Don't copy cached gpg key file permissions to repo key.

apt requires the key file to be world readable, but cached files are written as 0600.
2025-04-17 10:10:20 +00:00 · 2022-08-27 15:40:26 -07:00 · 2022-08-27 15:40:26 -07:00 · a36bdf14b9
commit a36bdf14b9
parent d0f9c7b051
2 changed files with 11 additions and 10 deletions
--- a/salt/modules/aptpkg.py
+++ b/salt/modules/aptpkg.py
@ -2373,7 +2373,13 @@ def add_repo_key(
    cmd = ["apt-key"]
    kwargs = {}

-    current_repo_keys = get_repo_keys(aptkey=aptkey, keydir=keydir)
+    # If the keyid is provided or determined, check it against the existing
+    # repo key ids to determine whether it needs to be imported.
+    if keyid:
+        for current_keyid in get_repo_keys(aptkey=aptkey, keydir=keydir):
+            if current_keyid[-(len(keyid)) :] == keyid:
+                log.debug("The keyid '%s' already present: %s", keyid, current_keyid)
+                return True

    if path:
        cached_source_path = __salt__["cp.cache_file"](path, saltenv)
@ -2386,7 +2392,9 @@ def add_repo_key(
            key = _decrypt_key(cached_source_path)
            if not key:
                return False
-            cmd = ["cp", key, str(keydir)]
+            key = pathlib.Path(str(key))
+            shutil.copyfile(key, keydir / key.name)
+            return True
        else:
            cmd.extend(["add", cached_source_path])
    elif text:
@ -2427,14 +2435,6 @@ def add_repo_key(
            "{}() takes at least 1 argument (0 given)".format(add_repo_key.__name__)
        )

-    # If the keyid is provided or determined, check it against the existing
-    # repo key ids to determine whether it needs to be imported.
-    if keyid:
-        for current_keyid in current_repo_keys:
-            if current_keyid[-(len(keyid)) :] == keyid:
-                log.debug("The keyid '%s' already present: %s", keyid, current_keyid)
-                return True
-
    cmd_ret = _call_apt(cmd, **kwargs)

    if cmd_ret["retcode"] == 0:
--- a/tests/pytests/functional/modules/test_aptpkg.py
+++ b/tests/pytests/functional/modules/test_aptpkg.py
@ -312,6 +312,7 @@ def test_add_del_repo_key(get_key_file, aptkey):
        keyfile = pathlib.Path("/etc", "apt", "keyrings", get_key_file)
        if not aptkey:
            assert keyfile.is_file()
+            assert oct(keyfile.stat().st_mode)[-3:] == "644"
        query_key = aptpkg.get_repo_keys(aptkey=aptkey)
        assert (
            query_key["0E08A149DE57BFBE"]["uid"]