Alternative signing system #1878
Conversation
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch?
|
|
bot, add author to whitelist |
|
Only skimmed this so far, I think it is looking reasonable. Let's split off the ability to disable gpgme as a separate PR first? Did you consider my suggestion to support a "plugin" mechanism that's just fork/exec of an external process? Like The advantage is simplicity and libostree isn't linked against any additional libraries. The downside is less integration. But to be clear I'm fine with this approach as well. |
|
Thanks for reviewing!
Ok. May be a bit later -- going to vacation, so it would be delayed.
Yes, I thought about it, and it was a fallback variant tbh ;) Since you think that current approach is reasonable enough -- it wouldn't be a hard task to add a module for implementing that approach as well if needed.
Thanks! glad to know that. Will proceed with cleanup first. |
|
Added the first step in PR #1889 -- ability to build libostree without GPGME. |
|
☔ The latest upstream changes (presumably cf7fc0e) made this pull request unmergeable. Please resolve the merge conflicts. |
|
☔ The latest upstream changes (presumably 71e1e9d) made this pull request unmergeable. Please resolve the merge conflicts. |
d4s
force-pushed
the
wip/d4s/no_gpg
branch
3 times, most recently
from
bdf4b08
to
d3cae6e
Compare
|
☔ The latest upstream changes (presumably bdbce9d) made this pull request unmergeable. Please resolve the merge conflicts. |
d4s
force-pushed
the
wip/d4s/no_gpg
branch
2 times, most recently
from
9442f5e
to
6c8f51d
Compare
Remove unneeded public declaration for ed25519 signing engine. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Add more precise error handling for ed25519 initialization. Check the initialization status at the beginning of every public function provided by ed25519 engine. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Return the collected errors from signing engines in case if verification failed for the commit. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Improve error handling for signatures checks -- passthrough real reasons from signature engines instead of using common messages. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Like we do with other features.
The "new style" code generally avoids `goto err` because it conflicts with `__attribute__((cleanup))`. This fixes a compiler warning.
This keeps the code style consistent.
This type of thing is better done via `gdb` and/or userspace tracing (systemtap/bpftrace etc.)
Additional test of signatures check behavior during the pull with keys file containing wrong signatures and correct verification key. Both are set as a part of remote's configuration. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
The "new style" code generally avoids `goto err` because it conflicts with `__attribute__((cleanup))`. This fixes a compiler warning. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Return TRUE as soon as any signature verified. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
The "new style" code generally avoids `goto err` because it conflicts with `__attribute__((cleanup))`. This fixes a compiler warning. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Pull should to fail if no known signature available in remote's configuration or well-known places. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Do not mask implementation anymore since we have a working engines integrated with pulling mechanism. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Use glnx_* functions in signature related pull code for clear error handling. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Correctly return "error" from `ostree_repo_sign_commit()` in case if GPG is not enabled. Use glnx_* functions in signature related pull code for clear error handling if GPG isn't enabled. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
|
hmmm... @cgwalters, just a reminder about this PR ;) |
|
/test sanity OK at this point I think we can commit to getting this in the next release, there will likely be followup work around this, but we can do it in master. Thanks for all of the work on this! And sorry about being slow on getting it in. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cgwalters, d4s The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
That's weird, I don't know what's going on with the |
|
/refresh |
|
/refresh |
Proposed the implementation of alternative signing system (as followup of #1233)
Approach is pretty simple: have a common interface for signing and verification, with implementation of particular sign/verify in separate modules.
--with-libsodiumoption is needed to build with support ofed25515signing engineCurrent status:
ostree sign(inspired by "ostree gpg-sign") allowing to sign and verify commitsnot implemented:
New configuration keys
For repository and remotes:
sign-verify-- global and per-remote to trigger signature verification of updatesverification-key-- per-remote -- fored25519: base64 encoded public key to use for verificationverification-file-- per-remote -- fored25519: file with the list of base64 public keys to use for verificationDummy engine
Accept any ASCII string as public/secret key. Used mostly for testing the signing interface itself. Support only single public key for verification.
Ed25519
Added "well-known" system places for
ed25519public keys -- expected 1 base64 key per line:/etc/ostree/trusted.ed25519DATADIR + /ostree/trusted.ed25519/etc/ostree/trusted.ed25519.dDATADIR + /ostree/trusted.ed25519.dThe same is for revoked keys:
/etc/ostree/revoked.ed25519/etc/ostree/revoked.ed25519.dDATADIR + /ostree/revoked.ed25519DATADIR + /ostree/rvokeded.ed25519.dCurrent logic for verification during the commits/summary file pulling:
verification-keyif it exists in configurationverification-fileif it exists in configuration