-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: GPG remote trusted key updating #2260
base: main
Are you sure you want to change the base?
Commits on Oct 18, 2019
-
lib/repo: Factor out GPG verifier key imports
Currently the verifier only imports all the GPG keys when verifying data, but it would also be useful for inspecting the trusted keys.
Configuration menu - View commit details
-
Copy full SHA for e9a0ebb - Browse repository at this point
Copy the full SHA e9a0ebbView commit details -
lib/repo: Factor out GPG verifier preparation
In order to use the GPG verifier, it needs to be seeded with GPG keys after instantation. Currently this is only used for verifying data, but it will also be used for getting a list of trusted GPG keys in a subsequent commit.
Configuration menu - View commit details
-
Copy full SHA for dff3c24 - Browse repository at this point
Copy the full SHA dff3c24View commit details -
lib/repo: Add ostree_repo_remote_get_gpg_keys()
This function enumerates the trusted GPG keys for a remote and returns an array of `GVariant`s describing them. This is useful to see which keys are collected by ostree for a particular remote. The same information can be gathered with `gpg`. However, since ostree allows multiple keyring locations, that's only really useful if you have knowledge of how ostree collects GPG keyrings. The format of the variants is documented in `OSTREE_GPG_KEY_GVARIANT_FORMAT`. This format is primarily a copy of selected fields within `gpgme_key_t` and its subtypes. The fields are placed within vardicts rather than using a more efficient tuple of concrete types. This will allow flexibility if more components of `gpgme_key_t` are desired in the future.
Configuration menu - View commit details
-
Copy full SHA for 7397b18 - Browse repository at this point
Copy the full SHA 7397b18View commit details
Commits on Oct 21, 2019
-
bin/remote: Add list-gpg-keys subcommand
This provides a wrapper for the `ostree_repo_remote_get_gpg_keys` function to show the GPG keys associated with a remote. This is particularly useful for validating the GPG key updates have been applied.
Configuration menu - View commit details
-
Copy full SHA for a122429 - Browse repository at this point
Copy the full SHA a122429View commit details -
Configuration menu - View commit details
-
Copy full SHA for 655f738 - Browse repository at this point
Copy the full SHA 655f738View commit details -
libotutil: Import implementation of zbase32 encoding
This will be used to implement the PGP Web Key Directory (WKD) URL generation. This is a slightly cleaned up implementation[1] taken from the zbase32 author's original implementation[2]. It provides a single zbase32_encode API to convert a set of bytes to the zbase32 encoding. I believe this should be acceptable for inclusion in ostree. The license in the source files is BSD style while the original repo LICENSE file claims the Creative Commons CC0 1.0 Universal license, which is public domain. 1. https://github.com/dbnicholson/libbase32/tree/for-ostree 2. https://github.com/zooko/libbase32
Configuration menu - View commit details
-
Copy full SHA for da1b903 - Browse repository at this point
Copy the full SHA da1b903View commit details -
libotutil: Add helper for GPG WKD update URLs
Calculate the advanced and direct update URLs for the key discovery portion[1] of the OpenPGP Web Key Directory specification, and include the URLs in the key listing in ostree_repo_remote_get_gpg_keys(). These URLs can be used to locate updated GPG keys for the remote. 1. https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08#section-3.1
Configuration menu - View commit details
-
Copy full SHA for e807714 - Browse repository at this point
Copy the full SHA e807714View commit details -
lib/repo: Include WKD update URLs in GPG key listing
If the key UID contains a valid email address, include the GPG WKD update URLs in GVariant returned by ostree_repo_remote_get_gpg_keys().
Configuration menu - View commit details
-
Copy full SHA for 6e05583 - Browse repository at this point
Copy the full SHA 6e05583View commit details -
Configuration menu - View commit details
-
Copy full SHA for 932a556 - Browse repository at this point
Copy the full SHA 932a556View commit details -
Configuration menu - View commit details
-
Copy full SHA for 7bac5b8 - Browse repository at this point
Copy the full SHA 7bac5b8View commit details -
Configuration menu - View commit details
-
Copy full SHA for 0f5d5ee - Browse repository at this point
Copy the full SHA 0f5d5eeView commit details -
bin/remote: Add update-gpg-keys subcommand
This provides a wrapper for the `ostree_repo_remote_update_gpg_keys` API to update a remote's GPG trusted keys using the PGP Web Key Directory protocol.
Configuration menu - View commit details
-
Copy full SHA for 2cf3985 - Browse repository at this point
Copy the full SHA 2cf3985View commit details -
lib/gpg: Allow local server override for WKD URLs
In order to test `ostree_remote_update_gpg_keys`, we need to be able to fetch the keys from a local test server. This inherently requires introducing a backdoor to the update process. If the _OSTREE_GPG_UPDATE_LOCAL_PORT environment variable is set, change the server to http://127.0.0.1:<port> after validating that the port is numerical. This should keep any attack local by not allowing the URL to be changed to an arbitrary remote server.
Configuration menu - View commit details
-
Copy full SHA for 7a9aca9 - Browse repository at this point
Copy the full SHA 7a9aca9View commit details -
Configuration menu - View commit details
-
Copy full SHA for 27202db - Browse repository at this point
Copy the full SHA 27202dbView commit details
Commits on Nov 19, 2019
-
Configuration menu - View commit details
-
Copy full SHA for 6d46edf - Browse repository at this point
Copy the full SHA 6d46edfView commit details