in cookbooks/fb_apt/libraries/default.rb [48:89]
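# Returns the keyring files under /etc/apt/trusted.gpg.d that `dpkg -S`
# attributes to an installed package and that exist on disk, after checking
# each owning package with `dpkg -V`.
#
# A keyring that `dpkg -V` reports for its owning package is treated as
# modified. Unless node['fb_apt']['allow_modified_pkg_keyrings'] is set, this
# aborts the run; with the attribute set it is only logged as a warning and
# the keyring is still returned.
#
# NOTE(review): the check compares against what the local dpkg database
# recorded, so it only detects changes relative to that database.
# NOTE(review): empty `dpkg -V` output is read as "nothing modified". Whether
# the `dpkg` helper raises on a failed command is not visible here; confirm,
# so that a failed verification cannot pass as a clean one.
#
# @param node [Chef::Node] node whose 'fb_apt' attributes are consulted
# @return [Array<String>] paths of the package-owned keyring files
# @raise [RuntimeError] if an owned keyring was modified and the override
#   attribute is not set
def self._get_owned_keyring_files(node)
  s = dpkg('-S /etc/apt/trusted.gpg.d/*')
  owned_keys = Set.new
  # A Set, so a package that ships several keyrings is verified only once.
  packages = Set.new
  s.stdout.each_line do |line|
    owners, file = line.strip.split(': ', 2)
    # Lines without an "<owner>: <path>" shape yield no path; skip them
    # rather than handing nil to File.exist?.
    next unless file && ::File.exist?(file)

    owned_keys.add(file)
    # dpkg lists co-owners as "pkg1, pkg2: /path"; each one is verified on
    # its own, since the joined string is not a package name.
    owners.split(', ').each { |owner| packages.add(owner) }
  end
  Chef::Log.debug("fb_apt[keys]: Owned keys: #{owned_keys}")
  packages.each do |pkg|
    cmd = dpkg("-V #{pkg}")
    # The last whitespace-separated field of each reported line is the path.
    modified_files =
      Set.new(cmd.stdout.lines.map { |entry| entry.split.last })
    modified_keys = owned_keys & modified_files
    Chef::Log.debug(
      "fb_apt[keys]: Modified keys from #{pkg}: #{modified_keys}",
    )
    next if modified_keys.empty?

    key_list = modified_keys.to_a.join(', ')
    if node['fb_apt']['allow_modified_pkg_keyrings']
      # Explicit operator override: the tamper signal becomes a warning only.
      Chef::Log.warn(
        'fb_apt[keys]: The following keys have been modified but we ' +
        'are still trusting it, due to ' +
        'node["fb_apt"]["allow_modified_pkg_keyrings"]: ' +
        key_list,
      )
    else
      fail 'fb_apt[keys]: The following keyrings would be trusted, but ' +
           "has been modified since package (#{pkg}) was installed: " +
           key_list
    end
  end
  owned_keys.to_a
end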