Skip to content

Commit

Permalink
flatcar-install: Remove unnecessary --trusted-key gpg option
Browse files Browse the repository at this point in the history 
Using a custom key was recently broken by a GnuPG update. The Flatcar
key is not imported when a custom key is given, but we still reference
the Flatcar key with --trusted-key regardless, causing gpg to attempt to
download the key from a keyserver. This fails because we no longer ship
the necessary dirmngr binary, which is now only built when GnuPG has
GnuTLS support enabled.

Enabling GnuTLS support works around the problem, but it is not the
proper fix. --trusted-key causes gpg to trust the given key, even though
there is no secret key present. This is unnecessary, as the key would be
trusted anyway, albeit with a warning.

Using --assert-signer would be safer, as this ensures the file was
signed specifically by the given key rather than some other key you
happen to have in your keyring. It is not present in older GnuPG
versions that we need to support though, and flatcar-install creates a
temporary home for gpg, so no other keys would be present anyway.

Closes: flatcar/Flatcar#1471
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
  • Loading branch information
@chewi
chewi committed Jun 21, 2024
1 parent 05e3d8b commit c55eca1
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions bin/flatcar-install
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,6 @@ Flatcar Container Linux on a machine then use this tool to make a permanent inst
# sub rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
# sub rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
# sub rsa4096/267EC954 2022-08-11 [S] [expires: 2023-08-11]
GPG_LONG_ID="E25D9AED0593B34A"
GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
Expand Down Expand Up @@ -686,7 +685,7 @@ function download_from_url(){
exit 1
fi
if ! gpg --batch --trusted-key "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
if ! gpg --batch --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
echo "Could not verify ${IMAGE_NAME}." >&2
exit 1
fi
Expand All @@ -697,8 +696,7 @@ function install_from_url() {
echo "Downloading, writing and verifying ${IMAGE_NAME}..."
if ! wget ${WGET_ARGS} --no-verbose -O - "${IMAGE_URL}" \
| tee >(${BZIP_UTIL} -cd >&3) \
| gpg --batch --trusted-key "${GPG_LONG_ID}" \
--verify "${WORKDIR}/${SIG_NAME}" -
| gpg --batch --verify "${WORKDIR}/${SIG_NAME}" -
then
local EEND=( "${PIPESTATUS[@]}" )
[ ${EEND[0]} -ne 0 ] && echo "${EEND[0]}: Download of ${IMAGE_NAME} did not complete" >&2
Expand Down

0 comments on commit c55eca1

Please sign in to comment.