From 24cdd5577a8391a574f5f173640505cd24c03c20 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Thu, 20 Jun 2024 17:22:42 +0100
Subject: [PATCH] flatcar-install: Use --assert-signer rather than --trusted-key with gpg

Using a custom key was recently broken by a GnuPG update. The Flatcar key is not imported when a custom key is given, but we still reference the Flatcar key with --trusted-key regardless, causing gpg to attempt to download the key from a keyserver. This fails because we no longer ship the necessary dirmngr binary, which is now only built when GnuPG has GnuTLS support enabled. Enabling GnuTLS support works around the problem, but it is not the proper fix.

--trusted-key causes gpg to trust the given key, even though there is no secret key present. This is unnecessary, as the key would be trusted anyway, albeit with a warning. --assert-signer makes more sense, as this ensures the file was signed specifically by the given key rather than some other key you happen to have in your keyring.

--assert-signer only accepts the long key ID, not the key file. There is no way to discover the key ID of a key that has just been imported, but you can get it from the original key file in a stable manner.

Closes: https://github.com/flatcar/Flatcar/issues/1471
Signed-off-by: James Le Cuirot
---
 bin/flatcar-install | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/bin/flatcar-install b/bin/flatcar-install
index 5a740be..b56169c 100755
--- a/bin/flatcar-install
+++ b/bin/flatcar-install
@@ -127,7 +127,7 @@ Flatcar Container Linux on a machine then use this tool to make a permanent inst
 # sub rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
 # sub rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
 # sub rsa4096/267EC954 2022-08-11 [S] [expires: 2023-08-11]
-GPG_LONG_ID="E25D9AED0593B34A"
+GPG_LONG_ID="F88CFEDEFF29A5B4D9523864E25D9AED0593B34A"
 GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
@@ -668,6 +668,11 @@ function prep_url(){
     mkdir -p "${GNUPGHOME}"
     if [ -n "${KEYFILE}" ]; then
         gpg --batch --quiet --import < "${KEYFILE}"
+
+        # --assert-signer needs the long key ID. We have no way of looking up
+        # the key we just imported, but we can get the ID from the original
+        # file. --with-colons provides a stable interface for parsing.
+        GPG_LONG_ID=$(gpg --show-key --with-colons "${KEYFILE}" | grep -m1 "^fpr:" | cut -d: -f10)
     else
         gpg --batch --quiet --import <<< "${GPG_KEY}"
     fi
@@ -686,7 +691,7 @@ function download_from_url(){
         exit 1
     fi
 
-    if ! gpg --batch --trusted-key "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
+    if ! gpg --batch --assert-signer "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
         echo "Could not verify ${IMAGE_NAME}." >&2
         exit 1
     fi
@@ -697,7 +702,7 @@ function install_from_url() {
     echo "Downloading, writing and verifying ${IMAGE_NAME}..."
     if ! wget ${WGET_ARGS} --no-verbose -O - "${IMAGE_URL}" \
         | tee >(${BZIP_UTIL} -cd >&3) \
-        | gpg --batch --trusted-key "${GPG_LONG_ID}" \
+        | gpg --batch --assert-signer "${GPG_LONG_ID}" \
         --verify "${WORKDIR}/${SIG_NAME}" -
     then
         local EEND=( "${PIPESTATUS[@]}" )
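Review bot: The new `GPG_LONG_ID=$(gpg --show-key ... | grep -m1 "^fpr:" | cut -d: -f10)` line in prep_url has no check that a fingerprint was actually extracted; if the keyfile is not parseable, `--show-key` fails, or the pipeline yields nothing, GPG_LONG_ID is empty (or, if the script runs with `set -e -o pipefail`, which I cannot see from this hunk, the script dies silently) and the later `--assert-signer ""` only surfaces as a generic "Could not verify" at download time. I would fail early with a clear message right after the assignment: `[ -n "${GPG_LONG_ID}" ] || { echo "Could not read a key fingerprint from ${KEYFILE}." >&2; exit 1; }`. It is also worth extending the added comment to state that `grep -m1` takes only the first `fpr:` record, i.e. the primary fingerprint of the first key in the file, so a keyfile containing several keys gets only its first key asserted; the first `fpr:` record following `pub:` is the primary key, which as far as I know also matches signatures made by that key's signing subkeys. The `prep_url` function starts and ends outside this hunk.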
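Review bot: `--assert-signer` is, as far as I recall, only available in GnuPG 2.4.1 and later, so on a host with an older gpg the `gpg --batch --assert-signer "${GPG_LONG_ID}" --verify ...` line in download_from_url rejects the unknown option and the script reports "Could not verify ${IMAGE_NAME}." — it fails closed, which is the right direction, but the message blames the image rather than the tool. Since this tool is run on arbitrary hosts, it would help to probe once in prep_url and say what is actually missing, e.g. `gpg --dump-options | grep -qx -- '--assert-signer' || { echo "GnuPG with --assert-signer support (2.4.1+) is required." >&2; exit 1; }`, or at least to note the minimum GnuPG version in the script's header comment. The same applies to the identical change in install_from_url. Both functions start and end outside these hunks.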