-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix input/output streams for gpg validation #1057
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: cdoern The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@ashley-cui PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code LGTM! Just seeing if we can test with a locked gpg key. Going to have to trust you on the hardware token part since I don't have a hardware key
@@ -28,6 +28,9 @@ func setupDriver(t *testing.T) (driver *Driver, cleanup func()) { | |||
err = driver.gpg(context.TODO(), nil, nil, "--batch", "--passphrase", "--quick-generate-key", "testing@passdriver") | |||
require.NoError(t, err) | |||
|
|||
err = driver.gpg(context.TODO(), os.Stdin, os.Stderr, "--batch", "--passphrase", "--quick-generate-key", "testing@passdriver") | |||
require.NoError(t, err) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way to test this with a key that has a password?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, I was not sure how to approach this. if we could somehow ensure that pass
is installed i could test it really easily but it was not installed on my fedora machine. Is there a way to dnf install stuff in these tests?
cc/ @edsantiago
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you don't need pass installed for the passdriver to work, only gpg. Maybe look into generating a key that has a password? And maybe a gpg flag to pass in the password when decrypting the key?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand the full context here, but (1) no you can't dnf-install, (2) have you considered --passphrase-file
?
e621472
to
a599662
Compare
@ashley-cui PTAL I think thats the most applicable test I can make for this. |
@@ -25,12 +25,15 @@ func setupDriver(t *testing.T) (driver *Driver, cleanup func()) { | |||
}) | |||
require.NoError(t, err) | |||
|
|||
err = driver.gpg(context.TODO(), nil, nil, "--batch", "--passphrase", "--quick-generate-key", "testing@passdriver") | |||
f, err := ioutil.TempFile("", "pass.txt") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I'm just taking a quick look. Did you mean to actually write some sort of passphrase into the file? If so have I missed where that happens?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks @edsantiago I think I missed a line here. I will circle back to this today
98cfad7
to
4322730
Compare
currently, our gpg function which uses exec.Command to `gpg --encrypt` and `gpg --decrypt` does not allow for stdin or out to be anything but a buffer stream directly used in the program this causes `gpg` to error out since it cannot ask for validation on locked keys. Fix this by passing stdin to --decrypt as the "in" var and stdout as the "out" var to --encrypt resolves containers/podman#13539 Signed-off-by: cdoern <cdoern@redhat.com>
CI failure seems persistent (i.e., not a flake) |
@cdoern whats up with this one? |
I am working on this one now, trying to figure out how to give the |
@edsantiago any idea here how to get the test to acknowledge stdin? I tried just writing "123" to a file and setting |
@cdoern I can't see the code you're referring to; I assume it's unpushed and will guess that your question is: "how do I run gpg, from within go, such that its stdin is something of my choice". I don't know enough go to answer that, but the traditional approach has been to |
@edsantiago sorry for the vague question. I figured out a way to modify the code here to pass |
been working on this for a bit, keep walking in circles with trying to wire up the stdin/out @ashley-cui is there any reason we would not want actual stdin/out here? the code seems to be fighting me a lot on this change. |
I'm not sure, since it looks like the gpg() function is just a cmd.exec, so it makes sense that. a regular os.stdin/os.stdout would work. Have you looked at if its specifically stdin or stdout that's not behaving, or do both have issues? |
@cdoern: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@cdoern FWIW I wouldn’t expect just redirecting That behavior needs to be explicitly opted out, in particular the documentation of |
|
That really depends on various details of the specific runtime environment of the process (e.g. is there a login session, is there a controlling TTY known to the kernel, is there an environment variable pointing at a pre-existing GPG agent). I could well imagine that an isolated process with no session and no TTY tries to auto-start the GPG agent, and just fails because it has no way to communicate with the user; while passing a stdin TTY allows the GPG agent to run. I don’t have much of a recommendation for understanding what’s going on beyond I would have recommended using GPGME instead of manually running GPG commands, but ultimately GPGME runs these commands as well, so that’s not helpful for the current situation — it would only add one more layer of indirection to unravel. |
Closing due to inactivity. |
currently, our gpg function which uses exec.Command to
gpg --encrypt
andgpg --decrypt
does not allow for stdin or out to be anything but a buffer stream directly used in the programthis causes
gpg
to error out since it cannot ask for validation on locked keys.Fix this by passing stdin to --decrypt as the "in" var and stdout as the "out" var to --encrypt
resolves containers/podman#13539
Signed-off-by: cdoern cdoern@redhat.com