salt.states.gpg
Manage GPG keychains
New in version 2016.3.0.
- exception salt.states.gpg.KeyNotContained(message='', info=None)
Raised when a data source does not contain a requested key
- salt.states.gpg.absent(name, keys=None, user=None, gnupghome=None, keyring=None, keyring_absent_if_empty=False, **kwargs)
Ensure a GPG public key is absent from the keychain.
- name
The key ID of the GPG public key.
- keys
The key ID or key IDs to remove from the GPG keychain.
- user
Remove GPG keys from the specified user's keychain.
- gnupghome
Override GnuPG home directory.
- keyring
Limit the operation to this specific keyring, specified as a local filesystem path.
New in version 3007.0.
- keyring_absent_if_empty
Make sure to not leave behind an empty keyring file if keyring was specified. Defaults to false.
New in version 3007.0.
- salt.states.gpg.present(name, keys=None, user=None, keyserver=None, gnupghome=None, trust=None, keyring=None, source=None, skip_keyserver=False, text=None, subkey_maxage=100, **kwargs)
Ensure a GPG public key is present in the GPG keychain and that it is not expired.
- name
The key ID of the GPG public key.
- keys
The key ID or key IDs to add to the GPG keychain.
- user
Add GPG keys to the specified user's keychain.
- keyserver
The keyserver to retrieve the keys from.
- gnupghome
Override GnuPG home directory.
- trust
Trust level for the key in the keychain, ignored by default. Valid trust levels: expired, unknown, not_trusted, marginally, fully, ultimately
- keyring
Limit the operation to this specific keyring, specified as a local filesystem path.
New in version 3007.0.
- source
A (list of) path(s)/URI to retrieve the key(s) from. By default, this works as a backup option in case retrieving a key from the keyserver fails.
Note
All listed sources will be iterated over in order until the first one found to contain the requested key. If multiple keys are managed in a single state, the effective sources are allowed to differ between keys.
Important
Internally, this uses gpg.read_key to list keys in the sources. If a source is not a keyring, on GnuPG <2.1, this can lead to unintentional decryption.
New in version 3008.0.
- skip_keyserver
Do not attempt to retrieve the key from the keyserver, only use source. Irrelevant when text is passed. Defaults to false.
New in version 3008.0.
- text
Instead of retrieving the key(s) to import from a keyserver/URI, import them from this (armored) string.
Note
name or keys must still specify the expected key ID(s), so this cannot be used to indiscriminately import a keyring. Requires python-gnupg v0.5.1.
New in version 3008.0.
- subkey_maxage
If the managed key has expired subkeys, this state attempts an update. Since sometimes keys have long expired subkeys, it filters eligible subkeys that trigger the update check. This parameter specifies the maximum number of days since a subkey's expiration for the key to be eligible. Defaults to 100, meaning subkeys that have expired more than 100 days ago do not trigger an attempt. Set this to a falsy value to skip the explicit management of subkeys.
New in version 3008.0.
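As an added example (not from the Salt documentation), the two states above combined in one SLS file: a key pinned to a dedicated keyring with a local file as fallback, an offline import that never touches a keyserver, and the removal of a retired key. The key IDs, user, keyserver address and file paths are placeholders chosen for illustration.

```yaml
# Added example, not part of the Salt docs. All key IDs, paths, the user
# and the keyserver below are placeholders.

# Keep a vendor signing key in its own keyring. The keyserver is tried first;
# the file under source is only used if the keyserver lookup fails.
vendor_signing_key_present:
  gpg.present:
    - name: 0123456789ABCDEF              # placeholder key ID (use the real one)
    - user: deploy
    - keyserver: hkps://keys.example.org  # placeholder keyserver
    - source:
        - salt://gpg/vendor-release.asc   # fallback only; placeholder path
    - keyring: /home/deploy/.gnupg/vendor.kbx
    - trust: fully
    - subkey_maxage: 30                   # only recently expired subkeys trigger a refresh

# Import strictly from the listed source, with no keyserver access at all.
# name still pins the expected key ID, so an unexpected key in the file is rejected.
offline_key_present:
  gpg.present:
    - name: FEDCBA9876543210              # placeholder key ID
    - user: deploy
    - source:
        - /srv/keys/build-signing.asc     # placeholder path
    - skip_keyserver: True
    - keyring: /home/deploy/.gnupg/vendor.kbx

# Retire an old key and remove the keyring file if nothing else is left in it.
old_vendor_key_absent:
  gpg.absent:
    - name: 1111222233334444              # placeholder key ID of the retired key
    - user: deploy
    - keyring: /home/deploy/.gnupg/vendor-old.kbx
    - keyring_absent_if_empty: True
```

Per the Important note above, the source files here are armored key files rather than arbitrary data, so the gpg.read_key listing on GnuPG <2.1 cannot trigger an unintended decryption.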