lib/sign: add support of file with valid keys for remote
Allow to use custom file with public keys for remote. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
This commit is contained in:
Denis Pynkin
parent
91cc294d05
commit
073876d9b2
|
|
@ -1527,6 +1527,7 @@ ostree_verify_unwritten_commit (OtPullData *pull_data,
|
|||
g_autofree gchar *signature_key = NULL;
|
||||
g_autofree GVariantType *signature_format = NULL;
|
||||
g_autofree gchar *pk_ascii = NULL;
|
||||
g_autofree gchar *pk_file = NULL;
|
||||
|
||||
if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
|
||||
{
|
||||
|
|
@ -1543,7 +1544,25 @@ ostree_verify_unwritten_commit (OtPullData *pull_data,
|
|||
if (!signatures)
|
||||
continue;
|
||||
|
||||
/* TODO: load keys for remote here */
|
||||
/* Load keys for remote from file */
|
||||
ostree_repo_get_remote_option (pull_data->repo,
|
||||
pull_data->remote_name,
|
||||
"verification-file", NULL,
|
||||
&pk_file, NULL);
|
||||
if (pk_file != NULL)
|
||||
{
|
||||
g_autoptr (GVariantBuilder) builder = NULL;
|
||||
g_autoptr (GVariant) options = NULL;
|
||||
|
||||
builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
|
||||
g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (pk_file));
|
||||
options = g_variant_builder_end (builder);
|
||||
|
||||
if (!ostree_sign_load_pk (sign, options, error))
|
||||
g_clear_error (error);
|
||||
}
|
||||
|
||||
/* Override key if it is set explicitly */
|
||||
ostree_repo_get_remote_option (pull_data->repo,
|
||||
pull_data->remote_name,
|
||||
"verification-key", NULL,
|
||||
|
|
@ -1931,13 +1950,32 @@ scan_commit_object (OtPullData *pull_data,
|
|||
{
|
||||
g_autoptr (OstreeSign) sign = NULL;
|
||||
g_autofree gchar *pk_ascii = NULL;
|
||||
g_autofree gchar *pk_file = NULL;
|
||||
|
||||
if ((sign = ostree_sign_get_by_name (names[i], error)) == NULL)
|
||||
{
|
||||
g_clear_error (error);
|
||||
continue;
|
||||
}
|
||||
/* TODO: load keys for remote here */
|
||||
|
||||
/* Load keys for remote from file */
|
||||
ostree_repo_get_remote_option (pull_data->repo,
|
||||
pull_data->remote_name,
|
||||
"verification-file", NULL,
|
||||
&pk_file, NULL);
|
||||
if (pk_file != NULL)
|
||||
{
|
||||
g_autoptr (GVariantBuilder) builder = NULL;
|
||||
g_autoptr (GVariant) options = NULL;
|
||||
|
||||
builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
|
||||
g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (pk_file));
|
||||
options = g_variant_builder_end (builder);
|
||||
|
||||
if (!ostree_sign_load_pk (sign, options, error))
|
||||
g_clear_error (error);
|
||||
}
|
||||
|
||||
ostree_repo_get_remote_option (pull_data->repo,
|
||||
pull_data->remote_name,
|
||||
"verification-key", NULL,
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ set -euo pipefail
|
|||
|
||||
. $(dirname $0)/libtest.sh
|
||||
|
||||
echo "1..4"
|
||||
echo "1..7"
|
||||
|
||||
setup_fake_remote_repo1 "archive"
|
||||
|
||||
|
|
@ -90,3 +90,19 @@ repo_init --set=sign-verify=true
|
|||
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-key "${PUBLIC}"
|
||||
test_signed_pull "ed25519"
|
||||
|
||||
# Prepare files with public ed25519 signatures
|
||||
PUBKEYS="$(mktemp -p ${test_tmpdir} ed25519_XXXXXX.ed25519)"
|
||||
|
||||
# Test the file with multiple keys without a valid public key
|
||||
for((i=0;i<100;i++)); do
|
||||
# Generate a list with some public signatures
|
||||
openssl genpkey -algorithm ED25519 | openssl pkey -outform DER | tail -c 32 | base64
|
||||
done > ${PUBKEYS}
|
||||
# Add correct key into the list
|
||||
echo ${PUBLIC} >> ${PUBKEYS}
|
||||
|
||||
repo_init --set=sign-verify=true
|
||||
${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-file "${PUBKEYS}"
|
||||
test_signed_pull "ed25519"
|
||||
|
||||
echo "ok verify ed25519 keys file"
|
||||
|
|
|
|||
Loading…
Reference in New Issue