Place public OpenPGP key in the file system directory openpgp #85

Closed
bernhardreiter opened this issue Mar 31, 2022 · 2 comments · Fixed by #161

@bernhardreiter (Collaborator)
As clarified from @tschmidtb51 and others in January, the public OpenPGP key used for signing the CSAF files shall be placed in a directory openpgp/ next to the provider-metadata.json by the provider.

Accordingly, this is where the pgp_keys URL should point.

@bernhardreiter (Collaborator, Author)

Rationale

Not using WKD or public pubkey servers makes the implementation more reliable and simpler for provider and client implementors.

WKD would require an email address, and public pubkey servers often do not provide additional data to verify the pubkey.

@bernhardreiter (Collaborator, Author)

changes towards csd02

The standard document has since changed to be more explicit about this:

https://docs.oasis-open.org/csaf/csaf/v2.0/csd02/csaf-v2.0-csd02.html#7120-requirement-20-public-openpgp-key:

The public part of the OpenPGP key used to sign the CSAF documents MUST be available. It SHOULD also be available at a public key server.

For example, the public part of the OpenPGP key could be placed in a directory openpgp adjacent to the provider-metadata.json.

https://docs.oasis-open.org/csaf/csaf/v2.0/csd02/csaf-v2.0-csd02.html#717-requirement-7-provider-metadatajson:

    "public_openpgp_keys": [
      {
        "fingerprint": "8F5F267907B2C4559DB360DB2294BA7D2B2298B1",
        "url": "https://keys.example.net/vks/v1/by-fingerprint/8F5F267907B2C4559DB360DB2294BA7D2B2298B1"
      }
    ],

technical approach

  • We can use the long fingerprint as the filename in the openpgp directory.
  • The csaf_provider can use the create step to copy the current public key into the directory if it is not already there. Previous pubkeys stay in there.
  • The aggregator will copy all pubkeys in mirror mode and add its own pubkey if it makes additional signatures.
  • The provider-metadata.json shall list all pubkeys in that directory.
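The create step and the metadata listing from the approach above, as an added Python example (not code from the csaf_provider or csaf_aggregator). Assumptions: keys are stored as openpgp/<FINGERPRINT>.asc, the base URL is the directory holding provider-metadata.json, and the sample fingerprints and key bodies are constructed placeholders (only the first fingerprint is the csd02 example value).

```python
"""Sync the provider's openpgp/ directory and derive the public_openpgp_keys
list for provider-metadata.json (CSAF 2.0 csd02 requirements 7 and 20)."""
import re
import tempfile
from pathlib import Path

# A full OpenPGP v4 fingerprint is 40 hex digits (the 20-byte SHA-1 hash).
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(fpr: str) -> str:
    """Accept spaced or lowercase input; reject anything shorter than a full fingerprint."""
    fpr = fpr.replace(" ", "").upper()
    if not FINGERPRINT_RE.match(fpr):
        raise ValueError(f"not a 40-hex-digit OpenPGP fingerprint: {fpr!r}")
    return fpr


def publish_key(openpgp_dir: Path, fingerprint: str, armored_key: str) -> Path:
    """Create step: write the current public key to openpgp/<FINGERPRINT>.asc unless it
    is already there. Earlier keys stay so documents signed with them remain verifiable."""
    target = openpgp_dir / f"{normalize_fingerprint(fingerprint)}.asc"
    openpgp_dir.mkdir(parents=True, exist_ok=True)
    if not target.exists():
        target.write_text(armored_key)
    return target


def list_public_keys(openpgp_dir: Path, base_url: str) -> list:
    """One public_openpgp_keys entry per fingerprint-named key file in the directory;
    files whose name is not a fingerprint are not advertised."""
    base = base_url.rstrip("/")
    return [{"fingerprint": p.stem, "url": f"{base}/openpgp/{p.stem}.asc"}
            for p in sorted(openpgp_dir.glob("*.asc")) if FINGERPRINT_RE.match(p.stem)]


def run_demo() -> dict:
    """Run both steps in a scratch directory and return what the metadata would list."""
    openpgp_dir = Path(tempfile.mkdtemp()) / "openpgp"
    # Constructed inputs: the fingerprint from the csd02 example plus a made-up earlier
    # one; the key bodies are placeholders, not real OpenPGP data.
    old_fpr = "0123456789ABCDEF0123456789ABCDEF01234567"
    new_fpr = "8f5f2679 07b2c455 9db360db 2294ba7d 2b2298b1"
    publish_key(openpgp_dir, old_fpr, "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(old key)\n")
    publish_key(openpgp_dir, new_fpr, "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(current key)\n")
    publish_key(openpgp_dir, new_fpr, "must not overwrite")   # repeated create step is a no-op
    (openpgp_dir / "notes.asc").write_text("not a key")         # ignored: name is no fingerprint
    entries = list_public_keys(openpgp_dir, "https://example.com/.well-known/csaf/")
    current = (openpgp_dir / (normalize_fingerprint(new_fpr) + ".asc")).read_text()
    return {"entries": entries, "current_key": current}
```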

@bernhardreiter bernhardreiter linked a pull request Jun 9, 2022 that will close this issue
bernhardreiter pushed a commit that referenced this issue Jun 9, 2022
* Adjust provider and aggregator to copy the used openpgp pubkey into a locally
  provided directory `openpgp` beside the `provider-metadata.json`.
  This is more robust and self-reliant than using a public pubkey server,
  which is the reason why the CSAF 2.0 csd02 mentions it as an example in
  "7.1.20 Requirement 20: Public OpenPGP Key".
* Improve aggregator by removing a typo `aggreator` from one of the written paths.
  (Done with this change as it also affects the openpgp/ paths writing.)

solve #85