-
Notifications
You must be signed in to change notification settings - Fork 7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add GPG signature verification to install script #7944
Conversation
The script fetches the KEYS file from GitHub, as well as the .asc files on the release and verifies the release artifacts are signed by a valid key. Added new boolean config options in the install script which allow for fine-grained control over verification and output: - DEBUG: sets -x in the bash script (default: false) - VERIFY_CHECKSUM: verifies checksum (default: true) - VERIFY_SIGNATURE: verifies signature (default: true) Also reduced check for curl/wget to only one time. Resolves helm#7943. Resolves helm#7838. Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
I'm wondering if I should push the GPG output into /dev/null? Turns the output of the script from just 3 lines to ~30 and displays all the maintainers emails ... maybe only if DEBUG is enabled, show GPG output? |
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
f146f9c
to
5f721c9
Compare
I've silenced the GPG output unless DEBUG=true, now the output looks like this:
|
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
Modified the script. No longer auto-imports KEYS file, just expects you've done this prior to running the script. |
scripts/get-helm-3
Outdated
if [ "${DEBUG}" == "true" ]; then | ||
gpg_stderr_device="/dev/stderr" | ||
fi | ||
gpg --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is going to add the keys to the users active GPG keyring. The gpg verification below will use these keys plus all the other keys in the keyring to look for a good signature.
The gpg keys from the Helm project should not be imported into the users keyring. Instead, a keyring only containing the Helm maintainers should be created, used for verification, and deleted afterwards as part of cleanup. This script should not try to use keys in the users existing keyring and should not alter their environment.
The linux kernel script does this. You can look at it for ideas... https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This script should not try to use keys in the users existing keyring and should not alter their environment.
Alright. Thanks for the example script.
So then, should we modify this to take a filepath to a .asc file? Or auto-fetch KEYS file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what you're saying is at odds with @bacongobbler 's suggestion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes and no. I wasn't aware that the process was to create a separate keyring as opposed to using your existing keyring, but I fully agree that these keys shouldn't be added to the user's keyring using either approach.
If that's the recommendation at the linux kernel, then that should work for us.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's possible to have a separate keyring used for gpg verification calls. It's a couple steps to set it up. We should make it so the only keys in the keyring are those from the maintainers. This way the good verification can only come from that set of keys and not any key in the users personal keyring.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more nitpick, then this looks good!
><> export VERIFY_SIGNATURES=true
><> ./get-helm-3
Helm v3.2.0 is available. Changing from version v3.1.2.
Downloading https://get.helm.sh/helm-v3.2.0-darwin-amd64.tar.gz
Verifying checksum... Done.
Verifying signatures... Done.
Preparing to install helm into /usr/local/bin
Password: ^C
Failed to install helm
For support, go to https://github.com/helm/helm.
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
@bacongobbler @mattfarina this should be good to go now. Running into an issue on Mac, which I will file once this is closed:
Appears to be fixed if the temp gpg home is somewhere under the users home? The ownership on the temp dir seem find.. Found some conversation about it here: https://sourceforge.net/p/macgpg/mailman/message/18850673/ So for now, I've put a check in place which requires Linux if using VERIFY_SIGNATURES=true (false by default) For proof this isnt messing with the user's active keyring:
|
local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') | ||
if [[ ${num_goodlines_sha} -lt 2 ]]; then | ||
echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!" | ||
echo -e "${error_text}" | ||
exit 1 | ||
fi | ||
local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') | ||
if [[ ${num_goodlines_tar} -lt 2 ]]; then | ||
echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!" | ||
echo -e "${error_text}" | ||
exit 1 | ||
fi | ||
echo "Done." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this strange grep + line count check was taken directly from the linux kernel script https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball#n164
@mattfarina @bacongobbler want to try to get this into the install script for 3.3? |
exit 1 | ||
fi | ||
if [ "${OS}" != "linux" ]; then | ||
echo "Signature verification is currently only supported on Linux." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why only linux support when there's native gpg support for MacOS? Can you please elaborate what needs to change to add MacOS support?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does not work. Please test your changes before asking for a review.
><> docker run -it ubuntu bash
root@c5a6147940e8:/# apt update && apt install wget git openssl gpg
root@c5a6147940e8:/# wget https://raw.githubusercontent.com/jdolitsky/helm/validate-signature/scripts/get-helm-3
root@c5a6147940e8:/# chmod 755 get-helm-3
root@c5a6147940e8:/# VERIFY_SIGNATURES=true ./get-helm-3
Downloading https://get.helm.sh/helm-v3.2.4-linux-amd64.tar.gz
Verifying checksum... Done.
Verifying signatures... https://raw.githubusercontent.com/helm/helm/master/KEYS: No such file or directory
Failed to install helm
For support, go to https://github.com/helm/helm.
Signed-off-by: jdolitsky <393494+jdolitsky@users.noreply.github.com>
@bacongobbler - apologies. Was testing on a Linux system with curl for the 2nd revision and didn't catch the bad syntax with wget commands. I just updated and tested it on system with just curl, and system with just wget Regarding Mac support - it's not clear to me what the issue is. Here is the output when using
It appears to hang on If I modify
So it's something related to using
I could definitely use some help figuring this out. But I do think this PR still provides value for Linux users, especially in the context of CI etc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
re-tested using the same instructions. Works now. I think this is in a workable state to move forward. We can address the MacOS issue in a follow-up.
* Add GPG signature verification to install script The script fetches the KEYS file from GitHub, as well as the .asc files on the release and verifies the release artifacts are signed by a valid key. Added new boolean config options in the install script which allow for fine-grained control over verification and output: - DEBUG: sets -x in the bash script (default: false) - VERIFY_CHECKSUM: verifies checksum (default: true) - VERIFY_SIGNATURE: verifies signature (default: true) Also reduced check for curl/wget to only one time. Resolves helm#7943. Resolves helm#7838. Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * disable signature verification by default Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * remove repeated line Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * fix typo Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * do not auto-import GPG keys Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * silence errors about missing commands Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * use a temporary gpg keyring Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * Fix wget commands for VERIFY_SIGNATURES=true Signed-off-by: jdolitsky <393494+jdolitsky@users.noreply.github.com>
* Add GPG signature verification to install script The script fetches the KEYS file from GitHub, as well as the .asc files on the release and verifies the release artifacts are signed by a valid key. Added new boolean config options in the install script which allow for fine-grained control over verification and output: - DEBUG: sets -x in the bash script (default: false) - VERIFY_CHECKSUM: verifies checksum (default: true) - VERIFY_SIGNATURE: verifies signature (default: true) Also reduced check for curl/wget to only one time. Resolves helm#7943. Resolves helm#7838. Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * disable signature verification by default Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * remove repeated line Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * fix typo Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * do not auto-import GPG keys Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * silence errors about missing commands Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * use a temporary gpg keyring Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com> * Fix wget commands for VERIFY_SIGNATURES=true Signed-off-by: jdolitsky <393494+jdolitsky@users.noreply.github.com>
The script fetches the KEYS file from GitHub, as well as the .asc files on the release and verifies the
release artifacts are signed by a valid key.
Added new boolean config options in the install script which allow for fine-grained control over verification and output:
Also reduced check for curl/wget to only one time.
Resolves #7943.
Resolves #7838.