lib/sign: add support of file with valid keys for remote
Allow a custom file with public keys to be used for a remote. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
This commit is contained in:
parent
91cc294d05
commit
073876d9b2
@ -1527,6 +1527,7 @@ ostree_verify_unwritten_commit (OtPullData *pull_data,
|
||||||
g_autofree gchar *signature_key = NULL;
|
g_autofree gchar *signature_key = NULL;
|
||||||
g_autofree GVariantType *signature_format = NULL;
|
g_autofree GVariantType *signature_format = NULL;
|
||||||
g_autofree gchar *pk_ascii = NULL;
|
g_autofree gchar *pk_ascii = NULL;
|
||||||
|
g_autofree gchar *pk_file = NULL;
|
||||||
|
|
||||||
if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
|
if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -1543,7 +1544,25 @@ ostree_verify_unwritten_commit (OtPullData *pull_data,
|
||||||
if (!signatures)
|
if (!signatures)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
/* TODO: load keys for remote here */
|
/* Load keys for remote from file */
|
||||||
|
ostree_repo_get_remote_option (pull_data->repo,
|
||||||
|
pull_data->remote_name,
|
||||||
|
"verification-file", NULL,
|
||||||
|
&pk_file, NULL);
|
||||||
|
if (pk_file != NULL)
|
||||||
|
{
|
||||||
|
g_autoptr (GVariantBuilder) builder = NULL;
|
||||||
|
g_autoptr (GVariant) options = NULL;
|
||||||
|
|
||||||
|
builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
|
||||||
|
g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (pk_file));
|
||||||
|
options = g_variant_builder_end (builder);
|
||||||
|
|
||||||
|
if (!ostree_sign_load_pk (sign, options, error))
|
||||||
|
g_clear_error (error);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Override key if it is set explicitly */
|
||||||
ostree_repo_get_remote_option (pull_data->repo,
|
ostree_repo_get_remote_option (pull_data->repo,
|
||||||
pull_data->remote_name,
|
pull_data->remote_name,
|
||||||
"verification-key", NULL,
|
"verification-key", NULL,
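Review bot: A failure to load the operator-configured verification-file is silenced at `g_clear_error (error);` right after the `ostree_sign_load_pk` call, so a missing, unreadable or malformed key file leaves the sign object without those keys and the eventual verification failure says nothing about the cause. Because the file was set explicitly for this remote, the load failure should at least be reported before it is dropped, e.g. use a local `g_autoptr (GError) local_error = NULL;` and on failure `g_debug ("Failed to load keys from verification-file '%s': %s", pk_file, local_error->message);` — or better, propagate it to the caller, since a trust anchor that cannot be read is a misconfiguration rather than a soft condition. The `ostree_repo_get_remote_option` call for "verification-file" also ignores its return value and passes NULL for its error, so a config-read failure is indistinguishable from the option simply being unset. The same block with the same handling is repeated in the scan_commit_object hunk below. The enclosing loop body of ostree_verify_unwritten_commit starts and ends outside this hunk.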
|
||||||
|
|
@ -1931,13 +1950,32 @@ scan_commit_object (OtPullData *pull_data,
|
||||||
{
|
{
|
||||||
g_autoptr (OstreeSign) sign = NULL;
|
g_autoptr (OstreeSign) sign = NULL;
|
||||||
g_autofree gchar *pk_ascii = NULL;
|
g_autofree gchar *pk_ascii = NULL;
|
||||||
|
g_autofree gchar *pk_file = NULL;
|
||||||
|
|
||||||
if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
|
if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
|
||||||
{
|
{
|
||||||
g_clear_error (error);
|
g_clear_error (error);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
/* TODO: load keys for remote here */
|
|
||||||
|
/* Load keys for remote from file */
|
||||||
|
ostree_repo_get_remote_option (pull_data->repo,
|
||||||
|
pull_data->remote_name,
|
||||||
|
"verification-file", NULL,
|
||||||
|
&pk_file, NULL);
|
||||||
|
if (pk_file != NULL)
|
||||||
|
{
|
||||||
|
g_autoptr (GVariantBuilder) builder = NULL;
|
||||||
|
g_autoptr (GVariant) options = NULL;
|
||||||
|
|
||||||
|
builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
|
||||||
|
g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (pk_file));
|
||||||
|
options = g_variant_builder_end (builder);
|
||||||
|
|
||||||
|
if (!ostree_sign_load_pk (sign, options, error))
|
||||||
|
g_clear_error (error);
|
||||||
|
}
|
||||||
|
|
||||||
ostree_repo_get_remote_option (pull_data->repo,
|
ostree_repo_get_remote_option (pull_data->repo,
|
||||||
pull_data->remote_name,
|
pull_data->remote_name,
|
||||||
"verification-key", NULL,
|
"verification-key", NULL,
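Review bot: The key-file loading block added here is a verbatim copy of the one added to ostree_verify_unwritten_commit in the hunk above; a static helper such as `static gboolean load_remote_verification_file (OtPullData *pull_data, OstreeSign *sign, GError **error)` called from both sites would keep the two verification paths from drifting, which matters for code that decides which keys are trusted. Separately, `options = g_variant_builder_end (builder);` yields a floating GVariant that is then held in a `g_autoptr (GVariant)`; unless ostree_sign_load_pk is known to only borrow the variant, `options = g_variant_ref_sink (g_variant_builder_end (builder));` gives the caller a real reference matching the automatic unref (the hunk above has the same construction). If a load failure is meant to be non-fatal, the comment `/* Load keys for remote from file */` could say so explicitly, e.g. `/* Load keys for remote from file; a load failure is logged and verification continues with the keys already present */`, so the silent `g_clear_error (error);` reads as a decision rather than an oversight. The enclosing loop of scan_commit_object starts and ends outside this hunk.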
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ set -euo pipefail
|
||||||
|
|
||||||
. $(dirname $0)/libtest.sh
|
. $(dirname $0)/libtest.sh
|
||||||
|
|
||||||
echo "1..4"
|
echo "1..7"
|
||||||
|
|
||||||
setup_fake_remote_repo1 "archive"
|
setup_fake_remote_repo1 "archive"
|
||||||
|
|
||||||
|
|
@ -90,3 +90,19 @@ repo_init --set=sign-verify=true
|
||||||
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-key "${PUBLIC}"
|
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-key "${PUBLIC}"
|
||||||
test_signed_pull "ed25519"
|
test_signed_pull "ed25519"
|
||||||
|
|
||||||
|
# Prepare files with public ed25519 signatures
|
||||||
|
PUBKEYS="$(mktemp -p ${test_tmpdir} ed25519_XXXXXX.ed25519)"
|
||||||
|
|
||||||
|
# Test the file with multiple keys without a valid public key
|
||||||
|
for((i=0;i<100;i++)); do
|
||||||
|
# Generate a list with some public signatures
|
||||||
|
openssl genpkey -algorithm ED25519 | openssl pkey -outform DER | tail -c 32 | base64
|
||||||
|
done > ${PUBKEYS}
|
||||||
|
# Add correct key into the list
|
||||||
|
echo ${PUBLIC} >> ${PUBKEYS}
|
||||||
|
|
||||||
|
repo_init --set=sign-verify=true
|
||||||
|
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-file "${PUBKEYS}"
|
||||||
|
test_signed_pull "ed25519"
|
||||||
|
|
||||||
|
echo "ok verify ed25519 keys file"
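Review bot: The new test only exercises the positive case — a file of 100 unrelated keys plus the valid one, after which `test_signed_pull "ed25519"` succeeds — so the comment `# Test the file with multiple keys without a valid public key` does not describe what follows, and nothing asserts that a verification-file containing no valid key makes the pull fail, which is exactly the check a lenient key-file parser would slip past. Consider running the pull against `${PUBKEYS}` before the `echo ${PUBLIC} >> ${PUBKEYS}` line and asserting it fails, then appending the valid key and repeating the positive pull. The expansions `${test_tmpdir}`, `${PUBKEYS}` and `${PUBLIC}` are unquoted in the `mktemp`, `done >` and `echo` lines while the `config set` line quotes `"${PUBKEYS}"`; quoting them consistently keeps the test correct for temp paths containing spaces. Generating 100 keys with three openssl processes each also dominates this test's runtime; a dozen keys would demonstrate the same behaviour.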
|
||||||
|
|
|
||||||