Remove verification step from keykeeper

Signed-off-by: Mustafa Gezen <mustafa@ctrliq.com>
This commit is contained in:
Mustafa Gezen 2022-08-16 14:45:03 +02:00
parent 302c68a383
commit 70c45775cb
Signed by untrusted user who does not match committer: mustafa
GPG Key ID: DCDF010D946438C1
2 changed files with 50 additions and 103 deletions

View File

@ -85,24 +85,6 @@ func (s *Server) importGpgKey(armoredKey string) error {
return err return err
} }
func (s *Server) importRpmKey(publicKey string) error {
tmpFile, err := ioutil.TempFile("/tmp", "peridot-key-")
if err != nil {
return err
}
defer os.Remove(tmpFile.Name())
_, err = tmpFile.Write([]byte(publicKey))
if err != nil {
return err
}
cmd := gpgCmdEnv(exec.Command("rpm", "--import", tmpFile.Name()))
out, err := logCmdRun(cmd)
if err != nil {
s.log.Errorf("failed to import rpm key: %s", out.String())
}
return err
}
// WarmGPGKey warms up a specific GPG key // WarmGPGKey warms up a specific GPG key
// This involves shelling out to GPG to import the key // This involves shelling out to GPG to import the key
func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, db *models.Key) (*LoadedKey, error) { func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, db *models.Key) (*LoadedKey, error) {
@ -120,11 +102,6 @@ func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, d
return nil, err return nil, err
} }
err = s.importRpmKey(db.PublicKey)
if err != nil {
return nil, err
}
if cachedKey == nil { if cachedKey == nil {
s.keys[key] = &LoadedKey{ s.keys[key] = &LoadedKey{
keyUuid: db.ID, keyUuid: db.ID,

View File

@ -188,90 +188,60 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
switch ext { switch ext {
case ".rpm": case ".rpm":
rpmSign := func() (*keykeeperpb.SignedArtifact, error) { var outBuf bytes.Buffer
var outBuf bytes.Buffer opts := []string{
opts := []string{ "--define", "_gpg_name " + keyName,
"--define", "_gpg_name " + keyName, "--define", "_peridot_keykeeper_key " + key.keyUuid.String(),
"--define", "_peridot_keykeeper_key " + key.keyUuid.String(), "--addsign", localPath,
"--addsign", localPath,
}
cmd := gpgCmdEnv(exec.Command("rpm", opts...))
cmd.Stdout = &outBuf
cmd.Stderr = &outBuf
err := cmd.Run()
if err != nil {
s.log.Errorf("failed to sign artifact %s: %v", artifact.Name, err)
statusErr := status.New(codes.Internal, "failed to sign artifact")
statusErr, err2 := statusErr.WithDetails(&errdetails.ErrorInfo{
Reason: "rpmsign-failed",
Domain: "keykeeper.peridot.resf.org",
Metadata: map[string]string{
"logs": outBuf.String(),
"err": err.Error(),
},
})
if err2 != nil {
s.log.Errorf("failed to add error details to status: %v", err2)
}
return nil, statusErr.Err()
}
_, err = s.storage.PutObject(newObjectKey, localPath)
if err != nil {
s.log.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
return nil, fmt.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
}
f, err := os.Open(localPath)
if err != nil {
return nil, err
}
hasher := sha256.New()
_, err = io.Copy(hasher, f)
if err != nil {
return nil, err
}
hash := hex.EncodeToString(hasher.Sum(nil))
err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
if err != nil {
s.log.Errorf("failed to create task artifact signature: %v", err)
return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
}
return &keykeeperpb.SignedArtifact{
Path: newObjectKey,
HashSha256: hash,
}, nil
} }
verifySig := func() error { cmd := gpgCmdEnv(exec.Command("rpm", opts...))
opts := []string{ cmd.Stdout = &outBuf
"--define", "_gpg_name " + keyName, cmd.Stderr = &outBuf
"--define", "_peridot_keykeeper_key " + key.keyUuid.String(), err := cmd.Run()
"--checksig", localPath, if err != nil {
s.log.Errorf("failed to sign artifact %s: %v", artifact.Name, err)
statusErr := status.New(codes.Internal, "failed to sign artifact")
statusErr, err2 := statusErr.WithDetails(&errdetails.ErrorInfo{
Reason: "rpmsign-failed",
Domain: "keykeeper.peridot.resf.org",
Metadata: map[string]string{
"logs": outBuf.String(),
"err": err.Error(),
},
})
if err2 != nil {
s.log.Errorf("failed to add error details to status: %v", err2)
} }
cmd := gpgCmdEnv(exec.Command("rpm", opts...)) return nil, statusErr.Err()
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Run()
if err != nil {
s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
return fmt.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
}
return nil
} }
var tries int _, err = s.storage.PutObject(newObjectKey, localPath)
for { if err != nil {
res, _ := rpmSign() s.log.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
err := verifySig() return nil, fmt.Errorf("failed to upload artifact %s: %v", newObjectKey, err)
if err == nil {
return res, nil
}
if err != nil && tries > 3 {
return nil, err
}
tries++
} }
f, err := os.Open(localPath)
if err != nil {
return nil, err
}
hasher := sha256.New()
_, err = io.Copy(hasher, f)
if err != nil {
return nil, err
}
hash := hex.EncodeToString(hasher.Sum(nil))
err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
if err != nil {
s.log.Errorf("failed to create task artifact signature: %v", err)
return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
}
return &keykeeperpb.SignedArtifact{
Path: newObjectKey,
HashSha256: hash,
}, nil
default: default:
s.log.Infof("skipping artifact %s, extension %s not supported", artifact.Name, ext) s.log.Infof("skipping artifact %s, extension %s not supported", artifact.Name, ext)
return nil, ErrUnsupportedExtension return nil, ErrUnsupportedExtension