Remove passphrase from signing key
authorJan Dittberner <jandd@cacert.org>
Fri, 2 Aug 2019 08:13:02 +0000 (10:13 +0200)
committerJan Dittberner <jandd@cacert.org>
Fri, 2 Aug 2019 08:13:02 +0000 (10:13 +0200)
hieradata/nodes/webstatic.yaml
sitemodules/profiles/manifests/debarchive.pp

index 76dec24..7dd2459 100644 (file)
@@ -6,74 +6,58 @@ profiles::base::admins:
   - law
 profiles::debarchive::notification_email_address: jandd@cacert.org
 profiles::debarchive::release_signing_keyid: "CAcert Debian Archive Signing Key 2019"
-profiles::debarchive::release_signing_keygrip: 223894064EE26851A245DE9208C5C0ABF772F7A7
-profiles::debarchive::release_signing_passphrase: >
-    ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
-    DQYJKoZIhvcNAQEBBQAEggEAOo5m999kQDHcWwrDXAn37SUyzvQZ3xq6mlMa
-    sJ8RTlgbMe6e22GyaYfD78agnS/M0xgdbtv5YF6lykn9ACi0US7Tr6tS+D/3
-    AxcdLFC1qUAE7HJdq5QBYXU/Ahd1Ot0DXHMnUvX8wSUY1aWIvJpZXnuWZrp+
-    792E5SxNAmi6T12AxlQbJC9M4mHpRzj65ORAG3heDO/kwL8v4T2acDs7i0g4
-    Q2kszyoG3zKVIP0/k/eCOWZynS2D4H8aSYhU7MDU9lGUlIpd2NyizXYypb9n
-    yWUALiSLCAIy61R9/c/PEAfZtLX9mJTTGqg3LEubULQSktjRlCIVxhL8foiB
-    1bCYcTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBFres4FSCj+KEUb9gU
-    cfM+gDAvP/N8eQsOcQoZxqZTFl270FiaPZtgcF5Zb/yuLPFvFcU4SdseDjbe
-    e6g7/Uc6du4=]
-profiles::debarchive::release_signing_private_key: >
-    ENC[PKCS7,MIIJfQYJKoZIhvcNAQcDoIIJbjCCCWoCAQAxggEhMIIBHQIBADAFMAACAQEw
-    DQYJKoZIhvcNAQEBBQAEggEAYfzMeAdn+nl+k0NB82RjNbSW68Ci4xIKBuRV
-    7pxDkYDNGp4UUB/SmDiPYO2BbMEJHQMPa+jQDtC81UfwZ9n7f/XINq6ph27c
-    yAWlfw0RgFEk68Qk3EKxCXANCrNf2HiOR6CabWFllzWoOFrZOMdTpZmB0CBy
-    NGnkkkwUfyanwPlycjIbrvP/r072jdA/JuCpa533TH6zw9uwwwTxv5q5deLq
-    mkvXlM8VZsziLaH+bAeopRL8uENqyt83YyaxNMk8zHyz6L1RpP8vVLr8sg3n
-    eYbdVoqch+KM4L3Hi8X/AuG/BEeGihgvEdbqmVzJYHmJh7tBXaADite+H+hr
-    golbtjCCCD4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEIYfkjacKpZlGCwA
-    HbCvYM6AgggQc6wQ9rphDQBo8ybKYIU+QTNPbqFMgk6FR6Mxx/4DugSO7p6f
-    5aMSGUetOD00fKJb1PlWTuqmnALCwbQu3w018dk9uuFDwiz+lAQHb9p6CLgG
-    kZLnUOQCfnLPFxihePUYeLQFIRqjYsOSvDudzj4dI/70IiDaP51EYznB7wVE
-    vJEVS/np6hm6z+WKnfSibonZTiU/mh8jdHiJVDxAAE1o0ehodREp5Kwwpsjw
-    8mHreRWrFJRIFrW4h4bTJfzLOEz+LYkBG7WJLtK+VtpU/xiWe1ApT6dXiVS8
-    dISbPJPASzCnIsTzTw8PQ+aOiagAS8oeeA242dnCLHTu1wApKj8DZF5OXlrr
-    A8hE0n1IW4yon2ZsP5acf80r2TwvREfrAfCBKsD5+gfQqcjt4vJFXy3CRwMw
-    zo2/DrOgeHJziZXKkZl8/m4E5Xxw/knX6sJh/qSymotGYKY+VnaDzfff36bk
-    56Jy1KO8K2k7CnlpartBzQnA3qTEQxRXpj5eAU4iNZMTfk3ZSQe+l6Ws7gqb
-    AEIEF40x5QdsgMJLc2OVjacTtNkHvXDAvaQJ2nd+M0uYFHLWNVI3gQQ0DKH0
-    HaG3lNZfQ+D1Ev16031FjqhGP7lgCx/XQ/ck81k4QiGrTJu30eQV+gl3wxl5
-    TjihVNXcJ3TqoagzHT2JwbfnDTskb29xLTJ1eFRWouJzRVEW51tThMXa9kDV
-    rCE+/jcHGMYwyPn8DlLLLEI1M0Wh06LySEaaDb0ASBIjbHrK88gWHmM8oW9v
-    +oKmfO5VMeGaB+V8Rwqjy+T7C1aB4iSmqu3w9RDonkLNZ5fgny3pVZi2UgSR
-    uEcgGx8Qflg8waDQ8mc23AEsIdzNREvBTfi3IRNf9dquGqnamZYqvOnuMmg1
-    MoC0euxrhLsRvYdOF6kzHfm82NzyHx6ekOhHEONa9HPW4sqVWTBRiewojGfe
-    ZtOHMj2DckZY0J4fmK4CGuz3Y6G25+8P1LCKzkO6jjTHIj1l32tX7BRCdKpH
-    7M+rsZxEnqz1kMp6xx5JC4vsRv7U3azZ1vmLuJlL1w9eY99WV71v+XCFwuPt
-    FdkmFxvG+c8JWjEEtrH5ObbzqGoOw5LBAhr2cvbDbUbyYIZ4OBeo4yb8nTPG
-    vSEIJkFu7OquG9NWFYAHKc8Vly/B2lJDZPY3HRYcybxwiwPtbUV2vUnC+u21
-    DwJFqQH616edvONhYJAASOfBzrdE5vzgDaJl01K8EnS7bgJQP01J0Elx9jBO
-    bY8hBI9c1KYBA2NjIbigrpFeRXs0555rTzNhOWJzlfKMMZTcOPYIhr1tziem
-    TX8aCxHUcc/8cl0K+mtDTTjbAeHUXrZ0cfUgIexjaehKMiwNkNYAMqkDkEZK
-    oMceeRvRW5daVdqsqYVh0eHlZ9G7n4SNxcffI3XQvm36ZyHUOQ7dBbclVK7u
-    dJKQKwEXKgfDQGbL6Ko4OTgZKgjgwiyKpK4LTii4QR/FU44thBDFFoWjyn//
-    GgDIALXIayiRuDiNZKDJv6Du5vaZzntoKU4tWTzJwOVK34vaj+2U6Yx7Ezkj
-    Cr4duDeXdePuGsqAkcgUGUHuzwjzyMIon33FnlrmfpdqLRJLvY/PEiEWcxil
-    oNbmzmGSpN2ldHOIp/VJ+GvF7sb7WqjyMa489sK4kOaVetWm2hqnTtFTE3Nj
-    D4Do2Sf4MlGBDOr0ZYb3FvKeo93fD7zHh9TnvIg4DzB6HpyrSZ5FQbNj17fV
-    i9bu1DRdhhBlRUYk1BaDTV+jXY0RDnFTo5DR0wkLnT2Re9pF8nDZVlKSJc2O
-    7zUznCSkSdCrB40f8ARDY5uHPMez5xEraBfqk0aUUKahwzJSXSdPJ0lq/qn9
-    x7E2bLhpvughwqaNeonqngZ2u+tvRAt2Qsa3hzt5fh7LA5+iP+NXXb/QFmVn
-    izlMFPVaF97IOuycZxCpZ0/obWLav9SnQPsbmnHEci7YdNjhueRcTlQryhO+
-    VTmcSKcMcRWuzeu485+hexYXvyf7UxIvvdetB9q7gCGpyeEF4UFvNp222kCg
-    Loy6/UdfF/mukAH+vZ0PjC2FdQLF4NlxjoMbTwvrUaotB7w+Ht+e7OqkUUFB
-    5tHtI9M3xC6Tfxt5iehwUGUIdy5ybYE8qSuV5YnDRA3vPvVLnjDC9cfZLvJh
-    3J01qq3H7xWpYXTyAwLqtGkalifzG0gYvZUDBeqCLAgX/Vg5zQ68W6SNQOoM
-    NH4xMJbunhkEkbyPuPheJRP3s8NpDKRguAxGHET2Xm88cprGg60p5rP1CyE0
-    h3uYHRJArbOVEeLB4FmS6t73gnuvadSOcR0CF9Xmj1bAXQTbFr1TCtt/B5eA
-    o+4votCrbFy61qQLXA9rUjMaK4Z2YUWt3gyJgEOKEYFUzYnHZVsWw5NRFQzZ
-    sB7q1KGNSCt/NSgaIVHPWMTzwpTrn+PzE3nRc6DgxzFmHive6fhvK441elBg
-    Lr1rB7siBM+NCRGB/WGOAMJtNE34odq2oDSOI4ImG+l8dciDrp+5yZJ930SQ
-    SnFKunJQ4VHNpec4j5UGGgjZAJzC6mshe5CGM1RHxC+i9mZWXcnEB1wkEL0m
-    BYRXfjHF1w7/cIi4bvQiS4fhHU/brpkNODFDZgGggxuQrYOKLkbbr7gEfGD/
-    s4+hT+NvjWfe+uuCjMCKNe23dhvcWMVqYHuEMAF6XKuXqPRDsDTo0M+neT1V
-    KNYnkHBqPiU2Fgbf+j2BqmoAXsP1RWFhatqoX/rNTqPteHzTYdU/mdYUdkzR
-    w/Ux]
+profiles::debarchive::release_signing_key: >
+    ENC[PKCS7,MIIIzQYJKoZIhvcNAQcDoIIIvjCCCLoCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAtJiS4GluyFbbkmxFKmH+2CWZRD1wotHn8HAc
+    7wXckaUSIaUvHY9aor6lxFgjD8vnE5ROmiBTtCsJ0Rmx0oJMO7XDTTKfauwZ
+    sTNIi/xPq4YX3fGAKZQ0HpDZQRsgFuh+6acW3B59KAWZlcJCQqnSO/OUdCNz
+    yHSdFF1hMM7fTHYfMXkvp91oOkxkSHhAtiC2AbB82AaSikt7rNv/03rL6Hv7
+    8vzfjo14m0UGMGGo5Yn8N38Yn24WQTJOGhgBeUm1GpLylaqUDNWN8kRVWrqF
+    0/O+FTjtGQjeQVkR73u2Iy9n+cvX3blYZKl1ItRRWgFjf/pP6uV4P7d8IrSG
+    1myvMzCCB44GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJeo9l7ZAFDCx2IS
+    K4F1IoqAggdgIZWj1bAB165e6eZ0MDx60xsurDWPOFqMlVNmVhrM7O5+n/pB
+    IGBJ+ylUsi97gaWrIAAyzYqnfbqN8pjwNA55gqw6jx2H8AsRuMUDU76JBUtu
+    WvxiMgYOmf4V0tt6i5uLxDIEzkfIf4Mh4sSVoZW/wR2A0n5L4YcbJTHRW9D0
+    idNVfV2hKFxqX9QpbwoJk4IlW68hidk9mpKKO81bA6rO+IF0OoYg1vTBu26M
+    ZdFChv9Ypm10jR2vqhbbb15btOyi5pa/wcis8GYBEvANnQgUfGS//YHK9ttd
+    1x3JQ6YL87Ye5iXUzOoohHIZ+QHalfyMHPotOy8fsnQyxZd3pkA6utLMItr6
+    3ehPtsT71a17nC30TJFKgopGigccvk24K5kZozZdG2qyy7yycn1JHp53TirK
+    kdLDfAbwPnhV2+gUycz+51eGvBE3ZdafV+20Wx6hUd6S+F3zef/aeD9D7u9c
+    soIDj1Lun7f7CBE0qgbvlg0vUHFlpGvtTFK2eoJVAid3odefj9x06yoi23RU
+    Y8MddhqxvZGtZituqPvfpDqOY3cTu4WJc/VznKcEkOlWU4R4gqw6NWrt1J6l
+    1/PqJCqLlvkebbd9R8jZGuy6PgKCsg4oDRjcKpsxbydO9NJwMgUd6UQI4HeZ
+    vbcpbBOwGcXizE+myTjUbS3UbtZAMGWiBPDa+pkNSet4R8MdkcFnaS0vwa8N
+    Uot7eqpDUpKvgeJz/Vk0WhUfPkyiaT3idy1i0GDFZD9eV9v3tpyp9xBQMK42
+    VZEep2p0mXopUk61xY9tpuZQvw53//Bqq3YXfZghhXlgdeLIcxpp7af5lBAU
+    iavhoMs5fZwEsSxfkUXVT4w7A4b02X9FeDdQ1TY3orI1yTLKzmx/FgozztTy
+    CYh1/o6K9r1Mo1INWpngy/kLCaZtySppzTzaDBIoCbDWJjWE5FzMlslaBVqk
+    PjTemUHuyXsWoRFnik0JW4AMuRYqcsf8KsrI/lDiGgNDR9BxNRrmHplclhvA
+    8zAccSQLH53NKh4ma5WPVmbl++6gB6OSeHlwttQDaNBuujoMADF8MWiJNXjj
+    qfqpKHxlEQEqG/CrTJoWJ+EROl5daH6+TVXTXGzUSIsqOir91Jo4Sd4fJYsh
+    CpjHy+jyQZiXuYWWOWXV7suBw399Twozm4sKBcefumXMkgiJnSnibGtSV7ia
+    Ob84hEoQH+Hg/md6rJYefIZYyCOi8IyEV8n4mUr4/DOD0s+BmPxPOgYCDhc8
+    o8IyiUajFCR64gVWou8xnR4OG0ged+1zaU75pq04U5kPARg/WfFWHYWo9Ljq
+    v81+VsWSPEb3ILsX3ZCLT/axkSE3VYEAOaRoT1mE8cc4ENjVRzd50y4I2V4A
+    rALARll+gSSdE/cXqFI4DrkwkobCATYlYNpvBACASkpQVzJontdmJ5sIjEPE
+    LVbAhOHIL4mNNI24zLABOzwS6RGi0sJjfZIjnc7qsb5cxU2PtwkLleHbbcgM
+    tVcmX3EFg+rMg9wGYLT+l4K91pjWmBRN8lssEYNoOcrPu5gvvQDBpWHc3Y+b
+    Oa5x5bT1IjSKgkCWpducMq3u6zvHQnlS5hDgPTfCZPYmQdM5FVCOcJ0TYoZ8
+    +taq1nV2vsX25dtUzxkUcYkRlnXOZx80j53tkJwqFPr2GrN+6I9brL3KYIwp
+    itRzGROLovhX6tSsawPI0bLwAG/5c2OoPPbs6jSP0K+JSTxmalLw4TDUKAl+
+    QfZNzMEH98lw6HGq7aG9njtggw6G4odBrY1ud0KN7/GlF2kjAUyJVJEMiIfj
+    0Lq968XdYiNDOwpre8mn5xqJCtt0sZjy9zWZ9xoyUYDoIeAOCrdS9VgaOilP
+    IG9w/uszbRBWXxiSU76oTgKHAJMFZttWAkBHX5NEcCGksKUbS1Frh76/Kj2G
+    kSL6tDJRsAqEPibtrKCWU9DNGNjwOndlLZveSqNWTK4yWVrLozff0qdV+ZBn
+    VvKW280MpQNFMwhnuxj+WA9tcwg4ajUWFP/8WhpQMc+5aDuvQSTvWUo5YXgk
+    I/5Gcb7Y05CodZ1eJEtyh8r+Z01LmBW1l6a15PeUIBPLs1xg6mqdSenFnB/D
+    q2UnFnd/aoeh49VLpEWRhdK9Yl3Jyz+0tHNDnD0uQ/Zlox49KYx3YQv4gpMq
+    CcC1tw9Lfcc/UY23yhG3MJ5dRJIeP+FWBTfqeN+lq+dnu7ua/4CKVzjiaeU4
+    ygAo2m4Myono4lSpN4VgyUfGzrMpOXOyOa40mgBBgrxDNmAgyIk2obU7h26U
+    ZcZKSgk/W97dSORGPYQcLNZBiRCV+hHV3I8IGdGcz+MZugluNH28znhpUnp0
+    aTkO/6mPnojAA/5ERXrdBEyTuOR662BfVMAkIVCfVPe5W6P34popQQwNRRjL
+    7qKVOpRKA15H3QDHEsh/SOc59L9tvzCa637rBGJMBfvf8QyrUwOVnVebgFSm
+    r9bg7DReCgweHUukIbHzVPy3UE/lyqnAZWeIPJ4+jmTqrATq/EOs9iQQetyR
+    VP8xiy7PwA==]
 profiles::debarchive::uploaders:
   - jandd
 profiles::icinga2_agent::pki_ticket: >
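Review bot: Nothing at `profiles::debarchive::release_signing_key` records that the value is now a secret key export without a passphrase, so the eyaml PKCS7 layer is the only protection the signing key has in this repository. I would add a comment above the key, for example `# passphrase-less secret key export; confidentiality rests on the eyaml key pair alone`. That way a later move to plain hiera, or a wider set of eyaml recipients, is recognised as exposing the signing key directly. If this is the same key re-exported, which the unchanged `release_signing_keyid` suggests, access to the eyaml private key should be treated as access to the archive signing key.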
index 01a9170..eb89f3e 100644 (file)
@@ -6,20 +6,16 @@
 # Parameters
 # ----------
 #
-# @param notification_email_address  email address that will receive reports
-#                                    from mini-dinstall
+# @param notification_email_address email address that will receive reports
+#                                   from mini-dinstall
 #
-# @param release_signing_keygrip     GPG keygrip of the release signing key
+# @param release_signing_keyid      GPG key id of the release signing key
 #
-# @param release_signing_keyid       GPG key id of the release signing key
+# @param release_signing_key        data of a GPG key that is used for
+#                                   release file signing
 #
-# @param release_signing_passphrase  passphrase for the release signing key
-#
-# @param release_signing_private_key data of a GPG key that is used for
-#                                    release file signing
-#
-# @param uploaders                   a list of users that are allowed to dput
-#                                    files to the Debian archive
+# @param uploaders                  a list of users that are allowed to dput
+#                                   files to the Debian archive
 #
 # Examples
 # --------
 #
 class profiles::debarchive (
   String $notification_email_address,
-  String $release_signing_keygrip,
   String $release_signing_keyid,
-  String $release_signing_passphrase,
-  String $release_signing_private_key,
+  String $release_signing_key,
   Array[String] $uploaders = [],
 ) {
   include profiles::base
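Review bot: `String $release_signing_key` now carries a secret key without a passphrase but is still typed as a plain string, so Puppet will not redact the value in agent logs or reports when the resource changes. Declaring it as `Sensitive[String] $release_signing_key` and converting the hiera value (for example `lookup_options` with `convert_to: 'Sensitive'`) would redact it; whether the Puppet version in use supports that cannot be confirmed from this page. The `@param release_signing_key` text could also state that the key data must be an export without a passphrase, since the class no longer accepts one. The class body continues outside the hunk.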
@@ -154,14 +148,7 @@ class profiles::debarchive (
     owner   => 'debarchive',
     group   => 'nogroup',
     mode    => '0600',
-    content => $release_signing_private_key,
-  }
-  file { "${gpg_home}/passphrase":
-    ensure  => file,
-    owner   => 'debarchive',
-    group   => 'nogroup',
-    mode    => '0600',
-    content => $release_signing_passphrase,
+    content => $release_signing_key,
   }
   file { "${gpg_home}/gpg-agent.conf":
     ensure  => file,
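Review bot: Dropping the `file { "${gpg_home}/passphrase": ... }` resource only stops managing that file; Puppet does not delete it, so nodes that applied the earlier manifest keep the old passphrase on disk. An explicit cleanup such as `file { "${gpg_home}/passphrase": ensure => absent }` would remove it, and can be dropped again once all nodes have converged. The key file resource above it starts outside the hunk; since it now holds an unprotected key, `show_diff => false` on that resource would be a cheap extra guard against the key appearing in change reports.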
@@ -220,6 +207,7 @@ class profiles::debarchive (
       'Codename: stretch/cacert',
       'Architectures: amd64 source',
       'Components: main',
+      'SignWith: yes',
       '',
       ''], "\n"),
   }
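Review bot: `'SignWith: yes'` in the stretch stanza, and the identical line in the buster stanza in the next hunk, leaves the choice of key to gpg's default even though the class already receives `$release_signing_keyid`. If these lists feed reprepro's `conf/distributions`, which the field names suggest, naming the key explicitly, e.g. `"SignWith: ${release_signing_keyid}",`, keeps the archive from being signed with another secret key that later ends up in the same keyring. Whether the configured user-id string is accepted there should be checked; a fingerprint is the unambiguous form. The surrounding resource starts outside the hunk.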
@@ -231,6 +219,7 @@ class profiles::debarchive (
       'Codename: buster/cacert',
       'Architectures: amd64 source',
       'Components: main',
+      'SignWith: yes',
       '',
       ''], "\n"),
   }