GPG2 signer

[g-k]

Changes:

• Adds a new signer with type gpg2 that shells out to a gpg2 binary to handle the RelEng use case and as a reference for a pure golang implementation if we decide to do that in the future. Per the signer readme it expects a passphrase, key ID, and public key in addition to the armored private key.

• Changes Travis CI to build a container and run tests inside it (we need gpg > 2.1 and Travis CI doesn't support the Ubuntu Bionic base image where it's the default tracked in https://travis-ci.community/t/ubuntu-18-04-1-lts-bionic-beaver/1270 I didn't see a 2.2 pkg in backports and continuing to mess around with aliasing or building from source seemed worse)

• Adds an autograph config with just the APK signers for the CircleCI testsignapk job to workaround CircleCI only having gpg 2.1 in (which resulted in a permissions error creating the subkey at test gpg2 signer init)

NB: this will require a monitor deploy since it adds a new signer type

Implementation-wise:

• at signer init / app start we
  • create a temp dir /tmp/autograph_gpg2_<signer_id>
  • write public and private keys to gpg2_publickey and gpg2_privatekey in that dir
  • import the keys into gpg2 key and secrings
  • this creates {autograph_gpg2_keyring.gpg,autograph_gpg2_secring.gpg} in that dir and the keys are not deleted at app exit (since we're assuming we're running in a container, but someone running locally with sensitive keys might want to clean those up)
• For each request input data is written to a tempfile in /tmp/autograph_gpg2_<signer_id>/ and removed at SignData fn exit
• when that app is terminated with SIGTERM, or the platform-generalized os.Interrupt, os.Kill signals (which should translate to SIGINT and SIGKILL on unix) the signer's temp dir is cleaned up (edit: SIGKILL isn't caught)

Functional Test:

• go through the steps in the readme to sign and verify a detached signature using the subkey

r? @jvehent

[coveralls]

Pull Request Test Coverage Report for Build 1322

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at ?%

---

Totals
Change from base Build 1312:	0.0%
Covered Lines:
Relevant Lines:	0

---

💛 - Coveralls

[hwine]

@g-k any reason not to go to ubuntu bionic? That has gpg 2.2

[g-k]

@hwine per https://travis-ci.community/t/ubuntu-18-04-1-lts-bionic-beaver/1270 Travis CI doesn't support it yet.

[g-k]

NB: The Travis CI jobs have a failing test, but the overall CI job is passing (maybe due to moving the test inside a container)

--- FAIL: TestStartMain (0.36s)
    main_test.go:296: Get http://localhost:8000/__heartbeat__: dial tcp 127.0.0.1:8000: connect: connection refused

[jvehent]

This looks good, modulo the concern on having the secring on disk.

[jvehent]

bold move

[g-k]

fixes a docker warning

[jvehent]

why is this new config file needed?

[g-k]

Because creating the keyring on app start depends on gpg2 > 2.1 and this was a workaround for trying to get that installed on the test image

[g-k]

We can remove it when either the testapksigner image circle uses a gpg2 > 2.1 or we switch to running the tests against containerized autograph

[jvehent]

I'm concern that we're putting the secring on disk with no way to clean it up should autograph crash and the instance get recycled. Other signers keep their configurations in memory so we have no artifact left on disk that could eventually leak secrets. This is harder to do here, because I don't think Go can register a function to run on shutdown/crash. Maybe the passphrase protects the key sufficiently that we don't have to worry about it? Or maybe we can put the secring on a tmpfs?

[g-k]

It is in the tmp dir for the signer.

With Python I'd register an atexit handler. With golang we can handle interrupts and clean up on sigterm, sigint, and sigkill though there might be ways to have it not run and I'd expect docker to duplicate the clean up when it's run in container.

Alternatively, the initial implementation 5a4c7ac#diff-5c7805a5493d8e612e5a2c5e5974d363L70 creates and cleans up the key and sec rings for each run, so we could revert to that with the caveats that 1) we'd need to namespace and manage rings per request (e.g. by include the request ID in the files) and 2) it would increase per request latency since we're doing more IO for each request. That might be cleanest though.

[hwine]

You can't catch sigkill, so that leaves a uncovered corner case.

[g-k]

OK added a cleanup handler and checked that the temp dir is cleaned up.

For multiple gpg2 signers or if other signers add a cleanup handler that calls os.Exit we create a race condition. Assuming cleanup is the way we want to go we'll want to:

1. move interrupt handling to main
2. add a cleanup/teardown interface for signers
3. have the main interrupt handler call each that fn for each signer

[g-k]

OK went ahead and made the above change so we can support multiple gpg2 signers and confirmed that kill -SIGKILL did leave the rings around.

I think our advice should be to run autograph in the container in general and especially if you're testing dep or prod gpg keys, since we've expanded the app boundary to include the filesystem and gpg.

[jvehent]

would this catch autograph itself panicking?

[g-k]

It should just catch the int, kill, and term signals (though Hal pointed out that kill isn't catchable).

If there's a way to panic and trigger those signals I assume they'd be caught, but other signals
like SIGBUS, SIGFPE, and SIGSEGV get converted into runtime panics as usual.

This does mean we'd leave the sec and key rings on disk, but I think they'd be helpful for debugging and don't want to mask actual panics.

https://golang.org/pkg/os/signal/#hdr-Types_of_signals

[jvehent]

please add: gpg2 supports hesoteric key formats that the pgp signer doesn't understand, but it comes at the cost of writing private keys to disk in order to shell out to the gnupg binary. The pgp signer will keep keys in memory at all times, which is more secure. Try using it first and only switch to gpg2 if needed.

[jvehent]

can the passphrase be omitted?

[g-k]

It can be the empty string, but we're assuming there's a passphrase and keyid for this signer and people will use the golang one otherwise.

[jvehent]

nit: missing leading spaces

[jvehent]

nit: do those need to be exported?

[jvehent]

should we care about command injection via malicious config files? I'm thinking not, but the paranoid in me still thinks enforcing alphanumerical here would be good.

[g-k]

Can't hurt. The paths are built from the signer Type (hardcoded) and KeyID (added alphanumeric validation in New), golang TempDir (can trust), and hardcoded file names. I suppose we could additionally validate them at each call site in case how they're constructed changes.

[jvehent]

removeall can return an error, so maybe just do return os.RemoveAll(s.tmpDir) ?

[jvehent]

nit: gofmt

[g-k]

gofmt -d signer/signer.go isn't giving me anything

[jvehent]

webui quirk? the string of Certificate is misaligned: https://screenshots.firefox.com/lz6CVo8LSu2Rb7GH/github.com

[g-k]

oh that's bizarre I'm seeing : https://screenshots.firefox.com/aPYW8lY8SKavqYSE/github.com

[jvehent]

r+ w/ nits

[g-k]

huh we aren't getting coverage data https://coveralls.io/jobs/43793714