Alternative signing system #1878
Can one of the admins verify this patch?
bot, add author to whitelist
Only skimmed this so far, I think it is looking reasonable. Let's split off the ability to disable gpgme as a separate PR first? Did you consider my suggestion to support a "plugin" mechanism that's just fork/exec of an external process? Like The advantage is simplicity and libostree isn't linked against any additional libraries. The downside is less integration. But to be clear I'm fine with this approach as well.
Thanks for reviewing!
Ok. Maybe a bit later -- going on vacation, so it would be delayed.
Yes, I thought about it, and it was a fallback variant tbh ;) Since you think that the current approach is reasonable enough -- it wouldn't be a hard task to add a module implementing that approach as well if needed.
Thanks! Glad to know that. Will proceed with cleanup first.
Added the first step in PR #1889 -- ability to build libostree without GPGME.
☔ The latest upstream changes (presumably cf7fc0e) made this pull request unmergeable. Please resolve the merge conflicts.
☔ The latest upstream changes (presumably 71e1e9d) made this pull request unmergeable. Please resolve the merge conflicts.
bdf4b08 to d3cae6e
☔ The latest upstream changes (presumably bdbce9d) made this pull request unmergeable. Please resolve the merge conflicts.
9442f5e to 6c8f51d
Remove unneeded public declaration for ed25519 signing engine. Signed-off-by: Denis Pynkin <[email protected]>
Add more precise error handling for ed25519 initialization. Check the initialization status at the beginning of every public function provided by the ed25519 engine. Signed-off-by: Denis Pynkin <[email protected]>
Return the collected errors from signing engines in case verification failed for the commit. Signed-off-by: Denis Pynkin <[email protected]>
Improve error handling for signature checks -- pass through the real reasons from signature engines instead of using common messages. Signed-off-by: Denis Pynkin <[email protected]>
Like we do with other features.
The "new style" code generally avoids `goto err` because it conflicts with `__attribute__((cleanup))`. This fixes a compiler warning.
This keeps the code style consistent.
This type of thing is better done via `gdb` and/or userspace tracing (systemtap/bpftrace etc.)
Additional test of signature check behavior during the pull with a keys file containing wrong signatures and a correct verification key. Both are set as a part of the remote's configuration. Signed-off-by: Denis Pynkin <[email protected]>
The "new style" code generally avoids `goto err` because it conflicts with `__attribute__((cleanup))`. This fixes a compiler warning. Signed-off-by: Denis Pynkin <[email protected]>
Return TRUE as soon as any signature verified. Signed-off-by: Denis Pynkin <[email protected]>
The "new style" code generally avoids `goto err` because it conflicts with `__attribute__((cleanup))`. This fixes a compiler warning. Signed-off-by: Denis Pynkin <[email protected]>
Pull should fail if no known signature is available in the remote's configuration or well-known places. Signed-off-by: Denis Pynkin <[email protected]>
Do not mask the implementation anymore since we have working engines integrated with the pulling mechanism. Signed-off-by: Denis Pynkin <[email protected]>
Use glnx_* functions in signature-related pull code for clear error handling. Signed-off-by: Denis Pynkin <[email protected]>
Correctly return "error" from `ostree_repo_sign_commit()` in case GPG is not enabled. Use glnx_* functions in signature-related pull code for clear error handling if GPG isn't enabled. Signed-off-by: Denis Pynkin <[email protected]>
hmmm... @cgwalters, just a reminder about this PR ;)
/test sanity
OK at this point I think we can commit to getting this in the next release; there will likely be followup work around this, but we can do it in master. Thanks for all of the work on this! And sorry about being slow on getting it in.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cgwalters, d4s.
That's weird, I don't know what's going on with the
/refresh
/refresh
Proposed the implementation of an alternative signing system (as a followup of #1233).
Approach is pretty simple: have a common interface for signing and verification, with the implementation of particular sign/verify in separate modules.
The `--with-libsodium` option is needed to build with support of the ed25519 signing engine.

Current status:
- `ostree sign` (inspired by `ostree gpg-sign`), allowing to sign and verify commits
- not implemented:

New configuration keys
For repository and remotes:
- `sign-verify` -- global and per-remote, to trigger signature verification of updates
- `verification-key` -- per-remote -- for ed25519: base64 encoded public key to use for verification
- `verification-file` -- per-remote -- for ed25519: file with the list of base64 public keys to use for verification

Dummy engine
Accepts any ASCII string as public/secret key. Used mostly for testing the signing interface itself. Supports only a single public key for verification.

Ed25519
Added "well-known" system places for ed25519 public keys -- expected 1 base64 key per line:
- /etc/ostree/trusted.ed25519
- DATADIR + /ostree/trusted.ed25519
- /etc/ostree/trusted.ed25519.d
- DATADIR + /ostree/trusted.ed25519.d
The same is for revoked keys:
- /etc/ostree/revoked.ed25519
- /etc/ostree/revoked.ed25519.d
- DATADIR + /ostree/revoked.ed25519
- DATADIR + /ostree/revoked.ed25519.d

Current logic for verification during the commits/summary file pulling:
- `verification-key` if it exists in configuration
- `verification-file` if it exists in configuration
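The verification policy the PR description lays out (keys gathered from `verification-key`, `verification-file` and the well-known `trusted.ed25519` places, keys in `revoked.ed25519` dropped, success as soon as any signature verifies, failure when no key is configured at all) can be mirrored in a few dozen lines. The block below is an added example written for this page, not code from the PR or from libostree: it uses Go's standard `crypto/ed25519` instead of libsodium, the type and function names are this example's own, the tolerance for blank and `#` lines in key files is an assumption the PR does not state, and the keys and commit bytes are constructed on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// TrustStore is the set of ed25519 public keys a remote may be verified against,
// keyed by base64 form so the same key listed in two files collapses to one.
type TrustStore struct{ trusted map[string]ed25519.PublicKey }
// EncodeKey renders a public key in the one-key-per-line file format.
func EncodeKey(pk ed25519.PublicKey) string { return base64.StdEncoding.EncodeToString(pk) }

// ParseKeyFile reads the "one base64 public key per line" format of trusted.ed25519,
// revoked.ed25519 and verification-file. Skipping blank/'#' lines is this example's choice.
func ParseKeyFile(contents string) ([]ed25519.PublicKey, error) {
	var keys []ed25519.PublicKey
	for n, line := range strings.Split(contents, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: invalid base64: %w", n+1, err)
		}
		if len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("line %d: expected %d-byte key, got %d", n+1, ed25519.PublicKeySize, len(raw))
		}
		keys = append(keys, ed25519.PublicKey(raw))
	}
	return keys, nil
}

// NewTrustStore merges every trusted source (verification-key, verification-file, the
// well-known trusted.ed25519 files) and then drops every key found in any revoked source.
func NewTrustStore(trustedFiles, revokedFiles []string) (*TrustStore, error) {
	ts := &TrustStore{trusted: map[string]ed25519.PublicKey{}}
	for _, f := range trustedFiles {
		keys, err := ParseKeyFile(f)
		if err != nil {
			return nil, fmt.Errorf("trusted keys: %w", err)
		}
		for _, k := range keys {
			ts.trusted[EncodeKey(k)] = k
		}
	}
	for _, f := range revokedFiles {
		keys, err := ParseKeyFile(f)
		if err != nil {
			return nil, fmt.Errorf("revoked keys: %w", err)
		}
		for _, k := range keys {
			delete(ts.trusted, EncodeKey(k)) // revocation wins wherever the key was trusted
		}
	}
	return ts, nil
}

// Verify returns nil as soon as any one signature checks out against any trusted key.
// With no usable key the pull must fail; on failure the per-signature reasons are returned.
func (ts *TrustStore) Verify(commit []byte, signatures [][]byte) error {
	if len(ts.trusted) == 0 {
		return errors.New("no trusted ed25519 keys configured for this remote")
	}
	if len(signatures) == 0 {
		return errors.New("commit carries no ed25519 signatures")
	}
	var reasons []string
	for i, sig := range signatures {
		if len(sig) != ed25519.SignatureSize {
			reasons = append(reasons, fmt.Sprintf("signature %d: bad length %d", i, len(sig)))
			continue
		}
		for _, pk := range ts.trusted {
			if ed25519.Verify(pk, commit, sig) {
				return nil
			}
		}
		reasons = append(reasons, fmt.Sprintf("signature %d: not made by any trusted key", i))
	}
	return fmt.Errorf("ed25519 verification failed: %s", strings.Join(reasons, "; "))
}

func main() {
	// Constructed demo: a release key and a revoked key signing stand-in commit bytes.
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	revPub, revPriv, _ := ed25519.GenerateKey(rand.Reader)
	commit := []byte("constructed commit object bytes")
	ts, err := NewTrustStore([]string{EncodeKey(relPub) + "\n" + EncodeKey(revPub) + "\n"}, []string{EncodeKey(revPub) + "\n"})
	if err != nil {
		panic(err)
	}
	fmt.Println("release key:", ts.Verify(commit, [][]byte{ed25519.Sign(relPriv, commit)}))
	fmt.Println("revoked key:", ts.Verify(commit, [][]byte{ed25519.Sign(revPriv, commit)}))
}
```

Two design points are worth noting against the PR's own commit messages: the store is built by loading all trusted sources before applying any revoked source, so a key listed in both `/etc/ostree/trusted.ed25519` and `/etc/ostree/revoked.ed25519` is never usable regardless of load order; and an empty trust set is an error, not a vacuous pass, which is the behaviour the "Pull should fail if no known signature is available" commit describes.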