Revert "Trust new signing key (#754)"

This reverts commit 7da5879.
DataDog · Nov 25, 2020 · 20c85e0 · 20c85e0
1 parent fe82910
commit 20c85e0
Show file tree

Hide file tree

Showing 9 changed files with 63 additions and 215 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -167,10 +167,9 @@
 # Only applies if specific version specified
 default['datadog']['windows_agent_installer_prefix'] = nil
 
-# Location of additional rpm gpg keys to import. In the future the rpm packages
+# Location of additional rpm gpgkey to import (with signature `e09422b3`). In the future the rpm packages
 # of the Agent will be signed with this key.
-default['datadog']['yumrepo_gpgkey_new_e09422b3'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
-default['datadog']['yumrepo_gpgkey_new_fd4bf915'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"
+default['datadog']['yumrepo_gpgkey_new'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
 
 # Windows Agent Blacklist
 # Attribute to enforce silent failures on agent installs when attempting to install a

diff --git a/recipes/repository.rb b/recipes/repository.rb
@@ -26,22 +26,6 @@
 
 agent_major_version = Chef::Datadog.agent_major_version(node)
 
-# A2923DFF56EDA6E76E55E492D3A80E30382E94DE expires in 2022
-# D75CEA17048B9ACBF186794B32637D44F14F620E expires in 2032
-apt_gpg_keys = ['A2923DFF56EDA6E76E55E492D3A80E30382E94DE', 'D75CEA17048B9ACBF186794B32637D44F14F620E']
-
-# DATADOG_RPM_KEY_E09422B3.public expires in 2022
-# DATADOG_RPM_KEY_20200908.public expires in 2024
-rpm_gpg_keys = [['DATADOG_RPM_KEY_E09422B3.public', 'e09422b3', 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3'],
-                ['DATADOG_RPM_KEY_20200908.public', 'fd4bf915', 'C655 9B69 0CA8 82F0 23BD  F3F6 3F4D 1729 FD4B F915']]
-
-# Local file name of the key
-rpm_gpg_keys_name = 0
-# Short fingerprint for rpm commands, used in "rpm -q gpg-pubkey-*" and node['datadog']["yumrepo_gpgkey_new_*"]
-rpm_gpg_keys_short_fingerprint = 1
-# Space delimited full fingerprint
-rpm_gpg_keys_full_fingerprint = 2
-
 case node['platform_family']
 when 'debian'
   apt_update 'update'
@@ -64,17 +48,15 @@
 
   retries = node['datadog']['aptrepo_retries']
   keyserver = node['datadog']['aptrepo_use_backup_keyserver'] ? node['datadog']['aptrepo_backup_keyserver'] : node['datadog']['aptrepo_keyserver']
-  # Add APT repositories
-  apt_gpg_keys.each do |apt_gpg_key|
-    apt_repository "datadog_apt_#{apt_gpg_key}" do
-      keyserver keyserver
-      key apt_gpg_key
-      uri node['datadog']['aptrepo']
-      distribution node['datadog']['aptrepo_dist']
-      components components
-      action :add
-      retries retries
-    end
+  # Add APT repository
+  apt_repository 'datadog' do
+    keyserver keyserver
+    key 'A2923DFF56EDA6E76E55E492D3A80E30382E94DE'
+    uri node['datadog']['aptrepo']
+    distribution node['datadog']['aptrepo_dist']
+    components components
+    action :add
+    retries retries
   end
 
   # Previous versions of the cookbook could create this repo file, make sure we remove it now
@@ -83,31 +65,26 @@
   end
 when 'rhel', 'fedora', 'amazon'
   # Import new RPM key
-  rpm_gpg_keys.each do |rpm_gpg_key|
-    next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
-
+  if node['datadog']['yumrepo_gpgkey_new']
     # gnupg is required to check the downloaded key's fingerprint
     package 'gnupg' do
       action :install
       only_if { node['packages']['gnupg2'].nil? }
     end
 
     # Download new RPM key
-    key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
-    remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do
+    key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY_E09422B3.public')
+    remote_file 'DATADOG_RPM_KEY_E09422B3.public' do
       path key_local_path
-      source node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
-      not_if "rpm -q gpg-pubkey-#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" # (key already imported)
-      notifies :run, "execute[rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}]", :immediately
+      source node['datadog']['yumrepo_gpgkey_new']
+      not_if 'rpm -q gpg-pubkey-e09422b3' # (key already imported)
+      notifies :run, 'execute[rpm-import datadog key e09422b3]', :immediately
     end
 
-    # The fingerprint string has spaces in it, calculate one without space here
-    gpg_key_fingerprint_without_space = rpm_gpg_key[rpm_gpg_keys_full_fingerprint].delete(' ')
-
     # Import key if fingerprint matches
-    execute "rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" do
+    execute 'rpm-import datadog key e09422b3' do
       command "rpm --import #{key_local_path}"
-      only_if "gpg --dry-run --quiet --with-fingerprint #{key_local_path} | grep '#{rpm_gpg_key[rpm_gpg_keys_full_fingerprint]}' || gpg --dry-run --import --import-options import-show #{key_local_path} | grep '#{gpg_key_fingerprint_without_space}'"
+      only_if "gpg --dry-run --quiet --with-fingerprint #{key_local_path} | grep 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3' || gpg --dry-run --import --import-options import-show #{key_local_path} | grep 'A4C0B90D7443CF6E4E8AA341F1068E14E09422B3'"
       action :nothing
     end
   end
@@ -128,51 +105,36 @@
   end
 
   # Add YUM repository
-  yumrepo_gpgkeys = []
-  if agent_major_version < 7
-    yumrepo_gpgkeys.push(node['datadog']['yumrepo_gpgkey'])
-  else
-    rpm_gpg_keys.each do |rpm_gpg_key|
-      yumrepo_gpgkeys.push(node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"])
-    end
-  end
-
   yum_repository 'datadog' do
     description 'datadog'
     baseurl baseurl
     proxy node['datadog']['yumrepo_proxy']
     proxy_username node['datadog']['yumrepo_proxy_username']
     proxy_password node['datadog']['yumrepo_proxy_password']
-    gpgkey yumrepo_gpgkeys
+    gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']['yumrepo_gpgkey_new']
     gpgcheck true
     action :create
   end
 when 'suse'
   # Import new RPM key
-  rpm_gpg_keys.each do |rpm_gpg_key|
-    next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
-
+  if node['datadog']['yumrepo_gpgkey_new']
     # Download new RPM key
-    new_key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
-    remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do
+    new_key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY_E09422B3.public')
+    remote_file 'DATADOG_RPM_KEY_E09422B3.public' do
       path new_key_local_path
-      source node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
-      not_if "rpm -q gpg-pubkey-#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" # (key already imported)
-      notifies :run, "execute[rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}]", :immediately
+      source node['datadog']['yumrepo_gpgkey_new']
+      not_if 'rpm -q gpg-pubkey-e09422b3' # (key already imported)
+      notifies :run, 'execute[rpm-import datadog key e09422b3]', :immediately
     end
 
-    # The fingerprint string has spaces in it, calculate one without space here
-    gpg_key_fingerprint_without_space = rpm_gpg_key[rpm_gpg_keys_full_fingerprint].delete(' ')
-
     # Import key if fingerprint matches
-    execute "rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" do
+    execute 'rpm-import datadog key e09422b3' do
       command "rpm --import #{new_key_local_path}"
-      only_if "gpg --dry-run --quiet --with-fingerprint #{new_key_local_path} | grep '#{rpm_gpg_key[rpm_gpg_keys_full_fingerprint]}' || gpg --dry-run --import --import-options import-show #{new_key_local_path} | grep '#{gpg_key_fingerprint_without_space}'"
+      only_if "gpg --dry-run --quiet --with-fingerprint #{new_key_local_path} | grep 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3' || gpg --dry-run --import --import-options import-show #{new_key_local_path} | grep 'A4C0B90D7443CF6E4E8AA341F1068E14E09422B3'"
       action :nothing
     end
   end
 
-  # Now the old key is mostly hard-coded
   old_key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY.public')
   remote_file 'DATADOG_RPM_KEY.public' do
     path old_key_local_path
@@ -205,7 +167,7 @@
   zypper_repository 'datadog' do
     description 'datadog'
     baseurl baseurl
-    gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_keys[0][rpm_gpg_keys_short_fingerprint]}"]
+    gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']['yumrepo_gpgkey_new']
     gpgautoimportkeys false
     gpgcheck false
     action :create