Provide a "last-modified" header for https://choria.io/RELEASE-GPG-KEY

[dploeger]

After complying with the new APT keyring features, the keyring will be downloaded from https://choria.io/RELEASE-GPG-KEY every single time Puppet runs.

Would it be possible to provide a "last-modified" header on it so it isn't updated every time?

[ripienaar]

Hmm this is hosted on netlify iirc not sure I have control over that.

But it’s certainly not good that this is being downloaded each time. Any ideas @smortex ?

[smortex]

The file resource has a replace attribute that tells Puppet to ignore the file content if the file is there. Keys are not supposed to change often, so it is somewhat acceptable, but when they do change, I bet we will shoot in our own foot…

I quickly tested the checksum / checksum_value parameters to hard-code the checksum of the file in the Puppet manifest. According to the --debug output, it only download the file if the checksum is not the expected one. That would also limit the impact of a compromised file server where the key is replaced and rogue packages are delivered.

file { '/tmp/KEY':
  ensure         => file,
  checksum       => 'md5', # sha256 or sha512 is maybe preferable
  checksum_value => '422b78010c402b95b502bca70f4e61d7',
  source         => 'https://choria.io/RELEASE-GPG-KEY',
}

Does this seems reasonable?

[dploeger]

The problem is that this would need to be implemented in the apt module. An alternative could be to use the archive module to download the keyring and provide that as the source. Archive has more possibilities.

But fixing that problem on the source is the best option IMHO - IF that's actually possible for you of course.

[ripienaar]

I could host the file on apt.[eu|uk|us].choria.io but there's no round robin address that would make that reliable so pointing to one of those alone wouldnt be good - apt itself uses mirrorlists.choria.io which isnt https cos old debian doesnt like it.

Though old debian is now dead so we could switch that over but would require a bunch of testing

[smortex]

After updating the module, I see that not only the file is downloaded on each run, but puppet also report it as changed (I failed to understand this from the previous discussion).

So this (static) website is served by a service provider that does not handle file date properly? That's hard to believe…

[ripienaar]

Yeah their CDN records time that the cache node got the file not when the file was changed - and then doesn’t add this header

[smortex]

I was thinking about pointing to the "source" file (raw file in the GitHub repo of the website) but GitHub does not provide such header too (I guess it is costly to extract it from git with low added value 🤷). We can workaround this by embedding the key in the module: not great, but should be better that downloading the key every half hour on all nodes, and this avoid an HTTP request per run to check if a new key is available. Of course, updating the key becomes more painful (update the key, update the module to use the new key, ship a new version of the module, update the version of the module used)… What do you think?

[ripienaar]

Does the module support multiple urls to try if one fails?

[ripienaar]

Not sure what to say, it's just not how the biggest hosting offerings globally function :)

So I guess we should make the url to the key configurable, but its about as bad as embedding it in the module, both means everyone will have a bad time if I ever have to update that key

[dploeger]

As an alternative it would be possible to use the Archive module to download the key file and use what comes out of that as the source instead of just providing the url.

[ripienaar]

Can you see if https://static.choria.io/RELEASE-GPG-KEY will work for you?

[dploeger]

It does, thanks a lot. I'm preparing a PR for it.

[dploeger]

See choria-io/puppet-choria#354