Remove verification step from keykeeper

Signed-off-by: Mustafa Gezen <mustafa@ctrliq.com>
2022-08-16 14:45:03 +02:00 · 2022-08-16 14:45:03 +02:00 · 70c45775cb
parent 302c68a383
commit 70c45775cb
2 changed files with 50 additions and 103 deletions
--- a/peridot/keykeeper/v1/keywarming.go
+++ b/peridot/keykeeper/v1/keywarming.go
@ -85,24 +85,6 @@ func (s *Server) importGpgKey(armoredKey string) error {
 	return err
 }

-func (s *Server) importRpmKey(publicKey string) error {
-	tmpFile, err := ioutil.TempFile("/tmp", "peridot-key-")
-	if err != nil {
-		return err
-	}
-	defer os.Remove(tmpFile.Name())
-	_, err = tmpFile.Write([]byte(publicKey))
-	if err != nil {
-		return err
-	}
-	cmd := gpgCmdEnv(exec.Command("rpm", "--import", tmpFile.Name()))
-	out, err := logCmdRun(cmd)
-	if err != nil {
-		s.log.Errorf("failed to import rpm key: %s", out.String())
-	}
-	return err
-}
-
 // WarmGPGKey warms up a specific GPG key
 // This involves shelling out to GPG to import the key
 func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, db *models.Key) (*LoadedKey, error) {
@ -120,11 +102,6 @@ func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, d
 		return nil, err
 	}

-	err = s.importRpmKey(db.PublicKey)
-	if err != nil {
-		return nil, err
-	}
-
 	if cachedKey == nil {
 		s.keys[key] = &LoadedKey{
 			keyUuid: db.ID,
--- a/peridot/keykeeper/v1/sign.go
+++ b/peridot/keykeeper/v1/sign.go
@ -188,90 +188,60 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke

 	switch ext {
 	case ".rpm":
-		rpmSign := func() (*keykeeperpb.SignedArtifact, error) {
-			var outBuf bytes.Buffer
-			opts := []string{
-				"--define", "_gpg_name " + keyName,
-				"--define", "_peridot_keykeeper_key " + key.keyUuid.String(),
-				"--addsign", localPath,
-			}
-			cmd := gpgCmdEnv(exec.Command("rpm", opts...))
-			cmd.Stdout = &outBuf
-			cmd.Stderr = &outBuf
-			err := cmd.Run()
-			if err != nil {
-				s.log.Errorf("failed to sign artifact %s: %v", artifact.Name, err)
-				statusErr := status.New(codes.Internal, "failed to sign artifact")
-				statusErr, err2 := statusErr.WithDetails(&errdetails.ErrorInfo{
-					Reason: "rpmsign-failed",
-					Domain: "keykeeper.peridot.resf.org",
-					Metadata: map[string]string{
-						"logs": outBuf.String(),
-						"err":  err.Error(),
-					},
-				})
-				if err2 != nil {
-					s.log.Errorf("failed to add error details to status: %v", err2)
-				}
-				return nil, statusErr.Err()
-			}
-			_, err = s.storage.PutObject(newObjectKey, localPath)
-			if err != nil {
-				s.log.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
-				return nil, fmt.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
-			}
-
-			f, err := os.Open(localPath)
-			if err != nil {
-				return nil, err
-			}
-
-			hasher := sha256.New()
-			_, err = io.Copy(hasher, f)
-			if err != nil {
-				return nil, err
-			}
-			hash := hex.EncodeToString(hasher.Sum(nil))
-
-			err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
-			if err != nil {
-				s.log.Errorf("failed to create task artifact signature: %v", err)
-				return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
-			}
-
-			return &keykeeperpb.SignedArtifact{
-				Path:       newObjectKey,
-				HashSha256: hash,
-			}, nil
+		var outBuf bytes.Buffer
+		opts := []string{
+			"--define", "_gpg_name " + keyName,
+			"--define", "_peridot_keykeeper_key " + key.keyUuid.String(),
+			"--addsign", localPath,
 		}
-		verifySig := func() error {
-			opts := []string{
-				"--define", "_gpg_name " + keyName,
-				"--define", "_peridot_keykeeper_key " + key.keyUuid.String(),
-				"--checksig", localPath,
+		cmd := gpgCmdEnv(exec.Command("rpm", opts...))
+		cmd.Stdout = &outBuf
+		cmd.Stderr = &outBuf
+		err := cmd.Run()
+		if err != nil {
+			s.log.Errorf("failed to sign artifact %s: %v", artifact.Name, err)
+			statusErr := status.New(codes.Internal, "failed to sign artifact")
+			statusErr, err2 := statusErr.WithDetails(&errdetails.ErrorInfo{
+				Reason: "rpmsign-failed",
+				Domain: "keykeeper.peridot.resf.org",
+				Metadata: map[string]string{
+					"logs": outBuf.String(),
+					"err":  err.Error(),
+				},
+			})
+			if err2 != nil {
+				s.log.Errorf("failed to add error details to status: %v", err2)
 			}
-			cmd := gpgCmdEnv(exec.Command("rpm", opts...))
-			cmd.Stdout = os.Stdout
-			cmd.Stderr = os.Stderr
-			err := cmd.Run()
-			if err != nil {
-				s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
-				return fmt.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
-			}
-			return nil
+			return nil, statusErr.Err()
 		}
-		var tries int
-		for {
-			res, _ := rpmSign()
-			err := verifySig()
-			if err == nil {
-				return res, nil
-			}
-			if err != nil && tries > 3 {
-				return nil, err
-			}
-			tries++
+		_, err = s.storage.PutObject(newObjectKey, localPath)
+		if err != nil {
+			s.log.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
+			return nil, fmt.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
 		}
+
+		f, err := os.Open(localPath)
+		if err != nil {
+			return nil, err
+		}
+
+		hasher := sha256.New()
+		_, err = io.Copy(hasher, f)
+		if err != nil {
+			return nil, err
+		}
+		hash := hex.EncodeToString(hasher.Sum(nil))
+
+		err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
+		if err != nil {
+			s.log.Errorf("failed to create task artifact signature: %v", err)
+			return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
+		}
+
+		return &keykeeperpb.SignedArtifact{
+			Path:       newObjectKey,
+			HashSha256: hash,
+		}, nil
 	default:
 		s.log.Infof("skipping artifact %s, extension %s not supported", artifact.Name, ext)
 		return nil, ErrUnsupportedExtension