Enable signature support in 'kiss update'. #60

Closed
dylanaraps opened this issue Oct 2, 2019 · 6 comments

@dylanaraps dylanaraps commented Oct 2, 2019

From now on, all commits to the kisslinux repositories are signed. This is further enforced by GitHub using branch protections to deny any unsigned commits.

On kiss update a git fetch and git merge --verify-signatures will be done in place of git pull. This only allows a merge of remote changes if:

  1. commits are signed.
  2. commits can be verified.

Signing will also be an opt-in feature to begin. This allows a testing period for existing users with an easy method of reverting back to the current update process.

I'm leaning towards this being the default afterwards though I'm still thinking about it.


Hurdles to overcome before this will reach users:

  • Issue 1: This can't be implemented for at the very least two weeks. 'git merge --verify-signatures' aborts since there's a mix of signed/unsigned commits so it'll take some time until all present unsigned commits have been pulled by users.

    • Ugly solution: Go back and sign every commit in the repository.
      • Can this be done without destroying the current history?
    • SOLVED, users can opt-in now.

  • Issue 2: Detecting whether or not the repository should have signatures verified (i.e. a user repository not signing commits).

    • Possible solution: Check git log --show-signature for the presence of signed commits.
    • SOLVED through the user setting git config merge.verifySignatures true.

  • Issue 3: Handling the import and trust of the public key.

    • SOLVED through the user manually importing and trusting the key.

Notes:

  • gnupg1 can be installed by default in new KISS installs.

    • Requires no additional dependencies (KISS includes them all in the base).
    • Is still fine for use (source).
      • GnuPG 1.4 ("classic") will stay for embedded and server usage, as it brings less dependencies and smaller binaries. Earlier, it was often installed as gpg, today it is more often named gpg1 (depending on distribution).

@dylanaraps dylanaraps commented Oct 2, 2019

Was just informed of this tool: https://z3bra.org/sick

Leaving this here as a note.

@dylanaraps dylanaraps commented Oct 2, 2019

NOTE: this will also involve signing the kiss-chroot tarballs.

@dylanaraps dylanaraps commented Oct 4, 2019

Repository signing is fully functional as of kiss 0.41.1, however it is currently opt-in.

This is an example update (just a single new commit).

-> Updating repositories
-> /var/db/kiss/repo Updating repository
-> /var/db/kiss/repo Need root to update
Commit 41f27e0 has a good GPG signature by Dylan Araps <dylan.araps@gmail.com>
Updating e2c00a9..41f27e0
Fast-forward
 core/kiss/checksums | 2 +-
 core/kiss/sources   | 2 +-
 core/kiss/version   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
-> Checking for new package versions
-> Everything is up to date

The specific line to look at is:

Commit 41f27e0 has a good GPG signature by Dylan Araps <dylan.araps@gmail.com>

@dylanaraps dylanaraps commented Oct 4, 2019

Opting into package signing for the system-wide repository:

NOTE: sudo/root is required to use signing with /var/db/kiss/repo, as root is needed to pull system-wide updates. You can alternatively clone https://github.com/kisslinux/repo somewhere in your $HOME and modify $KISS_PATH to do this solely as a normal user.

NOTE: root is only used during updates to run git fetch, git merge (runs gpg) and to install packages.

  1. Run kiss u beforehand and ensure your repositories are up to date.
    • This ensures you pull the last of the unsigned commits.
  2. Update the package manager to kiss 0.41.2.
    • Step #1 should handle this too.
  3. Build and install gnupg1.
  4. Change user to root.
    • su
  5. Import my key into the keyring.
    • gpg --recv-key 46D62DD9F1DE636E
  6. Trust my public key.
    • echo "trusted-key 0x46d62dd9f1de636e" >> /root/.gnupg/gpg.conf
  7. Go to the system-wide repository.
    • cd /var/db/kiss/repo
  8. Enable signature verification.
    • git config merge.verifySignatures true

Use of kiss u will now verify signatures for the system repositories.
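
Added example, not part of the original comment and not kiss code: a pre-flight audit that lists the signature status of every incoming commit before the merge, using git's `%G?` log placeholder. Git documents `--verify-signatures` as checking the tip commit of the branch being merged, so a per-commit listing also shows unsigned commits further down the range, which is the mixed signed/unsigned case from Issue 1. The function names and the sample hashes are hypothetical; the repository path is the one from the steps above and an upstream branch is assumed to be configured.

```shell
#!/bin/sh
# Added example: audit signature status of incoming commits (not kiss code).

# Constructed sample of `git log --format='%h %G?'` output; hashes are made up.
sample_log() {
    printf '%s\n' '1111111 G' '2222222 N' '3333333 U'
}

# Read "<hash> <status>" lines on stdin, where <status> is git's %G? value.
# Print one line per commit that is not "G"; return 1 if any was found.
check_sig_status() {
    bad=0
    while read -r hash status; do
        [ -n "$hash" ] || continue
        case $status in
            G)     ;;  # good signature from a key gpg considers valid
            U)     echo "$hash: good signature, key not trusted"; bad=1 ;;
            N)     echo "$hash: unsigned"; bad=1 ;;
            B)     echo "$hash: bad signature"; bad=1 ;;
            E)     echo "$hash: cannot be checked (public key missing?)"; bad=1 ;;
            X|Y|R) echo "$hash: signature or key expired/revoked"; bad=1 ;;
            *)     echo "$hash: unrecognised status '$status'"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Fetch, then audit every commit between HEAD and the upstream branch.
# Run as the same user (root for /var/db/kiss/repo) whose keyring holds
# the imported and trusted key, otherwise every commit reports E or U.
audit_incoming() {
    repo=${1:-/var/db/kiss/repo}
    git -C "$repo" fetch || return 2
    git -C "$repo" log --format='%h %G?' 'HEAD..@{upstream}' | check_sig_status
}
```

A status of `U` here means the key is in the keyring but step 6 (the `trusted-key` line) has not taken effect for the user running git.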

@dylanaraps dylanaraps commented Oct 4, 2019

@dylanaraps dylanaraps commented Oct 14, 2019

This is done.

@dylanaraps dylanaraps closed this Oct 14, 2019