@crawford
Contributor

The ReadArmoredKeyRing() function from Golang's OpenPGP library only
supports reading from a single armored block. Instead of concatenating
the two armored keys together, the keys need to be dearmored,
concatenated, and then armored. This will allow the OpenPGP library to
read both keys into the keyring.

The resulting armored block looks as follows:

```
$ gpg --list-packets
:public key packet:
	version 4, algo 1, created 1256212795, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 199E2F91FD431D51
:user ID packet: "Red Hat, Inc. (release key 2) <security@redhat.com>"
:signature packet: algo 1, keyid 199E2F91FD431D51
	version 4, created 1256212795, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 6c e9
	hashed subpkt 2 len 4 (sig created 2009-10-22)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 199E2F91FD431D51)
	data: [4095 bits]
:public key packet:
	version 4, algo 1, created 1235485488, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 938A80CAF21541EB
:user ID packet: "Red Hat, Inc. (beta key 2) <security@redhat.com>"
:signature packet: algo 1, keyid 938A80CAF21541EB
	version 4, created 1246901223, md5len 0, sigclass 0x13
	digest algo 2, begin of digest ff 6d
	hashed subpkt 2 len 4 (sig created 2009-07-06)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 938A80CAF21541EB)
	data: [4096 bits]
```
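The dearmor, concatenate, re-armor step from the description above, as an added stand-alone example that is not the PR's or the cluster-update-keys project's code. It re-implements ASCII armor (base64 plus the RFC 4880 CRC-24 trailer) in plain Python rather than calling an OpenPGP library, and adds a walk over old-format packet headers that mirrors the `gpg --list-packets` check by counting public key packets; the two keys it merges are constructed stand-ins, not real key material, and all function names are this example's own.

```python
import base64

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1): poly 0x864CFB, init 0xB704CE."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):  # shift-and-xor one bit at a time, as in the RFC's reference code
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc

def dearmor(block: str) -> bytes:
    """Binary packet stream of ONE armored block, with its '=XXXX' CRC-24 trailer verified."""
    b64, crc_line = [], None
    for line in map(str.strip, block.splitlines()):
        if line.startswith("="):  # the checksum trailer
            crc_line = line[1:]
        elif line and not line.startswith("-----") and ":" not in line:
            b64.append(line)  # skips blank lines, BEGIN/END lines and "Version:"-style headers
    raw = base64.b64decode("".join(b64), validate=True)
    if crc_line is None or int.from_bytes(base64.b64decode(crc_line), "big") != crc24(raw):
        raise ValueError("armor CRC-24 mismatch: block corrupted or mis-concatenated")
    return raw

def armor(raw: bytes) -> str:
    """Wrap a packet stream in one PUBLIC KEY BLOCK: 64-column base64 lines plus the CRC line."""
    enc = base64.b64encode(raw).decode()
    lines = [enc[i:i + 64] for i in range(0, len(enc), 64)]
    lines.append("=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode())
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines) + "\n-----END PGP PUBLIC KEY BLOCK-----\n"

def merge_armored_keys(*blocks: str) -> str:
    """The fix the PR describes: dearmor each key, concatenate the packets, armor the result once."""
    return armor(b"".join(dearmor(b) for b in blocks))

def count_public_key_packets(raw: bytes) -> int:
    """Count tag-6 packets by walking old-format headers (RFC 4880, 4.2.1), as gpg --list-packets does."""
    n, i = 0, 0
    while i < len(raw):
        hdr, len_type = raw[i], raw[i] & 3
        if hdr & 0xC0 != 0x80 or len_type > 1:
            raise ValueError("new-format or indeterminate-length packet header at offset %d" % i)
        body_len = int.from_bytes(raw[i + 1:i + 2 + len_type], "big")
        n += (hdr >> 2) & 0x0F == 6  # tag 6 = public key packet (True adds 1)
        i += 2 + len_type + body_len
    return n

# Constructed stand-ins for two keys (not real key material): tag-6 public key packet with a dummy body, then a tag-13 user ID packet.
def fake_key(uid: bytes) -> bytes:
    return b"\x99\x00\x04\x04\x01\x02\x03" + bytes([0xB4, len(uid)]) + uid
```

Feeding `merge_armored_keys` two separately armored stand-ins yields a single block whose packet stream counts two public key packets, which is the property the `gpg --list-packets` output above confirms for the real keys.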

@openshift-ci-robot openshift-ci-robot added the size/XS label (PR changes 0-9 lines, ignoring generated files) May 31, 2019
crawford added 2 commits May 30, 2019 22:45
@openshift-ci-robot openshift-ci-robot added the size/M label (PR changes 30-99 lines, ignoring generated files) and removed the size/XS label May 31, 2019
@wking
Member

wking commented May 31, 2019

/lgtm

@openshift-ci-robot
Contributor

@wking: changing LGTM is restricted to assignees, and only openshift/cluster-update-keys repo collaborators may be assigned issues.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking wking mentioned this pull request May 31, 2019
@abhinavdahiya

/lgtm

/cherry-pick release-4.1

@openshift-ci-robot
Contributor

@abhinavdahiya: changing LGTM is restricted to assignees, and only openshift/cluster-update-keys repo collaborators may be assigned issues.

In response to this:

/lgtm

/cherry-pick release-4.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@crawford
Contributor Author

/assign @abhinavdahiya

@openshift-ci-robot
Contributor

@crawford: GitHub didn't allow me to assign the following users: abhinavdahiya.

Note that only openshift members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide.

In response to this:

/assign @abhinavdahiya

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@smarterclayton
Contributor

smarterclayton commented May 31, 2019

We should just change to the beta2 key only.

That’s lower risk than this (or at least, reduces the risk to a minimal amount and we can subsequently deliver this in a later z). But I’m not opposed to this change as is, as long as we add a unit test in cvo to catch this.

Contributor (inline review comment on a line of the armored key block in the diff)

Makes it much harder to review visually, unfortunately.

@smarterclayton

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm label (PR is ready to be merged) May 31, 2019
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, crawford, smarterclayton, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved label (PR approved by an approver from all required OWNERS files) May 31, 2019
@openshift-merge-robot openshift-merge-robot merged commit ff56a2d into openshift:master May 31, 2019