-
Notifications
You must be signed in to change notification settings - Fork 379
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
signature: add OpenPGP signing mechanism based on Sequoia
This adds a new OpenPGP signing mechanism based Sequoia[1]. As Sequoia is written in Rust and doesn't provide a stable C FFI, this integration uses a minimal shared library as a "point solution". To build, first follow the instruction at [2] and install `libpodman_sequoia.so*` into the library path, and then build with the following command from the top-level directory: $ make BUILDTAGS="btrfs_noversion libdm_no_deferred_remove containers_image_sequoia" Note also that, for testing on Fedora, crypto-policies settings might need to be modified to explictly allow SHA-1 and 1024 bit RSA, as the testing keys in signature/fixtures are using those legacy algorithms. 1. https://sequoia-pgp.org/ 2. https://github.com/ueno/podman-sequoia Signed-off-by: Daiki Ueno <[email protected]>
- Loading branch information
Showing
6 changed files
with
142 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,134 @@ | ||
//go:build containers_image_sequoia | ||
// +build containers_image_sequoia | ||
|
||
package signature | ||
|
||
import ( | ||
"github.com/containers/storage/pkg/homedir" | ||
"github.com/ueno/podman-sequoia/go/sequoia" | ||
"os" | ||
"path" | ||
) | ||
|
||
// A GPG/OpenPGP signing mechanism, implemented using Sequoia. | ||
type sequoiaSigningMechanism struct { | ||
inner *sequoia.SigningMechanism | ||
migratedDir string // If not "", a directory to be removed on Close() | ||
} | ||
|
||
// newGPGSigningMechanismInDirectory returns a new GPG/OpenPGP signing mechanism, using optionalDir if not empty. | ||
// The caller must call .Close() on the returned SigningMechanism. | ||
func newGPGSigningMechanismInDirectory(optionalDir string) (signingMechanismWithPassphrase, error) { | ||
// Migrate GnuPG home directory into a Sequoia format. | ||
dir, err := os.MkdirTemp("", "containers-ephemeral-gpg-") | ||
if err != nil { | ||
return nil, err | ||
} | ||
removeDir := true | ||
defer func() { | ||
if removeDir { | ||
os.RemoveAll(dir) | ||
} | ||
}() | ||
mech, err := sequoia.NewMechanismFromDirectory(dir) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
gpgHome := optionalDir | ||
if gpgHome == "" { | ||
gpgHome = os.Getenv("GNUPGHOME") | ||
if gpgHome == "" { | ||
gpgHome = path.Join(homedir.Get(), ".gnupg") | ||
} | ||
} | ||
for _, keyring := range []string{"pubring.gpg", "secring.gpg"} { | ||
blob, err := os.ReadFile(path.Join(gpgHome, keyring)) | ||
if err != nil { | ||
if !os.IsNotExist(err) { | ||
return nil, err | ||
} | ||
} else if _, err := mech.ImportKeys(blob); err != nil { | ||
return nil, err | ||
} | ||
} | ||
|
||
removeDir = false | ||
return &sequoiaSigningMechanism{ | ||
inner: mech, | ||
migratedDir: dir, | ||
}, nil | ||
} | ||
|
||
// newEphemeralGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism which | ||
// recognizes _only_ public keys from the supplied blobs, and returns the identities | ||
// of these keys. | ||
// The caller must call .Close() on the returned SigningMechanism. | ||
func newEphemeralGPGSigningMechanism(blobs [][]byte) (signingMechanismWithPassphrase, []string, error) { | ||
mech, err := sequoia.NewEphemeralMechanism() | ||
if err != nil { | ||
return nil, nil, err | ||
} | ||
keyIdentities := []string{} | ||
for _, blob := range blobs { | ||
ki, err := mech.ImportKeys(blob) | ||
if err != nil { | ||
return nil, nil, err | ||
} | ||
keyIdentities = append(keyIdentities, ki...) | ||
} | ||
|
||
return &sequoiaSigningMechanism{ | ||
inner: mech, | ||
migratedDir: "", | ||
}, keyIdentities, nil | ||
} | ||
|
||
func (m *sequoiaSigningMechanism) Close() error { | ||
err := m.inner.Close() | ||
if err != nil { | ||
return err | ||
} | ||
if m.migratedDir != "" { | ||
os.RemoveAll(m.migratedDir) // Ignore an error, if any | ||
} | ||
return nil | ||
} | ||
|
||
// SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError. | ||
func (m *sequoiaSigningMechanism) SupportsSigning() error { | ||
return m.inner.SupportsSigning() | ||
} | ||
|
||
// Sign creates a (non-detached) signature of input using keyIdentity and passphrase. | ||
// Fails with a SigningNotSupportedError if the mechanism does not support signing. | ||
func (m *sequoiaSigningMechanism) SignWithPassphrase(input []byte, keyIdentity string, passphrase string) ([]byte, error) { | ||
return m.inner.SignWithPassphrase(input, keyIdentity, passphrase) | ||
} | ||
|
||
// Sign creates a (non-detached) signature of input using keyIdentity. | ||
// Fails with a SigningNotSupportedError if the mechanism does not support signing. | ||
func (m *sequoiaSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte, error) { | ||
return m.inner.Sign(input, keyIdentity) | ||
} | ||
|
||
// Verify parses unverifiedSignature and returns the content and the signer's identity | ||
func (m *sequoiaSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) { | ||
return m.inner.Verify(unverifiedSignature) | ||
} | ||
|
||
// UntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION, | ||
// along with a short identifier of the key used for signing. | ||
// WARNING: The short key identifier (which corresponds to "Key ID" for OpenPGP keys) | ||
// is NOT the same as a "key identity" used in other calls to this interface, and | ||
// the values may have no recognizable relationship if the public key is not available. | ||
func (m *sequoiaSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) { | ||
return gpgUntrustedSignatureContents(untrustedSignature) | ||
} | ||
|
||
func init() { | ||
err := sequoia.Init() | ||
if err != nil { | ||
panic("sequoia cannot be loaded") | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters