| Sysop: | Amessyroom |
|---|---|
| Location: | Fayetteville, NC |
| Users: | 40 |
| Nodes: | 6 (0 / 6) |
| Uptime: | 09:25:46 |
| Calls: | 291 |
| Files: | 910 |
| Messages: | 76,419 |
On Wed, 2024-11-27 at 15:30 -0500, Eli Schwartz wrote:
The current state of verify-sig support is a bit awkward. We rely on
validating distfiles against a known trusted keyring, but creating the
known trusted keyring is basically all manual verification. We somehow
decide an ascii armored key is good enough without any portage
assistance, then arrange to download it and trust it by Manifest hash.
How do we know when updating a key is actually safe?
This eclass handles the problem in a manner inspired in part by pacman.
We require an eclass variable that lists all permitted PGP fingerprints,
and the eclass is responsible checking that list against the keys we
will install. It comes with a mechanism for computing SRC_URI for a
couple of well known locations, or you can append your own in the
ebuild.
How about adding a src_test() that would check if the key needs bumping,
i.e. if an online update triggers any meaningful changes?
The current state of verify-sig support is a bit awkward. We rely on validating distfiles against a known trusted keyring, but creating the
known trusted keyring is basically all manual verification. We somehow
decide an ascii armored key is good enough without any portage
assistance, then arrange to download it and trust it by Manifest hash.
How do we know when updating a key is actually safe?
This eclass handles the problem in a manner inspired in part by pacman.
We require an eclass variable that lists all permitted PGP fingerprints,
and the eclass is responsible checking that list against the keys we
will install. It comes with a mechanism for computing SRC_URI for a
couple of well known locations, or you can append your own in the
ebuild.
The current state of verify-sig support is a bit awkward. We rely on validating distfiles against a known trusted keyring, but creating the
known trusted keyring is basically all manual verification. We somehow
decide an ascii armored key is good enough without any portage
assistance, then arrange to download it and trust it by Manifest hash.
How do we know when updating a key is actually safe?
This eclass handles the problem in a manner inspired in part by pacman.
We require an eclass variable that lists all permitted PGP fingerprints,
and the eclass is responsible checking that list against the keys we
will install. It comes with a mechanism for computing SRC_URI for a
couple of well known locations, or you can append your own in the
ebuild.
Key rotations, both expected and malicious, are easily detected by
checking the git log for changes to declared finterprints in a bump. The
former can be rationalized in the commit message. So can the latter, but
in most cases those will be rejected during peer review.
Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>
---
eclass/sec-keys.eclass | 150 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 150 insertions(+)
create mode 100644 eclass/sec-keys.eclass
diff --git a/eclass/sec-keys.eclass b/eclass/sec-keys.eclass
new file mode 100644
index 000000000000..95e1b4a92c0e
--- /dev/null
+++ b/eclass/sec-keys.eclass
@@ -0,0 +1,150 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: sec-keys.eclass
+# @MAINTAINER:
+# Eli Schwartz <eschwartz@gentoo.org>
+# @AUTHOR:
+# Eli Schwartz <eschwartz@gentoo.org>
+# @SUPPORTED_EAPIS: 8
+# @BLURB: Provides a uniform way of handling ebuilds which package PGP key material
+# @DESCRIPTION:
+# This eclass provides a streamlined approach to finding suitable source material
+# for OpenPGP keys used by the verify-sig eclass. Its primary purpose is to permit
+# developers to easily and securely package new sec-keys/* packages. The eclass
+# removes the risk of developers accidentally packaging malformed key material, or
+# neglecting to notice when PGP identities have changed.
+#
+# To use the eclass, define SEC_KEYS_VALIDPGPKEYS to contain the fingerprint of
+# the key and the short name of the key's owner.
+#
+# @EXAMPLE:
+# Example use:
+#
+# @CODE
+# SEC_KEYS_VALIDPGPKEYS=(
+# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
+# )
+#
+# inherit sec-keys
+# @CODE
+
+case ${EAPI} in
+ 8) ;;
+ *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
+esac
+
+if [[ ! ${_SEC_KEYS_ECLASS} ]]; then
+_SEC_KEYS_ECLASS=1
+
+inherit edo
+
+# @ECLASS_VARIABLE: SEC_KEYS_VALIDPGPKEYS
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Mapping of fingerprints, name, and optional location of PGP keys to include,
+# separated by colons. The allowed values for a location are:
+#
+# - github -- fetch key from github.com/${name}.pgp
+#
+# - openpgp -- fetch key by fingerprint from https://keys.openpgp.org
+#
+# - ubuntu -- fetch key by fingerprint from http://keyserver.ubuntu.com (the default)
+#
+# - none -- do not add to SRC_URI, the ebuild will provide a custom download location
+_sec_keys_set_globals() {
+ if [[ ${SEC_KEYS_VALIDPGPKEYS[*]} ]]; then
+ local key fingerprint name loc locations=() remote
+ for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
+ fingerprint=${key%%:*}
+ name=${key#${fingerprint}:}; name=${name%%:*}
+ IFS=: read -r -a locations <<<"${key##*:}"
+ [[ ${locations[@]} ]] || locations=(ubuntu)
+ for loc in "${locations[@]}"; do
+ case ${loc} in
+ github) remote="https://github.com/${name}.gpg";;
+ openpgp) remote="https://keys.openpgp.org/vks/v1/by-fingerprint/${fingerprint}";;
+ ubuntu) remote="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${fingerprint}";;
+ # provided via manual SRC_URI
+ none) continue;;
+ *) die "${ECLASS}: unknown PGP key remote: ${loc}";;
+
+ esac
+ SRC_URI+="
+ ${remote} -> openpgp-keys-${name}-${loc}-${PV}.asc
+ "
+ done
+ done
+ fi
+}
+_sec_keys_set_globals
+unset -f _sec_keys_set_globals
+
+BDEPEND="app-crypt/gnupg"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+
+
+# @FUNCTION: sec-keys_src_compile
+# @DESCRIPTION:
+# Default src_compile override that imports all public keys into a keyring, +# and validates that they are listed in SEC_KEYS_VALIDPGPKEYS. +sec-keys_src_compile() {
+ local -x GNUPGHOME=${WORKDIR}/gnupg
+ mkdir -m700 -p "${GNUPGHOME}" || die
+
+ pushd "${DISTDIR}" >/dev/null || die
+ gpg --import ${A} || die
+ popd >/dev/null || die
+
+ local line imported_keys=() found=0
+ while IFS=: read -r -a line; do
+ if [[ ${line[0]} = pub ]]; then
+ # new key
+ found=0
+ elif [[ ${found} = 0 && ${line[0]} = fpr ]]; then
+ # primary fingerprint
+ imported_keys+=("${line[9]}")
+ found=1
+ fi
+ done < <(gpg --batch --list-keys --keyid-format=long --with-colons || die)
+
+ printf '%s\n' "${imported_keys[@]}" | sort > imported_keys.list || die + printf '%s\n' "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}" | sort > allowed_keys.list || die
+
+ local extra_keys=($(comm -23 imported_keys.list allowed_keys.list || die))
+ local missing_keys=($(comm -13 imported_keys.list allowed_keys.list || die))
+
+ if [[ ${#extra_keys[@]} != 0 ]]; then
+ die "too many keys found. Suspicious keys: ${extra_keys[@]}"
+ fi
+ if [[ ${#missing_keys[@]} != 0 ]]; then
+ die "too few keys found. Unavailable keys: ${missing_keys[@]}" + fi
+}
+
+# @FUNCTION: sec-keys_src_install
+# @DESCRIPTION:
+# Default src_install override that minifies and exports all PGP public keys +# into an ascii-armored keyfile installed to the standard /usr/share/openpgp-keys.
+sec-keys_src_install() {
+ local -x GNUPGHOME=${WORKDIR}/gnupg
+ local fingerprint
+ local gpg_command=(gpg --no-permission-warning --export-options export-minimal)
+
+ for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
+ local uids=()
+ mapfile -t uids < <("${gpg_command[@]}" --list-key --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
+ edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
+ done
+
+ insinto /usr/share/openpgp-keys
+ doins ${PN#openpgp-keys-}.asc
+}
+
+fi
+
+EXPORT_FUNCTIONS src_compile src_install
On Wed, 2024-11-27 at 15:30 -0500, Eli Schwartz wrote:
The current state of verify-sig support is a bit awkward. We rely on
validating distfiles against a known trusted keyring, but creating the
known trusted keyring is basically all manual verification. We somehow
decide an ascii armored key is good enough without any portage
assistance, then arrange to download it and trust it by Manifest hash.
How do we know when updating a key is actually safe?
This eclass handles the problem in a manner inspired in part by pacman.
We require an eclass variable that lists all permitted PGP fingerprints,
and the eclass is responsible checking that list against the keys we
will install. It comes with a mechanism for computing SRC_URI for a
couple of well known locations, or you can append your own in the
ebuild.
How about adding a src_test() that would check if the key needs bumping,
i.e. if an online update triggers any meaningful changes?
Eli Schwartz <eschwartz@gentoo.org> writes:
+# @EXAMPLE:
+# Example use:
+#
+# @CODE
+# SEC_KEYS_VALIDPGPKEYS=(
+# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
+# )
Can you expand the example(s) here maybe with some comments in the array
to help people see when it might be suitable to use e.g. none with a mix
of github?
+# @FUNCTION: sec-keys_src_compile
+# @DESCRIPTION:
+# Default src_compile override that imports all public keys into a keyring, >> +# and validates that they are listed in SEC_KEYS_VALIDPGPKEYS.
+sec-keys_src_compile() {
+ local -x GNUPGHOME=${WORKDIR}/gnupg
+ mkdir -m700 -p "${GNUPGHOME}" || die
Is there any value in using gemato's gpg-wrap for this function?
+ local extra_keys=($(comm -23 imported_keys.list allowed_keys.list || die))
+ local missing_keys=($(comm -13 imported_keys.list allowed_keys.list || die))
Any reason to not readarray this instead?
+ for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
+ local uids=()
+ mapfile -t uids < <("${gpg_command[@]}" --list-key --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
+ edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
No need for the die here.
On Wed, 27 Nov 2024, Eli Schwartz wrote:
--- /dev/null
+++ b/eclass/sec-keys.eclass
@@ -0,0 +1,150 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: sec-keys.eclass
+# @MAINTAINER:
+# Eli Schwartz <eschwartz@gentoo.org>
+# @AUTHOR:
+# Eli Schwartz <eschwartz@gentoo.org>
+# @SUPPORTED_EAPIS: 8
+# @BLURB: Provides a uniform way of handling ebuilds which package PGP key material
+# @DESCRIPTION:
+# This eclass provides a streamlined approach to finding suitable source material
+# for OpenPGP keys used by the verify-sig eclass. Its primary purpose is to permit
+# developers to easily and securely package new sec-keys/* packages. The eclass
+# removes the risk of developers accidentally packaging malformed key material, or
+# neglecting to notice when PGP identities have changed.
+#
+# To use the eclass, define SEC_KEYS_VALIDPGPKEYS to contain the fingerprint of
+# the key and the short name of the key's owner.
+#
+# @EXAMPLE:
+# Example use:
+#
+# @CODE
+# SEC_KEYS_VALIDPGPKEYS=(
+# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
+# )
+#
+# inherit sec-keys
+# @CODE
+
+case ${EAPI} in
+ 8) ;;
+ *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
+esac
+
+if [[ ! ${_SEC_KEYS_ECLASS} ]]; then
+_SEC_KEYS_ECLASS=1
+
+inherit edo
+
+# @ECLASS_VARIABLE: SEC_KEYS_VALIDPGPKEYS
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Mapping of fingerprints, name, and optional location of PGP keys to include,
+# separated by colons. The allowed values for a location are:
+#
+# - github -- fetch key from github.com/${name}.pgp
+#
+# - openpgp -- fetch key by fingerprint from https://keys.openpgp.org
+#
+# - ubuntu -- fetch key by fingerprint from http://keyserver.ubuntu.com (the default)
+#
+# - none -- do not add to SRC_URI, the ebuild will provide a custom download location
+_sec_keys_set_globals() {
+ if [[ ${SEC_KEYS_VALIDPGPKEYS[*]} ]]; then
+ local key fingerprint name loc locations=() remote
+ for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
+ fingerprint=${key%%:*}
+ name=${key#${fingerprint}:}; name=${name%%:*}
+ IFS=: read -r -a locations <<<"${key##*:}"
+ [[ ${locations[@]} ]] || locations=(ubuntu)
+ for loc in "${locations[@]}"; do
+ case ${loc} in
+ github) remote="https://github.com/${name}.gpg";;
+ openpgp) remote="https://keys.openpgp.org/vks/v1/by-fingerprint/${fingerprint}";;
+ ubuntu) remote="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${fingerprint}";;
+ # provided via manual SRC_URI
+ none) continue;;
+ *) die "${ECLASS}: unknown PGP key remote: ${loc}";;
+
+ esac
+ SRC_URI+="
+ ${remote} -> openpgp-keys-${name}-${loc}-${PV}.asc
+ "
+ done
+ done
+ fi
+}
+_sec_keys_set_globals
+unset -f _sec_keys_set_globals
+
+BDEPEND="app-crypt/gnupg"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+
+
+# @FUNCTION: sec-keys_src_compile
+# @DESCRIPTION:
+# Default src_compile override that imports all public keys into a keyring, +# and validates that they are listed in SEC_KEYS_VALIDPGPKEYS. +sec-keys_src_compile() {
+ local -x GNUPGHOME=${WORKDIR}/gnupg
+ mkdir -m700 -p "${GNUPGHOME}" || die
+
+ pushd "${DISTDIR}" >/dev/null || die
+ gpg --import ${A} || die
+ popd >/dev/null || die
+
+ local line imported_keys=() found=0
+ while IFS=: read -r -a line; do
+ if [[ ${line[0]} = pub ]]; then
+ # new key
+ found=0
+ elif [[ ${found} = 0 && ${line[0]} = fpr ]]; then
+ # primary fingerprint
+ imported_keys+=("${line[9]}")
+ found=1
+ fi
+ done < <(gpg --batch --list-keys --keyid-format=long --with-colons || die)
+
+ printf '%s\n' "${imported_keys[@]}" | sort > imported_keys.list || die + printf '%s\n' "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}" | sort > allowed_keys.list || die
+
+ local extra_keys=($(comm -23 imported_keys.list allowed_keys.list || die))
+ local missing_keys=($(comm -13 imported_keys.list allowed_keys.list || die))
+
+ if [[ ${#extra_keys[@]} != 0 ]]; then
+ die "too many keys found. Suspicious keys: ${extra_keys[@]}"
+ fi
+ if [[ ${#missing_keys[@]} != 0 ]]; then
+ die "too few keys found. Unavailable keys: ${missing_keys[@]}" + fi
+}
+
+# @FUNCTION: sec-keys_src_install
+# @DESCRIPTION:
+# Default src_install override that minifies and exports all PGP public keys +# into an ascii-armored keyfile installed to the standard /usr/share/openpgp-keys.
+sec-keys_src_install() {
+ local -x GNUPGHOME=${WORKDIR}/gnupg
+ local fingerprint
+ local gpg_command=(gpg --no-permission-warning --export-options export-minimal)
+
+ for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
+ local uids=()
+ mapfile -t uids < <("${gpg_command[@]}" --list-key --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
+ edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
+ done
+
+ insinto /usr/share/openpgp-keys
+ doins ${PN#openpgp-keys-}.asc
+}
+
+fi
+
+EXPORT_FUNCTIONS src_compile src_install
On Wed, 27 Nov 2024, Eli Schwartz wrote:
--- /dev/null
+++ b/eclass/sec-keys.eclass
@@ -0,0 +1,150 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: sec-keys.eclass
+# @MAINTAINER:
+# Eli Schwartz <eschwartz@gentoo.org>
+# @AUTHOR:
+# Eli Schwartz <eschwartz@gentoo.org>
+# @SUPPORTED_EAPIS: 8
+# @BLURB: Provides a uniform way of handling ebuilds which package PGP key material
+# @DESCRIPTION:
+# This eclass provides a streamlined approach to finding suitable source material
+# for OpenPGP keys used by the verify-sig eclass. Its primary purpose is to permit
+# developers to easily and securely package new sec-keys/* packages. The eclass
+# removes the risk of developers accidentally packaging malformed key material, or
+# neglecting to notice when PGP identities have changed.
+#
+# To use the eclass, define SEC_KEYS_VALIDPGPKEYS to contain the fingerprint of
+# the key and the short name of the key's owner.
Please wrap these comment lines to a line length of 70-ish characters
for readability.
Also, there should be two spaces after every full stop (except when it's followed by a newline), so groff can recognise the sentence end in the generated man page.
+_sec_keys_set_globals() {
+ if [[ ${SEC_KEYS_VALIDPGPKEYS[*]} ]]; then
Why is the if needed? If the array is empty, the following for loop
won't execute.
+ printf '%s\n' "${imported_keys[@]}" | sort > imported_keys.list || die >> + printf '%s\n' "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}" | sort > allowed_keys.list || die
Maybe create these files in ${T} instead?