Merge pull request #62 from mstg/keykeeper-fix
Import RPM key to verify signature and stop blocking on failure
commit
96d2a2d736
@ -38,6 +38,8 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"github.com/ProtonMail/gopenpgp/v2/crypto"
|
"github.com/ProtonMail/gopenpgp/v2/crypto"
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"peridot.resf.org/peridot/db/models"
|
"peridot.resf.org/peridot/db/models"
|
||||||
"peridot.resf.org/utils"
|
"peridot.resf.org/utils"
|
||||||
@ -75,6 +77,24 @@ func (s *Server) importGpgKey(armoredKey string) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *Server) importRpmKey(publicKey string) error {
|
||||||
|
tmpFile, err := ioutil.TempFile("/tmp", "peridot-key-")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
defer os.Remove(tmpFile.Name())
|
||||||
|
_, err = tmpFile.Write([]byte(publicKey))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
cmd := gpgCmdEnv(exec.Command("rpm", "--import", tmpFile.Name()))
|
||||||
|
out, err := logCmdRun(cmd)
|
||||||
|
if err != nil {
|
||||||
|
s.log.Errorf("failed to import rpm key: %s", out.String())
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
// WarmGPGKey warms up a specific GPG key
|
// WarmGPGKey warms up a specific GPG key
|
||||||
// This involves shelling out to GPG to import the key
|
// This involves shelling out to GPG to import the key
|
||||||
func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, db *models.Key) (*LoadedKey, error) {
|
func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, db *models.Key) (*LoadedKey, error) {
|
||||||
@ -89,6 +109,11 @@ func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, d
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = s.importRpmKey(db.PublicKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
cachedKey := &LoadedKey{
|
cachedKey := &LoadedKey{
|
||||||
keyUuid: db.ID,
|
keyUuid: db.ID,
|
||||||
gpgId: gpgKey.GetHexKeyID(),
|
gpgId: gpgKey.GetHexKeyID(),
|
||||||
|
@ -188,6 +188,13 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
|
|||||||
|
|
||||||
switch ext {
|
switch ext {
|
||||||
case ".rpm":
|
case ".rpm":
|
||||||
|
beginTx, err := s.db.Begin()
|
||||||
|
if err != nil {
|
||||||
|
s.log.Errorf("failed to begin transaction: %v", err)
|
||||||
|
return nil, status.Error(codes.Internal, "failed to begin transaction")
|
||||||
|
}
|
||||||
|
tx := s.db.UseTransaction(beginTx)
|
||||||
|
|
||||||
rpmSign := func() (*keykeeperpb.SignedArtifact, error) {
|
rpmSign := func() (*keykeeperpb.SignedArtifact, error) {
|
||||||
var outBuf bytes.Buffer
|
var outBuf bytes.Buffer
|
||||||
opts := []string{
|
opts := []string{
|
||||||
@ -233,7 +240,7 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
|
|||||||
}
|
}
|
||||||
hash := hex.EncodeToString(hasher.Sum(nil))
|
hash := hex.EncodeToString(hasher.Sum(nil))
|
||||||
|
|
||||||
err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
|
err = tx.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
s.log.Errorf("failed to create task artifact signature: %v", err)
|
s.log.Errorf("failed to create task artifact signature: %v", err)
|
||||||
return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
|
return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
|
||||||
@ -257,22 +264,26 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
|
|||||||
err := cmd.Run()
|
err := cmd.Run()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
|
s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
|
||||||
|
s.log.Errorf("buf: %s", outBuf.String())
|
||||||
return fmt.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
|
return fmt.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
|
||||||
}
|
}
|
||||||
if !strings.Contains(outBuf.String(), "digest signatures OK") {
|
|
||||||
s.log.Errorf("artifact %s not signed(?), retrying", artifact.Name)
|
|
||||||
return fmt.Errorf("artifact %s not signed(?), retrying", artifact.Name)
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
res, err := rpmSign()
|
res, err := rpmSign()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
_ = beginTx.Rollback()
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
err = verifySig()
|
err = verifySig()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
_ = beginTx.Rollback()
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
err = beginTx.Commit()
|
||||||
|
if err != nil {
|
||||||
|
s.log.Errorf("failed to commit transaction: %v", err)
|
||||||
|
return nil, status.Error(codes.Internal, "failed to commit transaction")
|
||||||
|
}
|
||||||
|
|
||||||
return res, nil
|
return res, nil
|
||||||
default:
|
default:
|
||||||
|