mirror of
https://github.com/ostreedev/ostree.git
synced 2025-01-10 05:18:30 +03:00
remote-add: Add --sign-verify=KEYTYPE=[inline|file]:PUBKEYREF
Per https://github.com/ostreedev/ostree/issues/2080#issuecomment-623614483 A huge benefit of ed25519 (and ECC in general) is that keys are very short - short enough that it's completely reasonable to inline them into a command line argument. And I think that's a good model; it makes the keys very visible. For example, someone could easily copy-paste a commandline argument from a webpage (secured via TLS) that says to run `ostree remote add --sign-verify=ed25519=inline:KEY`.
This commit is contained in:
Colin Walters
parent
4c01c0385f
commit
588f42e8c6
@ -32,6 +32,7 @@ static gboolean opt_no_sign_verify;
|
||||
static gboolean opt_if_not_exists;
|
||||
static gboolean opt_force;
|
||||
static char *opt_gpg_import;
|
||||
static char **opt_sign_verify;
|
||||
static char *opt_contenturl;
|
||||
static char *opt_collection_id;
|
||||
static char *opt_sysroot;
|
||||
@ -46,6 +47,7 @@ static GOptionEntry option_entries[] = {
|
||||
{ "set", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_set, "Set config option KEY=VALUE for remote", "KEY=VALUE" },
|
||||
{ "no-gpg-verify", 0, 0, G_OPTION_ARG_NONE, &opt_no_gpg_verify, "Disable GPG verification", NULL },
|
||||
{ "no-sign-verify", 0, 0, G_OPTION_ARG_NONE, &opt_no_sign_verify, "Disable signature verification", NULL },
|
||||
{ "sign-verify", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_sign_verify, "Verify signatures using KEYTYPE=inline:PUBKEY or KEYTYPE=file:/path/to/key", "KEYTYPE=[inline|file]:PUBKEY" },
|
||||
{ "if-not-exists", 0, 0, G_OPTION_ARG_NONE, &opt_if_not_exists, "Do nothing if the provided remote exists", NULL },
|
||||
{ "force", 0, 0, G_OPTION_ARG_NONE, &opt_force, "Replace the provided remote if it exists", NULL },
|
||||
{ "gpg-import", 0, 0, G_OPTION_ARG_FILENAME, &opt_gpg_import, "Import GPG key from FILE", "FILE" },
|
||||
@ -57,6 +59,42 @@ static GOptionEntry option_entries[] = {
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
static gboolean
|
||||
add_verify_opt (GVariantBuilder *builder,
|
||||
const char *keyspec,
|
||||
GError **error)
|
||||
{
|
||||
g_auto(GStrv) parts = g_strsplit (keyspec, "=", 2);
|
||||
g_assert (parts && *parts);
|
||||
const char *keytype = parts[0];
|
||||
if (!parts[1])
|
||||
return glnx_throw (error, "Failed to parse KEYTYPE=[inline|file]:DATA in %s", keyspec);
|
||||
|
||||
g_autoptr(OstreeSign) sign = ostree_sign_get_by_name (keytype, error);
|
||||
if (!sign)
|
||||
return FALSE;
|
||||
|
||||
const char *rest = parts[1];
|
||||
g_assert (!parts[2]);
|
||||
g_auto(GStrv) keyparts = g_strsplit (rest, ":", 2);
|
||||
g_assert (keyparts && *keyparts);
|
||||
const char *keyref = keyparts[0];
|
||||
g_assert (keyref);
|
||||
g_autofree char *optname = NULL;
|
||||
if (g_str_equal (keyref, "inline"))
|
||||
optname = g_strdup_printf ("verification-%s-key", keytype);
|
||||
else if (g_str_equal (keyref, "file"))
|
||||
optname = g_strdup_printf ("verification-%s-file", keytype);
|
||||
else
|
||||
return glnx_throw (error, "Invalid key reference %s, expected inline|file", keyref);
|
||||
|
||||
g_assert (keyparts[1] && !keyparts[2]);
|
||||
g_variant_builder_add (builder, "{s@v}",
|
||||
optname,
|
||||
g_variant_new_variant (g_variant_new_string (keyparts[1])));
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
gboolean
|
||||
ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocation, GCancellable *cancellable, GError **error)
|
||||
{
|
||||
@ -144,9 +182,24 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio
|
||||
#endif /* OSTREE_DISABLE_GPGME */
|
||||
|
||||
if (opt_no_sign_verify)
|
||||
{
|
||||
if (opt_sign_verify)
|
||||
return glnx_throw (error, "Cannot specify both --sign-verify and --no-sign-verify");
|
||||
g_variant_builder_add (optbuilder, "{s@v}",
|
||||
"sign-verify",
|
||||
g_variant_new_variant (g_variant_new_boolean (FALSE)));
|
||||
}
|
||||
|
||||
for (char **iter = opt_sign_verify; iter && *iter; iter++)
|
||||
{
|
||||
const char *keyspec = *iter;
|
||||
if (!add_verify_opt (optbuilder, keyspec, error))
|
||||
return FALSE;
|
||||
}
|
||||
if (opt_sign_verify)
|
||||
g_variant_builder_add (optbuilder, "{s@v}",
|
||||
"sign-verify",
|
||||
g_variant_new_variant (g_variant_new_boolean (FALSE)));
|
||||
"sign-verify",
|
||||
g_variant_new_variant (g_variant_new_boolean (TRUE)));
|
||||
|
||||
if (opt_collection_id != NULL)
|
||||
g_variant_builder_add (optbuilder, "{s@v}", "collection-id",
|
||||
|
||||
@ -23,7 +23,7 @@ set -euo pipefail
|
||||
|
||||
. $(dirname $0)/libtest.sh
|
||||
|
||||
echo "1..11"
|
||||
echo "1..16"
|
||||
|
||||
# This is explicitly opt in for testing
|
||||
export OSTREE_DUMMY_SIGN_ENABLED=1
|
||||
@ -54,7 +54,7 @@ function test_signed_pull() {
|
||||
localsig=repo/$objpath
|
||||
mv $remotesig $remotesig.bak
|
||||
if ${CMD_PREFIX} ostree --repo=repo --depth=0 pull origin main; then
|
||||
assert_not_reached "pull with sign-verify unexpectedly succeeded?"
|
||||
assert_not_reached "pull with sign-verify and no commitmeta unexpectedly succeeded?"
|
||||
fi
|
||||
# ok now check that we can pull correctly
|
||||
mv $remotesig.bak $remotesig
|
||||
@ -98,6 +98,25 @@ ${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-dummy
|
||||
${CMD_PREFIX} ostree --repo=repo config unset 'remote "origin"'.verification-dummy-file
|
||||
test_signed_pull "dummy" ""
|
||||
|
||||
# Another test with the --verify option directly
|
||||
repo_init --sign-verify=dummy=inline:${DUMMYSIGN}
|
||||
test_signed_pull "dummy" "from remote opt"
|
||||
|
||||
repo_init
|
||||
if ${CMD_PREFIX} ostree --repo=repo remote add other --sign-verify=trustme=inline:ok http://localhost 2>err.txt; then
|
||||
assert_not_reached "remote add with invalid keytype succeeded"
|
||||
fi
|
||||
assert_file_has_content err.txt 'Requested signature type is not implemented'
|
||||
if ${CMD_PREFIX} ostree --repo=repo remote add other --sign-verify=dummy http://localhost 2>err.txt; then
|
||||
assert_not_reached "remote add with invalid keytype succeeded"
|
||||
fi
|
||||
assert_file_has_content err.txt 'Failed to parse KEYTYPE'
|
||||
if ${CMD_PREFIX} ostree --repo=repo remote add other --sign-verify=dummy=foo:bar http://localhost 2>err.txt; then
|
||||
assert_not_reached "remote add with invalid keytype succeeded"
|
||||
fi
|
||||
assert_file_has_content err.txt 'Invalid key reference'
|
||||
echo "ok remote add errs"
|
||||
|
||||
if ! has_sign_ed25519; then
|
||||
echo "ok ed25519-key pull signed commit # SKIP due libsodium unavailability"
|
||||
echo "ok ed25519-key re-pull signature for stored commit # SKIP due libsodium unavailability"
|
||||
@ -105,6 +124,8 @@ if ! has_sign_ed25519; then
|
||||
echo "ok ed25519-key+file re-pull signature for stored commit # SKIP due libsodium unavailability"
|
||||
echo "ok ed25519-file pull signed commit # SKIP due libsodium unavailability"
|
||||
echo "ok ed25519-file re-pull signature for stored commit # SKIP due libsodium unavailability"
|
||||
echo "ok ed25519-inline # SKIP due libsodium unavailability"
|
||||
echo "ok ed25519-inline # SKIP due libsodium unavailability"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
@ -140,3 +161,5 @@ repo_init --set=sign-verify=true
|
||||
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-ed25519-file "${PUBKEYS}"
|
||||
test_signed_pull "ed25519" "file"
|
||||
|
||||
repo_init --sign-verify=ed25519=inline:"${ED25519PUBLIC}"
|
||||
test_signed_pull "ed25519" "--verify-ed25519"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user