Merge pull request #168 from escapewindow/unsigned

allow for unsigned cot artifacts when verify_cot_signature is False
mozilla-releng · Oct 20, 2017 · 12cedaa · 12cedaa
2 parents 237df10 + e77dd2f
commit 12cedaa
Show file tree

Hide file tree

Showing 7 changed files with 85 additions and 34 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.2.3] - 2017-10-20
+### Fixed
+- Made the exit status more explicit on exit code -11.
+- Fixed `verify_sig` to return the message body if `gpg.decrypt` returns an empty body.
+
 ## [5.2.2] - 2017-10-16
 ### Added
 - Added integration tests that run `verify_chain_of_trust` against production tasks, to make sure `cot.verify` changes are backwards compatible.

diff --git a/requirements-prod.txt b/requirements-prod.txt
@@ -14,20 +14,29 @@ PyYAML==3.12 \
     --hash=sha512:13733054619053893f4a8d75c1da020a87e1f697b007ab182be06b5b941b49c4cb3dc6f9ff131be6bc10fc727ad7334fa5401346f3a77140aed0f86280532fce \
     --hash=sha512:5ff411ddbbf733ad52334015a04eb061998803ff94ad474ea2d534a713aa302cdfadde908ff2bb1dbd4f13e1a1fb99786f8dd1be1e061fcb6a7c0f471e41591f \
     --hash=sha512:4ae6c5843688f45751ddb14a8b6f16f58b1f8a4805be430afa4035857b1826be95a8422395d64ac88282f9edd57f35fee5d1b6a4dab9093d47491d300d2079f3
-aiohttp==2.2.5 \
-    --hash=sha512:2fe1fd78bbf5df89661c942509a5fba4adf0037b4bcc8cb5d9779c5e6a0d175512a3ec0c281f8d80fca9cc4dbc8cf7cce8a80b5a24b1a5191407f22040ad5ebf \
-    --hash=sha512:531704e86637d6af97af8eba7969b59d955339288f268c1796145039a86e3e8af2f9e7c3f6ea002f2d743f3bb2ab49699e9597b456b648c506bbf26b10b09d01 \
-    --hash=sha512:68e944ba0bebbf150622abe6cbbf6b9969c6d0b96c8aea39ccff15936621dcb344207dc58db2c194db5ce4179949cb6ce0770095a440b76e8f7155341cc90eb6 \
-    --hash=sha512:2c54bc344866c78e56bea7a3bfc3ac7206930b193bad185799c584ef6e5c67b8c6adefce257ff5c1ceec945fe8261273bc646a84316cdd8de51a8f6d5f350956 \
-    --hash=sha512:9969495095d71a3e0594d573126d9d5bafe3d8c776e82d4b74537ac9bde560a2fa6ea1511f13de74be26b2a3318c44afdc13d7cb4730be9b1f1426ad6eef24ea \
-    --hash=sha512:a646d48a843f5b47df25cb302b1f5ebc1807afe49555b0a23eeb2ec0c57aebb977411bbf9ff8ba68a8b4cb876ee47895e443bbcceb21b4bbaa3dfdc62c9b11a4 \
-    --hash=sha512:b161481c8b5efbe8b2a97e4ed3103e0f99088dae57d58f4f2c88fa5ee26f90da52c6294638f74b471ca43c3d288d470fe0c542e300aad96e82e0c0507cda5c43 \
-    --hash=sha512:42061b93fe2ecd2b46d2531935b29a13bab8b5fbaaefd3856f13b3f9a206c4b4a00edb5d311796b8a85d9193266cf59706e99d997e3984885e022b96e047dce9 \
-    --hash=sha512:e165ae0b08a8cebac8b01d9ae676bd1294fd2d9e27a3e890f358c40959366e1d49f2621ef9d09dc733f4aa8917680f78199f75d0ca379e90c3bedbb3c559f8be \
-    --hash=sha512:925e01e405daa3b3994a4e27ded86f0ec4d0fabef3931a341e0e38ad0414ed2e35ded4d77ad61c3b5fa4f04050aa29349ae637056b6904fe167abc59522a2631 \
-    --hash=sha512:da9a015e0d4b23f7e9bc6ce7efeaca2e723fe554736525a8ffea117747fcae907b012c7a0b5c2a14d1141a2af0234bbcda86271fff67ac0003079954a3224ee1 \
-    --hash=sha512:a2cc0b9fe93d54dd4bf578396df4364f8e95204ab0ec5a10644a091f420f392fde5611244a5aa3c453b9a73769792d51f1d3fc648f568ff3633f3a67052e7bd5 \
-    --hash=sha512:88a064de1f7f634b5ab9ac2accddcc227189be0357ed87891f8917e2660887504ff14543ba38edc565e007a52c56bb992e7363eac55f4b07369619358883cf66
+aiohttp==2.3.1 \
+    --hash=sha512:9f0a65b84b369064db9f5baa190d95072e4ca7a0881249fe107affceac5c4ebfb8f1f925f7567920ecdef748abda6fbbece56543f984a459d8302914d3151c92 \
+    --hash=sha512:599b7bf77c67af967c33df6099a054fb0159c6998b8c369d7d604f84e2a174859196e2c68f4f19f6101f9ef3df4d444688fd18379f7ae4dc6ef8581b4a51e115 \
+    --hash=sha512:8b9c40d337d2b99274ce7f5b0c89ddfba192575696f07700429d61cf9addf14a7e64d5ba31913922aa6b2f1560ad1dde01f2c77ca8f337fb1157792a2a0c1178 \
+    --hash=sha512:b1ca5a2450600ac8cc811351a7291f5f814a030692eff1ba38b55bb896e36d53554ed747d58169146f9cc957f5638e1fcb11022d66c043be4448b0959b209178 \
+    --hash=sha512:463078b75c01258c11a52f87a19a9ba732f25d47b60e49e5d7f1fac0b010db922267be023cc073034c61493e758596be7c67a345cd4bb508de44672939b0f03a \
+    --hash=sha512:30e971fe276e98e9a866b0a877010ceebed6b2f85ba03c5a73b2a3678ff20e01ab574cb56d004eca70dfcbf11a8348d61a72b646396b6ba417fb32a608378be6 \
+    --hash=sha512:91ba788af6523d0df60da45c47f8b96fbdd847e915a46253d83880325bfbca79f0bf74d0d4d3af084da27086c09339c2c0ece0fdc6d4c21239bca4be94b57552 \
+    --hash=sha512:bc8fa5a175ca130a2483b5f73c80d3e9588b437a09686be378bcd97d0e2e302cdadb2d5ab801b88d5c0422b31be0b0f141b8dfc4234560475a4496f7fefbc42b \
+    --hash=sha512:6b30a05cddc3d146cbf2eeb279ef929ff1b464478f85a6cff4cf04f3b5528cf3fe8cd32d50300efd3902df0dc4bc54df8646d975382c537d970382b710629814 \
+    --hash=sha512:c133f9a4808569eb8fa2e0494f7d6ddb8bd51077df8edaf81c3925a819454e0b347f0a2ff13753cc87b1cf567f4d11e0d53d44db06c683f50832274b56b4e6e5 \
+    --hash=sha512:a07a77af21bd875d1d0ef7f7615ba8db49d635317345bc520e71ea4917e528cef5fa3f9d245be7d148d3433e44d86364c6671240deb0b483710262a6173bbfd4 \
+    --hash=sha512:e7be6c33bf21b1394505c9db7b383b3ddfc3f2a214ea39b1d806b5aa011c31862c779dd3d4e75354e2b7a87fbbbef718b19d6caca6cd5606567d7ba8d6c5a4c3 \
+    --hash=sha512:2857ca52b4a4596e82ed5f2620b5a211e106643cea511723c64d2f8fa0d964f74e56dd94d87b892c4073afc111bf5b160966eb0eebd193b3d43d3d88423853ff \
+    --hash=sha512:a682b3bf0bb0ded225689ca0cf2cba564ba9676a8935f4d8fdf0fece6adc1cc3fce853d4a472ae90ab3b057160afd11cb3968f1bbda0b7d54225fe3374539ca5 \
+    --hash=sha512:15fd3235d0b800c05bc766b536f3b86cd6301b3367c4e5bcec2caf83e94aef79879843d5b60f6b68dbbb106f7e6b3c4bbe3ba071d502b0cd6271ca22fd537e3f \
+    --hash=sha512:4c000a958086f2d3125325dfb7ef5ec0e599133a2197cc248437546ff99a41e1560479409dd80281a6ccdfe9b330bba585bb1bb502e70ec6d89ebe0140c7e463 \
+    --hash=sha512:584605d487e21981062d381af13c6cf71de50539f3d96f1bcf30b5b6ea42d9c12c143670fc7f007fb4b139c784dc7d568dbb6c5ffafd0c2b25b586d5f8b4b4fe \
+    --hash=sha512:dfb1f609c1f3933fe6ef328cd9757544718a4ca0392c17434cbb3854eb17fa360ea5b00968bd3a95555b224268c8a9c572fd26b6a91e3541af1ed7b99967fcfd \
+    --hash=sha512:41455dcd692e1ab3d115e24fd1e791980664dd97f2f9d2f079ba5df1cdb9764fb28af87acd457ab5152d751322acafe898a242bbdb1e5101e9f6f842670a27c0 \
+    --hash=sha512:4a7310f5ac54c2d042c3dd8b994e27ca95fe7d9d6baa736c8323dfe83272ea106233a9aa2a7939d0bd77e105448014f5f21ceca1499e0e34739312c16a01e7c0 \
+    --hash=sha512:d975cd020a5ce07097c90446de552ecc40ecebb0900600c86f7a48b7e294e50deb08733c968a6d8eba052a631dd3e7ddae61c98890516c124be18f03405b4112 \
+    --hash=sha512:1be4e2e9e7ba7dc59427fce60b98a026321a750011517fc6c044c0c5b0d6297b840c42f099224944dd19b00cda360a5f688cd022de73e98a03e3266afe9c5cf4
 arrow==0.10.0 \
     --hash=sha512:a2baa23f1424b21506f3b664f0ef02d09f91b9cfaf6e0badfa544f42c750ed51136ae0e8910ac24207c0265a1b233f10a6f3cbafee3124b5f5c4fd965cfd01c0
 async_timeout==2.0.0 \

diff --git a/requirements-test-prod.txt b/requirements-test-prod.txt
@@ -14,20 +14,29 @@ PyYAML==3.12 \
     --hash=sha512:13733054619053893f4a8d75c1da020a87e1f697b007ab182be06b5b941b49c4cb3dc6f9ff131be6bc10fc727ad7334fa5401346f3a77140aed0f86280532fce \
     --hash=sha512:5ff411ddbbf733ad52334015a04eb061998803ff94ad474ea2d534a713aa302cdfadde908ff2bb1dbd4f13e1a1fb99786f8dd1be1e061fcb6a7c0f471e41591f \
     --hash=sha512:4ae6c5843688f45751ddb14a8b6f16f58b1f8a4805be430afa4035857b1826be95a8422395d64ac88282f9edd57f35fee5d1b6a4dab9093d47491d300d2079f3
-aiohttp==2.2.5 \
-    --hash=sha512:2fe1fd78bbf5df89661c942509a5fba4adf0037b4bcc8cb5d9779c5e6a0d175512a3ec0c281f8d80fca9cc4dbc8cf7cce8a80b5a24b1a5191407f22040ad5ebf \
-    --hash=sha512:531704e86637d6af97af8eba7969b59d955339288f268c1796145039a86e3e8af2f9e7c3f6ea002f2d743f3bb2ab49699e9597b456b648c506bbf26b10b09d01 \
-    --hash=sha512:68e944ba0bebbf150622abe6cbbf6b9969c6d0b96c8aea39ccff15936621dcb344207dc58db2c194db5ce4179949cb6ce0770095a440b76e8f7155341cc90eb6 \
-    --hash=sha512:2c54bc344866c78e56bea7a3bfc3ac7206930b193bad185799c584ef6e5c67b8c6adefce257ff5c1ceec945fe8261273bc646a84316cdd8de51a8f6d5f350956 \
-    --hash=sha512:9969495095d71a3e0594d573126d9d5bafe3d8c776e82d4b74537ac9bde560a2fa6ea1511f13de74be26b2a3318c44afdc13d7cb4730be9b1f1426ad6eef24ea \
-    --hash=sha512:a646d48a843f5b47df25cb302b1f5ebc1807afe49555b0a23eeb2ec0c57aebb977411bbf9ff8ba68a8b4cb876ee47895e443bbcceb21b4bbaa3dfdc62c9b11a4 \
-    --hash=sha512:b161481c8b5efbe8b2a97e4ed3103e0f99088dae57d58f4f2c88fa5ee26f90da52c6294638f74b471ca43c3d288d470fe0c542e300aad96e82e0c0507cda5c43 \
-    --hash=sha512:42061b93fe2ecd2b46d2531935b29a13bab8b5fbaaefd3856f13b3f9a206c4b4a00edb5d311796b8a85d9193266cf59706e99d997e3984885e022b96e047dce9 \
-    --hash=sha512:e165ae0b08a8cebac8b01d9ae676bd1294fd2d9e27a3e890f358c40959366e1d49f2621ef9d09dc733f4aa8917680f78199f75d0ca379e90c3bedbb3c559f8be \
-    --hash=sha512:925e01e405daa3b3994a4e27ded86f0ec4d0fabef3931a341e0e38ad0414ed2e35ded4d77ad61c3b5fa4f04050aa29349ae637056b6904fe167abc59522a2631 \
-    --hash=sha512:da9a015e0d4b23f7e9bc6ce7efeaca2e723fe554736525a8ffea117747fcae907b012c7a0b5c2a14d1141a2af0234bbcda86271fff67ac0003079954a3224ee1 \
-    --hash=sha512:a2cc0b9fe93d54dd4bf578396df4364f8e95204ab0ec5a10644a091f420f392fde5611244a5aa3c453b9a73769792d51f1d3fc648f568ff3633f3a67052e7bd5 \
-    --hash=sha512:88a064de1f7f634b5ab9ac2accddcc227189be0357ed87891f8917e2660887504ff14543ba38edc565e007a52c56bb992e7363eac55f4b07369619358883cf66
+aiohttp==2.3.1 \
+    --hash=sha512:9f0a65b84b369064db9f5baa190d95072e4ca7a0881249fe107affceac5c4ebfb8f1f925f7567920ecdef748abda6fbbece56543f984a459d8302914d3151c92 \
+    --hash=sha512:599b7bf77c67af967c33df6099a054fb0159c6998b8c369d7d604f84e2a174859196e2c68f4f19f6101f9ef3df4d444688fd18379f7ae4dc6ef8581b4a51e115 \
+    --hash=sha512:8b9c40d337d2b99274ce7f5b0c89ddfba192575696f07700429d61cf9addf14a7e64d5ba31913922aa6b2f1560ad1dde01f2c77ca8f337fb1157792a2a0c1178 \
+    --hash=sha512:b1ca5a2450600ac8cc811351a7291f5f814a030692eff1ba38b55bb896e36d53554ed747d58169146f9cc957f5638e1fcb11022d66c043be4448b0959b209178 \
+    --hash=sha512:463078b75c01258c11a52f87a19a9ba732f25d47b60e49e5d7f1fac0b010db922267be023cc073034c61493e758596be7c67a345cd4bb508de44672939b0f03a \
+    --hash=sha512:30e971fe276e98e9a866b0a877010ceebed6b2f85ba03c5a73b2a3678ff20e01ab574cb56d004eca70dfcbf11a8348d61a72b646396b6ba417fb32a608378be6 \
+    --hash=sha512:91ba788af6523d0df60da45c47f8b96fbdd847e915a46253d83880325bfbca79f0bf74d0d4d3af084da27086c09339c2c0ece0fdc6d4c21239bca4be94b57552 \
+    --hash=sha512:bc8fa5a175ca130a2483b5f73c80d3e9588b437a09686be378bcd97d0e2e302cdadb2d5ab801b88d5c0422b31be0b0f141b8dfc4234560475a4496f7fefbc42b \
+    --hash=sha512:6b30a05cddc3d146cbf2eeb279ef929ff1b464478f85a6cff4cf04f3b5528cf3fe8cd32d50300efd3902df0dc4bc54df8646d975382c537d970382b710629814 \
+    --hash=sha512:c133f9a4808569eb8fa2e0494f7d6ddb8bd51077df8edaf81c3925a819454e0b347f0a2ff13753cc87b1cf567f4d11e0d53d44db06c683f50832274b56b4e6e5 \
+    --hash=sha512:a07a77af21bd875d1d0ef7f7615ba8db49d635317345bc520e71ea4917e528cef5fa3f9d245be7d148d3433e44d86364c6671240deb0b483710262a6173bbfd4 \
+    --hash=sha512:e7be6c33bf21b1394505c9db7b383b3ddfc3f2a214ea39b1d806b5aa011c31862c779dd3d4e75354e2b7a87fbbbef718b19d6caca6cd5606567d7ba8d6c5a4c3 \
+    --hash=sha512:2857ca52b4a4596e82ed5f2620b5a211e106643cea511723c64d2f8fa0d964f74e56dd94d87b892c4073afc111bf5b160966eb0eebd193b3d43d3d88423853ff \
+    --hash=sha512:a682b3bf0bb0ded225689ca0cf2cba564ba9676a8935f4d8fdf0fece6adc1cc3fce853d4a472ae90ab3b057160afd11cb3968f1bbda0b7d54225fe3374539ca5 \
+    --hash=sha512:15fd3235d0b800c05bc766b536f3b86cd6301b3367c4e5bcec2caf83e94aef79879843d5b60f6b68dbbb106f7e6b3c4bbe3ba071d502b0cd6271ca22fd537e3f \
+    --hash=sha512:4c000a958086f2d3125325dfb7ef5ec0e599133a2197cc248437546ff99a41e1560479409dd80281a6ccdfe9b330bba585bb1bb502e70ec6d89ebe0140c7e463 \
+    --hash=sha512:584605d487e21981062d381af13c6cf71de50539f3d96f1bcf30b5b6ea42d9c12c143670fc7f007fb4b139c784dc7d568dbb6c5ffafd0c2b25b586d5f8b4b4fe \
+    --hash=sha512:dfb1f609c1f3933fe6ef328cd9757544718a4ca0392c17434cbb3854eb17fa360ea5b00968bd3a95555b224268c8a9c572fd26b6a91e3541af1ed7b99967fcfd \
+    --hash=sha512:41455dcd692e1ab3d115e24fd1e791980664dd97f2f9d2f079ba5df1cdb9764fb28af87acd457ab5152d751322acafe898a242bbdb1e5101e9f6f842670a27c0 \
+    --hash=sha512:4a7310f5ac54c2d042c3dd8b994e27ca95fe7d9d6baa736c8323dfe83272ea106233a9aa2a7939d0bd77e105448014f5f21ceca1499e0e34739312c16a01e7c0 \
+    --hash=sha512:d975cd020a5ce07097c90446de552ecc40ecebb0900600c86f7a48b7e294e50deb08733c968a6d8eba052a631dd3e7ddae61c98890516c124be18f03405b4112 \
+    --hash=sha512:1be4e2e9e7ba7dc59427fce60b98a026321a750011517fc6c044c0c5b0d6297b840c42f099224944dd19b00cda360a5f688cd022de73e98a03e3266afe9c5cf4
 arrow==0.10.0 \
     --hash=sha512:a2baa23f1424b21506f3b664f0ef02d09f91b9cfaf6e0badfa544f42c750ed51136ae0e8910ac24207c0265a1b233f10a6f3cbafee3124b5f5c4fd965cfd01c0
 async_generator==1.8 \

diff --git a/scriptworker/gpg.py b/scriptworker/gpg.py
@@ -542,11 +542,13 @@ def get_body(gpg, signed_data, gpg_home=None, verify_sig=True, **kwargs):
         ScriptWorkerGPGException: on signature verification failure.
 
     """
-    # XXX remove verify_sig kwarg when pubkeys are in git repo
     if verify_sig:
         verify_signature(gpg, signed_data)
-    body = gpg.decrypt(signed_data, **kwargs)
-    return str(body)
+    body = str(gpg.decrypt(signed_data, **kwargs))
+    # On dev/dep scriptworker pools, the cot artifact often isn't signed at all
+    if not verify_sig and not body:
+        return(signed_data)
+    return body
 
 
 # key signature verification {{{1

diff --git a/scriptworker/test/test_gpg.py b/scriptworker/test/test_gpg.py
@@ -240,6 +240,7 @@ def test_verify_bad_signatures(base_context, params):
         sgpg.verify_signature(gpg, data)
 
 
+# get_body {{{1
 @pytest.mark.parametrize("text", [v for _, v in sorted(TEXT.items())])
 @pytest.mark.parametrize("params", GOOD_GPG_KEYS.items())
 @pytest.mark.parametrize("verify_sig", (True, False))
@@ -251,6 +252,31 @@ def test_get_body(base_context, text, params, verify_sig):
     assert sgpg.get_body(gpg, data, verify_sig=verify_sig) == text
 
 
+def test_get_body_cleartext(mocker):
+    d = {"a": "b"}
+    dstr = json.dumps(d)
+
+    def signed_body(*args, **kwargs):
+        return dstr
+
+    def unsigned_body(*args, **kwargs):
+        return ''
+
+    def check_body(gpg):
+        body = sgpg.get_body(gpg, dstr, verify_sig=False)
+        assert json.loads(body) == d
+
+    mocker.patch.object(sgpg, 'verify_signature', new=noop_sync)
+    gpg = mock.MagicMock()
+    # With a signed body, gpg.decrypt() will return the decrypted contents.
+    gpg.decrypt = signed_body
+    check_body(gpg)
+    # With an unsigned body, gpg.decrypt() will return an empty string.
+    # get_body should return the original string.
+    gpg.decrypt = unsigned_body
+    check_body(gpg)
+
+
 # create_gpg_conf {{{1
 @pytest.mark.parametrize("keyserver,fingerprint,expected", GPG_CONF_PARAMS)
 def test_create_gpg_conf(keyserver, fingerprint, expected, tmpdir):

diff --git a/scriptworker/version.py b/scriptworker/version.py
@@ -52,7 +52,7 @@ def get_version_string(version):
 
 # 1}}}
 # Semantic versioning 2.0.0  http://semver.org/
-__version__ = (5, 2, 2)
+__version__ = (5, 2, 3)
 __version_string__ = get_version_string(__version__)
 
 

diff --git a/version.json b/version.json
@@ -2,7 +2,7 @@
     "version": [
         5,
         2,
-        2
+        3
     ],
-    "version_string": "5.2.2"
+    "version_string": "5.2.3"
 }