Release 4.7.2 (#757)

- Undo revert of #754, seems to be working fine.
- Update metadata and changelog.

Author: albertvaka

CHANGELOG.md

@@ -1,6 +1,9 @@
 Changes
 =======
 
+# 4.7.2 / 2020-11-25
+* [FEATURE] Trust new signing key [#754][] [@mikezhu-dd][]
+
 # 4.7.1 / 2020-11-25
 * [BUGFIX] Revert [#754][]
 

attributes/default.rb

@@ -167,9 +167,10 @@
 # Only applies if specific version specified
 default['datadog']['windows_agent_installer_prefix'] = nil
 
-# Location of additional rpm gpgkey to import (with signature `e09422b3`). In the future the rpm packages
+# Location of additional rpm gpg keys to import. In the future the rpm packages
 # of the Agent will be signed with this key.
-default['datadog']['yumrepo_gpgkey_new'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
+default['datadog']['yumrepo_gpgkey_new_e09422b3'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
+default['datadog']['yumrepo_gpgkey_new_fd4bf915'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"
 
 # Windows Agent Blacklist
 # Attribute to enforce silent failures on agent installs when attempting to install a

metadata.rb

@@ -3,7 +3,7 @@
 maintainer_email '[email protected]'
 license          'Apache-2.0'
 description      'Installs/Configures datadog components'
-version          '4.7.1'
+version          '4.7.2'
 chef_version     '>= 12.7'
 source_url       'https://github.com/DataDog/chef-datadog'
 issues_url       'https://github.com/DataDog/chef-datadog/issues'

recipes/repository.rb

@@ -26,6 +26,22 @@
 
 agent_major_version = Chef::Datadog.agent_major_version(node)
 
+# A2923DFF56EDA6E76E55E492D3A80E30382E94DE expires in 2022
+# D75CEA17048B9ACBF186794B32637D44F14F620E expires in 2032
+apt_gpg_keys = ['A2923DFF56EDA6E76E55E492D3A80E30382E94DE', 'D75CEA17048B9ACBF186794B32637D44F14F620E']
+
+# DATADOG_RPM_KEY_E09422B3.public expires in 2022
+# DATADOG_RPM_KEY_20200908.public expires in 2024
+rpm_gpg_keys = [['DATADOG_RPM_KEY_E09422B3.public', 'e09422b3', 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3'],
+                ['DATADOG_RPM_KEY_20200908.public', 'fd4bf915', 'C655 9B69 0CA8 82F0 23BD  F3F6 3F4D 1729 FD4B F915']]
+
+# Local file name of the key
+rpm_gpg_keys_name = 0
+# Short fingerprint for rpm commands, used in "rpm -q gpg-pubkey-*" and node['datadog']["yumrepo_gpgkey_new_*"]
+rpm_gpg_keys_short_fingerprint = 1
+# Space delimited full fingerprint
+rpm_gpg_keys_full_fingerprint = 2
+
 case node['platform_family']
 when 'debian'
   apt_update 'update'
@@ -48,15 +64,17 @@
 
   retries = node['datadog']['aptrepo_retries']
   keyserver = node['datadog']['aptrepo_use_backup_keyserver'] ? node['datadog']['aptrepo_backup_keyserver'] : node['datadog']['aptrepo_keyserver']
-  # Add APT repository
-  apt_repository 'datadog' do
-    keyserver keyserver
-    key 'A2923DFF56EDA6E76E55E492D3A80E30382E94DE'
-    uri node['datadog']['aptrepo']
-    distribution node['datadog']['aptrepo_dist']
-    components components
-    action :add
-    retries retries
+  # Add APT repositories
+  apt_gpg_keys.each do |apt_gpg_key|
+    apt_repository "datadog_apt_#{apt_gpg_key}" do
+      keyserver keyserver
+      key apt_gpg_key
+      uri node['datadog']['aptrepo']
+      distribution node['datadog']['aptrepo_dist']
+      components components
+      action :add
+      retries retries
+    end
   end
 
   # Previous versions of the cookbook could create this repo file, make sure we remove it now
@@ -65,26 +83,31 @@
   end
 when 'rhel', 'fedora', 'amazon'
   # Import new RPM key
-  if node['datadog']['yumrepo_gpgkey_new']
+  rpm_gpg_keys.each do |rpm_gpg_key|
+    next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
+
     # gnupg is required to check the downloaded key's fingerprint
     package 'gnupg' do
       action :install
       only_if { node['packages']['gnupg2'].nil? }
     end
 
     # Download new RPM key
-    key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY_E09422B3.public')
-    remote_file 'DATADOG_RPM_KEY_E09422B3.public' do
+    key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
+    remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do
       path key_local_path
-      source node['datadog']['yumrepo_gpgkey_new']
-      not_if 'rpm -q gpg-pubkey-e09422b3' # (key already imported)
-      notifies :run, 'execute[rpm-import datadog key e09422b3]', :immediately
+      source node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
+      not_if "rpm -q gpg-pubkey-#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" # (key already imported)
+      notifies :run, "execute[rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}]", :immediately
     end
 
+    # The fingerprint string has spaces in it, calculate one without space here
+    gpg_key_fingerprint_without_space = rpm_gpg_key[rpm_gpg_keys_full_fingerprint].delete(' ')
+
     # Import key if fingerprint matches
-    execute 'rpm-import datadog key e09422b3' do
+    execute "rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" do
       command "rpm --import #{key_local_path}"
-      only_if "gpg --dry-run --quiet --with-fingerprint #{key_local_path} | grep 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3' || gpg --dry-run --import --import-options import-show #{key_local_path} | grep 'A4C0B90D7443CF6E4E8AA341F1068E14E09422B3'"
+      only_if "gpg --dry-run --quiet --with-fingerprint #{key_local_path} | grep '#{rpm_gpg_key[rpm_gpg_keys_full_fingerprint]}' || gpg --dry-run --import --import-options import-show #{key_local_path} | grep '#{gpg_key_fingerprint_without_space}'"
       action :nothing
     end
   end
@@ -105,36 +128,51 @@
   end
 
   # Add YUM repository
+  yumrepo_gpgkeys = []
+  if agent_major_version < 7
+    yumrepo_gpgkeys.push(node['datadog']['yumrepo_gpgkey'])
+  else
+    rpm_gpg_keys.each do |rpm_gpg_key|
+      yumrepo_gpgkeys.push(node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"])
+    end
+  end
+
   yum_repository 'datadog' do
     description 'datadog'
     baseurl baseurl
     proxy node['datadog']['yumrepo_proxy']
     proxy_username node['datadog']['yumrepo_proxy_username']
     proxy_password node['datadog']['yumrepo_proxy_password']
-    gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']['yumrepo_gpgkey_new']
+    gpgkey yumrepo_gpgkeys
     gpgcheck true
     action :create
   end
 when 'suse'
   # Import new RPM key
-  if node['datadog']['yumrepo_gpgkey_new']
+  rpm_gpg_keys.each do |rpm_gpg_key|
+    next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
+
     # Download new RPM key
-    new_key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY_E09422B3.public')
-    remote_file 'DATADOG_RPM_KEY_E09422B3.public' do
+    new_key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
+    remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do
       path new_key_local_path
-      source node['datadog']['yumrepo_gpgkey_new']
-      not_if 'rpm -q gpg-pubkey-e09422b3' # (key already imported)
-      notifies :run, 'execute[rpm-import datadog key e09422b3]', :immediately
+      source node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
+      not_if "rpm -q gpg-pubkey-#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" # (key already imported)
+      notifies :run, "execute[rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}]", :immediately
     end
 
+    # The fingerprint string has spaces in it, calculate one without space here
+    gpg_key_fingerprint_without_space = rpm_gpg_key[rpm_gpg_keys_full_fingerprint].delete(' ')
+
     # Import key if fingerprint matches
-    execute 'rpm-import datadog key e09422b3' do
+    execute "rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" do
       command "rpm --import #{new_key_local_path}"
-      only_if "gpg --dry-run --quiet --with-fingerprint #{new_key_local_path} | grep 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3' || gpg --dry-run --import --import-options import-show #{new_key_local_path} | grep 'A4C0B90D7443CF6E4E8AA341F1068E14E09422B3'"
+      only_if "gpg --dry-run --quiet --with-fingerprint #{new_key_local_path} | grep '#{rpm_gpg_key[rpm_gpg_keys_full_fingerprint]}' || gpg --dry-run --import --import-options import-show #{new_key_local_path} | grep '#{gpg_key_fingerprint_without_space}'"
       action :nothing
     end
   end
 
+  # Now the old key is mostly hard-coded
   old_key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY.public')
   remote_file 'DATADOG_RPM_KEY.public' do
     path old_key_local_path
@@ -167,7 +205,7 @@
   zypper_repository 'datadog' do
     description 'datadog'
     baseurl baseurl
-    gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']['yumrepo_gpgkey_new']
+    gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_keys[0][rpm_gpg_keys_short_fingerprint]}"]
     gpgautoimportkeys false
     gpgcheck false
     action :create