Replace apt-key call by signed-by using key_url in yaml

Signed-off-by: Jose Luis Rivero <[email protected]>
gazebo-tooling · Nov 24, 2023 · a4bf13b · a4bf13b
1 parent 23bb2f7
commit a4bf13b
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 18 deletions.
diff --git a/plugins/config/repository.yaml b/plugins/config/repository.yaml
@@ -2,6 +2,7 @@
 repositories:
     - name: osrf
       key: D2486D2DD83DB69272AFE98867170598AF249743
+      key_url: https://packages.osrfoundation.org/gazebo.gpg
       linux_distro: ubuntu
       types:
           - name: stable
@@ -12,6 +13,7 @@ repositories:
             url: http://packages.osrfoundation.org/gazebo/ubuntu-nightly
     - name: osrf
       key: D2486D2DD83DB69272AFE98867170598AF249743
+      key_url: https://packages.osrfoundation.org/gazebo.gpg
       linux_distro: debian
       types:
           - name: stable

diff --git a/plugins/repository.py b/plugins/repository.py
@@ -19,11 +19,13 @@
         --version               Show gzdev's version
 """
 
+import os
 import pathlib
 import re
 import subprocess
 import sys
-from os.path import isfile
+import urllib.error
+import urllib.request
 
 from docopt import docopt
 
@@ -86,6 +88,14 @@ def get_repo_key(repo_name, config):
     error('No key in repo: ' + repo_name)
 
 
+def get_repo_key_url(repo_name, config):
+    for p in config['repositories']:
+        if p['name'] == repo_name:
+            return p['key_url']
+
+    error('No key in repo: ' + repo_name)
+
+
 def get_repo_url(repo_name, repo_type, config):
     for p in config['repositories']:
         if p['name'] == repo_name and p['linux_distro'].lower() == get_linux_distro():
@@ -102,10 +112,42 @@ def get_sources_list_file_path(repo_name, repo_type):
     return directory + '/' + filename
 
 
-def install_key(key):
-    _check_call(['apt-key', 'adv',
-                 '--keyserver', 'keyserver.ubuntu.com',
-                 '--recv-keys', key])
+def key_filepath(repo_name, repo_type):
+    return f"/usr/share/keyrings/{repo_name}_{repo_type}.gpg"
+
+
+def assert_key_in_file(key, key_path):
+    output = subprocess.check_output(
+        ['gpg', '--show-keys', key_path])
+
+    print(output.decode("ascii"))
+    if key not in output.decode("ascii"):
+        error(f"Key {key} was not found in file {key_path}")
+
+
+def download_key(repo_name, repo_type, key_url):
+    key_path = key_filepath(repo_name, repo_type)
+    if os.path.exists(key_path):
+        warn(f"keyring gpg file already exists in the system: {key_path}\n"
+             "Overwritting to grab the new one.")
+        os.remove(key_path)
+    try:
+        response = urllib.request.urlopen(key_url)
+        if response.code == 200:
+            with open(key_path, "wb") as file:
+                file.write(response.read())
+        else:
+            error(response.code)
+    except urllib.error.HTTPError as e:
+        error(f"HTTPError: {e.code}")
+    except urllib.error.URLError as e:
+        error(f"URLError: {e.reason}")
+
+    return key_path
+
+
+def remove_deprecated_apt_key(key):
+    _check_call(['apt-key', 'del', key])
 
 
 def run_apt_update():
@@ -120,26 +162,29 @@ def install_repos(project_list, config, linux_distro):
 def install_repo(repo_name, repo_type, config, linux_distro):
     url = get_repo_url(repo_name, repo_type, config)
     key = get_repo_key(repo_name, config)
-    # if not linux_distro provided, try to guess it
-    if not linux_distro:
-        linux_distro = distro.codename()
-    content = 'deb ' + url + ' ' + linux_distro + ' main\n'
-    full_path = get_sources_list_file_path(repo_name, repo_type)
+    key_url = get_repo_key_url(repo_name, config)
 
-    if isfile(full_path):
-        warn('gzdev file with the repositoy already exists in the system\n[' + full_path + ']')
-        return
+    try:
+        key_path = download_key(repo_name, repo_type, key_url)
+        assert_key_in_file(key, key_path)
 
-    install_key(key)
+        # if not linux_distro provided, try to guess it
+        if not linux_distro:
+            linux_distro = distro.codename()
+
+        content = f"deb [signed-by={key_path}] {url} {linux_distro} main"
+        full_path = get_sources_list_file_path(repo_name, repo_type)
+        if os.path.isfile(full_path):
+            warn("gzdev file with the repositoy already exists in the system:"
+                 f"{full_path}. \n Overwritting to use new signed-by.")
 
-    try:
         f = open(full_path, 'w')
         f.write(content)
         f.close()
-    except PermissionError:
-        print('No permissiong to install ' + full_path + '. Run the script with sudo.')
 
-    run_apt_update()
+        run_apt_update()
+    except PermissionError:
+        print('No permissiong to make system file modifications. Run the script with sudo.')
 
 
 def disable_repo(repo_name):