4
0
Fork 0
mirror of https://github.com/rocky-linux/peridot.git synced 2025-01-08 01:50:55 +00:00

Merge pull request #62 from mstg/keykeeper-fix

Import RPM key to verify signature and stop blocking on failure
This commit is contained in:
resf-prow[bot] 2022-11-07 01:00:46 +00:00 committed by GitHub
commit 96d2a2d736
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 5 deletions
peridot/keykeeper/v1

View file

@ -38,6 +38,8 @@ import (
"fmt"
"github.com/ProtonMail/gopenpgp/v2/crypto"
"github.com/google/uuid"
"io/ioutil"
"os"
"os/exec"
"peridot.resf.org/peridot/db/models"
"peridot.resf.org/utils"
@ -75,6 +77,24 @@ func (s *Server) importGpgKey(armoredKey string) error {
return err
}
func (s *Server) importRpmKey(publicKey string) error {
tmpFile, err := ioutil.TempFile("/tmp", "peridot-key-")
if err != nil {
return err
}
defer os.Remove(tmpFile.Name())
_, err = tmpFile.Write([]byte(publicKey))
if err != nil {
return err
}
cmd := gpgCmdEnv(exec.Command("rpm", "--import", tmpFile.Name()))
out, err := logCmdRun(cmd)
if err != nil {
s.log.Errorf("failed to import rpm key: %s", out.String())
}
return err
}
// WarmGPGKey warms up a specific GPG key
// This involves shelling out to GPG to import the key
func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, db *models.Key) (*LoadedKey, error) {
@ -89,6 +109,11 @@ func (s *Server) WarmGPGKey(key string, armoredKey string, gpgKey *crypto.Key, d
return nil, err
}
err = s.importRpmKey(db.PublicKey)
if err != nil {
return nil, err
}
cachedKey := &LoadedKey{
keyUuid: db.ID,
gpgId: gpgKey.GetHexKeyID(),

View file

@ -188,6 +188,13 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
switch ext {
case ".rpm":
beginTx, err := s.db.Begin()
if err != nil {
s.log.Errorf("failed to begin transaction: %v", err)
return nil, status.Error(codes.Internal, "failed to begin transaction")
}
tx := s.db.UseTransaction(beginTx)
rpmSign := func() (*keykeeperpb.SignedArtifact, error) {
var outBuf bytes.Buffer
opts := []string{
@ -233,7 +240,7 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
}
hash := hex.EncodeToString(hasher.Sum(nil))
err = s.db.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
err = tx.CreateTaskArtifactSignature(artifact.ID.String(), key.keyUuid.String(), hash)
if err != nil {
s.log.Errorf("failed to create task artifact signature: %v", err)
return nil, fmt.Errorf("failed to create task artifact signature: %v", err)
@ -257,22 +264,26 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
err := cmd.Run()
if err != nil {
s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
s.log.Errorf("buf: %s", outBuf.String())
return fmt.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
}
if !strings.Contains(outBuf.String(), "digest signatures OK") {
s.log.Errorf("artifact %s not signed(?), retrying", artifact.Name)
return fmt.Errorf("artifact %s not signed(?), retrying", artifact.Name)
}
return nil
}
res, err := rpmSign()
if err != nil {
_ = beginTx.Rollback()
return nil, err
}
err = verifySig()
if err != nil {
_ = beginTx.Rollback()
return nil, err
}
err = beginTx.Commit()
if err != nil {
s.log.Errorf("failed to commit transaction: %v", err)
return nil, status.Error(codes.Internal, "failed to commit transaction")
}
return res, nil
default: