Support priv_key_uri as CLI argument #533

lukpueh · 2023-01-17T11:05:16Z

Description of issue or feature request:
The new securesystemslib v0.26.0 signer API allows loading arbitrary signing providers from private key URIs. Supporting a private key URI argument in relevant in-toto CLI allows adding and removing support for arbitrary signing providers in the future, without changing the CLI. Relevant CLI are: in-toto-run, in-toto-record.

IMPORTANT: Coordinate with #532!

Current behavior:
Relevant CLI don't support private key URI argument.

Expected behavior:
Relevant CLI support private key URI argument.

Optional expected behavior:
Deprecate existing signing arguments in relevant CLI (e.g. --key, --gpg,--gpg-home).

The text was updated successfully, but these errors were encountered:

IMPORTANT: Requires unlreleased securesystemslib code from secure-systems-lab/securesystemslib#590 Adds optional signer (Signer) arg to runlib's run/record functions, as alternative way of signing resulting link metadata, instead of using signing_key, gpg_keyid, or use_default_gpg. Closes in-toto#532 **Addtional notes:** In in_toto_record_stop, the public_key (Key) field of the signer is used to verify the preliminary link metadata file. The field is not yet part of the interface, although all signer implementations in secureystemslib have it: secure-systems-lab/securesystemslib#605 The patch aims to be minimally invasive, and thus barely refactors any of the existing signing argument handling in the relevant functions. Although, it was tempting to simplify the code, it turned out harder than thought, and therefor not worth the effort, given that these arguments are bound to deprecation. This is patch is part of a series of patches to prepare for the planned removal of securesystemslib legacy interfaces, see secure-systems-lab/securesystemslib#604 for details. **TODO (follow-up)** - add deprecation warning for legacy key args and legacy gpg formats (only show on API use, not on CLI use!) - add Metadata.verify(public_key: Key), if necessary (maybe we can just do this in runlib/verifylib), and use in in_toto_record_stop instead of passing `signer.public_key.to_dict()` to `Metadata.verify_signature(...)` - prepare for ssslib legacy interface removal in other parts of in_toto: - in-toto-run, in-toto-record (in-toto#533) - verifylib / in-toto-verify - in-toto-sign - Metadata API / docs - ... Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

lukpueh · 2023-10-24T12:13:50Z

Turns out, "priv_key_uri" does not do what I had in mind when writing this issue. That is, it does not encode all necessary information to load a signer.

Instead, the API, which takes the URI, also requires a secrets handler and a related public key

We could work around this by taking addtional options, which, together with the URI, would allow us to construct the required public key and secrets handler first. For all currently available signers, these options should work:

--uri <uri>  # private key uri, can also be (ab)used to infer pubkey
[--secret [<secret>]  # takes None, password, or toggles prompt
[--keyid <keyid>]  # optional non-default keyid
[--scheme <scheme>]  # optional non-default signing scheme

But it does not seem so desirable anymore, for various reasons:

We can't use the 'Signer.from_priv_key_uri' interface as is, and it probably does not make sense to change this upstream, because its usage pattern just does not fit (see securesystemslib#664).
We don't know for sure if new signers, won't need yet additional options. So the original flexibility argument becomes less strong.
The UX of manually creating and passing signer URIs is questionable to start with. If the user has to pass addtional options, it becomes even more complex for no reason.

Taking all this into account I suggest we just add new per-signer options and ask upstream to provide the corresponding API to load signer + pubkey (also see securesystemslib#664)

Adds optional signer (Signer) arg to runlib's run/record functions, as alternative way of signing resulting link metadata, instead of using signing_key, gpg_keyid, or use_default_gpg. Closes in-toto#532 **Addtional notes:** In in_toto_record_stop, the public_key (Key) field of the signer is used to verify the preliminary link metadata file. The field is not yet part of the interface, although all signer implementations in secureystemslib have it: secure-systems-lab/securesystemslib#605 The patch aims to be minimally invasive, and thus barely refactors any of the existing signing argument handling in the relevant functions. Although, it was tempting to simplify the code, it turned out harder than thought, and therefor not worth the effort, given that these arguments are bound to deprecation. This patch is part of a series of patches to prepare for the planned removal of securesystemslib legacy interfaces, see secure-systems-lab/securesystemslib#604 for details. **TODO (follow-up)** - add deprecation warning for legacy key args and legacy gpg formats (only show on API use, not on CLI use!) - add Metadata.verify(public_key: Key), if necessary (maybe we can just do this in runlib/verifylib), and use in in_toto_record_stop instead of passing `signer.public_key.to_dict()` to `Metadata.verify_signature(...)` - prepare for ssslib legacy interface removal in other parts of in_toto: - in-toto-run, in-toto-record (in-toto#533) - verifylib / in-toto-verify - in-toto-sign - Metadata API / docs - ... Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

See in-toto#649, which does the same thing for in-toto. Blocks on in-toto#649 Fixes in-toto#533 together with in-toto#649. Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

…-run. Blocks on in-toto#649 Fixes in-toto#533 together with in-toto#649. Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

This was referenced Jan 17, 2023

Add custom Key, Signer and Signature implementations for in-toto flavored GPG #534

Closed

Fix inconsistencies in spec in-toto/specification#69

Merged

This was referenced Mar 22, 2023

key size argument silently ignored in in-toto-keygen #568

Closed

inconsistent use of GnuPG #569

Open

lukpueh mentioned this issue Jul 4, 2023

runlib: add signer kwarg to run and record methods #612

Merged

lukpueh mentioned this issue Nov 20, 2023

Add --signing-key (pkcs8) arg to in-toto-run #649

Merged

lukpueh mentioned this issue Nov 21, 2023

Add --signing-key (pkcs8) arg to in-toto-record #651

Merged

lukpueh closed this as completed in #651 Dec 5, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support priv_key_uri as CLI argument #533

Support priv_key_uri as CLI argument #533

lukpueh commented Jan 17, 2023

lukpueh commented Oct 24, 2023

Support priv_key_uri as CLI argument #533

Support priv_key_uri as CLI argument #533

Comments

lukpueh commented Jan 17, 2023

lukpueh commented Oct 24, 2023