From 1083a5c17fcb0d0a200a3bc77de7f4a64c0b79e7 Mon Sep 17 00:00:00 2001 From: Denys Havrysh Date: Tue, 29 Aug 2017 15:46:17 +0300 Subject: [PATCH] Fix #1137: import GPG key through an HTTP(S) proxy --- bootstrap-salt.sh | 90 ++++++++++++++++++++++++++--------------------- 1 file changed, 49 insertions(+), 41 deletions(-) diff --git a/bootstrap-salt.sh b/bootstrap-salt.sh index dca78ce..19d2b26 100755 --- a/bootstrap-salt.sh +++ b/bootstrap-salt.sh @@ -710,10 +710,24 @@ else SETUP_PY_INSTALL_ARGS="" fi +# Handle the insecure flags +if [ "$_INSECURE_DL" -eq $BS_TRUE ]; then + _CURL_ARGS="${_CURL_ARGS} --insecure" + _FETCH_ARGS="${_FETCH_ARGS} --no-verify-peer" + _GPG_ARGS="${_GPG_ARGS} --keyserver-options no-check-cert" + _WGET_ARGS="${_WGET_ARGS} --no-check-certificate" +else + _GPG_ARGS="${_GPG_ARGS} --keyserver-options ca-cert-file=/etc/ssl/certs/ca-certificates.crt" +fi + # Export the http_proxy configuration to our current environment if [ "${_HTTP_PROXY}" != "" ]; then - export http_proxy="$_HTTP_PROXY" - export https_proxy="$_HTTP_PROXY" + export http_proxy="${_HTTP_PROXY}" + export https_proxy="${_HTTP_PROXY}" + # Using "deprecated" option here, but that appears the only way to make it work. + # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818802 + # and https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1625848 + _GPG_ARGS="${_GPG_ARGS},http-proxy=${_HTTP_PROXY}" fi # Work around for 'Docker + salt-bootstrap failure' https://github.com/saltstack/salt-bootstrap/issues/394 @@ -738,16 +752,6 @@ if [ -d "${_VIRTUALENV_DIR}" ]; then fi -# Handle the insecure flags -if [ "$_INSECURE_DL" -eq $BS_TRUE ]; then - _CURL_ARGS="${_CURL_ARGS} --insecure" - _FETCH_ARGS="${_FETCH_ARGS} --no-verify-peer" - _GPG_ARGS="${_GPG_ARGS} --keyserver-options no-check-cert" - _WGET_ARGS="${_WGET_ARGS} --no-check-certificate" -else - _GPG_ARGS="${_GPG_ARGS} --keyserver-options ca-cert-file=/etc/ssl/certs/ca-certificates.crt" -fi - #--- FUNCTION ------------------------------------------------------------------------------------------------------- # NAME: __fetch_url # DESCRIPTION: Retrieves a URL and writes it to a given path @@ -1730,18 +1734,6 @@ if ([ "${DISTRO_NAME_L}" != "ubuntu" ] && [ $_PIP_ALL -eq $BS_TRUE ]); then exit 1 fi -# Starting from Debian 9 and Ubuntu 16.10, gnupg-curl has been renamed to gnupg1-curl. -GNUPG_CURL="gnupg-curl" -if [ "$DISTRO_NAME_L" = "debian" ]; then - if [ "$DISTRO_MAJOR_VERSION" -gt 8 ]; then - GNUPG_CURL="gnupg1-curl" - fi -elif [ "$DISTRO_NAME_L" = "ubuntu" ]; then - if [ "${DISTRO_VERSION}" = "16.10" ] || [ "$DISTRO_MAJOR_VERSION" -gt 16 ]; then - GNUPG_CURL="gnupg1-curl" - fi -fi - #--- FUNCTION ------------------------------------------------------------------------------------------------------- # NAME: __function_defined @@ -1787,8 +1779,6 @@ __apt_get_upgrade_noinput() { __apt_key_fetch() { url=$1 - __apt_get_install_noinput ${GNUPG_CURL} || return 1 - # shellcheck disable=SC2086 apt-key adv ${_GPG_ARGS} --fetch-keys "$url"; return $? } # ---------- end of function __apt_key_fetch ---------- @@ -2540,7 +2530,6 @@ __enable_universe_repository() { } __install_saltstack_ubuntu_repository() { - # Workaround for latest non-LTS ubuntu if [ "$DISTRO_VERSION" = "16.10" ] || [ "$DISTRO_MAJOR_VERSION" -gt 16 ]; then echowarn "Non-LTS Ubuntu detected, but stable packages requested. Trying packages from latest LTS release. You may experience problems." @@ -2551,15 +2540,27 @@ __install_saltstack_ubuntu_repository() { UBUNTU_CODENAME=$DISTRO_CODENAME fi - # SaltStack's stable Ubuntu repository: - SALTSTACK_UBUNTU_URL="${HTTP_VAL}://${_REPO_URL}/apt/ubuntu/${UBUNTU_VERSION}/${__REPO_ARCH}/${STABLE_REV}" - echo "deb $SALTSTACK_UBUNTU_URL $UBUNTU_CODENAME main" > /etc/apt/sources.list.d/saltstack.list + __PACKAGES='' + + # Install downloader backend for GPG keys fetching + if [ "$DISTRO_VERSION" = "16.10" ] || [ "$DISTRO_MAJOR_VERSION" -gt 16 ]; then + __PACKAGES="${__PACKAGES} gnupg2 dirmngr" + else + __PACKAGES="${__PACKAGES} gnupg-curl" + fi # Make sure https transport is available if [ "$HTTP_VAL" = "https" ] ; then - __apt_get_install_noinput apt-transport-https ca-certificates || return 1 + __PACKAGES="${__PACKAGES} apt-transport-https ca-certificates" fi + # shellcheck disable=SC2086,SC2090 + __apt_get_install_noinput ${__PACKAGES} || return 1 + + # SaltStack's stable Ubuntu repository: + SALTSTACK_UBUNTU_URL="${HTTP_VAL}://${_REPO_URL}/apt/ubuntu/${UBUNTU_VERSION}/${__REPO_ARCH}/${STABLE_REV}" + echo "deb $SALTSTACK_UBUNTU_URL $UBUNTU_CODENAME main" > /etc/apt/sources.list.d/saltstack.list + __apt_key_fetch "$SALTSTACK_UBUNTU_URL/SALTSTACK-GPG-KEY.pub" || return 1 apt-get update @@ -2937,18 +2938,30 @@ __install_saltstack_debian_repository() { DEBIAN_CODENAME="$DISTRO_CODENAME" fi + __PACKAGES='' + + # Install downloader backend for GPG keys fetching + if [ "$DISTRO_MAJOR_VERSION" -ge 9 ]; then + __PACKAGES="${__PACKAGES} gnupg2 dirmngr" + else + __PACKAGES="${__PACKAGES} gnupg-curl" + fi + + # Make sure https transport is available + if [ "$HTTP_VAL" = "https" ] ; then + __PACKAGES="${__PACKAGES} apt-transport-https ca-certificates" + fi + + # shellcheck disable=SC2086,SC2090 + __apt_get_install_noinput ${__PACKAGES} || return 1 + # amd64 is just a part of repository URI, 32-bit pkgs are hosted under the same location SALTSTACK_DEBIAN_URL="${HTTP_VAL}://${_REPO_URL}/apt/debian/${DEBIAN_RELEASE}/${__REPO_ARCH}/${STABLE_REV}" echo "deb $SALTSTACK_DEBIAN_URL $DEBIAN_CODENAME main" > "/etc/apt/sources.list.d/saltstack.list" - if [ "$HTTP_VAL" = "https" ] ; then - __apt_get_install_noinput apt-transport-https ca-certificates || return 1 - fi - __apt_key_fetch "$SALTSTACK_DEBIAN_URL/SALTSTACK-GPG-KEY.pub" || return 1 apt-get update - } install_debian_deps() { @@ -2979,11 +2992,6 @@ install_debian_deps() { # YAML module is used for generating custom master/minion configs __PACKAGES="${__PACKAGES} python-yaml" - # Debian 9 needs the dirmgr package in order to import the GPG key later - if [ "$DISTRO_MAJOR_VERSION" -ge 9 ]; then - __PACKAGES="${__PACKAGES} dirmngr" - fi - # shellcheck disable=SC2086 __apt_get_install_noinput ${__PACKAGES} || return 1