From b0ee3c467cd887337729e2d7aa5ca7ab84929f40 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Tue, 21 Nov 2023 13:34:15 -0800 Subject: [PATCH 1/4] (MODULES-9695) Debian: use modern APT keyring format This updates puppet_agent::osfamily::debian to use modern APT keyrings instead of the deprecated apt-key method used by apt::key and apt::source.key without `name`. This also removes the legacy key, because keys not used for signing package sources aren't needed. /etc/pki is not needed anymore (also this directory is a RedHatism) because keyrings are now stored in the default location of /etc/apt/keyrings. We don't clean it up though, in case people are using the files there for something else. --- manifests/osfamily/debian.pp | 35 +----------- metadata.json | 6 +- .../puppet_agent_osfamily_debian_spec.rb | 56 +++---------------- 3 files changed, 14 insertions(+), 83 deletions(-) diff --git a/manifests/osfamily/debian.pp b/manifests/osfamily/debian.pp index 7cbd9d3e..3cc2f525 100644 --- a/manifests/osfamily/debian.pp +++ b/manifests/osfamily/debian.pp 
@@ -71,44 +71,15 @@ } else { $source = $puppet_agent::apt_source } - $legacy_keyname = 'GPG-KEY-puppet' - $legacy_gpg_path = "/etc/pki/deb-gpg/${legacy_keyname}" - $keyname = 'GPG-KEY-puppet-20250406' - $gpg_path = "/etc/pki/deb-gpg/${keyname}" - - if getvar('::puppet_agent::manage_pki_dir') == true { - file { ['/etc/pki', '/etc/pki/deb-gpg']: - ensure => directory, - } - } - - file { $legacy_gpg_path: - ensure => file, - owner => 0, - group => 0, - mode => '0644', - source => "puppet:///modules/puppet_agent/${legacy_keyname}", - } - - apt::key { 'legacy key': - id => '6F6B15509CF8E59E6E469F327F438280EF8D349F', - source => $legacy_gpg_path, - } - file { $gpg_path: - ensure => file, - owner => 0, - group => 0, - mode => '0644', - source => "puppet:///modules/puppet_agent/${keyname}", - } + $keyname = 'GPG-KEY-puppet-20250406' apt::source { 'pc_repo': location => $source, repos => $puppet_agent::collection, key => { - 'id' => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26', - 'source' => $gpg_path, + 'name' => "${keyname}.asc", + 'content' => file("${module_name}/${keyname}"), }, notify => Exec['pc_repo_force'], } diff --git a/metadata.json b/metadata.json index 1f19705b..bc06541d 100644 --- a/metadata.json +++ b/metadata.json @@ -10,15 +10,15 @@ "dependencies": [ { "name": "puppetlabs-stdlib", - "version_requirement": ">= 5.1.0 < 10.0.0" + "version_requirement": ">= 9.0.0 < 10.0.0" }, { "name": "puppetlabs-inifile", - "version_requirement": ">= 2.4.0 < 7.0.0" + "version_requirement": ">= 6.1.0 < 7.0.0" }, { "name": "puppetlabs-apt", - "version_requirement": ">= 7.7.1 < 10.0.0" + "version_requirement": ">= 9.2.0 < 10.0.0" }, { "name": "puppetlabs-facts", diff --git a/spec/classes/puppet_agent_osfamily_debian_spec.rb b/spec/classes/puppet_agent_osfamily_debian_spec.rb index d532365d..3601dd39 100644 --- a/spec/classes/puppet_agent_osfamily_debian_spec.rb +++ b/spec/classes/puppet_agent_osfamily_debian_spec.rb 
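Review bot: Dropping the `apt::key { 'legacy key': ... }` resource and the `'id'`/`'source'` form of `key` stops managing those keys but does not remove them, so on hosts upgraded from an earlier module version both fingerprints presumably remain in the global apt-key trust store, where they are trusted for every configured repository rather than only `pc_repo`. The commit message explains why `/etc/pki` is left in place but does not mention this, so the per-source keyring narrows trust only on fresh installs. I would document a manual cleanup step for upgrades, and add a comment above `apt::source { 'pc_repo': ... }` along the lines of `# NOTE: keys previously added via apt::key are not removed; purge them from the legacy trusted keyring when upgrading`. The hunk also removes the only visible use of `puppet_agent::manage_pki_dir`; if that parameter is still declared outside this hunk, it should be marked deprecated.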
@@ -151,44 +151,14 @@ }) } - it { - is_expected.to contain_file('/etc/pki/deb-gpg/GPG-KEY-puppet-20250406') - .with({ - 'ensure' => 'file', - 'owner' => '0', - 'group' => '0', - 'mode' => '0644', - 'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet-20250406', - }) - } - - it { - is_expected.to contain_file('/etc/pki/deb-gpg/GPG-KEY-puppet') - .with({ - 'ensure' => 'file', - 'owner' => '0', - 'group' => '0', - 'mode' => '0644', - 'source' => 'puppet:///modules/puppet_agent/GPG-KEY-puppet', - }) - } - - it { - is_expected.to contain_apt__key('legacy key') - .with({ - 'id' => '6F6B15509CF8E59E6E469F327F438280EF8D349F', - 'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet', - }) - } - it { is_expected.to contain_apt__source('pc_repo') .with({ 'location' => 'https://master.example.vm:8140/packages/2000.0.0/debian-7-x86_64', 'repos' => 'PC1', 'key' => { - 'id' => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26', - 'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406', + 'name' => 'GPG-KEY-puppet-20250406.asc', + 'content' => Puppet::FileSystem.read_preserve_line_endings('files/GPG-KEY-puppet-20250406'), }, }) } @@ -209,8 +179,8 @@ 'location' => 'https://fake-apt-mirror.com/packages/2000.0.0/debian-7-x86_64', 'repos' => 'PC1', 'key' => { - 'id' => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26', - 'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406', + 'name' => 'GPG-KEY-puppet-20250406.asc', + 'content' => Puppet::FileSystem.read_preserve_line_endings('files/GPG-KEY-puppet-20250406'), }, }) } @@ -225,7 +195,6 @@ end it { is_expected.not_to contain_apt__setting('conf-pc_repo') } - it { is_expected.not_to contain_apt__key('legacy key') } it { is_expected.not_to contain_apt__source('pc_repo') } end 
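Review bot: The new `'content'` expectation reads the same `files/GPG-KEY-puppet-20250406` that the manifest ships, so the spec no longer pins which key ends up trusted. The removed `'id' => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26'` lines were the only place the fingerprint appeared in these examples, and a swapped key file would now pass here and in the hunks at 179, 214 and 243. Consider adding one example that checks the shipped file against a known fingerprint or digest. The relative path also assumes rspec runs from the module root and is repeated in each expectation; a single `let(:puppet_key) { Puppet::FileSystem.read_preserve_line_endings(File.join(__dir__, '..', '..', 'files', 'GPG-KEY-puppet-20250406')) }` would fix both. The enclosing `describe`/`context` blocks start outside these hunks, so the right scope for the `let` needs confirming.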
@@ -245,22 +214,14 @@ } end - it { - is_expected.to contain_apt__key('legacy key') - .with({ - 'id' => '6F6B15509CF8E59E6E469F327F438280EF8D349F', - 'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet', - }) - } - it { is_expected.to contain_apt__source('pc_repo') .with({ 'location' => 'https://apt.puppet.com', 'repos' => 'puppet5', 'key' => { - 'id' => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26', - 'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406', + 'name' => 'GPG-KEY-puppet-20250406.asc', + 'content' => Puppet::FileSystem.read_preserve_line_endings('files/GPG-KEY-puppet-20250406'), }, }) } @@ -282,8 +243,8 @@ 'location' => 'https://fake-apt-mirror.com/', 'repos' => 'puppet5', 'key' => { - 'id' => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26', - 'source' => '/etc/pki/deb-gpg/GPG-KEY-puppet-20250406', + 'name' => 'GPG-KEY-puppet-20250406.asc', + 'content' => Puppet::FileSystem.read_preserve_line_endings('files/GPG-KEY-puppet-20250406'), }, }) } @@ -297,7 +258,6 @@ } end - it { is_expected.not_to contain_apt__key('legacy key') } it { is_expected.not_to contain_apt__source('pc_repo') } end From d76cad3e9ef145badc1769cf347f5a3a6ce66628 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Wed, 3 Jul 2024 14:04:24 -0700 Subject: [PATCH 2/4] metadata.json: require Puppet 7 The module dependencies (apt, stdlib, inifile) require Puppet 7. --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index bc06541d..73987723 100644 --- a/metadata.json +++ b/metadata.json @@ -75,7 +75,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 5.0.0 < 9.0.0" + "version_requirement": ">= 7.0.0 < 9.0.0" } ], "pdk-version": "3.2.0", From 30505fb7d9b2a767a4273bcd9057633af41e321d Mon Sep 17 00:00:00 2001 
From: Kenyon Ralph Date: Fri, 28 Jun 2024 15:02:29 -0700 Subject: [PATCH 3/4] acceptance test helpers: update puppetlabs-apt to v9.4.0 --- acceptance/helpers.rb | 6 +++--- spec/spec_helper_acceptance.rb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acceptance/helpers.rb b/acceptance/helpers.rb index f56cdab0..96af946a 100644 --- a/acceptance/helpers.rb +++ b/acceptance/helpers.rb @@ -177,9 +177,9 @@ def new_puppet_testing_environment # @param [String] environment The puppet environment to install the modules to, this must # be a valid environment in the puppet install on the host. def install_puppet_agent_module_on(host, environment) - on(host, puppet('module', 'install', 'puppetlabs-stdlib', '--version', '8.4.0', '--environment', environment), { acceptable_exit_codes: [0] }) - on(host, puppet('module', 'install', 'puppetlabs-inifile', '--version', '5.3.0', '--environment', environment), { acceptable_exit_codes: [0] }) - on(host, puppet('module', 'install', 'puppetlabs-apt', '--version', '9.0.0', '--environment', environment), { acceptable_exit_codes: [0] }) + on(host, puppet('module', 'install', 'puppetlabs-stdlib', '--version', '9.0.0', '--environment', environment), { acceptable_exit_codes: [0] }) + on(host, puppet('module', 'install', 'puppetlabs-inifile', '--version', '6.1.0', '--environment', environment), { acceptable_exit_codes: [0] }) + on(host, puppet('module', 'install', 'puppetlabs-apt', '--version', '9.4.0', '--environment', environment), { acceptable_exit_codes: [0] }) install_dev_puppet_module_on(host, source: File.join(File.dirname(__FILE__), '..'), diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index bafa5704..0de18ec9 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb 
@@ -116,7 +116,7 @@ def teardown_puppet_on(host) # the machine after each run. case host['platform'] when %r{debian|ubuntu} - on host, '/opt/puppetlabs/bin/puppet module install puppetlabs-apt --version 9.0.0', { acceptable_exit_codes: [0, 1] } + on host, '/opt/puppetlabs/bin/puppet module install puppetlabs-apt --version 9.4.0', { acceptable_exit_codes: [0, 1] } clean_repo = "include apt\napt::source { 'pc_repo': ensure => absent, notify => Package['puppet-agent'] }" when %r{fedora|el|centos} clean_repo = "yumrepo { 'pc_repo': ensure => absent, notify => Package['puppet-agent'] }" From 87d67b292b9c65d784e91e5d8ff34d0eddc4f65d Mon Sep 17 00:00:00 2001 From: Michael Hashizume Date: Mon, 8 Jul 2024 15:57:16 -0700 Subject: [PATCH 4/4] acceptance/helpers.rb: add signed-by to apt sources.list --- acceptance/helpers.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/acceptance/helpers.rb b/acceptance/helpers.rb index 96af946a..55f0efc7 100644 --- a/acceptance/helpers.rb +++ b/acceptance/helpers.rb @@ -235,6 +235,15 @@ def set_up_initial_agent_on(host, initial_package_version_or_collection) end install_puppet_agent_on(host, agent_install_options) + + # beaker-puppet doesn't add signing information to the apt source list, but this module does. + # This discrepancy causes apt to error, so we manually add signing info. + if %r{debian|ubuntu}.match?(host['platform']) + step '(Agent) Add apt signing information' do + on(host, "sed -e 's/^deb http/deb [signed-by=\\/etc\\/apt\\/keyrings\\/GPG-KEY-puppet-20250406.asc] http/' /etc/apt/sources.list.d/puppet*.list -i") + end + end + teardowns << -> do remove_installed_agent(host) end
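Review bot: The `sed` added in `set_up_initial_agent_on` exits 0 whether or not any line matched `^deb http`, so if beaker-puppet writes the entry with options already present (`deb [arch=...] http...`) or in deb822 format, the step passes without pinning the source to the keyring. The apt conflict described in the comment would then return with no hint as to why. A follow-up check such as `on(host, "grep -q 'signed-by=' /etc/apt/sources.list.d/puppet*.list")` would make the step fail loudly instead. The keyring path also hard-codes `GPG-KEY-puppet-20250406.asc`, duplicating `$keyname` in `manifests/osfamily/debian.pp`, so both must change together when the key rotates; a named constant in the helper file with a comment pointing at the manifest would make that dependency visible. The function body starts and ends outside the hunk.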