Concatenated keyrings #10
Because concatenated armored keys are not supported by Go [1], whose
dearmor code only reads a single block and does not support reading
subsequent blocks [2].
Generated with:
$ for FILE in keys/*; do DATA="$(cat "${FILE}")"; echo "${DATA}" | gpg --dearmor >"${FILE}"; done
Verifying concatenation:
$ cat keys/verifier-public-key-redhat-release keys/verifier-public-key-redhat-beta-2 | gpg --list-packets
:public key packet:
	version 4, algo 1, created 1256212795, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 199E2F91FD431D51
:user ID packet: "Red Hat, Inc. (release key 2) <security@redhat.com>"
:signature packet: algo 1, keyid 199E2F91FD431D51
	version 4, created 1256212795, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 6c e9
	hashed subpkt 2 len 4 (sig created 2009-10-22)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (key server preferences: 80)
	subpkt 16 len 8 (issuer key ID 199E2F91FD431D51)
	data: [4095 bits]
:public key packet:
	version 4, algo 1, created 1235485488, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 938A80CAF21541EB
:user ID packet: "Red Hat, Inc. (beta key 2) <security@redhat.com>"
:signature packet: algo 1, keyid 938A80CAF21541EB
	version 4, created 1246901223, md5len 0, sigclass 0x13
	digest algo 2, begin of digest ff 6d
	hashed subpkt 2 len 4 (sig created 2009-07-06)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (key server preferences: 80)
	subpkt 16 len 8 (issuer key ID 938A80CAF21541EB)
	data: [4096 bits]
[1]: https://github.com/golang/crypto/blob/20be4c3c3ed52bfccdb2d59a412ee1a936d175a7/openpgp/keys.go#L237
[2]: https://github.com/golang/crypto/blob/20be4c3c3ed52bfccdb2d59a412ee1a936d175a7/openpgp/armor/armor.go#L155
Avoiding:

mktemp: too few X's in template ‘keys’

on my:

$ mktemp --version
mktemp (GNU coreutils) 8.22
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Jim Meyering and Eric Blake.

Also, $$ to get the expansion in the recipe shell, instead of having Make expand it for us while constructing the recipe.

Generated with:
$ make
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: wking
#11 shows that you only need
@wking: The following tests failed, say
Because concatenated armored keys are not supported by Go, whose dearmor code only reads a single block and does not support reading subsequent blocks.
As it stands, this will require a CVO change to unpack the no-longer-ASCII-armored keyrings. We could avoid that by ASCII-armoring the concatenated keyring, but I dunno if we have gpg available in our base image. We could use Go to armor the keys, or armor them ourselves in shell, but I don't have time to work those up tonight.
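Added example, not code from this PR, from x/crypto or from gpg: a stand-alone Go program (standard library only) that does in Go what the commit message above does with `gpg --dearmor`, and what the last comment considers doing in Go. It walks every `-----BEGIN`/`-----END` block in a concatenated armored file instead of stopping after the first, verifies each block's CRC-24 trailer (RFC 4880, section 6), concatenates the binary bodies into one keyring, and can re-armor that keyring as a single block. The function names, the `sampleKey` packets (placeholder key material behind old-format packet headers, not real keys) and the example user IDs are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// crc24 is the CRC-24 OpenPGP uses as its armor checksum (RFC 4880, section 6.1).
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			if crc <<= 1; crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// armorBlock wraps one binary OpenPGP message in ASCII armor: base64 at 64 columns, then the "=XXXX" CRC-24 trailer.
func armorBlock(blockType string, body []byte) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "-----BEGIN %s-----\n\n", blockType)
	enc := base64.StdEncoding.EncodeToString(body)
	for ; len(enc) > 64; enc = enc[64:] {
		sb.WriteString(enc[:64] + "\n")
	}
	c := crc24(body)
	sum := base64.StdEncoding.EncodeToString([]byte{byte(c >> 16), byte(c >> 8), byte(c)})
	fmt.Fprintf(&sb, "%s\n=%s\n-----END %s-----\n", enc, sum, blockType)
	return sb.String()
}

// decodeBlock base64-decodes one block's data and checks its CRC-24 trailer (passed without the "="); no trailer is accepted.
func decodeBlock(b64, sum string) ([]byte, error) {
	body, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || sum == "" {
		return body, err
	}
	raw, err := base64.StdEncoding.DecodeString(sum)
	if err != nil || len(raw) != 3 {
		return nil, fmt.Errorf("malformed CRC-24 trailer %q", sum)
	}
	want := uint32(raw[0])<<16 | uint32(raw[1])<<8 | uint32(raw[2])
	if got := crc24(body); got != want {
		return nil, fmt.Errorf("CRC-24 mismatch: armor says %06X, computed %06X", want, got)
	}
	return body, nil
}

// dearmorConcat does in Go what this PR does with gpg --dearmor: it decodes every armored block in the input
// (what `cat a.asc b.asc` produces) and concatenates the binary bodies into one keyring, returning the block count.
func dearmorConcat(armored string) (keyring []byte, blocks int, err error) {
	var b64, sum string
	inBlock, inHeaders := false, false
	for _, line := range strings.Split(armored, "\n") {
		line = strings.TrimRight(line, " \t\r")
		switch {
		case !inBlock: // text outside a block is ignored, as gpg does
			if strings.HasPrefix(line, "-----BEGIN ") {
				inBlock, inHeaders, b64, sum = true, true, "", ""
			}
		case inHeaders: // armor headers such as "Version: GnuPG v2" end at the first blank line
			inHeaders = line != ""
		case strings.HasPrefix(line, "-----END "):
			body, e := decodeBlock(b64, sum)
			if e != nil {
				return nil, blocks, fmt.Errorf("block %d: %w", blocks+1, e)
			}
			keyring, blocks, inBlock = append(keyring, body...), blocks+1, false
		case strings.HasPrefix(line, "="):
			sum = line[1:]
		case line != "":
			b64 += line
		}
	}
	if inBlock {
		return nil, blocks, fmt.Errorf("unterminated armor block %d", blocks+1)
	}
	return keyring, blocks, nil
}

// sampleKey builds a constructed public key packet (tag 6, header byte 0x99) plus a user ID packet (tag 13); placeholder bytes, not a usable key.
func sampleKey(uid string) []byte {
	packet := func(tag byte, body []byte) []byte {
		return append([]byte{0x80 | tag<<2 | 1, byte(len(body) >> 8), byte(len(body))}, body...)
	}
	return append(packet(6, []byte{4, 0, 0, 0, 0, 1, 0, 17, 1, 0, 1}), packet(13, []byte(uid))...)
}

func main() {
	armored := armorBlock("PGP PUBLIC KEY BLOCK", sampleKey("Example release key <release@example.com>")) +
		armorBlock("PGP PUBLIC KEY BLOCK", sampleKey("Example beta key <beta@example.com>"))
	keyring, blocks, err := dearmorConcat(armored)
	fmt.Printf("%d blocks -> %d binary bytes (err=%v): %x\n", blocks, len(keyring), err, keyring)
}
```

`go run` prints the block count, the byte count and the hex of the binary keyring; feeding that keyring to `gpg --list-packets` is the same check the commit message performs. Header handling follows RFC 4880: `Version:`-style headers run until the blank line the armor format requires, so a block missing that blank line is not accepted. A corrupted or truncated block fails with a CRC-24 or unterminated-block error instead of silently yielding a shorter keyring, which is the failure mode worth catching in front of any keyring that gates release verification.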