Recipe for managing apt gpg keys
Note: several apt modules on the Puppet Forge already provide an apt::key resource; the definitions below are a minimal hand-rolled equivalent.
This Puppet definition lets you import PGP keys into apt's keyring from a keyserver, and remove them again.
define apt::key($keyid, $ensure, $keyserver = 'keyserver.ubuntu.com') {
  case $ensure {
    'present': {
      # Fetch the key into root's gpg keyring, then export it into apt's keyring.
      # Pass the full 40-hex fingerprint as $keyid: an 8-hex short ID is not unique,
      # and a keyserver will return whichever key happens to carry it.
      exec { "Import ${keyid} to apt keystore":
        path        => '/bin:/usr/bin',
        environment => 'HOME=/root',
        command     => "gpg --keyserver ${keyserver} --recv-keys ${keyid} && gpg --export --armor ${keyid} | apt-key add -",
        user        => 'root',
        group       => 'root',
        # gpg exits non-zero when the key is not in apt's keyring. Grepping the
        # human-readable `apt-key list` output instead only works when the ID
        # format you pass matches the one that apt-key version prints.
        unless      => "apt-key adv --list-keys ${keyid}",
        logoutput   => on_failure,
      }
    }
    'absent': {
      exec { "Remove ${keyid} from apt keystore":
        path        => '/bin:/usr/bin',
        environment => 'HOME=/root',
        command     => "apt-key del ${keyid}",
        user        => 'root',
        group       => 'root',
        onlyif      => "apt-key adv --list-keys ${keyid}",
      }
    }
    default: {
      fail("Invalid 'ensure' value '${ensure}' for apt::key")
    }
  }
}
You can use this definition as follows:
node mynode {
  # Use the full 40-hex fingerprint as the key ID, not an 8-hex short ID.
  apt::key { 'KEYID':
    ensure => present,
    keyid  => 'KEYID',
  }
  apt::key { 'UNWANTEDKEYID':
    ensure => absent,
    keyid  => 'UNWANTEDKEYID',
  }
}
If you don't want to depend on a public keyserver, you can serve the key files from your own web server and have each node fetch them like this (assuming wget is installed on all your nodes). Serve them over HTTPS: the key you import becomes a trust anchor for every package it signs, so anyone who can tamper with a plain-http download can substitute a key of their own.
define apt::key($ensure, $apt_key_url = 'https://www.example.com/apt/keys') {
  # $name is the key ID; the key file is expected at "$apt_key_url/$name".
  case $ensure {
    'present': {
      exec { "apt-key present ${name}":
        command => "/usr/bin/wget -q ${apt_key_url}/${name} -O - | /usr/bin/apt-key add -",
        # gpg exits non-zero when the key is not in apt's keyring, which is a
        # more reliable test than grepping the human-readable `apt-key list` text.
        unless  => "/usr/bin/apt-key adv --list-keys ${name}",
      }
    }
    'absent': {
      exec { "apt-key absent ${name}":
        command => "/usr/bin/apt-key del ${name}",
        onlyif  => "/usr/bin/apt-key adv --list-keys ${name}",
      }
    }
    default: {
      fail("Invalid 'ensure' value '${ensure}' for apt::key")
    }
  }
}
Notes:
- For some repositories the URL already names a single key file; then command => "/usr/bin/wget -q $apt_key_url -O - | /usr/bin/apt-key add -" (without the /$name) is enough.
- After adding a key with this define, make sure an apt-get update is run (for example by having the update exec require the apt::key resource) before packages from that repository are installed: apt verifies the repository's Release signature when it fetches the index, so the key has to be in place before the next update.
- Alternatively, copy the key to the node with a file resource first and import it from the local path.
- apt-key, which this recipe relies on, is deprecated on current Debian and Ubuntu releases. There, keys go under /etc/apt/keyrings (or /etc/apt/trusted.gpg.d) and are bound to a single repository with the signed-by option, so a repository's key can only vouch for that repository.
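Both defines above identify a key by whatever ID string is passed in when they decide whether apt-key add still needs to run. The following is an added example, not code from the original recipe, of the stricter check a practitioner would want in that unless/onlyif: it matches the key's full 40-hex fingerprint in gpg's machine-readable output and refuses short or long key IDs, which are not unique and cannot serve as a pin. It assumes only a POSIX shell with awk, sed and grep; the listing it parses is a constructed sample of what apt-key adv --list-keys --with-colons --fingerprint prints, and the fingerprints in it are made up.

```shell
#!/bin/sh
# Added example, not part of the original recipe: an idempotence check that
# matches a key's FULL fingerprint in gpg's colon-separated output instead of
# grepping the human-readable `apt-key list` text for an ID substring.

# Constructed sample of `apt-key adv --list-keys --with-colons --fingerprint`
# for a keyring holding two keys. Field 5 of a "pub" record is the 16-hex
# key ID; field 10 of an "fpr" record is the 40-hex fingerprint.
SAMPLE_LISTING='tru::1:1600000000:0:3:1:5
pub:-:4096:1:1122334455667788:1500000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF012345671122334455667788:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Repo Signing Key <repo@example.com>::::::::::0:
pub:-:4096:1:99AABBCCDDEE0011:1500000000::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9899AABBCCDDEE0011:
uid:-::::1500000000::0000000000000000000000000000000000000000::Another Repo <other@example.org>::::::::::0:'

# Normalise a fingerprint the way people paste it: drop spaces and an
# optional 0x prefix, fold hex digits to upper case.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# key_present LISTING FINGERPRINT
# Exit 0 if an "fpr" record carries exactly this 40-hex fingerprint, 1 if
# not, 2 if the argument is not a full fingerprint (an 8- or 16-hex key ID
# is rejected on purpose: it is not unique, so it cannot pin a key).
key_present() {
  want=$(normalize_fpr "$2")
  case "$want" in
    ''|*[!0-9A-F]*) return 2 ;;
  esac
  [ "${#want}" -eq 40 ] || return 2
  printf '%s\n' "$1" | awk -F: -v want="$want" \
    '$1 == "fpr" && toupper($10) == want { found = 1 } END { exit !found }'
}

# The check the recipe's `unless` performs, kept for comparison: any line
# containing the substring counts as a hit, whichever key or uid it is in.
substring_present() {
  printf '%s\n' "$1" | grep -q -- "$2"
}

# Usage, as the exec in the define would use it: decide whether to import.
TRUSTED_FPR='0123 4567 89AB CDEF 0123 4567 1122 3344 5566 7788'
if key_present "$SAMPLE_LISTING" "$TRUSTED_FPR"; then
  echo "trusted key already in apt keyring: nothing to do"
else
  echo "trusted key missing: this is where apt-key add would run"
fi
```

On a live node, replace SAMPLE_LISTING with the real output of apt-key adv --list-keys --with-colons --fingerprint and wire key_present into the exec's unless (or, for the absent case, onlyif); the awk invocation can be dropped straight into the Puppet string once its quotes are escaped. The check deliberately returns a distinct status (2) for a malformed or short argument so that a typo in the fingerprint fails loudly instead of silently re-importing the key on every run.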