Add handler script to support signing apt repository with multiple keys. #137
Conversation
Reprepro will handle signing if an individual key is specified or if the default gpg can be used, but signing a release with multiple keys requires the use of a handler script. The handler script is added as a static script which relies on a new shell configuration file to set variables dictating the keys used via adding them to KEY_OPTS. Additional GPG options can also be set in the GPG_OPTS variable although this is currently unused. The config file is intended to be used as a chef template which will incorporate the keys to be used.
nuclearsandwich
force-pushed
the
nuclearsandwich/apt-multisign
branch
from
b7b439a to
575b7e2
Compare
| it { should exist } | ||
| end | ||
|
|
||
| describe command('su - jenkins-agent -c "gpg --verify /var/repos/ubuntu/main/dists/focal/InRelease"') do |
There was a problem hiding this comment.
Running this as the jenkins-agent user, whose keyring has the public and private signing keys on it, verifies that the signatures are all valid.
There was a problem hiding this comment.
Could be the case that this verifies that only a single signature is present and valid but we are not verifying in the PR that we are indeed signing the file with multiple keys?
| @@ -0,0 +1,7 @@ | |||
| { | |||
| "id": "test-beta", | |||
| "default": true, | |||
There was a problem hiding this comment.
I stuck the default tag on the "middle" key to make sure that it works when not the first or the last. The "default" key is the one that our ros-archive-keyring package should set SignedBy= for.
| <% if @signing_key_ids.size != 0 -%> | ||
| <% @signing_key_ids.each do |fingerprint| -%> | ||
| KEY_OPTS="$KEY_OPTS -u <%= fingerprint %>" | ||
| <% end -%> | ||
| <% end -%> |
There was a problem hiding this comment.
This could be templated out another way, but I think this is a reasonable pattern.
I realize as I write that the test for a non-zero size is vestigial from when I was planning to make this
| <% if @signing_key_ids.size != 0 -%> | |
| <% @signing_key_ids.each do |fingerprint| -%> | |
| KEY_OPTS="$KEY_OPTS -u <%= fingerprint %>" | |
| <% end -%> | |
| <% end -%> | |
| <% if @signing_key_ids.size != 0 -%> | |
| KEY_OPTS="$KEY_OPTS -u <%= @signing_key_ids.join(" -u ") %>" | |
| <% end -%> |
and thus can be removed. Of course, if this version is preferred then the loop can be removed instead.
| # Set up ssh authorized keys for publish over ssh. | ||
| directory "/home/#{agent_username}/.ssh" do |
There was a problem hiding this comment.
This is diff artifacting. There is no relationship to the added cookbook_file. This section was moved up to line 115 to allow the ssh directory to be used for GPG private keys.
| @@ -111,35 +111,100 @@ | |||
| triggers_reload true | |||
There was a problem hiding this comment.
This file appears to suffer from a pretty clumsy rebase. Please hold off on review of it for now.
| @@ -173,12 +238,15 @@ | |||
| only_if { ::File.symlink?("/home/#{agent_username}/.gnupg/S.gpg-agent") } | |||
| end | |||
|
|
|||
| # Set up ssh authorized keys for publish over ssh. | |||
| directory "/home/#{agent_username}/.ssh" do | |||
| cookbook_file "/home/#{agent_username}/reprepro-sign.sh" do | |||
There was a problem hiding this comment.
The path is used also in a template command a bit below. Could be a good idea to store it in a single place/var to facilitate maintenance and changes.
| @@ -268,12 +336,22 @@ | |||
| mode '0600' | |||
| variables Hash[ | |||
| architectures: node['ros_buildfarm']['apt_repos']['architectures'], | |||
| signing_key: gpg_key['fingerprint'], | |||
| signing_key: "! /home/#{agent_username}/reprepro-sign.sh", | |||
There was a problem hiding this comment.
| signing_key: "! /home/#{agent_username}/reprepro-sign.sh", | |
| # The ! + script notation is defined in the reprepro manpage when using external scripts | |
| signing_key: "! /home/#{agent_username}/reprepro-sign.sh", |
| Chef::Log.warn("Support for multiple GPG keys has changed the layout if this data bag.") | ||
| Chef::Log.warn("Please see the Changelog entry Forthcoming for details.") | ||
| Chef::Log.warn("The sole key will be assumed the default.") | ||
| gpg_keys = search('ros_buildfarm_repository_signing_keys', "id:#{node.chef_environment}") |
There was a problem hiding this comment.
same command than in 121, is this intentional?
| it { should exist } | ||
| end | ||
|
|
||
| describe command('su - jenkins-agent -c "gpg --verify /var/repos/ubuntu/main/dists/focal/InRelease"') do |
There was a problem hiding this comment.
Could be the case that this verifies that only a single signature is present and valid but we are not verifying in the PR that we are indeed signing the file with multiple keys?
Reprepro will handle signing if an individual key is specified or if the default gpg can be used, but signing a release with multiple keys requires the use of a handler script.
The handler script is added as a static script which relies on a new shell configuration file to set variables dictating the keys used via adding them to KEY_OPTS.
Additional GPG options can also be set in the GPG_OPTS variable although this is currently unused.
The config file is intended to be used as a chef template which will incorporate the keys to be used.
Caveats
I actually wrote this on an omnibus branch that included #136 and #135 because the pulp removal simplifies a lot of the GPG configuration. I'm not sure if this branch rebased onto latest will build.
Unsupported as of now is the ability to use multiple signatures on the rpm repositories.
For the time being they are only signed with the key designated "default".
It would be nice to try and resurrect the gpg-vault setup from #55, reverted in #82 because of consistency issues. I don't want to block on that but I would like to port the GPG vault approach forward and see if we have the same issues on a test farm in a future PR.