in policies/apt.go [134:191]
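// aptRepositories writes the agent-managed apt keyring and repository list
// for repos.
//
// Every non-empty GpgKey on the repos is fetched with getAptGPGKey; the
// resulting entities are deduplicated with containsEntity and serialized into
// aptGPGFile. Key fetch and serialization failures are logged and skipped
// rather than aborting, so one bad key does not block the other repositories.
// The repository list is then rendered, one getAptRepoLine per repo, and
// written to repoFile via writeIfChanged, whose error is returned.
//
// NOTE(review): a failure to write aptGPGFile is only logged and the repo
// file is still written; with signed-by lines apt would then presumably
// refuse those repos until the keyring is repaired (fails closed) — confirm.
// When no repo carries a key, aptGPGFile is left untouched, not removed.
func aptRepositories(ctx context.Context, repos []*agentendpointpb.AptRepository, repoFile string) error {
	// Collect the configured key locations, sorted and deduplicated so that
	// each distinct key is fetched once and the keyring content is
	// deterministic regardless of repo order.
	var keys []string
	for _, repo := range repos {
		if key := repo.GetGpgKey(); key != "" {
			keys = append(keys, key)
		}
	}
	sort.Strings(keys)
	uniq := keys[:0]
	for _, key := range keys {
		if len(uniq) == 0 || uniq[len(uniq)-1] != key {
			uniq = append(uniq, key)
		}
	}

	var es []*openpgp.Entity
	for _, key := range uniq {
		entityList, err := getAptGPGKey(key)
		if err != nil {
			clog.Errorf(ctx, "Error fetching gpg key %q: %v", key, err)
			continue
		}
		for _, e := range entityList {
			if !containsEntity(es, e) {
				es = append(es, e)
			}
		}
	}

	if len(es) > 0 {
		var keyring bytes.Buffer
		for _, e := range es {
			// Serialize into a scratch buffer first so an entity that fails
			// part-way through does not leave a truncated packet in the
			// keyring file, which would make the whole file unusable.
			var one bytes.Buffer
			if err := e.Serialize(&one); err != nil {
				clog.Errorf(ctx, "Error serializing gpg key: %v", err)
				continue
			}
			keyring.Write(one.Bytes())
		}
		if err := writeIfChanged(ctx, keyring.Bytes(), aptGPGFile); err != nil {
			clog.Errorf(ctx, "Error writing gpg key: %v", err)
		}
	}

	// Repo file layout, e.g.:
	//   # Repo file managed by Google OSConfig agent
	//   deb http://repo1-url/ repo1 main
	//   deb http://repo1-url/ repo2 main contrib non-free
	// The 'signed-by' keyring form is only emitted where shouldUseSignedBy
	// reports it (per the original note: Debian 12+ and Ubuntu 24+ only), to
	// avoid conflicting repo definitions on older stable releases, e.g.:
	//   deb [signed-by=/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg] http://repo1-url/ repo1 main
	// (approach suggested by ofca@)
	var list bytes.Buffer
	list.WriteString("# Repo file managed by Google OSConfig agent\n")
	useSignedBy := shouldUseSignedBy()
	for _, repo := range repos {
		list.WriteString(getAptRepoLine(repo, useSignedBy) + "\n")
	}
	return writeIfChanged(ctx, list.Bytes(), repoFile)
}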