flatcar-install: Use --assert-signer rather than --trusted-key with gpg
Using a custom key was recently broken by a GnuPG update. The Flatcar
key is not imported when a custom key is given, but we still reference
the Flatcar key with --trusted-key regardless, causing gpg to attempt to
download the key from a keyserver. This fails because we no longer ship
the necessary dirmngr binary, which is now only built when GnuPG has
GnuTLS support enabled.

Enabling GnuTLS support works around the problem, but it is not the
proper fix. --trusted-key causes gpg to trust the given key, even though
there is no secret key present. This is unnecessary, as the key would be
trusted anyway, albeit with a warning. --assert-signer makes more sense,
as this ensures the file was signed specifically by the given key rather
than some other key you happen to have in your keyring.

--assert-signer only accepts the long key ID, not the key file. There is
no way to discover the key ID of a key that has just been imported, but
you can get it from the original key file in a stable manner.

Closes: flatcar/Flatcar#1471
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
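The commit message relies on `gpg --with-colons` output to recover a fingerprint from a key file. The following is an added example, not code from this commit or from the flatcar-install script: it parses a constructed `--show-key --with-colons` listing (the first primary fingerprint is Flatcar's as shown in the script; every other fingerprint, key ID, timestamp and user ID is made up), returns the primary-key fingerprint of every key in the file rather than only the first, and refuses to emit an empty or malformed value so that gpg is never invoked with `--assert-signer ""`. It assumes awk is available and, as the gpg manual states, that `--assert-signer` may be given more than once.

```bash
#!/usr/bin/env bash
# Added example, not part of flatcar-install: pick the fingerprint(s) to hand
# to `gpg --assert-signer` out of a `--with-colons` key listing.
#
# Constructed sample of `gpg --show-key --with-colons keyfile.asc` for a key
# file holding two keys, each with one signing subkey. The first primary
# fingerprint is the Flatcar one from the script; everything else below is
# made up for this example. In an "fpr" record the fingerprint is field 10;
# the fpr record right after a "pub" record belongs to the primary key, the
# one after a "sub" record to that subkey.
SAMPLE_COLONS='pub:-:4096:1:E25D9AED0593B34A:1519736748:::-:::scESC::::::23::0:
fpr:::::::::F88CFEDEFF29A5B4D9523864E25D9AED0593B34A:
uid:-::::1519736748::0000000000000000000000000000000000000000::Constructed Key One <one@example.invalid>::::::::::0:
sub:-:4096:1:A1B2C3D4E5F60718:1691712000:1723334400:::::s::::::23:
fpr:::::::::1111222233334444555566667777888899990000:
pub:-:4096:1:0011223344556677:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::1111111111111111111111111111111111111111::Constructed Key Two <two@example.invalid>::::::::::0:
sub:-:4096:1:8899AABBCCDDEEFF:1700000000::::::s::::::23:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA99998888777766665555:'

# Print the primary-key fingerprint of every key in a colon listing read from
# stdin, one per line. Subkey fingerprints are skipped: the commit asserts on
# the primary key's fingerprint, which is also what the script's own
# `grep -m1 "^fpr:"` happens to pick up (the first fpr record in the file).
primary_fingerprints() {
    awk -F: '
        $1 == "pub"                { want = 1; next }   # next fpr is the primary key
        $1 == "sub" || $1 == "ssb" { want = 0; next }   # next fpr is a subkey
        $1 == "fpr" && want        { print $10; want = 0 }
    '
}

# Build the --assert-signer arguments for gpg from a colon listing on stdin.
# Fails instead of printing nothing, so a caller can never end up running
# `gpg --assert-signer ""` because the key file contained no usable key.
# Assumes (per the gpg manual) that --assert-signer may be repeated.
assert_signer_args() {
    local fprs fpr args=''
    fprs=$(primary_fingerprints) || return 1
    if [ -z "$fprs" ]; then
        echo 'no primary key fingerprint found in key listing' >&2
        return 1
    fi
    for fpr in $fprs; do
        # A v4 fingerprint is 40 hex digits, a v5 one 64; reject anything else
        # so a garbled listing cannot turn into a nonsense gpg option.
        case "$fpr" in
            *[!0-9A-F]*) echo "malformed fingerprint: $fpr" >&2; return 1 ;;
        esac
        case "${#fpr}" in
            40|64) ;;
            *) echo "unexpected fingerprint length: $fpr" >&2; return 1 ;;
        esac
        args="$args --assert-signer $fpr"
    done
    printf '%s\n' "${args# }"
}

# Usage against a real key file (not run here):
#   gpg --batch $(gpg --show-key --with-colons "$KEYFILE" | assert_signer_args) \
#       --verify image.sig image
printf '%s\n' "$SAMPLE_COLONS" | assert_signer_args
```

Because the function fails closed, a key file that imports cleanly but yields no fingerprint stops the install before any verification is attempted, instead of silently weakening the check.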
chewi committed Jun 21, 2024
1 parent 05e3d8b commit 24cdd55
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions bin/flatcar-install
@@ -127,7 +127,7 @@ Flatcar Container Linux on a machine then use this tool to make a permanent inst
# sub rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
# sub rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
# sub rsa4096/267EC954 2022-08-11 [S] [expires: 2023-08-11]
GPG_LONG_ID="E25D9AED0593B34A"
GPG_LONG_ID="F88CFEDEFF29A5B4D9523864E25D9AED0593B34A"
GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
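Review bot: the new value on the GPG_LONG_ID= line is the 40-hex-digit fingerprint, not the 16-digit long key ID that the variable name and the commit message describe, so the name now misleads. Rename it (GPG_FINGERPRINT or similar) at the assignment and at both --assert-signer call sites, or add a one-line comment saying that the full fingerprint is what --assert-signer is given. The value itself is the right choice: a 64-bit key ID is far cheaper to collide than a 160-bit fingerprint, and an attacker-supplied key with a matching short ID is exactly what an identity assertion must not accept.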
@@ -668,6 +668,11 @@ function prep_url(){
mkdir -p "${GNUPGHOME}"
if [ -n "${KEYFILE}" ]; then
gpg --batch --quiet --import < "${KEYFILE}"
# --assert-signer needs the long key ID. We have no way of looking up
# the key we just imported, but we can get the ID from the original
# file. --with-colons provides a stable interface for parsing.
GPG_LONG_ID=$(gpg --show-key --with-colons "${KEYFILE}" | grep -m1 "^fpr:" | cut -d: -f10)
else
gpg --batch --quiet --import <<< "${GPG_KEY}"
fi
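Review bot: the GPG_LONG_ID=$(gpg --show-key ... | cut -d: -f10) line has no failure check. If gpg --show-key fails or the file contains no fpr: record, GPG_LONG_ID is silently empty and the verify calls later pass --assert-signer "" instead of aborting here; add a guard such as [ -n "${GPG_LONG_ID}" ] || { echo "Could not determine the fingerprint of ${KEYFILE}." >&2; exit 1; } right after the assignment. Also, grep -m1 keeps only the first fpr: record, so a key file holding several keys imports all of them but asserts only the first; either document that one key per file is expected or collect every primary fingerprint. The comment above the line says "long key ID" while field 10 of an fpr: record is the full fingerprint, so update that wording as well.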
@@ -686,7 +691,7 @@ function download_from_url(){
exit 1
fi
if ! gpg --batch --trusted-key "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
if ! gpg --batch --assert-signer "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
echo "Could not verify ${IMAGE_NAME}." >&2
exit 1
fi
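Review bot: the error path after the gpg call does not distinguish a bad signature from a valid signature by the wrong key, which is the new failure mode --assert-signer introduces, and the commit message notes that dropping --trusted-key means gpg now prints its untrusted-key warning on every run, so the log will be noisier exactly when this message matters. Consider echo "Could not verify ${IMAGE_NAME} against key ${GPG_LONG_ID}." >&2 so the expected signer is visible next to gpg's own output. Worth documenting as well that a gpg release without --assert-signer fails at this line with an unknown-option error rather than a verification failure, which the same message would otherwise mask.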
@@ -697,7 +702,7 @@ function install_from_url() {
echo "Downloading, writing and verifying ${IMAGE_NAME}..."
if ! wget ${WGET_ARGS} --no-verbose -O - "${IMAGE_URL}" \
| tee >(${BZIP_UTIL} -cd >&3) \
| gpg --batch --trusted-key "${GPG_LONG_ID}" \
| gpg --batch --assert-signer "${GPG_LONG_ID}" \
--verify "${WORKDIR}/${SIG_NAME}" -
then
local EEND=( "${PIPESTATUS[@]}" )
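Review bot: this is the second copy of the same gpg invocation (the first is in download_from_url), and this commit had to change the option set in both places. A small wrapper, e.g. verify_sig() { gpg --batch --assert-signer "${GPG_LONG_ID}" --verify "$@"; }, called as verify_sig "${WORKDIR}/${SIG_NAME}" - here would keep the two call sites in step next time. No logic concern with the hunk itself: the PIPESTATUS capture below still picks up gpg's exit status, which is what --assert-signer changes when the signer does not match.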
