Merge pull request #207 from mtrmac/openpgp

Allow choosing between a gpgme and openpgp signature backend using a build tag

.travis.yml

@@ -5,7 +5,10 @@
     email: false
   go:
     - 1.7
-  script: make tools .gitvalidation validate test test-skopeo
+  env:
+    - BUILDTAGS='btrfs_noversion libdm_no_deferred_remove'
+    - BUILDTAGS='btrfs_noversion libdm_no_deferred_remove containers_image_openpgp'
+  script: make tools .gitvalidation validate test test-skopeo BUILDTAGS="$BUILDTAGS"
   dist: trusty
   os:
     - linux

Makefile

@@ -44,7 +44,7 @@ test-skopeo:
 		rm -rf $${vendor_path} && cp -r . $${vendor_path} && rm -rf $${vendor_path}/vendor && \
 		cd $${skopeo_path} && \
 		make BUILDTAGS="$(BUILDTAGS)" binary-local test-all-local && \
-		$(SUDO) make check && \
+		$(SUDO) make BUILDTAGS="$(BUILDTAGS)" check && \
 		rm -rf $${skopeo_path}
 
 validate: lint

README.md

@@ -32,6 +32,16 @@ libraries you should use with this package in your own projects.
 What this project tests against dependencies-wise is located
 [here](https://github.com/containers/image/blob/master/vendor.conf).
 
+## Building
+
+For ordinary use, `go build ./...` is sufficient.
+
+When developing this library, please use `make` to take advantage of the tests and validation.
+
+Optionally, you can use the `containers_image_openpgp` build tag (using `go build -tags …`, or `make … BUILDTAGS=…`).
+This will use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
+the primary downside is that creating new signatures with the Golang-only implementation is not supported.
+
 ## License
 
 ASL 2.0

copy/copy.go

@@ -235,6 +235,11 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		if err != nil {
 			return errors.Wrap(err, "Error initializing GPG")
 		}
+		defer mech.Close()
+		if err := mech.SupportsSigning(); err != nil {
+			return errors.Wrap(err, "Signing not supported")
+		}
+
 		dockerReference := dest.Reference().DockerReference()
 		if dockerReference == nil {
 			return errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference()))

signature/docker_test.go

@@ -11,6 +11,12 @@ import (
 func TestSignDockerManifest(t *testing.T) {
 	mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
 	require.NoError(t, err)
+	defer mech.Close()
+
+	if err := mech.SupportsSigning(); err != nil {
+		t.Skipf("Signing not supported: %v", err)
+	}
+
 	manifest, err := ioutil.ReadFile("fixtures/image.manifest.json")
 	require.NoError(t, err)
 
@@ -41,6 +47,7 @@ func TestSignDockerManifest(t *testing.T) {
 func TestVerifyDockerManifestSignature(t *testing.T) {
 	mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
 	require.NoError(t, err)
+	defer mech.Close()
 	manifest, err := ioutil.ReadFile("fixtures/image.manifest.json")
 	require.NoError(t, err)
 	signature, err := ioutil.ReadFile("fixtures/image.signature")

signature/mechanism.go

@@ -9,19 +9,20 @@ import (
 	"io/ioutil"
 	"strings"
 
-	"github.com/mtrmac/gpgme"
 	"golang.org/x/crypto/openpgp"
 )
 
 // SigningMechanism abstracts a way to sign binary blobs and verify their signatures.
+// Each mechanism should eventually be closed by calling Close().
 // FIXME: Eventually expand on keyIdentity (namespace them between mechanisms to
 // eliminate ambiguities, support CA signatures and perhaps other key properties)
 type SigningMechanism interface {
-	// ImportKeysFromBytes imports public keys from the supplied blob and returns their identities.
-	// The blob is assumed to have an appropriate format (the caller is expected to know which one).
-	// NOTE: This may modify long-term state (e.g. key storage in a directory underlying the mechanism).
-	ImportKeysFromBytes(blob []byte) ([]string, error)
-	// Sign creates a (non-detached) signature of input using keyidentity
+	// Close removes resources associated with the mechanism, if any.
+	Close() error
+	// SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError.
+	SupportsSigning() error
+	// Sign creates a (non-detached) signature of input using keyIdentity.
+	// Fails with a SigningNotSupportedError if the mechanism does not support signing.
 	Sign(input []byte, keyIdentity string) ([]byte, error)
 	// Verify parses unverifiedSignature and returns the content and the signer's identity
 	Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error)
@@ -33,109 +34,34 @@ type SigningMechanism interface {
 	UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error)
 }
 
-// A GPG/OpenPGP signing mechanism.
-type gpgSigningMechanism struct {
-	ctx *gpgme.Context
+// SigningNotSupportedError is returned when trying to sign using a mechanism which does not support that.
+type SigningNotSupportedError string
+
+func (err SigningNotSupportedError) Error() string {
+	return string(err)
 }
 
-// NewGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism.
+// NewGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism for the user’s default
+// GPG configuration ($GNUPGHOME / ~/.gnupg)
+// The caller must call .Close() on the returned SigningMechanism.
 func NewGPGSigningMechanism() (SigningMechanism, error) {
 	return newGPGSigningMechanismInDirectory("")
 }
 
-// newGPGSigningMechanismInDirectory returns a new GPG/OpenPGP signing mechanism, using optionalDir if not empty.
-func newGPGSigningMechanismInDirectory(optionalDir string) (SigningMechanism, error) {
-	ctx, err := gpgme.New()
-	if err != nil {
-		return nil, err
-	}
-	if err = ctx.SetProtocol(gpgme.ProtocolOpenPGP); err != nil {
-		return nil, err
-	}
-	if optionalDir != "" {
-		err := ctx.SetEngineInfo(gpgme.ProtocolOpenPGP, "", optionalDir)
-		if err != nil {
-			return nil, err
-		}
-	}
-	ctx.SetArmor(false)
-	ctx.SetTextMode(false)
-	return gpgSigningMechanism{ctx: ctx}, nil
-}
-
-// ImportKeysFromBytes implements SigningMechanism.ImportKeysFromBytes
-func (m gpgSigningMechanism) ImportKeysFromBytes(blob []byte) ([]string, error) {
-	inputData, err := gpgme.NewDataBytes(blob)
-	if err != nil {
-		return nil, err
-	}
-	res, err := m.ctx.Import(inputData)
-	if err != nil {
-		return nil, err
-	}
-	keyIdentities := []string{}
-	for _, i := range res.Imports {
-		if i.Result == nil {
-			keyIdentities = append(keyIdentities, i.Fingerprint)
-		}
-	}
-	return keyIdentities, nil
-}
-
-// Sign implements SigningMechanism.Sign
-func (m gpgSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte, error) {
-	key, err := m.ctx.GetKey(keyIdentity, true)
-	if err != nil {
-		return nil, err
-	}
-	inputData, err := gpgme.NewDataBytes(input)
-	if err != nil {
-		return nil, err
-	}
-	var sigBuffer bytes.Buffer
-	sigData, err := gpgme.NewDataWriter(&sigBuffer)
-	if err != nil {
-		return nil, err
-	}
-	if err = m.ctx.Sign([]*gpgme.Key{key}, inputData, sigData, gpgme.SigModeNormal); err != nil {
-		return nil, err
-	}
-	return sigBuffer.Bytes(), nil
-}
-
-// Verify implements SigningMechanism.Verify
-func (m gpgSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
-	signedBuffer := bytes.Buffer{}
-	signedData, err := gpgme.NewDataWriter(&signedBuffer)
-	if err != nil {
-		return nil, "", err
-	}
-	unverifiedSignatureData, err := gpgme.NewDataBytes(unverifiedSignature)
-	if err != nil {
-		return nil, "", err
-	}
-	_, sigs, err := m.ctx.Verify(unverifiedSignatureData, nil, signedData)
-	if err != nil {
-		return nil, "", err
-	}
-	if len(sigs) != 1 {
-		return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Unexpected GPG signature count %d", len(sigs))}
-	}
-	sig := sigs[0]
-	// This is sig.Summary == gpgme.SigSumValid except for key trust, which we handle ourselves
-	if sig.Status != nil || sig.Validity == gpgme.ValidityNever || sig.ValidityReason != nil || sig.WrongKeyUsage {
-		// FIXME: Better error reporting eventually
-		return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Invalid GPG signature: %#v", sig)}
-	}
-	return signedBuffer.Bytes(), sig.Fingerprint, nil
+// NewEphemeralGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism which
+// recognizes _only_ public keys from the supplied blob, and returns the identities
+// of these keys.
+// The caller must call .Close() on the returned SigningMechanism.
+func NewEphemeralGPGSigningMechanism(blob []byte) (SigningMechanism, []string, error) {
+	return newEphemeralGPGSigningMechanism(blob)
 }
 
-// UntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION,
+// gpgUntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION,
 // along with a short identifier of the key used for signing.
 // WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys)
 // is NOT the same as a "key identity" used in other calls ot this interface, and
 // the values may have no recognizable relationship if the public key is not available.
-func (m gpgSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
+func gpgUntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
 	// This uses the Golang-native OpenPGP implementation instead of gpgme because we are not doing any cryptography.
 	md, err := openpgp.ReadMessage(bytes.NewReader(untrustedSignature), openpgp.EntityList{}, nil, nil)
 	if err != nil {

signature/mechanism_gpgme.go

@@ -0,0 +1,175 @@
+// +build !containers_image_openpgp
+
+package signature
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/mtrmac/gpgme"
+)
+
+// A GPG/OpenPGP signing mechanism, implemented using gpgme.
+type gpgmeSigningMechanism struct {
+	ctx          *gpgme.Context
+	ephemeralDir string // If not "", a directory to be removed on Close()
+}
+
+// newGPGSigningMechanismInDirectory returns a new GPG/OpenPGP signing mechanism, using optionalDir if not empty.
+// The caller must call .Close() on the returned SigningMechanism.
+func newGPGSigningMechanismInDirectory(optionalDir string) (SigningMechanism, error) {
+	ctx, err := newGPGMEContext(optionalDir)
+	if err != nil {
+		return nil, err
+	}
+	return &gpgmeSigningMechanism{
+		ctx:          ctx,
+		ephemeralDir: "",
+	}, nil
+}
+
+// newEphemeralGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism which
+// recognizes _only_ public keys from the supplied blob, and returns the identities
+// of these keys.
+// The caller must call .Close() on the returned SigningMechanism.
+func newEphemeralGPGSigningMechanism(blob []byte) (SigningMechanism, []string, error) {
+	dir, err := ioutil.TempDir("", "containers-ephemeral-gpg-")
+	if err != nil {
+		return nil, nil, err
+	}
+	removeDir := true
+	defer func() {
+		if removeDir {
+			os.RemoveAll(dir)
+		}
+	}()
+	ctx, err := newGPGMEContext(dir)
+	if err != nil {
+		return nil, nil, err
+	}
+	mech := &gpgmeSigningMechanism{
+		ctx:          ctx,
+		ephemeralDir: dir,
+	}
+	keyIdentities, err := mech.importKeysFromBytes(blob)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	removeDir = false
+	return mech, keyIdentities, nil
+}
+
+// newGPGMEContext returns a new *gpgme.Context, using optionalDir if not empty.
+func newGPGMEContext(optionalDir string) (*gpgme.Context, error) {
+	ctx, err := gpgme.New()
+	if err != nil {
+		return nil, err
+	}
+	if err = ctx.SetProtocol(gpgme.ProtocolOpenPGP); err != nil {
+		return nil, err
+	}
+	if optionalDir != "" {
+		err := ctx.SetEngineInfo(gpgme.ProtocolOpenPGP, "", optionalDir)
+		if err != nil {
+			return nil, err
+		}
+	}
+	ctx.SetArmor(false)
+	ctx.SetTextMode(false)
+	return ctx, nil
+}
+
+func (m *gpgmeSigningMechanism) Close() error {
+	if m.ephemeralDir != "" {
+		os.RemoveAll(m.ephemeralDir) // Ignore an error, if any
+	}
+	return nil
+}
+
+// importKeysFromBytes imports public keys from the supplied blob and returns their identities.
+// The blob is assumed to have an appropriate format (the caller is expected to know which one).
+// NOTE: This may modify long-term state (e.g. key storage in a directory underlying the mechanism);
+// but we do not make this public, it can only be used through newEphemeralGPGSigningMechanism.
+func (m *gpgmeSigningMechanism) importKeysFromBytes(blob []byte) ([]string, error) {
+	inputData, err := gpgme.NewDataBytes(blob)
+	if err != nil {
+		return nil, err
+	}
+	res, err := m.ctx.Import(inputData)
+	if err != nil {
+		return nil, err
+	}
+	keyIdentities := []string{}
+	for _, i := range res.Imports {
+		if i.Result == nil {
+			keyIdentities = append(keyIdentities, i.Fingerprint)
+		}
+	}
+	return keyIdentities, nil
+}
+
+// SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError.
+func (m *gpgmeSigningMechanism) SupportsSigning() error {
+	return nil
+}
+
+// Sign creates a (non-detached) signature of input using keyIdentity.
+// Fails with a SigningNotSupportedError if the mechanism does not support signing.
+func (m *gpgmeSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte, error) {
+	key, err := m.ctx.GetKey(keyIdentity, true)
+	if err != nil {
+		return nil, err
+	}
+	inputData, err := gpgme.NewDataBytes(input)
+	if err != nil {
+		return nil, err
+	}
+	var sigBuffer bytes.Buffer
+	sigData, err := gpgme.NewDataWriter(&sigBuffer)
+	if err != nil {
+		return nil, err
+	}
+	if err = m.ctx.Sign([]*gpgme.Key{key}, inputData, sigData, gpgme.SigModeNormal); err != nil {
+		return nil, err
+	}
+	return sigBuffer.Bytes(), nil
+}
+
+// Verify parses unverifiedSignature and returns the content and the signer's identity
+func (m gpgmeSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
+	signedBuffer := bytes.Buffer{}
+	signedData, err := gpgme.NewDataWriter(&signedBuffer)
+	if err != nil {
+		return nil, "", err
+	}
+	unverifiedSignatureData, err := gpgme.NewDataBytes(unverifiedSignature)
+	if err != nil {
+		return nil, "", err
+	}
+	_, sigs, err := m.ctx.Verify(unverifiedSignatureData, nil, signedData)
+	if err != nil {
+		return nil, "", err
+	}
+	if len(sigs) != 1 {
+		return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Unexpected GPG signature count %d", len(sigs))}
+	}
+	sig := sigs[0]
+	// This is sig.Summary == gpgme.SigSumValid except for key trust, which we handle ourselves
+	if sig.Status != nil || sig.Validity == gpgme.ValidityNever || sig.ValidityReason != nil || sig.WrongKeyUsage {
+		// FIXME: Better error reporting eventually
+		return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Invalid GPG signature: %#v", sig)}
+	}
+	return signedBuffer.Bytes(), sig.Fingerprint, nil
+}
+
+// UntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION,
+// along with a short identifier of the key used for signing.
+// WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys)
+// is NOT the same as a "key identity" used in other calls ot this interface, and
+// the values may have no recognizable relationship if the public key is not available.
+func (m gpgmeSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
+	return gpgUntrustedSignatureContents(untrustedSignature)
+}