lib/repo: Search a list of paths in gpgkeypath for gpg keys #1773
is that a semi-colon
@dustymabe Initially I was thinking the keyfile where
Thanks @cgwalters for the review and helpful comments! I pushed a couple of fixup commits. The first e75ac9d addresses the changes doing things the first way I had - not using the The second, I used
Pushed another fixup which cleans up the loop in This changes behaviour when coming across a path that does not exist. Previously, the path to a file that did not exist would give a message Now, if the path does not exist, the path does not get added to the verifier. No error message indicates this, so this is silent. A benefit of having The downside is there is no specific error message given letting the user know a path was imported that doesn't exist. Either having
^ Latest commits address the decl-and-inits, and I changed the nonexistent path handling to give Sorry for all the flip-flopping in the recent changes, will keep the changes settled now.
Updated the manpage. There are 2 last questions I have:
Hmm, it would be nice to support both I think, since traditionally keyfiles use semicolons for lists. So that's an easy gotcha to fall into. What do you think of something like:
?
I think the original reason for this ask was to support just passing
Thanks @jlebon !
I like that idea, so
+1
Sure, making it an error SGTM!
⬆️ fixup to add the check for both The function
src/libostree/ostree-gpg-verifier.c (outdated)

```c
if (dent->d_type != DT_REG)
  continue;

g_autofree char *iter_path = g_strjoin (sep, path, dent->d_name, NULL);
```
You can use `g_build_filename` for this and drop the need for `sep`.
Yeah, though strictly speaking...since we're doing fd-relative here, a cleaner approach would be to open the file here, stashing it in another array, and then later using `gpgme_data_new_from_fd()` just like we do for paths.
Or even more strongly, open every file here and then change the verifier to just iterate over the fds.
(This is an optional followup)
Ahh, the utility functions are handy. Added this in.
Storing the fds while reading the paths and later iterating over those once added to the verifier sounds clean, saves doing the intermediate work of storing the path. I added a TODO for this.
This looks good to me. Nice work! 👍
Very nice, thanks!
📋 Looks like this PR is still in progress, ignoring approval
⚡ Test exempted: merge already tested.
Thanks for the review @cgwalters and @jlebon !
woot! Nice work @rfairley
This allows specifying gpgpath as a list of
paths that can point to a file or a directory. If a directory path
is given, paths to all regular files in the directory are added
to the remote as gpg ascii keys. If the path is not a directory,
the file is directly added (whether regular file, empty - errors
will be reported later when verifying gpg keys e.g. when pulling).
Adding the gpgkeypath property looks like:
```shell
ostree --repo=repo remote add --set=gpgpath="/path/key1.asc,/path/keys.d" R1 https://example.com/some/remote/ostree/repo
```
Closes #773
Still left to do
Other considerations
`_ostree_gpg_verifier_add_key_ascii_file` and if/how checks will be reported. Right now, entries in the list that are not directories are added automatically (whether regular, or don't exist, ...) (same as before). If the entry is a directory, all regular files in that directory are added, without traversing directories.
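The expansion rule spelled out in the PR description and in the review thread above (directory entries contribute their regular files without recursion, other entries are added as given, a nonexistent entry is an error rather than a silent skip, as the thread settled on), as an added example written for this page. It is not ostree's own code: it uses plain POSIX calls instead of GLib, keeps the `d_type` check with an fd-relative `fstatat()` fallback for filesystems that report `DT_UNKNOWN`, and collects paths rather than the open fds cgwalters suggested as a follow-up. The `key_list` type, the function names, the comma-only separator and the temp-directory fixture are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_KEYS 64

/* Expanded list of key file paths; entries are heap copies owned by the list. */
typedef struct { char *paths[MAX_KEYS]; size_t n; } key_list;

static int add_path(key_list *kl, const char *p)
{
  if (kl->n >= MAX_KEYS || !(kl->paths[kl->n] = strdup(p))) return -1;
  kl->n++;
  return 0;
}

void key_list_free(key_list *kl)
{
  for (size_t i = 0; i < kl->n; i++) free(kl->paths[i]);
  kl->n = 0;
}

/* Regular files only.  d_type is trusted when the filesystem fills it in; on
 * DT_UNKNOWN fall back to fstatat() relative to the directory fd, without
 * following symlinks, so a link dropped into keys.d is not imported. */
static int entry_is_regular(int dfd, const struct dirent *dent)
{
  if (dent->d_type == DT_REG) return 1;
  if (dent->d_type != DT_UNKNOWN) return 0;
  struct stat st;
  if (fstatat(dfd, dent->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) return 0;
  return S_ISREG(st.st_mode);
}

/* One gpgkeypath entry: a directory contributes its regular files (no
 * recursion); any other existing path is added as-is and only checked when
 * the key is actually loaded; a missing path is reported and rejected. */
static int expand_entry(const char *entry, key_list *kl)
{
  struct stat st;
  if (stat(entry, &st) != 0) {
    fprintf(stderr, "gpgkeypath entry '%s' does not exist\n", entry);
    return -1;
  }
  if (!S_ISDIR(st.st_mode)) return add_path(kl, entry);

  DIR *d = opendir(entry);
  if (!d) return -1;
  int rc = 0;
  struct dirent *dent;
  while (rc == 0 && (dent = readdir(d)) != NULL) {
    if (!entry_is_regular(dirfd(d), dent)) continue;   /* skips ".", "..", subdirs */
    char full[PATH_MAX];
    if (snprintf(full, sizeof full, "%s/%s", entry, dent->d_name) >= (int)sizeof full) { rc = -1; break; }
    rc = add_path(kl, full);
  }
  closedir(d);
  return rc;
}

/* Split the comma-separated "--set=gpgkeypath=..." value and expand each entry.
 * Returns 0 on success, -1 on the first error (the list is then emptied). */
int expand_gpgkeypath(const char *list, key_list *kl)
{
  kl->n = 0;
  char *copy = strdup(list);
  if (!copy) return -1;
  int rc = 0;
  for (char *tok = strtok(copy, ","); tok && rc == 0; tok = strtok(NULL, ","))
    rc = expand_entry(tok, kl);
  free(copy);
  if (rc) key_list_free(kl);
  return rc;
}

/* Constructed fixture: <tmp>/key1.asc plus <tmp>/keys.d/{a.asc,b.asc,nested/}.
 * The nested directory must be skipped by the expansion. */
static int build_fixture(char *dir, size_t len)
{
  char tmpl[] = "/tmp/gpgkeypath-XXXXXX";
  if (!mkdtemp(tmpl) || snprintf(dir, len, "%s", tmpl) >= (int)len) return -1;
  char p[PATH_MAX];
  snprintf(p, sizeof p, "%s/keys.d", dir);
  if (mkdir(p, 0700) != 0) return -1;
  snprintf(p, sizeof p, "%s/keys.d/nested", dir);
  if (mkdir(p, 0700) != 0) return -1;
  const char *files[] = { "key1.asc", "keys.d/a.asc", "keys.d/b.asc" };
  for (size_t i = 0; i < 3; i++) {
    snprintf(p, sizeof p, "%s/%s", dir, files[i]);
    FILE *f = fopen(p, "w");
    if (!f) return -1;
    fputs("-----BEGIN PGP PUBLIC KEY BLOCK-----\n", f);   /* placeholder, not a real key */
    fclose(f);
  }
  return 0;
}

/* How many key files "<tmp>/key1.asc,<tmp>/keys.d" expands to: 3 (nested/ skipped). */
int demo_expand_count(void)
{
  char dir[PATH_MAX], list[2 * PATH_MAX + 32];
  if (build_fixture(dir, sizeof dir) != 0) return -1;
  snprintf(list, sizeof list, "%s/key1.asc,%s/keys.d", dir, dir);
  key_list kl;
  if (expand_gpgkeypath(list, &kl) != 0) return -1;
  int n = (int)kl.n;
  key_list_free(&kl);
  return n;
}

/* 1 when a nonexistent entry is rejected instead of being silently dropped. */
int demo_missing_entry_is_error(void)
{
  key_list kl;
  return expand_gpgkeypath("/nonexistent/gpgkeypath-demo/key.asc", &kl) != 0;
}

int main(void)
{
  printf("key files found: %d\n", demo_expand_count());
  printf("missing entry rejected: %d\n", demo_missing_entry_is_error());
  return 0;
}
```

The error-on-missing choice is deliberate: the earlier fixup in this thread made a nonexistent path disappear without any message, which means a typo in a trust anchor list would go unnoticed until signature verification failed much later, if at all.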