the same url as in your commit. Searching for the key on the server results in

uid NodeSource gpg@nodesource.com sig sig 1655a0ab68576280 2014-06-13T16:20:06Z ____ ____ [selfsig]

https://keyserver.ubuntu.com/pks/lookup?search=0x1655A0AB68576280&fingerprint=on&op=index

guenhter commented 1 year ago

Very nice. Thx for the explanation.

guenhter commented 1 year ago

@garbast I've worked in your changes except how the key for nodejs is obtained.

Does getting it via keyserver.ubuntu.com have any benefits over getting it from deb.nodesource.com directly?

I like getting it via the https://deb.nodesource.com url because then you easily see it in the task where the key actually comes from.

garbast commented 1 year ago

I have no opinion about keyserver.ubuntu.com.

If you can get the key from nodesource.com, I'm fine with that. The author's server should be trustworthy.

garbast commented 1 year ago

@geerlingguy could you please have a look at this PR, if it is sufficient for merging?

wizhippo commented 1 year ago

Wouldn't it be a better solution to store the key in an own file and use it as signed-by?

- name: Add Nodesource apt key.
  get_url:
    url: https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
    dest: /etc/apt/trusted.gpg.d/nodesource.asc
    mode: '0644'
    force: true

- name: Add NodeSource repositories for Node.js.
  apt_repository:
    repo: "{{ item }}"
    state: present
  with_items:
    - "deb [signed-by=/etc/apt/trusted.gpg.d/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
    - "deb-src [signed-by=/etc/apt/trusted.gpg.d/nodesource.asc] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
  register: node_repo

It should be /etc/apt/keyrings/ or /usr/share/keyrings instead, as any keyrings in /etc/apt/trusted.gpg.d/ are trusted by all apt lists without a signed-by.

"The reason for this change is that when adding an OpenPGP key that's used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don't have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security)." - https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
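As an added example that is not part of the PR or the role's own tasks, this is how the snippet above looks once the key lives outside /etc/apt/trusted.gpg.d and is bound to the single NodeSource list via signed-by. It assumes gpg is present on the target (the ansible.builtin.command steps are hypothetical additions), and it only checks the long key ID 0x1655A0AB68576280 quoted in this thread, so the download cannot silently hand you some other key.

```yaml
# Added example: pin the NodeSource key to its own repository entry.
- name: Ensure the dedicated apt keyrings directory exists.
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'

- name: Download the NodeSource signing key (ASCII-armored).
  ansible.builtin.get_url:
    url: https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
    dest: /etc/apt/keyrings/nodesource.asc
    mode: '0644'

# Inspect the downloaded key without importing it anywhere. The colon-separated
# "pub" record carries the long key ID, so a mismatch fails the play before the
# key is ever handed to apt.
- name: Verify the downloaded key is the expected NodeSource key.
  ansible.builtin.command:
    cmd: gpg --show-keys --with-colons /etc/apt/keyrings/nodesource.asc
  register: nodesource_key_info
  changed_when: false
  failed_when: "'1655A0AB68576280' not in nodesource_key_info.stdout"

# Dearmor into a binary keyring; older apt releases only accept binary
# keyrings in signed-by, and "creates" keeps the task idempotent.
- name: Convert the armored key to a binary keyring for signed-by.
  ansible.builtin.command:
    cmd: gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg /etc/apt/keyrings/nodesource.asc
    creates: /etc/apt/keyrings/nodesource.gpg

# Because the keyring is outside trusted.gpg.d, this key can only verify the
# lists that name it in signed-by, not the distribution's own repositories.
- name: Add NodeSource repositories for Node.js, trusted only for this key.
  ansible.builtin.apt_repository:
    repo: "{{ item }} [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main"
    state: present
    filename: nodesource
  loop:
    - deb
    - deb-src
  register: node_repo
```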

guenhter commented 1 year ago

I'll close this MR because I no longer use this role; we install Node now via fnm. If you are still interested, feel free to take these changes and open a new MR.