Yumrepo gpgcheck puppet-lint check

The latest in my recent series of puppet-lint plugins, the yumrepo gpgcheck enabled check, will mostly be of interest to security-conscious Linux users who use a yum- or dnf-based package manager. In this case we’re checking the gpgcheck attribute, which indicates whether yum should perform a GPG signature check on packages. Having this disabled means you’ll accept any packages from your configured repo, not just those signed by the packagers. While it’s often more work to sign your own packages, you should at the very least enable it for all upstream yum repositories.

The plugin issues warnings for two different forms of configuration. The first is a yumrepo without a gpgcheck attribute:

    yumrepo { 'company_app_repo':
      enabled  => 1,
      descr    => 'Local repo holding company application packages',
      baseurl  => 'http://repos.example.org/apps',
    }

Warning: `yumrepo should have the gpgcheck attribute`

The second warning comes from having gpgcheck disabled:

    yumrepo { 'company_app_repo':
      enabled  => 1,
      descr    => 'Local repo holding company application packages',
      baseurl  => 'http://repos.example.org/apps',
      gpgcheck => 0,
    }

Warning: `yumrepo should enable the gpgcheck attribute`
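
The two checks described above, sketched as a standalone Ruby script. This is an added example, not the plugin's own code: it uses a regex over flat resource bodies, and the `gpgcheck_warnings` name, the `OFF_VALUES` list and the sample manifest (including the `gpgkey` URL) are assumptions made for illustration.

```ruby
# Added example: simplified stand-in for the lint check, not the plugin's code.
# It matches flat yumrepo resources (one attribute per line, no nested braces),
# like the ones shown in this post.

MISSING  = 'yumrepo should have the gpgcheck attribute'
DISABLED = 'yumrepo should enable the gpgcheck attribute'

# Values treated as "disabled" are an assumption of this example.
OFF_VALUES = %w[0 false no].freeze

# Returns an array of [resource_title, warning_message] pairs.
def gpgcheck_warnings(manifest)
  warnings = []
  manifest.scan(/yumrepo\s*\{\s*'([^']+)'\s*:(.*?)\}/m) do |title, body|
    # Anchor at line start so gpgkey, repo_gpgcheck and comments are ignored.
    m = body.match(/^\s*gpgcheck\s*=>\s*['"]?(\w+)['"]?/)
    if m.nil?
      warnings << [title, MISSING]
    elsif OFF_VALUES.include?(m[1].downcase)
      warnings << [title, DISABLED]
    end
  end
  warnings
end

# Constructed sample manifest: the two flagged forms from the post plus a
# compliant resource (the gpgkey URL is a placeholder).
SAMPLE = <<~PUPPET
  yumrepo { 'no_attribute':
    enabled => 1,
    baseurl => 'http://repos.example.org/apps',
  }
  yumrepo { 'disabled':
    enabled  => 1,
    baseurl  => 'http://repos.example.org/apps',
    gpgcheck => 0,
  }
  yumrepo { 'compliant':
    enabled  => 1,
    baseurl  => 'http://repos.example.org/apps',
    gpgcheck => 1,
    gpgkey   => 'http://repos.example.org/RPM-GPG-KEY-example',
  }
PUPPET

gpgcheck_warnings(SAMPLE).each { |title, msg| puts "#{title}: #{msg}" }
```

Only the first two resources are reported; the third, with `gpgcheck => 1` and a `gpgkey`, is the form that passes.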

Installing the plugin is done in the usual way. Add the gem to your `Gemfile`:

    gem 'puppet-lint-yumrepo_gpgcheck_enabled-check'

Then run:

    bundle install