From 5a096f370583547c6e038e611fde11fa672ccdc8 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Fri, 2 Aug 2019 19:00:36 +0000 Subject: [PATCH] Re-add the Debian 8/jessie key to reprepro Because of a limitation in GnuPG we need to have the Jessie archive signing key in the list of VerifyRelease key IDs for the Debian reprepro mirror. Also some suites (currently buster-backports) are signed by a subkey of an archive signing key, so add the "+" suffix to all these key IDs indicating subkey signatures are also allowed. As always, Debian signing keys are published and available here: https://ftp-master.debian.org/keys.html Change-Id: Iedce38318718a18ace7b2c638755a7d7d4dcd69b --- .../reprepro/debian-jessie-mirror-gpg-key.asc | 112 ++++++++++++++++++ .../files/reprepro/debuntu-updates | 2 +- .../manifests/mirror_update.pp | 12 ++ 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 modules/openstack_project/files/reprepro/debian-jessie-mirror-gpg-key.asc diff --git a/modules/openstack_project/files/reprepro/debian-jessie-mirror-gpg-key.asc b/modules/openstack_project/files/reprepro/debian-jessie-mirror-gpg-key.asc new file mode 100644 index 0000000000..63c6af1981 --- /dev/null +++ b/modules/openstack_project/files/reprepro/debian-jessie-mirror-gpg-key.asc 
@@ -0,0 +1,112 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFRvqBkBEADAe63Jl0pw5Ry9LDwn31BJSBat+2WYJXT4Iqsgtmm79drvAcVU +JjtGZX11XdJj/aIVxeafghYxVj4Ld+yxiB25GAcxGr5O3Acv7DOlBQnqFZ7jvZUd +qwSCpsoDoBt5rX+FlHl/NB8VGjpS0cgC+wuSrLRW6Qux0/tn2Dow7KzB5B7YvaCi +ChF2M7ZPJhhp5QGoI+ucEwSJ/NIeOguZWiOEl+Tbglz5YTHuVjZViNIX4Xdw+N7l +1//oR8k/GEWuVU4dFsWmc6UCEClCotYHXoPHHGJpIUDBMk3sU5v3ULjKcIDkHOHX +qu91lk9OEdteieWS6npsuyy2pOOgRgXKxi1mAc7jPTLejT2GTCoUl6anP6/MbMdC +uMww1TadVaVTnw7zxW0t/uQ97wr1YtwnB6mLdfgCbUTtXMoFdijGJx+k/qb4cmmr +hPBXn5frUdwA3He6x5gkGINxy6scHhwYXpLuvpgf6WCOMRQ7afeKokHN1ctnnKCr +LJbV/Y8wkWI62O0XkqqfFyaz0fhhnaoEbMjksWYo86GeAtZysrw0MwZfANf9/l5E +GfUZIAQNiMIsGjNmyc+pSyzbBQoaJpQOdzER7z6ywzUETLQp2TRIUg2BvDkLPzLJ +Lun4KdChr8TKHoq3EtiV0hIAeGDD173b5x8Mukb2DSyvzc2vPorqRyqawQARAQAB +iQI3BB8BCAAhBQJUc6aAFwyAATCZEb6pZtBhMFMEVxG05f8VsP2CAgcAAAoJEHY4 +0EQrkNAQQt0P/1jWfbtfR0A7WUChOPHWCNZ+rm8PdBpY4FnRS4hbrBHJdVJnMAIZ +J2Ys+5Uj9/xzMLYmrK8ObktUBBegrLTzkrS8B1OsvFJE7jSzoIxRZtYVMcsN2ADK +j0dz1a9AMaKf8xtnJBTxD6af8leb50FnR8iUV0ZPVD5zG3J49T2DmhkhFwgaU4fV +Y2Padtmp65CNdH2YUgPE9nCKU8tMVeVftFWfVBJRkmvwFkPaWy822IqTFkLWpNoS +L+DCxDN0WKPbBfD+7vEaKHfAA18MCF5d064FupUn7m61b969Ntie0UwoUjzooW7O +IgNH0mpwrVNwQMa0DPdr8zPQRX9mIgg5ZEz6SSi5KKZGK0PkOnx50fiAUwhaQ/Wo +SsZesmMauOokxzZMBkzp4QiSWOy3ctcEuAVSjg3Zb1kRkiRSyRZvzL57EET4W5t5 +d35GuPyF07D5cOsD5EU368ACfIrJtUPRDHjOpV0E29kav65eHmYcGJW59wCnaCOF +UVwFoRcLPkcYQCE3XoWoGFOI9yCkYS1LEzyDKLrtrBJZ5rUGTQXA2A9RfXxwrJgn +jq+jmRuce5C2eYvHRNMrj9AsHGC23nj45pxLCHiRJO0hWcsnkFgWoEx5I6mcn1sI +0FBpI2qc9CJ9/+GKDUbjYoaZYUbT+OFIRqGWLtPE5BakbTL/8QO8JD4UiQI3BB8B +CAAhBQJUc6ZhFwyAAfv6vbVBtdyVW9m6btsWz1uxJSXEAgcAAAoJEHY40EQrkNAQ +hU4QAJVHgI4Tu//AmYrXUJQkVPqqLJojpRdXlyBSbUy6BMk+K4JjAG+drMeu4/CX +VXpX86EoA1u7VOZpSqAHFlWFnLZQRLjdLElW4Obi0O3TgHCrFcg3J9JxjxlX6jUn +eok6z1zPpWiKEV4UYuiBuRNhWCJW3T80ZUaR+CxRSI/f3vw74CkFAGAYhZW99lI1 +gMAcozlVK+Z8JWH/QPFDRBy/n0Lk9FXfX95GtLE3JUBGoeBHt9Nn0kRck8daQttb +rASt2IqRIuJJCHn5QGSgqmtf6tXkF8n1BjZ+m6svMWj6BmELIo2mHE8y8v5Ax0QS 
+/SrVKQ6qh4oD3W6H9Y4TCF0yAAvSBkcrWzNw/ItUrWWJqDMP00n6WvYPxYKO6QaW +OOpikRWELTOpuVV/yGEqG2/xgrNtIAlGMamhhct5AFCv9/lniqyXilMaEOECw2Sd +SPnAaiBvxGqBMNt2T4KjQSvoMWaFD2SoRv+zZHAyt2GJ9QMSQn9imL8TNH7OajTy +B+5MJs5pWN4l1jv6T1pmIH2hqN5exmr/SvcYLiaMV9bus6C0QYk5THa2gQeQQBor +b6FoeXtWFyT9EF/R4/MY0DvflZAVsBO8d+5L6X7boVobef6TMPkNFzvQrtIz/KHX +vVlGf80KiL+jH/ZOwljXH/gsldbwZxM/mTFK7mscsdWp9+/1iQI3BB8BCAAhBQJU +c6YzFwyAAYDpdvFKUIpI6co/6bw3IlLKHPlkAgcAAAoJEHY40EQrkNAQNccP/jF5 +PrHhRZRbPBiXcYCBpceUUSmkd9nw0MKhL1MpqiQFF0izptt6etsA1esy2oXl+lAy +wQfCFGXIu51CHXqJpAEnv0MNqhExLZTW1GjoBNGB7iPJdtDlGfk9eamWqNZ7F4Ry +TkppqLFT7tOrWW3pnPP9wgTwdu+qw4eC5T1DIDPNYnXZ/dcSIzYS9t6H8HxROJvG +0pnXKmUWn6EiASv6eEBbKC9lNnC1S1IqwELDV6fSjDqqAz88MRdM1vqlmp1Oa1Gq +egPvIziuAUCP2XpMvGLf67CL4D5v4w9p8zLfNnK3G/s12S+l+KalSlmufdbcyveV +DD38bVjtLSwXoNQOG6GK+NvNlQGjsvRa8eQhVjCRtFTitH63V6rDc7cuc+EFqrTI +ut37qD0fQMlxb2WF0VXg8vQqpuchFYbiYneH9vADGr0LG7cFNKurEYgjsY+f8DJk +PoNHkt7rLzmBX8wfhMDsIwoQgscNEQTRwyQYnUAHUyU9rcVqE8puwLgy49bp2QXl +079YO7s8vdHk7n5RbK93tADuSHMYY1bbhPP8dMCiuK35oDQmSOzAURZx0C5XSGkm +5gnlFCYNoirO3xEdh9C2Eu0JvcKBE5aPw1xNBLZml75jP3WdJpnR+bsQjCSofMRX +FERt5unDXn0zNpaP1+czDKTxperLK09QyEhRKbtOtEZEZWJpYW4gQXJjaGl2ZSBB +dXRvbWF0aWMgU2lnbmluZyBLZXkgKDgvamVzc2llKSA8ZnRwbWFzdGVyQGRlYmlh +bi5vcmc+iQI+BBMBCAAoBQJUb6gZAhsDBQkPCZwABgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgAAKCRB2ONBEK5DQEC6aD/9zdJeMq2ouH+DE7sev5l9w6dQueAckjr6w +v3V431pkjwJtm/vF+Q0bTEcsjNE84DQ76xKLpZzZ90WR9QseNUSuo0XQfyshw99m +0lyyomyMvcMQv2BYu/MyPp9Vv1HuMVb/qpDhBfhJtHXE3XIhcbhvvsKaA0a0WJyy +c5+KIFbT4MzOwSEySm1q2BAlQ4QoAvbXxzCM4SFfwCwLm7SgM+k3vPXUsIwFaMG6 +fruG3Jd5DJBy7dWJiIV8Z49DSLbUNggTa2sXMcI3v7hKEX3/XBjCQ83yGywfXxR3 +HqcgWuhtmmIAJE8FCXeekJZY6UYTm+fIxrds8uz5vUI8dqMVOYRERNFx14Hb4FaO +Ri+ySANaMXt7CqlcbM4kwr0EK9NJ3ft7q63OL70DxhqMBC8NinsR0CC7ivBvnvaL +pQLb31zDE+kyyiNgrMauNrQsr/JusI/olVdNiygrXFre7lhUVO4iOMOdPWxYZGyZ +6qxiaXYpu13jN/gzO9a8rdbIwN2DzVzMmFzYc3XfE46v//t1SuQPbNttLu7t3iHG +ne23WEd5/XaQKVhhVrnRBavqMjtJl6tGJqIpX91rQ+w2TDaKFFVSWuLsClQLX/vU 
+r1X7aL9roEDEqn3OcXYh+tuZHRjBpQDc4wyxdnQFn+7cipwHAh1v7ZziPAhsqA4a +fZxOvoTcr4kCHAQQAQgABgUCVG+rPQAKCRCLSK1iRpJVUyNoD/451GSQa3fu/go8 +PUDtZH+ym6OgAwW7epLY0wl4SS1LeFEhZJjA7qaJ2zMc85BEjNhzn4gdxChaN/Yf +c33mBXKjhTQQJfkG0FoZa/08qzET/Wt2y4nSX4gL8cd6nWw79a/YsOxRqdCFDIzb +foZpGOdy/RyFx3QpTN7PF4ZNOK4cW6dPSDjRQKn1uP0q0XuHrUoELqHKNOHB1Z9Q +Uwm36mE4lDQU/AX7UerZjxLXEbyxT73Pu+tey1S1cd0VVpXCl84DOijSvcHyf7gH +X4JKVKe6hwP030tvxilAOBp2gfNAs7zGlDsPY3RVaV99EP5jf8MiHKFWKQPR/orv +geHWYFz5tRLi3Shl/EwSYt6DqAj59cg8k+KDfsk03lrMxKqBNSZ+Onr7Di9qYEUe +DIfZIHaqrYFqAFSvSEACSKoJfWcNuoroWMZfktxAxw9BeYQ/S7G4jg1/JFml/poS +2sdsIx3PoLgJyrWkeniELH91HZoqJwOaul1p7nYr5ZqR/wxmlYSoD102Ewn7TWLV +xnsL8IG1wdy8Q00sT2NeObFxkAJGyjoptZnwo/d3Cqki9xZo4DPUyktoINWq0v7T +eaB2gWFI8SZ3RFUUvXupnFfS5yYM/bIlVDTtJPFHuTak8nt/YCeZc1Kjxn8Jx/eA +zLAlINzpKnRAUA7RSO5Z01CNO//jBIkCHAQQAQoABgUCVG+vbgAKCRC8NyJSyhz5 +ZNbbEACAlkzTwAgg4RUr742fyzfUXA0BEBdDHGyzm9M5cdVu7XxAgjQ7wWqXMHX+ +ocXxAEZEbEUWS6WcqqDOQtOwgq4TL+St/jnVpk+I+LJwAm1VTuXS7FfBxEa/q5Sp +LMKrnh6tl7ZTIvdDquIZWqiJmV7NbgP3sMPH4mhxX0tkFnb78MdoT5geBYRxOYpn +5eNdpoXvqak10oQqWVBQKWE6HziOaUv5PLhES9F765TyKZDACU/9mblSCGVAEIrO +ENtjaC8tlE8B6JZZOZgE2sbbSFyyjRF1MoQ4au6m+rh+GhKDcb0eH2fVgIS1qzOL +fjoHsgIgLTGwuJOptKyLQBmbexHLYEtmqx7Eu8oTTAupuP9UM0/qY3DD3/PAqRED +V/mXd1Q9uMHNtc+fR2mfXnJoD1kz/ujZiL2lvIqjq2Qiah9D/zINUNhWN9g2iRx3 +OHRiLswBTpTwG9q7WylJs3OLOIGQkvCVf6qENCFCgj95HUhu4f5IKQmcGNS7afm3 +ZbO665JijnAZB9P0izVvnvFDrDg3fsvvT8Cm52aaNbIjBufONFroUHNhcrPmbBTo +RrbYygz/+tl2T2R7vyfcKNhTKSiucIUevWGaWILsejmfE/XrzNrygPgF7O6WiytV +JNQxnsW4p44mdPbz8h98K9ffudOK3kFmuZWBTVOI1DIqFqQp3okCHAQQAQgABgUC +VHHhnAAKCRARtOX/FbD9giWID/9wYtDp/HLqY7SVs+nQLXA8hNvU64KLVCIncw9n +xNj7JEJD1CyrhHd1eagaPSlQ8Eglkbw058QVAb0hYc4XD/h0DRZntYGTMBlo3DZM +0+8WCYNKgIKT96gn2MRG5+UvodzYNcwGGbWmqsZIaPA+TCr57tu9tI7qZ40Ep1nS +C48gYh9e+ovYx+AxKsXUaR3D/vNj6eMr6XwnuoTaC6xe4764nRtt7a+eiIz48+ov +mHh+G6707cq6r2CKme2ZVCGe/6TvESilEaG9LTZTFrpTix58w9vJClOlKA3Lt6/D +A/YePlHbAsW6qMZ6EdMo1YDlIGDshFsmc9EIMgwpKMSsUUtS5GveVqdRym34AMs6 
+QEWZkSwqifU/ICycr5+0EO9fubolApmEFB/6XkEBbhNKorAjpVlvIpNQdFd1lPVD +wgEu1Ab6vvaYfuNfJOkn8Z4+fkcpIi5ABMVbzZv7DHyUg0CJpY9dDw3L2XQKqx3n +RjQpn8NDo0cfOhHytgO3E0/ejWhhwYQThIm8YOiF44uUUaHYXOcydBLXyssp37VC +di9ii63tXvbOEXhi7F/RFsUfasPdZqt2VrXnvouXK6OT+sacykAeae0d0tOODORm +DnNwKSS8DBWB1PK682lc4je1ni2xNOdxqgXusE03Bi1i0gBxEbDCyGdIVAqfCZdB +m3R99YkCSwQQAQgANQUCVHTyOQcac3RyaW5nJhpodHRwOi8vZ3BnLmdhbm5lZmYu +ZGUvcG9saWN5LnR4dF92MS4zAAoJENsWz1uxJSXEjUYQAI+NzGxxCTZ7jXyFL7Lc +vIavmDt3+hUm4txfA/kxhTfwIDXZkdSIAU99GnpKsgTGPFujjt2ZvGb+F6M41ddz +b+2E/1B+fD/mHhlQNywgHEiebFOiAq7AubEjUHAQshtMEyKvCoi/0fr135CJbi+T +L2OmYOtRvhdPf8aC6wcQ2ihlb66asJsMoQsT2VgUBBndxZbLB3U+uS9QW9hzm2eq +lrym72ojiTFy5LFbvxHPiYStoxLuIvjCufsKbBhhL5e5LE/IFdL+1tqz368BXaPv +JpGOjkSSLPCsZq7ln+6aS804rypi1Ef8awz6zuWLuHwMjJZZWyTQkfEjUj4UAvGk +FsNNErZqLlHk1E+jrEBjhscKEtH72p0eCIdF0S4WDSroWX4ya4QXbajYz+vQUH3W +HxlinJ0JND5cVmsvRBgIwYyt5qwdpsVpTllJO7qc7HGBNJb/k1FNDqW8cBhHmtnf +mGgUv2Ust8hjK7/JH+FTP4mVA2FrKwf9KvkkUHmihNuAPZA3juJE1XrzaJaES8Ep +KF5wfRe4WGw9wTjcieZX1q9cS++FD7wmCmScXFSdK7rREWDsY7wPoHjR6QWWtS3S +oNSlnmSOz6WhxNfTed7vIUnhTJGkwqhS4ZNlphGMlLYs6iVt6EhYqiHKYsnzftKy +3rRmtFrJQ50iIcnJX8TjzB9e +=2Gih +-----END PGP PUBLIC KEY BLOCK----- diff --git a/modules/openstack_project/files/reprepro/debuntu-updates b/modules/openstack_project/files/reprepro/debuntu-updates index 63985bd13a..a280909a6b 100644 --- a/modules/openstack_project/files/reprepro/debuntu-updates +++ b/modules/openstack_project/files/reprepro/debuntu-updates @@ -36,4 +36,4 @@ Components: main UDebComponents: main Architectures: amd64 arm64 source GetInRelease: no -VerifyRelease: E0B11894F66AEC98|DC30D7C23CBBABEE +VerifyRelease: 7638D0442B90D010+|E0B11894F66AEC98+|DC30D7C23CBBABEE+ diff --git a/modules/openstack_project/manifests/mirror_update.pp b/modules/openstack_project/manifests/mirror_update.pp index 3b763352f4..7cd0e7fe0b 100644 --- a/modules/openstack_project/manifests/mirror_update.pp +++ b/modules/openstack_project/manifests/mirror_update.pp 
@@ -81,6 +81,18 @@ class openstack_project::mirror_update ( ] } + # This key is included as a workaround, as GnuPG (at least the version on + # Xenial) and so by extension reprepro is unable to parse multi-signature + # Release files so only sees the first one it encounters, which in the case + # of the Stretch archive is the Jessie archive signing key. + gnupg_key { 'Debian 8/jessie Archive': + ensure => present, + key_id => '7638D0442B90D010', + user => 'root', + key_source => 'puppet:///modules/openstack_project/reprepro/debian-jessie-mirror-gpg-key.asc', + key_type => 'public', + } + gnupg_key { 'Debian 9/stretch Archive': ensure => present, key_id => 'E0B11894F66AEC98',
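Review bot: In the new debian-jessie-mirror-gpg-key.asc hunk, nothing in the change lets a reviewer confirm that the armored block is the published Jessie archive signing key. The commit message links to https://ftp-master.debian.org/keys.html, but only the 64-bit ID 7638D0442B90D010 appears alongside the file. Please record the key's full fingerprint in the commit message or in the comment above the gnupg_key resource, so the imported file can be checked against the published value; a full fingerprint is a stronger comparison than a 64-bit key ID.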
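Review bot: In the debuntu-updates hunk, the new VerifyRelease line puts the "+" suffix on all three key IDs, while the commit message names only buster-backports as being signed by a subkey. Because the IDs are joined with "|", a valid signature from any one of them is sufficient, so this line both makes the Jessie key an acceptable sole signer for this update rule and accepts subkey signatures for every listed key. Consider limiting "+" to the key that needs it, or add a comment above the line saying why all three carry it and that 7638D0442B90D010 is listed only because of the GnuPG limitation, so it can be dropped later.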
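Review bot: In the mirror_update.pp hunk, the comment above the new gnupg_key resource explains why the Jessie key is needed but not when it can be removed. Please state the removal condition (for example, once the mirror host no longer uses the Xenial GnuPG, or once the Stretch Release file is no longer signed first by the Jessie key), so the extra trusted key does not stay in the root keyring indefinitely. As a style point, the comment is a single run-on sentence; ending the first sentence after "Release files" and starting a new one would read more clearly.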