Recipe for managing apt gpg keys

This Puppet definition lets you import PGP keys into apt, or remove them again.

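# Import a PGP key into apt's trusted keyring (ensure => present) or
# remove it from there (ensure => absent).
#
# $keyid     - the key ID to fetch from $keyserver and import/remove.
#              NOTE(review): a short (8 hex digit) ID does not uniquely
#              identify a key; pass the full fingerprint so that the key
#              imported is the intended one and the grep used in
#              "unless"/"onlyif" does not match an unrelated line of
#              "apt-key list".
# $ensure    - present or absent; any other value fails the catalog.
# $keyserver - server the key is fetched from (default keyserver.ubuntu.com).
#              NOTE(review): keyserver lookups are not authenticated, so the
#              retrieved key should be checked against a fingerprint you
#              already trust before relying on it.
#
# Both execs run as root. $keyid and $keyserver are single-quoted inside the
# command strings so that shell metacharacters in a caller-supplied value are
# not interpreted by the shell.
define apt::key($keyid, $ensure, $keyserver = "keyserver.ubuntu.com") {
        case $ensure {
                present: {
                        exec { "Import $keyid to apt keystore":
                                path        => "/bin:/usr/bin",
                                environment => "HOME=/root",
                                # fetch into root's gpg keyring, then hand the armored key to apt
                                command     => "gpg --keyserver '${keyserver}' --recv-keys '${keyid}' && gpg --export --armor '${keyid}' | apt-key add -",
                                user        => "root",
                                group       => "root",
                                # skip the import when the key is already listed by apt
                                unless      => "apt-key list | grep '${keyid}'",
                                logoutput   => on_failure,
                        }
                }
                absent:  {
                        exec { "Remove $keyid from apt keystore":
                                path        => "/bin:/usr/bin",
                                environment => "HOME=/root",
                                command     => "apt-key del '${keyid}'",
                                user        => "root",
                                group       => "root",
                                # only attempt removal when the key is actually listed
                                onlyif      => "apt-key list | grep '${keyid}'",
                        }
                }
                default: {
                        fail "Invalid 'ensure' value '$ensure' for apt::key"
                }
        }
}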

You can use this definition as follows (KEYID and UNWANTEDKEYID stand for real key IDs):

# Example usage: KEYID and UNWANTEDKEYID are placeholders for real key IDs.
node mynode {
        # keep this key in apt's trusted keyring
        apt::key { "KEYID":
                ensure => present,
                keyid  => "KEYID",
        }
        # and make sure this one is removed
        apt::key { "UNWANTEDKEYID":
                ensure => absent,
                keyid  => "UNWANTEDKEYID",
        }
}

If you don’t want to publish your keys on a public keyserver, you can instead place them on your own web server and use the following definition (this assumes that wget is installed on all your nodes):

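# Variant of apt::key that fetches the key file named after the resource
# title ($name) from a web server instead of a keyserver.
#
# $ensure      - "present" or "absent"; any other value fails the catalog.
# $apt_key_url - base URL the key is downloaded from; the key file is
#                expected at $apt_key_url/$name.
#
# NOTE(review): with the default http:// URL the key is trusted purely on
# the basis of the transport; serve the keys over HTTPS or verify the
# fingerprint of what wget returns before it reaches "apt-key add".
# $apt_key_url and $name are single-quoted inside the command strings so
# that shell metacharacters in a title are not interpreted by the shell.
define apt::key($ensure, $apt_key_url = "http://www.example.com/apt/keys") {
        case $ensure {
                "present": {
                        exec { "apt-key present $name":
                                # download the key and pipe it straight into apt
                                command => "/usr/bin/wget -q '${apt_key_url}/${name}' -O -|/usr/bin/apt-key add -",
                                # grep -c exits 0 only when at least one line matches
                                unless  => "/usr/bin/apt-key list|/bin/grep -c '${name}'",
                        }
                }
                "absent": {
                        exec { "apt-key absent $name":
                                command => "/usr/bin/apt-key del '${name}'",
                                # only attempt removal when the key is listed
                                onlyif  => "/usr/bin/apt-key list|/bin/grep -c '${name}'",
                        }
                }
                default: {
                        fail "Invalid 'ensure' value '$ensure' for apt::key"
                }
        }
}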

Notes:

  • For some repos, just `command => "/usr/bin/wget -q $apt_key_url -O -|/usr/bin/apt-key add -",` is enough (without the `/$name`).
  • After you add a key with this define, make sure an ‘apt-get update’ is run afterwards (for example by having the update exec require the apt::key resource).

Alternatively, you could copy the key to the node with a Puppet file resource before importing it into apt.