diff --git a/inbc-program/README.md b/inbc-program/README.md
index 4d36ab54d8..8765c2f218 100644
--- a/inbc-program/README.md
+++ b/inbc-program/README.md
@@ -417,6 +417,10 @@ inbc query --option sw
Optionally Downloads and encrypts GPG key and stores it on the system under /usr/share/keyrings. Creates a file under /etc/apt/sources.list.d to store the update source information.
This list file is used during 'sudo apt update' to update the application. Deb882 format may be used instead of downloading a GPG key.
+**NOTE:** Make sure to add gpgKeyUri to trustedrepositories using INBC Config Append command before using Inbc source application add command
+```
+
+
### Usage
```
inbc source application add
@@ -442,7 +446,6 @@ inbc source application add
- Each blank line has a period in it. -> " ."
- Each line after the Signed-By: starts with a space -> " gibberish"
-
```
inbc source application add
--sources
diff --git a/inbm/Changelog.md b/inbm/Changelog.md
index 8047b01b4b..6946acb605 100644
--- a/inbm/Changelog.md
+++ b/inbm/Changelog.md
@@ -10,7 +10,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
### Added
- RTC 536601 - Added 'source' command to INBM. This command manages `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*` and associated gpg keys on Ubuntu.
+- RTC 537769 - Add URI checks from trusted repo for Source Application gpg key URI
+check if sourceApplication Gpg key URL is in trusted repo
### Fixed
- RTC 534426 - Could not write to /var/log/inbm-update-status.log on Yocto due to /var/log being a symlink to /var/volatile/log.
- RTC 523677 - Improve INBC error logging - invalid child tag not printed
diff --git a/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py b/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
index 8838ff58a8..4ed56a7f9e 100644
--- a/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
+++ b/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
@@ -7,6 +7,10 @@
import logging
import os
+from dispatcher.packagemanager.package_manager import verify_source
+from dispatcher.dispatcher_broker import DispatcherBroker
+from inbm_common_lib.utility import CanonicalUri
+from dispatcher.dispatcher_exception import DispatcherException
from dispatcher.source.source_exception import SourceError
from dispatcher.source.constants import (
UBUNTU_APT_SOURCES_LIST,
@@ -98,11 +102,19 @@ def __init__(self) -> None:
def add(self, parameters: ApplicationAddSourceParameters) -> None:
"""Adds a source file and optional GPG key to be used during Ubuntu application updates."""
- # Step 1: Add key (Optional)
+ # Step 1: Verify gpg key uri from trusted repo list
if parameters.gpg_key_name and parameters.gpg_key_uri:
+ try:
+ url = parameters.gpg_key_uri
+ #URL slicing to remove the last segment (filename) from the URL
+ source = url.value[:-(len(url.value.split('/')[-1]) + 1)]
+ verify_source(source=source, dispatcher_broker=Dispatcher_Broker)
+ except DispatcherException as err:
+ raise SourceError(f"Source Gpg key URI verification check failed: {err}")
+ # Step 2: Add key (Optional)
add_gpg_key(parameters.gpg_key_uri, parameters.gpg_key_name)
- # Step 2: Add the source
+ # Step 3: Add the source
try:
create_file_with_contents(
os.path.join(UBUNTU_APT_SOURCES_LIST_D, parameters.file_name), parameters.sources
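Review bot: `Dispatcher_Broker` in the added `verify_source(...)` call is not defined anywhere in this diff. The import brings in the class `DispatcherBroker`, and the `__init__(self) -> None` shown in the hunk header takes no broker, so the call would raise NameError, which `except DispatcherException` does not catch. Because this check gates fetching a GPG key, it needs a real broker instance, for example one stored by the constructor and passed as `verify_source(source=source, dispatcher_broker=self._dispatcher_broker)` (attribute name is a suggestion). The parent-path slicing would read more clearly as `source = url.value.rsplit('/', 1)[0]`, and the re-raise should keep its cause with `raise SourceError(...) from err`. The body of add() continues past the end of the hunk.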
diff --git a/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py b/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
index 933e37379b..dd1445be3c 100644
--- a/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
+++ b/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
@@ -279,6 +279,20 @@ def test_successfully_remove_gpg_key_and_source_list(
except SourceError:
self.fail("Remove GPG key raised DispatcherException unexpectedly!")
+
+ def test_successfully_add_gpg_key(self):
+ parameters = ApplicationAddSourceParameters(
+ gpg_key_uri="https://dl-ssl.google.com/linux/linux_signing_key.pub"
+ gpg_key_name="name"
+ )
+ command = UbuntuApplicationSourceManager()
+ try:
+ command.add(parameters)
+ except SourceError:
+ self.fail("Source Gpg key URI verification check failed")
+
+
+
@patch("dispatcher.source.ubuntu_source_manager.remove_gpg_key_if_exists")
def test_raises_when_space_check_fails(self, mock_remove_gpg_key):
parameters = ApplicationRemoveSourceParameters(
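Review bot: The `ApplicationAddSourceParameters(...)` call in `test_successfully_add_gpg_key` is missing a comma after the `gpg_key_uri=` argument, so the module will not parse and every test in the file fails at collection. The line should read `gpg_key_uri="https://dl-ssl.google.com/linux/linux_signing_key.pub",`. The test also calls `command.add(parameters)` without patching `verify_source` or `add_gpg_key`, although the neighbouring test uses `@patch`. As written it appears to depend on a live broker and a network fetch, and it passes a plain string where add() reads `url.value`. A companion case asserting that an untrusted key URI raises SourceError would cover the check this commit introduces.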