From 70c45775cb62c44d962a2546b1132f4f1fd32c42 Mon Sep 17 00:00:00 2001
From: Mustafa Gezen
Date: Tue, 16 Aug 2022 14:45:03 +0200
Subject: [PATCH] Remove verification step from keykeeper

Signed-off-by: Mustafa Gezen
---
 peridot/keykeeper/v1/keywarming.go | 23 -----
 peridot/keykeeper/v1/sign.go | 130 +++++++++++------------------
 2 files changed, 50 insertions(+), 103 deletions(-)

diff --git a/peridot/keykeeper/v1/keywarming.go b/peridot/keykeeper/v1/keywarming.go
index dee276ad..f95ce133 100644
--- a/peridot/keykeeper/v1/keywarming.go
+++ b/peridot/keykeeper/v1/keywarming.go
@@ -85,24 +85,6 @@ func (s *Server) importGpgKey(armoredKey string) error {
 return err
 }
 
-func (s *Server) importRpmKey(publicKey string) error {
- tmpFile, err := ioutil.TempFile("/tmp", "peridot-key-")
- if err != nil {
- return err
- }
- defer os.Remove(tmpFile.Name())
- _, err = tmpFile.Write([]byte(publicKey))
- if err != nil {
- return err
- }
- cmd := gpgCmdEnv(exec.Command("rpm", "--import", tmpFile.Name()))
- out, err := logCmdRun(cmd)
- if err != nil {
- s.log.Errorf("failed to import rpm key: %s", out.String())
- }
- return err
-}
-
 // WarmGPGKey warms up a specific GPG key
 // This involves shelling out to GPG to import the key
 func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, db *models.Key) (*LoadedKey, error) {
@@ -120,11 +102,6 @@ func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, d
 return nil, err
 }
 
- err = s.importRpmKey(db.PublicKey)
- if err != nil {
- return nil, err
- }
-
 if cachedKey == nil {
 s.keys[key] = &LoadedKey{
 keyUuid: db.ID,
diff --git a/peridot/keykeeper/v1/sign.go b/peridot/keykeeper/v1/sign.go
index 32dcbac1..5c007190 100644
--- a/peridot/keykeeper/v1/sign.go
+++ b/peridot/keykeeper/v1/sign.go
@@ -188,90 +188,60 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
 
 switch ext {
 case ".rpm":
- rpmSign := func() (*keykeeperpb.SignedArtifact, error) {
- var outBuf bytes.Buffer
- opts := []string{
- "--define", "_gpg_name " + keyName,
- "--define", "_peridot_keykeeper_key " + key.keyUuid.String(),
- "--addsign", localPath,
- }
- cmd := gpgCmdEnv(exec.Command("rpm", opts...))
- cmd.Stdout = &outBuf
- cmd.Stderr = &outBuf
- err := cmd.Run()
- if err != nil {
- s.log.Errorf("failed to sign artifact %s: %v", artifact.Name, err)
- statusErr := status.New(codes.Internal, "failed to sign artifact")
- statusErr, err2 := statusErr.WithDetails(&errdetails.ErrorInfo{
- Reason: "rpmsign-failed",
- Domain: "keykeeper.peridot.resf.org",
- Metadata: map[string]string{
- "logs": outBuf.String(),
- "err": err.Error(),
- },
- })
- if err2 != nil {
- s.log.Errorf("failed to add error details to status: %v", err2)
- }
- return nil, statusErr.Err()
- }
- _, err = s.storage.PutObject(newObjectKey, localPath)
- if err != nil {
- s.log.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
- return nil, fmt.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
- }
-
- f, err := os.Open(localPath)
- if err != nil {
- return nil, err
- }
-
- hasher := sha256.New()
- _, err = io.Copy(hasher, f)
- if err != nil {
- return nil, err
- }
- hash := hex.EncodeToString(hasher.Sum(nil))
-
- err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
- if err != nil {
- s.log.Errorf("failed to create task artifact signature: %v", err)
- return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
- }
-
- return &keykeeperpb.SignedArtifact{
- Path: newObjectKey,
- HashSha256: hash,
- }, nil
+ var outBuf bytes.Buffer
+ opts := []string{
+ "--define", "_gpg_name " + keyName,
+ "--define", "_peridot_keykeeper_key " + key.keyUuid.String(),
+ "--addsign", localPath,
 }
- verifySig := func() error {
- opts := []string{
- "--define", "_gpg_name " + keyName,
- "--define", "_peridot_keykeeper_key " + key.keyUuid.String(),
- "--checksig", localPath,
+ cmd := gpgCmdEnv(exec.Command("rpm", opts...))
+ cmd.Stdout = &outBuf
+ cmd.Stderr = &outBuf
+ err := cmd.Run()
+ if err != nil {
+ s.log.Errorf("failed to sign artifact %s: %v", artifact.Name, err)
+ statusErr := status.New(codes.Internal, "failed to sign artifact")
+ statusErr, err2 := statusErr.WithDetails(&errdetails.ErrorInfo{
+ Reason: "rpmsign-failed",
+ Domain: "keykeeper.peridot.resf.org",
+ Metadata: map[string]string{
+ "logs": outBuf.String(),
+ "err": err.Error(),
+ },
+ })
+ if err2 != nil {
+ s.log.Errorf("failed to add error details to status: %v", err2)
 }
- cmd := gpgCmdEnv(exec.Command("rpm", opts...))
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- err := cmd.Run()
- if err != nil {
- s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
- return fmt.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
- }
- return nil
+ return nil, statusErr.Err()
 }
- var tries int
- for {
- res, _ := rpmSign()
- err := verifySig()
- if err == nil {
- return res, nil
- }
- if err != nil && tries > 3 {
- return nil, err
- }
- tries++
+ _, err = s.storage.PutObject(newObjectKey, localPath)
+ if err != nil {
+ s.log.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
+ return nil, fmt.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
 }
+
+ f, err := os.Open(localPath)
+ if err != nil {
+ return nil, err
+ }
+
+ hasher := sha256.New()
+ _, err = io.Copy(hasher, f)
+ if err != nil {
+ return nil, err
+ }
+ hash := hex.EncodeToString(hasher.Sum(nil))
+
+ err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
+ if err != nil {
+ s.log.Errorf("failed to create task artifact signature: %v", err)
+ return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
+ }
+
+ return &keykeeperpb.SignedArtifact{
+ Path: newObjectKey,
+ HashSha256: hash,
+ }, nil
 default:
 s.log.Infof("skipping artifact %s, extension %s not supported", artifact.Name, ext)
 return nil, ErrUnsupportedExtension
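Review bot: In the `if err != nil` branch after `cmd.Run()`, `statusErr, err2 := statusErr.WithDetails(...)` overwrites statusErr with the nil *Status that WithDetails returns alongside err2, and Err() on a nil *Status is nil, so when attaching the details fails the function returns (nil, nil) and a failed rpm --addsign is reported to the caller as success. Keep the original status unless the detailed one was built: `detailed, err2 := statusErr.WithDetails(&errdetails.ErrorInfo{...})` followed by `if err2 != nil { s.log.Errorf("failed to add error details to status: %v", err2) } else { statusErr = detailed }`. The handle from `f, err := os.Open(localPath)` is never closed; add `defer f.Close()` directly after its error check (the old rpmSign closure had the same gap, but this is now the only code path). With the --checksig pass and the retry loop gone, the object uploaded by PutObject and the hash recorded via CreateTaskArtifactSignature are no longer checked against the signing key before being published, so consumers should not treat the recorded signature as already verified. SignArtifactActivity's declaration and the computation of ext, localPath and newObjectKey lie outside the hunk.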