

lib/sign: add support of file with valid keys for remote
Allow using a custom file with public keys for a remote.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
d4s committed Aug 27, 2019
1 parent 4d711c0 commit d3cae6e
Showing 2 changed files with 57 additions and 3 deletions.
42 changes: 40 additions & 2 deletions src/libostree/ostree-repo-pull.c
Expand Up @@ -1525,6 +1525,7 @@ ostree_verify_unwritten_commit (OtPullData *pull_data,
g_autofree gchar *signature_key = NULL;
g_autofree GVariantType *signature_format = NULL;
g_autofree gchar *pk_ascii = NULL;
g_autofree gchar *pk_file = NULL;

if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
{
Expand All @@ -1541,7 +1542,25 @@ ostree_verify_unwritten_commit (OtPullData *pull_data,
if (!signatures)
continue;

/* TODO: load keys for remote here */
/* Load keys for remote from file */
ostree_repo_get_remote_option (pull_data->repo,
pull_data->remote_name,
"verification-file", NULL,
&pk_file, NULL);
if (pk_file != NULL)
{
g_autoptr (GVariantBuilder) builder = NULL;
g_autoptr (GVariant) options = NULL;

builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (pk_file));
options = g_variant_builder_end (builder);

if (!ostree_sign_load_pk (sign, options, error))
g_clear_error (error);
}

/* Override key if it is set explicitly */
ostree_repo_get_remote_option (pull_data->repo,
pull_data->remote_name,
"verification-key", NULL,
Expand Down Expand Up @@ -1929,13 +1948,32 @@ scan_commit_object (OtPullData *pull_data,
{
g_autoptr (OstreeSign) sign = NULL;
g_autofree gchar *pk_ascii = NULL;
g_autofree gchar *pk_file = NULL;

if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
{
g_clear_error (error);
continue;
}
/* TODO: load keys for remote here */

/* Load keys for remote from file */
ostree_repo_get_remote_option (pull_data->repo,
pull_data->remote_name,
"verification-file", NULL,
&pk_file, NULL);
if (pk_file != NULL)
{
g_autoptr (GVariantBuilder) builder = NULL;
g_autoptr (GVariant) options = NULL;

builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (pk_file));
options = g_variant_builder_end (builder);

if (!ostree_sign_load_pk (sign, options, error))
g_clear_error (error);
}

ostree_repo_get_remote_option (pull_data->repo,
pull_data->remote_name,
"verification-key", NULL,
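Review bot: A failure of `ostree_sign_load_pk` is discarded with `g_clear_error (error)` right after the call, so an unreadable, missing or malformed `verification-file` leaves no trace and the code carries on to the `verification-key` lookup as if nothing was configured; the second hunk in scan_commit_object repeats the same pattern. Because both hunks are otherwise identical, the option lookup, builder and load are better factored into one static helper that reports the failure through g_debug() and uses a local GError, so the caller's `error` is never clobbered and an operator can see why a configured key file was not taken into account. Whether a pull with no usable key is later rejected happens after these hunks and is not visible here; both enclosing functions start and end outside their hunks.

```c
/* Load the public keys named by the remote's "verification-file" option
 * into SIGN.  An absent option is not an error; a load failure is logged
 * and otherwise ignored, preserving the existing best-effort behaviour. */
static void
load_remote_pk_file (OtPullData *pull_data, OstreeSign *sign)
{
  g_autofree gchar *pk_file = NULL;
  g_autoptr (GError) local_error = NULL;

  ostree_repo_get_remote_option (pull_data->repo, pull_data->remote_name,
                                 "verification-file", NULL, &pk_file, NULL);
  if (pk_file == NULL)
    return;

  g_autoptr (GVariantBuilder) builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
  g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (pk_file));
  g_autoptr (GVariant) options = g_variant_builder_end (builder);

  if (!ostree_sign_load_pk (sign, options, &local_error))
    g_debug ("Unable to load keys for remote '%s' from '%s': %s",
             pull_data->remote_name, pk_file, local_error->message);
}

/* … unchanged: ostree_verify_unwritten_commit up to the signatures check … */
      /* Load keys for remote from file */
      load_remote_pk_file (pull_data, sign);
/* … unchanged: "verification-key" override and the rest of the loop … */
```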
18 changes: 17 additions & 1 deletion tests/test-signed-pull.sh
Expand Up @@ -23,7 +23,7 @@ set -euo pipefail

. $(dirname $0)/libtest.sh

echo "1..4"
echo "1..7"

setup_fake_remote_repo1 "archive"

Expand Down Expand Up @@ -90,3 +90,19 @@ repo_init --set=sign-verify=true
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-key "${PUBLIC}"
test_signed_pull "ed25519"

# Prepare files with public ed25519 signatures
PUBKEYS="$(mktemp -p ${test_tmpdir} ed25519_XXXXXX.ed25519)"

# Test the file with multiple keys without a valid public key
for((i=0;i<100;i++)); do
# Generate a list with some public signatures
openssl genpkey -algorithm ED25519 | openssl pkey -outform DER | tail -c 32 | base64
done > ${PUBKEYS}
# Add correct key into the list
echo ${PUBLIC} >> ${PUBKEYS}

repo_init --set=sign-verify=true
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-file "${PUBKEYS}"
test_signed_pull "ed25519"

echo "ok verify ed25519 keys file"
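Review bot: The new case only shows that a key file containing the correct key (appended by `echo ${PUBLIC} >> ${PUBKEYS}`) lets the pull succeed; nothing checks that a file holding only the 100 generated keys makes the pull fail, so a backend that accepted any key file would presumably still pass this test. Running the pull once before the correct key is appended and asserting that it fails, using whatever failure-assertion helper libtest.sh provides, would close that gap. Generating 100 keys through three openssl processes each also makes this case noticeably slower than the others, while a handful of wrong keys exercises the same code path. Finally, `${PUBLIC}`, `${PUBKEYS}` and `${test_tmpdir}` are unquoted in `echo ${PUBLIC} >> ${PUBKEYS}` and `mktemp -p ${test_tmpdir}`; quoting them matches the `"${PUBKEYS}"` already used on the config line.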
