diff --git a/inbc-program/README.md b/inbc-program/README.md index 4d36ab54d8..8765c2f218 100644 --- a/inbc-program/README.md +++ b/inbc-program/README.md @@ -417,6 +417,10 @@ inbc query --option sw Optionally Downloads and encrypts GPG key and stores it on the system under /usr/share/keyrings. Creates a file under /etc/apt/sources.list.d to store the update source information. This list file is used during 'sudo apt update' to update the application. Deb882 format may be used instead of downloading a GPG key. +**NOTE:** Make sure to add gpgKeyUri to trustedrepositories using INBC Config Append command before using Inbc source application add command +``` + + ### Usage ``` inbc source application add @@ -442,7 +446,6 @@ inbc source application add - Each blank line has a period in it. -> " ." - Each line after the Signed-By: starts with a space -> " gibberish" - ``` inbc source application add --sources diff --git a/inbm/Changelog.md b/inbm/Changelog.md index 8047b01b4b..6946acb605 100644 --- a/inbm/Changelog.md +++ b/inbm/Changelog.md @@ -10,7 +10,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). ### Added - RTC 536601 - Added 'source' command to INBM. This command manages `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*` and associated gpg keys on Ubuntu. +- RTC 537769 - Add URI checks from trusted repo for Source Application gpg key URI +check if sourceApplication Gpg key URL is in trusted repo ### Fixed - RTC 534426 - Could not write to /var/log/inbm-update-status.log on Yocto due to /var/log being a symlink to /var/volatile/log. - RTC 523677 - Improve INBC error logging - invalid child tag not printed diff --git a/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py b/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py index 8838ff58a8..4ed56a7f9e 100644 --- a/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py +++ b/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py @@ -7,6 +7,10 @@ import logging import os +from dispatcher.packagemanager.package_manager import verify_source +from dispatcher.dispatcher_broker import DispatcherBroker +from inbm_common_lib.utility import CanonicalUri +from dispatcher.dispatcher_exception import DispatcherException from dispatcher.source.source_exception import SourceError from dispatcher.source.constants import ( UBUNTU_APT_SOURCES_LIST, @@ -98,11 +102,19 @@ def __init__(self) -> None: def add(self, parameters: ApplicationAddSourceParameters) -> None: """Adds a source file and optional GPG key to be used during Ubuntu application updates.""" - # Step 1: Add key (Optional) + # Step 1: Verify gpg key uri from trusted repo list if parameters.gpg_key_name and parameters.gpg_key_uri: + try: + url = parameters.gpg_key_uri + #URL slicing to remove the last segment (filename) from the URL + source = url.value[:-(len(url.value.split('/')[-1]) + 1)] + verify_source(source=source, dispatcher_broker=Dispatcher_Broker) + except DispatcherException as err: + raise SourceError(f"Source Gpg key URI verification check failed: {err}") + # Step 2: Add key (Optional) add_gpg_key(parameters.gpg_key_uri, parameters.gpg_key_name) - # Step 2: Add the source + # Step 3: Add the source try: create_file_with_contents( os.path.join(UBUNTU_APT_SOURCES_LIST_D, parameters.file_name), parameters.sources diff --git a/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py b/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py index 933e37379b..dd1445be3c 100644 --- a/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py +++ b/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py @@ -279,6 +279,20 @@ def test_successfully_remove_gpg_key_and_source_list( except SourceError: self.fail("Remove GPG key raised DispatcherException unexpectedly!") + + def test_successfully_add_gpg_key(self): + parameters = ApplicationAddSourceParameters( + gpg_key_uri="https://dl-ssl.google.com/linux/linux_signing_key.pub" + gpg_key_name="name" + ) + command = UbuntuApplicationSourceManager() + try: + command.add(parameters) + except SourceError: + self.fail("Source Gpg key URI verification check failed") + + + @patch("dispatcher.source.ubuntu_source_manager.remove_gpg_key_if_exists") def test_raises_when_space_check_fails(self, mock_remove_gpg_key): parameters = ApplicationRemoveSourceParameters(