| author | Joey Hess <joeyh@joeyh.name> | 2016-06-13 17:47:18 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2016-06-13 17:47:18 -0400 |
| commit | 35026bbcb874f358b356a6941d2af5922671811a (patch) | |
| tree | 04dc76047ced6879a6a8768ac7bf5db6eab2ccaa | |
| parent | dda77cb106076b71f96d20c77b53545fdc46658c (diff) | |
| parent | a7a3290c3f3f5f641df302ccb1757c5c4ecbaf3e (diff) | |
Merge remote-tracking branch 'spwhitton/insecure-sbuild-keygen'
| -rw-r--r-- | src/Propellor/Property/Sbuild.hs | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs
index 2647e69e..bfa264a8 100644
--- a/src/Propellor/Property/Sbuild.hs
+++ b/src/Propellor/Property/Sbuild.hs
@@ -66,6 +66,7 @@ module Propellor.Property.Sbuild (
 -- blockNetwork,
 installed,
 keypairGenerated,
+ keypairInsecurelyGenerated,
 shareAptCache,
 usableBy,
 ) where
@@ -320,7 +321,22 @@ keypairGenerated = check (not <$> doesFileExist secKeyFile) $ go
 go = tightenTargets $
 cmdProperty "sbuild-update" ["--keygen"]
 `assume` MadeChange
- secKeyFile = "/var/lib/sbuild/apt-keys/sbuild-key.sec"
+
+secKeyFile :: FilePath
+secKeyFile = "/var/lib/sbuild/apt-keys/sbuild-key.sec"
+
+-- | Generate the apt keys needed by sbuild using a low-quality source of
+-- randomness
+--
+-- Useful on throwaway build VMs.
+keypairInsecurelyGenerated :: Property DebianLike
+keypairInsecurelyGenerated = check (not <$> doesFileExist secKeyFile) go
+ where
+ go :: Property DebianLike
+ go = combineProperties "sbuild keyring insecurely generated" $ props
+ & Apt.installed ["rng-tools"]
+ & cmdProperty "rngd" ["-r", "/dev/urandom"] `assume` MadeChange
+ & keypairGenerated
 -- another script from wiki.d.o/sbuild
 ccachePrepared :: Property DebianLike |
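Review bot: In `keypairInsecurelyGenerated`, the `rngd -r /dev/urandom` step in `go` is never undone and the haddock does not mention it. rngd normally detaches and keeps running, so it presumably goes on crediting /dev/urandom output as entropy for every /dev/random reader on the host after `keypairGenerated` has finished, not only for `sbuild-update --keygen`. If the weakened entropy is meant to cover key generation only, add a last step to `go` that stops the daemon again, such as a `cmdProperty "pkill" ["-x", "rngd"]` with the same assume-MadeChange treatment, provided no packaged rngd service is supposed to stay up. Either way the doc comment should carry the caveat, e.g. `-- Leaves rngd feeding /dev/urandom into the kernel pool host-wide; do not use on a host that generates any other key material.`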
