apt: Validate trusted keys

This checks that the specified keyrings exist, and are valid.

Closes #323

bootstrapvz/common/task_groups.py

@@ -121,6 +121,7 @@ def get_apt_group(manifest):
     if 'sources' in manifest.packages:
         group.append(apt.AddManifestSources)
     if 'trusted-keys' in manifest.packages:
+        group.append(apt.ValidateTrustedKeys)
         group.append(apt.InstallTrustedKeys)
     if 'preferences' in manifest.packages:
         group.append(apt.AddManifestPreferences)

bootstrapvz/common/tasks/apt.py

@@ -6,6 +6,37 @@ import logging
 import os
 
 
+class ValidateTrustedKeys(Task):
+    description = 'Validate apt trusted keys'
+    phase = phases.validation
+
+    @classmethod
+    def run(cls, info):
+        from bootstrapvz.common.tools import log_call
+
+        for i, key_path in enumerate(info.manifest.packages.get('trusted-keys', {})):
+            if not os.path.isfile(key_path):
+                info.manifest.validation_error('File not found: {}'.format(key_path),
+                                               ['packages', 'trusted-keys', i])
+
+            from tempfile import mkdtemp
+            from shutil import rmtree
+            tempdir = mkdtemp()
+
+            status, _, _ = log_call(
+                ['gpg', '--quiet',
+                 '--homedir', tempdir,
+                 '--keyring', key_path,
+                 '-k']
+            )
+
+            rmtree(tempdir)
+
+            if status != 0:
+                info.manifest.validation_error('Invalid GPG keyring: {}'.format(key_path),
+                                               ['packages', 'trusted-keys', i])
+
+
 class AddManifestSources(Task):
     description = 'Adding sources from the manifest'
     phase = phases.preparation
@@ -70,6 +101,7 @@ class AddManifestPreferences(Task):
 class InstallTrustedKeys(Task):
     description = 'Installing trusted keys'
     phase = phases.package_installation
+    predecessors = [ValidateTrustedKeys]
 
     @classmethod
     def run(cls, info):