Add signed APT repo using Puppet

Time: 07-07

I want to install Telegraf using Puppet 6, and I'm finding it really difficult to do so by using the apt module. I'm using the module so I can import the GPG key and add the corresponding source.

My manifest looks something like this:

  # Pulls in the module's defaults, including its own apt-get update exec.
  include apt
 
  # Import the InfluxData signing key into apt's trusted keyrings.
  apt::key { 'influxdata':
    id     => '05CE15085FC09D18E99EFB22684A14CF2582E0C5',
    ensure => 'present',
    source => 'https://repos.influxdata.com/influxdb.key',
  }
 
  # Add the repository; the key hash declares the same key again.
  apt::source { 'influxdata':
    comment  => 'InfluxData repo to download Telegraf agent.',
    location => 'https://repos.influxdata.com/debian',
    release  => 'stable',
    repos    => 'main',
    key      => {
      'id'     => '05CE15085FC09D18E99EFB22684A14CF2582E0C5',
      'source' => 'https://repos.influxdata.com/influxdb.key',
    },
  } ~> exec { "apt-update":
    # Refresh the package index whenever the source file changes.
    command =>  "/usr/bin/apt-get update"
  }
 
  package { 'telegraf':
    ensure  => 'latest',
  }

It seems to be working with no errors, but a quick cat /etc/apt/sources.list.d/influxdata.list shows that the repo is missing the signed-by part:

# This file is managed by Puppet. DO NOT EDIT.
# InfluxData repo to download Telegraf agent.
deb [   ] https://repos.influxdata.com/debian stable main

Ideally, it should be:

deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.gpg] https://repos.influxdata.com/debian stable main

What am I missing?

TIA!

CodePudding user response:

What am I missing?

You are probably missing at least that your repository works (do check), which will confirm that the needed key is in fact installed.

You may be missing that the signed-by option is not needed or intended for marking or using a signed repository. Instead, it is for designating specific key(ring)s to use to verify the repository, as opposed to allowing any of the configured keys to be used.

You appear to be missing that, perhaps unintuitively, apt::source::key is merely a shortcut for declaring an apt::key resource (so yours is redundant with the explicitly declared apt::key). That makes the key available for verifying that repository and others, but it does not limit the repository to being verified via that particular key.

You are surely missing the apt::source::keyring parameter, whose docs specify that it sets the signed-by option on the source.
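A manifest that puts the last point into practice, added here as an example (it is not the poster's manifest and not code from puppetlabs-apt): it fetches the key into a keyring of its own, hands that path to the keyring parameter of apt::source so the source line carries signed-by, and orders the package after the module's own apt-get update run. It assumes a puppetlabs-apt release that accepts keyring on apt::source (the answer above says the docs list it), gnupg installed on the node for gpg --dearmor, and /etc/apt/keyrings/ as the directory for per-repository keys; the resource titles and the file names influxdata.asc / influxdata.gpg are my choices.

```puppet
# Added example, not the original poster's code and not puppetlabs-apt code.
# Assumptions: apt::source supports 'keyring', gnupg is present on the node,
# and /etc/apt/keyrings/ is where per-repository keys are kept.
include apt

file { '/etc/apt/keyrings':
  ensure => directory,
  mode   => '0755',
}

# Fetch the ASCII-armoured key. Puppet's file type accepts https sources,
# so no curl/wget exec is needed for the download itself.
file { '/etc/apt/keyrings/influxdata.asc':
  ensure  => file,
  mode    => '0644',
  source  => 'https://repos.influxdata.com/influxdb.key',
  require => File['/etc/apt/keyrings'],
}

# Convert it to the binary keyring apt will read. The exec only runs when
# the downloaded key changes, so the keyring follows key rotations.
exec { 'dearmor influxdata key':
  command     => '/usr/bin/gpg --batch --yes --dearmor -o /etc/apt/keyrings/influxdata.gpg /etc/apt/keyrings/influxdata.asc',
  refreshonly => true,
  subscribe   => File['/etc/apt/keyrings/influxdata.asc'],
}

# 'keyring' is what emits signed-by=... in the .list file. With it, only
# keys in that file can verify this repository, whatever else is trusted
# under /etc/apt/trusted.gpg.d. No apt::key and no 'key' hash are needed.
apt::source { 'influxdata':
  comment  => 'InfluxData repo to download Telegraf agent.',
  location => 'https://repos.influxdata.com/debian',
  release  => 'stable',
  repos    => 'main',
  keyring  => '/etc/apt/keyrings/influxdata.gpg',
  require  => Exec['dearmor influxdata key'],
}

# apt::source already notifies the module's apt-get update exec; make the
# package wait for that run instead of declaring a second update exec.
package { 'telegraf':
  ensure  => installed,
  require => Class['apt::update'],
}
```

After a run, the generated /etc/apt/sources.list.d/influxdata.list should carry signed-by=/etc/apt/keyrings/influxdata.gpg. To check that the pin actually bites, point keyring at a file holding some other key: apt-get update then rejects the repository with a GPG error instead of accepting it because a matching key happens to exist elsewhere in the trusted set. With the right key, apt-cache policy telegraf lists the InfluxData origin once the index has been fetched.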
