Skip to content
Permalink
Browse files

verifier: Add public key verification of release image digests

Use the existing Atomic image signing protocol to read detached signatures
for images by digest from a remote location so that release images can
be verified before they are executed.

Add a Verifier interface to the CVO that abstracts checking for verified
updates. On start, check the payload for a config map with the annotation
release.openshift.io/verification-config-map set (value is ignored) and
load the set of all public keys that must be verified along with the http
or file store locations for detached signatures. Every key must be
verified to accept the payload. A subsequent commit will leverage the
Verifier to block downloading a new release image.
  • Loading branch information
smarterclayton committed Apr 20, 2019
1 parent 57bc227 commit 55e3cb450ff5ee188dc8351fd2a045122c40ae37
@@ -5,4 +5,4 @@ set -euo pipefail
base=$( dirname "${BASH_SOURCE[0]}")

go run "${base}/test-prerequisites.go"
TEST_INTEGRATION=1 go test ./... -test.run=^TestIntegration -args -alsologtostderr -v=5
TEST_INTEGRATION=1 go test ./... -test.run=^TestIntegration
@@ -7,9 +7,12 @@ import (
"sync"
"time"

"github.com/openshift/cluster-version-operator/pkg/verify"

"github.com/blang/semver"
"github.com/golang/glog"
"github.com/google/uuid"

corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -109,6 +112,10 @@ type Operator struct {
statusLock sync.Mutex
availableUpdates *availableUpdates

// verifier, if provided, will be used to check an update before it is executed.
// Any error will prevent an update payload from being accessed.
verifier verify.Interface

configSync ConfigSyncWorker
// statusInterval is how often the configSync worker is allowed to retrigger
// the main sync status loop.
@@ -197,6 +204,20 @@ func (optr *Operator) InitializeFromPayload() error {

optr.releaseCreated = update.ImageRef.CreationTimestamp.Time
optr.releaseVersion = update.ImageRef.Name

// attempt to load a verifier as defined in the payload
verifier, err := verify.LoadFromPayload(update)
if err != nil {
return err
}
if verifier != nil {
glog.Infof("Verifying release authenticity: %v", verifier)
} else {
glog.Warningf("WARNING: No release authenticity verification is configured, all releases are considered unverified")
verifier = verify.Reject
}
optr.verifier = verifier

return nil
}

@@ -3,6 +3,7 @@ package start
import (
"context"
"encoding/json"
"flag"
"fmt"
"io/ioutil"
"net/http"
@@ -17,6 +18,7 @@ import (
"time"

"github.com/google/uuid"

v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,6 +27,7 @@ import (
randutil "k8s.io/apimachinery/pkg/util/rand"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/kubernetes"
"k8s.io/klog"

configv1 "github.com/openshift/api/config/v1"
clientset "github.com/openshift/client-go/config/clientset/versioned"
@@ -33,6 +36,12 @@ import (
"github.com/openshift/cluster-version-operator/pkg/cvo"
)

func init() {
klog.InitFlags(flag.CommandLine)
flag.CommandLine.Lookup("v").Value.Set("5")
flag.CommandLine.Lookup("alsologtostderr").Value.Set("true")
}

var (
version_0_0_1 = map[string]interface{}{
"release-manifests": map[string]interface{}{
@@ -0,0 +1,34 @@
pub 4096R/FD431D51 2009-10-22
Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
uid Red Hat, Inc. (release key 2) <security@redhat.com>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
=zbHE
-----END PGP PUBLIC KEY BLOCK-----

@@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFy9Q6sBCAD1MvcwX9f1Vu/M/dh+SJYbuAP4urtZZ7YoZOlzo6lw/xDF9z0E
ef8BXAtO7YMStfbxn5Rqb3kPnA20CRXraW4PqA5mB37ubDGThxb8catCTeWpd/5o
mrbjLMrKCpg0ODfTgNZYj9gRDyDTKPjlW2xjX9Cmj/lmmGPYDG4qdrNpeicmMjpY
XyYDVxFTRFMdifxTjHQRT5R9Pdq8WDFLrd3ZZWo4fN5Rb+ByWh8MusHj+FyHxA4J
fD/G6VHyn19T7xT/g53JfPobKLdaoXKdSaorCYKWuyGaGyLStAn1MXgchswcBZcU
92EegcoZY8K3cYhRbw7rQUUkx3p0yviS1DrPABEBAAG0DG9wZW5zaGlmdC1jaYkB
VAQTAQgAPhYhBNBHYbEWIDsMCFm2Fii3bgW5I4iOBQJcvUOrAhsDBQkDwmcABQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECi3bgW5I4iOqwUH+wTRXXZkB6PdksQ2
tF/x3vT3YAp1Fvm+aBt0L3+nUyI4W4wWmCvQ9mYqkXMDSx8rgSwMtwwJe7xJBkA1
fK8CoPeCqHc/omoLUS6/BjcbsXyS/ns6d5Zv0fKVHumZ23V2qVJwPpmNdpkdfBhw
HFKm0HLPaCyKM38fOPhrUwEW8OceVdHfBnkkAyYXA9+9qGF3gHC3MXMLkaH6pDYY
Nfx2P4+qYnMnTMSOOvKsJWY7t8Tnv1Qotag/uW8yWlIBSnvg1BQ7u1ZJs1EKSwhw
QbIrYj+eS+e8ddN7qSHJToMzHstTjSYQThA1iCVU6S+KHaLFeynf1d6PqkyeH/GD
bk+E+hu5AQ0EXL1DqwEIANhU5FczwquEAcjhA+kf+ni0Ul9Q2aq+rAL31dg+sGMZ
awcDu5aocwolXeBIkVl235GFfJSdYRzIbk5lSqVK+Wt5Yj4yOIO+QEAk5I51dzOC
5i3APTqOM0UPQ168ubcoT5LY/aWLJqnVAjgY/Sn2vXAwsYvkuJZMpeOPoNgocAWw
wGxXkPEy//OA3rwyy6PER2U7xLWL5SOH8oxjnsnHA98nF4iuOQqbwPTwfyWN7xr7
HAY6KiawHmD0T3ywswR1bEZ1CYn8KxpNMuHf7tbaMPONvawVEqM1xc9+4tB3ImdM
UB9eIiwIspq68mdE43eyUeM9f2foNR67Kj6F7hvBwDsAEQEAAYkBNgQYAQgAIBYh
BNBHYbEWIDsMCFm2Fii3bgW5I4iOBQJcvUOrAhsMAAoJECi3bgW5I4iOLCAIANNd
BwFFJpTaEZhOvDEsfOmHDFE+xG2fBq+SO53A4M/4xfJ6BVnpRvAgPvEu/ED8LMIB
buaMUpXjAwULIOnNEBsYem+m3IKcrZAIhfXAjI8EqzprjciUiVEx0+XR6eIbsFm2
gm61vHfbviKSyQg3hpKG8/g2sFgQ9CNi5DFghIYesp+7NwCC+UOVGBu90O4SIq+I
Ms2n3OTR2GIEz0LgEvC/3R7pkBNjLNTccExBNqOShJy3XnwntvYflxVwEBVsyEbK
LvLU2xtlIE/IdGssKQR8UFFsgFmGiX3t1TcahFnLlr6Et+vB4J02Xr+uvZ81v/Zq
1OHz7iIjrd28MslYu24=
=xMCa
-----END PGP PUBLIC KEY BLOCK-----
No changes.
Binary file not shown.
Binary file not shown.

0 comments on commit 55e3cb4

Please sign in to comment.
You can’t perform that action at this time.