reorder keys from newest to oldest

DataDog · Jun 13, 2023 · ffff3b7 · ffff3b7
1 parent f2323a9
commit ffff3b7
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 63 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -175,9 +175,9 @@
 # of the Agent will be signed with this key.
 # DATADOG_RPM_KEY_CURRENT always contains the key that is used to sign repodata and latest packages
 default['datadog']['yumrepo_gpgkey_new_current'] = "#{yum_protocol}://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public"
-default['datadog']['yumrepo_gpgkey_new_e09422b3'] = "#{yum_protocol}://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
-default['datadog']['yumrepo_gpgkey_new_fd4bf915'] = "#{yum_protocol}://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public"
 default['datadog']['yumrepo_gpgkey_new_b01082d3'] = "#{yum_protocol}://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public"
+default['datadog']['yumrepo_gpgkey_new_fd4bf915'] = "#{yum_protocol}://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public"
+default['datadog']['yumrepo_gpgkey_new_e09422b3'] = "#{yum_protocol}://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
 
 # Windows Agent Blacklist
 # Attribute to enforce silent failures on agent installs when attempting to install a

diff --git a/recipes/repository.rb b/recipes/repository.rb
@@ -48,9 +48,9 @@
 # DATADOG_RPM_KEY_FD4BF915.public expires in 2024
 # DATADOG_RPM_KEY_B01082D3.public expires in 2028
 rpm_gpg_keys = [['DATADOG_RPM_KEY_CURRENT.public', 'current', ''],
-                ['DATADOG_RPM_KEY_E09422B3.public', 'e09422b3', 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3'],
-                ['DATADOG_RPM_KEY_FD4BF915.public', 'fd4bf915', 'C655 9B69 0CA8 82F0 23BD  F3F6 3F4D 1729 FD4B F915']]
-                ['DATADOG_RPM_KEY_B01082D3.public', 'b01082d3', '7408 BFD5 6BC5 BF0C 361A  AAE8 5D88 EEA3 B010 82D3']]
+                ['DATADOG_RPM_KEY_B01082D3.public', 'b01082d3', '7408 BFD5 6BC5 BF0C 361A  AAE8 5D88 EEA3 B010 82D3'],
+                ['DATADOG_RPM_KEY_FD4BF915.public', 'fd4bf915', 'C655 9B69 0CA8 82F0 23BD  F3F6 3F4D 1729 FD4B F915'],
+                ['DATADOG_RPM_KEY_E09422B3.public', 'e09422b3', 'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3']]
 
 # Local file name of the key
 rpm_gpg_keys_name = 0
@@ -178,15 +178,15 @@ def warn_deprecated_yumrepo_gpgkey
     action :remove
   end
 
-  apt_repository 'datadog_apt_A2923DFF56EDA6E76E55E492D3A80E30382E94DE' do
+  apt_repository 'datadog_apt_5F1E256061D813B125E156E8E6266D4AC0962C7D' do
     action :remove
   end
 
   apt_repository 'datadog_apt_D75CEA17048B9ACBF186794B32637D44F14F620E' do
     action :remove
   end
 
-  apt_repository 'datadog_apt_5F1E256061D813B125E156E8E6266D4AC0962C7D' do
+  apt_repository 'datadog_apt_A2923DFF56EDA6E76E55E492D3A80E30382E94DE' do
     action :remove
   end
 

diff --git a/spec/repository_spec.rb b/spec/repository_spec.rb
@@ -115,16 +115,16 @@ def handle_keys(key_list, install_gnupg = true)
       expect(chef_run).to remove_apt_repository('datadog-beta')
     end
 
-    it 'removes the datadog_apt_A2923DFF56EDA6E76E55E492D3A80E30382E94DE repo' do
-      expect(chef_run).to remove_apt_repository('datadog_apt_A2923DFF56EDA6E76E55E492D3A80E30382E94DE')
+    it 'removes the datadog_apt_5F1E256061D813B125E156E8E6266D4AC0962C7D repo' do
+      expect(chef_run).to remove_apt_repository('datadog_apt_5F1E256061D813B125E156E8E6266D4AC0962C7D')
     end
 
     it 'removes the datadog_apt_D75CEA17048B9ACBF186794B32637D44F14F620E repo' do
       expect(chef_run).to remove_apt_repository('datadog_apt_D75CEA17048B9ACBF186794B32637D44F14F620E')
     end
 
-    it 'removes the datadog_apt_5F1E256061D813B125E156E8E6266D4AC0962C7D repo' do
-      expect(chef_run).to remove_apt_repository('datadog_apt_5F1E256061D813B125E156E8E6266D4AC0962C7D')
+    it 'removes the datadog_apt_A2923DFF56EDA6E76E55E492D3A80E30382E94DE repo' do
+      expect(chef_run).to remove_apt_repository('datadog_apt_A2923DFF56EDA6E76E55E492D3A80E30382E94DE')
     end
   end
 
@@ -182,19 +182,19 @@ def handle_keys(key_list, install_gnupg = true)
         end.converge(described_recipe)
       end
 
-      # Key E09422B3
-      # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
       # Key B01082D3 (from 2023-04-20 to 2028-04-18)
+      # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
+      # Key E09422B3
       handle_keys ['current', 'b01082d3', 'fd4bf915', 'e09422b3']
 
       # prefer HTTPS on boxes that support TLS1.2
       it 'sets up a yum repo E09422B3, FD4BF915 and B01082D3' do
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -209,18 +209,19 @@ def handle_keys(key_list, install_gnupg = true)
         end.converge(described_recipe)
       end
 
-      # Key E09422B3
-      # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
       # Key B01082D3 (from 2023-04-20 to 2028-04-18)
+      # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
+      # Key E09422B3
       handle_keys ['b01082d3', 'fd4bf915', 'e09422b3']
 
       # prefer HTTPS on boxes that support TLS1.2
       it 'sets up a yum repo' do
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -235,9 +236,9 @@ def handle_keys(key_list, install_gnupg = true)
         end.converge(described_recipe)
       end
 
-      # Key E09422B3
-      # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
       # Key B01082D3 (from 2023-04-20 to 2028-04-18)
+      # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
+      # Key E09422B3
       handle_keys ['b01082d3', 'fd4bf915', 'e09422b3']
 
       # RHEL5 has to use insecure HTTP due to lack of support for TLS1.2
@@ -246,9 +247,9 @@ def handle_keys(key_list, install_gnupg = true)
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'http://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
-            'http://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
-            'http://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'http://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
+            'http://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
+            'http://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: false)
       end
@@ -268,9 +269,9 @@ def handle_keys(key_list, install_gnupg = true)
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: false)
       end
@@ -290,9 +291,9 @@ def handle_keys(key_list, install_gnupg = true)
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -312,9 +313,9 @@ def handle_keys(key_list, install_gnupg = true)
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -334,9 +335,9 @@ def handle_keys(key_list, install_gnupg = true)
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
+            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -357,7 +358,7 @@ def handle_keys(key_list, install_gnupg = true)
         end.converge(described_recipe)
       end
 
-      handle_keys (['e09422b3', 'fd4bf915', 'b01082d3'], false)
+      handle_keys(['b01082d3', 'fd4bf915', 'e09422b3'], false)
 
       it 'deletes the old RPM GPG key 4172a230 if it exists' do
         expect(chef_run).to run_execute('rpm-remove old gpg key 4172a230-55dd14f6')

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -46,9 +46,9 @@ def min_chef_version(version)
 
     # recipes/repository.rb
     stub_command('rpm -q gpg-pubkey-current').and_return(false)
-    stub_command('rpm -q gpg-pubkey-e09422b3').and_return(false)
-    stub_command('rpm -q gpg-pubkey-fd4bf915').and_return(false)
     stub_command('rpm -q gpg-pubkey-b01082d3').and_return(false)
+    stub_command('rpm -q gpg-pubkey-fd4bf915').and_return(false)
+    stub_command('rpm -q gpg-pubkey-e09422b3').and_return(false)
     stub_command('rpm -q gpg-pubkey-4172a230-55dd14f6').and_return(true)
     stub_command('apt-key adv --list-public-keys --with-fingerprint --with-colons | grep 382E94DE | grep pub').and_return(false)
   end

diff --git a/test/integration/dd-agent-handler5/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-handler5/serverspec_datadog/dd-agent_spec.rb
@@ -33,23 +33,23 @@
 # The new APT keys are imported
 describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain '382E94DE' }
-  its(:stdout) { should contain 'F14F620E' }
   its(:stdout) { should contain 'C0962C7D' }
+  its(:stdout) { should contain 'F14F620E' }
+  its(:stdout) { should contain '382E94DE' }
 end
 
 # The new RPM keys are imported
-describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
 end
 
 describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
     its(:exit_status) { should eq 0 }
     its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
 end
 
-describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
+  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
 end
diff --git a/test/integration/dd-agent-handler6/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-handler6/serverspec_datadog/dd-agent_spec.rb
@@ -31,23 +31,23 @@
 # The new APT keys are imported
 describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain '382E94DE' }
-  its(:stdout) { should contain 'F14F620E' }
   its(:stdout) { should contain 'C0962C7D' }
+  its(:stdout) { should contain 'F14F620E' }
+  its(:stdout) { should contain '382E94DE' }
 end
 
 # The new RPM keys are imported
-describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
 end
 
 describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
     its(:exit_status) { should eq 0 }
     its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
 end
 
-describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
+  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
 end
diff --git a/test/integration/dd-agent-handler7/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-handler7/serverspec_datadog/dd-agent_spec.rb
@@ -31,23 +31,23 @@
 # The new APT keys are imported
 describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain '382E94DE' }
-  its(:stdout) { should contain 'F14F620E' }
   its(:stdout) { should contain 'C0962C7D' }
+  its(:stdout) { should contain 'F14F620E' }
+  its(:stdout) { should contain '382E94DE' }
 end
 
 # The new RPM keys are imported
-describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
 end
 
 describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
 end
 
-describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
+  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
 end
diff --git a/test/integration/dd-agent-iot/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-iot/serverspec_datadog/dd-agent_spec.rb
@@ -33,23 +33,23 @@
 # The new APT keys are imported
 describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain '382E94DE' }
-  its(:stdout) { should contain 'F14F620E' }
   its(:stdout) { should contain 'C0962C7D' }
+  its(:stdout) { should contain 'F14F620E' }
+  its(:stdout) { should contain '382E94DE' }
 end
 
 # The new RPM keys are imported
-describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
 end
 
 describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
 end
 
-describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
+  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
 end
diff --git a/test/integration/dd-agent/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent/serverspec_datadog/dd-agent_spec.rb
@@ -31,23 +31,23 @@
 # The new APT keys are imported
 describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain '382E94DE' }
-  its(:stdout) { should contain 'F14F620E' }
   its(:stdout) { should contain 'C0962C7D' }
+  its(:stdout) { should contain 'F14F620E' }
+  its(:stdout) { should contain '382E94DE' }
 end
 
 # The new RPM keys are imported
-describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
 end
 
 describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
 end
 
-describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
+describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
   its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
+  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
 end