feat: integrity checks for Ubuntu Release files #106
This reverts commit 6bf6d46.
This commit adds the functionality to add public keys to validate archive InRelease file signatures. Instead of downloading the "Release" files for different suites, download the signed "InRelease" file and validate the signature with the provided key(s).

This commit extends the chisel release with public key definitions. They are stored in ASCII armored format in the top-level public-keys property by name. And they are referenced by name in the public-keys list property in archive definitions. An example of the extended chisel release file is at the bottom.

Example chisel.yaml:

```yaml
format: chisel-v1
archives:
  ubuntu:
    version: 22.04
    components: [main, universe]
    suites: [jammy, jammy-updates, jammy-security]
    public-keys: [ubuntu]
  ubuntu-fips:
    version: 22.04
    pro: fips
    components: [main]
    suites: [jammy]
    public-keys: [ubuntu-fips]
  ubuntu-fips-updates:
    version: 22.04
    pro: fips-updates
    components: [main]
    suites: [jammy]
    public-keys: [ubuntu-fips]
public-keys:
  ubuntu:
    id: C2B15A6A7FCD95FD
    armor: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      mQINBFzZxGABEADSWmX0+K//0cosKPyr5m1ewmwWKjRo/KBPTyR8icHhbBWfFd8T
      DtYggvQHPU0YnKRcWits0et8JqSgZttNa28s7SaSUTBzfgzFJZgULAi/4i8u8TUj
      +KH2zSoUX55NKC9aozba1cR66jM6O/BHXK5YoZzTpmiY1AHlIWAJ9s6cCClhnYMR
      ...
      E+SWDGxtgwixyPziL56UavL/eeYJWeS/WqvGzZzsAtgSujFVLKWyUaRi0NvYW3h/
      I50Tzj0Pkm8GtgvP2UqAWvy+iRpeUQ2ji0Nc
      =j6+P
      -----END PGP PUBLIC KEY BLOCK-----
  ubuntu-fips:
    id: E173597E2CAB05C1
    armor: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      mQINBE+tgXgBEADfiL1KNFHT4H4Dw0OR9LemR8ebsFl+b9E44IpGhgWYDufj0gaM
      /UJ1Ti3bHfRT39VVZ6cv1P4mQy0bnAKFbYz/wo+GhzjBWtn6dThYv7n+KL8bptSC
      Xgg1a6en8dCCIA/pwtS2Ut/g4Eu6Z467dvYNlMgCqvg+prKIrXf5ibio48j3AFvd
      ...
      mguPI1KLfnVnXnsT5JYMbG2DCLHI/OIvnpRq8v955glZ5L9aq8bNnOwC2BK6MVUs
      pbJRpGLQ29hbeH8jnRPOPQ+Sbwa2C8/ZSoBa/L6JGl5RDaOLQ1w=
      =6Bkw
      -----END PGP PUBLIC KEY BLOCK-----
```
This commit introduces a new chisel-release yaml format named "chisel-v2". The major change in this format is the introduction of the "public-keys" field, which is used in archive definitions to verify archive InRelease files.
spread test is failing as expected because of
Agree, those updates are currently in progress as far as I know.
This commit adds the Ubuntu Archive Automatic Signing Key (2018) as a "public-key" in the chisel.yaml. The armored data was obtained by executing the following commands on a Ubuntu 22.04 machine:

```shell
$ gpg --keyserver keyserver.ubuntu.com --receive-keys 871920D1991BC93C
$ gpg --armor --export 871920D1991BC93C
```

BREAKING CHANGE: This commit introduces the new chisel yaml format "chisel-v2", in which ``public-keys`` (top-level) and ``archive.<name>.public-keys`` fields are introduced. This change is related to the addition of integrity checks in chisel. [1]

[1] canonical/chisel#106
Thanks! Here is a first pass.
internal/testutil/reindent_test.go (outdated)

```go
}, {
	raw:    "\n",
	prefix: "\t",
	result: "\t\n\t",
```
This doesn't look right. It's indenting an empty line with zero content, and may create actual issues depending on what else shows up after it. Imagine AddPrefix("foo\n") + "bar".
I agree with you. We went for a naive implementation which produces strange cases. I have changed it and made it more complex.
Once approved and before merging, please wait for the corresponding chisel-releases PRs to be merged so that we can re-run the Spread tests
Just to recap the plan:

- v0.8.1 has just been released, including the fix for `KnownFields(false)`. This will give existing users a longer grace period for migrating to format ~~chisel-v2~~ v1, whenever that comes
- with v0.8.1 in place and communicated, we wait some time and then we can then update the `chisel-releases`, adding the `public-keys` fields to `chisel-v1`. While v0.8 will fail, v0.8.1 will work (let's say early Jan 2024)
- this PR can then also be merged
- after this PR, https://github.com/canonical/chisel/pull/108/files can also be reviewed and merged
- we'll then release Chisel v0.9.0 with support for both `chisel-v1` and ~~chisel-v2~~ v1 formats (at this stage, v0.8.1 still works)
- after some time, we can then deprecate the `chisel-v1` format from `chisel-releases`. v0.8.0 and v0.8.1 will no longer work, but v0.9.0 will (let's also give it some time between the v0.9.0 release and the migration to ~~chisel-v2~~ v1)
@cjdcordeiro Sure it just caught me by surprise because that was not the plan last time we discussed. I will amend the PRs and timelines to match the new direction.

Y sry about that @letFunny . I think only #106 would need to be amended though

FYI: note the updated comment above (#106 (review)) - we shall update the chisel-releases format to
This is looking great, thanks Alberto.
Only final nitpicks, and then we need to sync with the Rocks team on the exact release date.
internal/setup/fetch_test.go (outdated)
@@ -12,6 +12,8 @@ import ( | |||
// TODO Implement local test server instead of using live repository. | |||
|
|||
func (s *S) TestFetch(c *C) { | |||
c.Skip("TODO chisel-releases need to be updated with public-keys for this test to pass") |
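Review bot: the unconditional c.Skip in TestFetch leaves the new InRelease signature path with no automated coverage until chisel-releases is updated, while the TODO at the top of this same hunk already asks for a local test server instead of the live repository. Suggest committing a small fixture (a clearsigned InRelease plus the matching public key under testdata) so that both the success case and a signature mismatch are exercised offline, and turning the Skip into a real test once that fixture exists.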
For our own tracking, this still needs addressing.
According to the new plan:
* feat(22.04): add ubuntu archive signing key 2018

  This commit adds the Ubuntu Archive Automatic Signing Key (2018) as a "public-key" in the chisel.yaml. The armored data was obtained by executing the following commands on a Ubuntu 22.04 machine:

  ```shell
  $ gpg --keyserver keyserver.ubuntu.com --receive-keys 871920D1991BC93C
  $ gpg --armor --export 871920D1991BC93C
  ```

  BREAKING CHANGE: This commit introduces the new chisel yaml format "chisel-v2", in which ``public-keys`` (top-level) and ``archive.<name>.public-keys`` fields are introduced. This change is related to the addition of integrity checks in chisel. [1]

  [1] canonical/chisel#106

* fix(22.04): revert chisel.yaml format to chisel-v1
* fix: rename public-keys to v1-public-keys

* feat(24.04): add ubuntu archive signing key 2018

  This commit adds the Ubuntu Archive Automatic Signing Key (2018) as a "public-key" in the chisel.yaml. The armored data was obtained by executing the following commands on a Ubuntu 22.04 machine:

  ```shell
  $ gpg --keyserver keyserver.ubuntu.com --receive-keys 871920D1991BC93C
  $ gpg --armor --export 871920D1991BC93C
  ```

  BREAKING CHANGE: This commit introduces the new chisel yaml format "chisel-v2", in which ``public-keys`` (top-level) and ``archive.<name>.public-keys`` fields are introduced. This change is related to the addition of integrity checks in chisel. [1]

  [1] canonical/chisel#106

* fix(24.04): revert chisel.yaml format to chisel-v1
* fix: rename public-keys to v1-public-keys

* feat(23.10): add ubuntu archive signing key 2018

  This commit adds the Ubuntu Archive Automatic Signing Key (2018) as a "public-key" in the chisel.yaml. The armored data was obtained by executing the following commands on a Ubuntu 22.04 machine:

  ```shell
  $ gpg --keyserver keyserver.ubuntu.com --receive-keys 871920D1991BC93C
  $ gpg --armor --export 871920D1991BC93C
  ```

  BREAKING CHANGE: This commit introduces the new chisel yaml format "chisel-v2", in which ``public-keys`` (top-level) and ``archive.<name>.public-keys`` fields are introduced. This change is related to the addition of integrity checks in chisel. [1]

  [1] canonical/chisel#106

* fix(23.10): revert chisel.yaml format to chisel-v1
* fix: rename public-keys to v1-public-keys

* feat(20.04): add ubuntu archive signing key 2018

  This commit adds the Ubuntu Archive Automatic Signing Key (2018) as a "public-key" in the chisel.yaml. The armored data was obtained by executing the following commands on a Ubuntu 22.04 machine:

  ```shell
  $ gpg --keyserver keyserver.ubuntu.com --receive-keys 871920D1991BC93C
  $ gpg --armor --export 871920D1991BC93C
  ```

  BREAKING CHANGE: This commit introduces the new chisel yaml format "chisel-v2", in which ``public-keys`` (top-level) and ``archive.<name>.public-keys`` fields are introduced. This change is related to the addition of integrity checks in chisel. [1]

  [1] canonical/chisel#106

* fix(20.04): revert chisel.yaml format to chisel-v1
* fix: rename public-keys to v1-public-keys

* feat(23.04): add ubuntu archive signing key 2018

  This commit adds the Ubuntu Archive Automatic Signing Key (2018) as a "public-key" in the chisel.yaml. The armored data was obtained by executing the following commands on a Ubuntu 22.04 machine:

  ```shell
  $ gpg --keyserver keyserver.ubuntu.com --receive-keys 871920D1991BC93C
  $ gpg --armor --export 871920D1991BC93C
  ```

  BREAKING CHANGE: This commit introduces the new chisel yaml format "chisel-v2", in which ``public-keys`` (top-level) and ``archive.<name>.public-keys`` fields are introduced. This change is related to the addition of integrity checks in chisel. [1]

  [1] canonical/chisel#106

* fix(23.04): revert chisel.yaml format to chisel-v1
* fix: rename public-keys to v1-public-keys
Thanks, I'm merging this now per our agreement, but please DO NOT RELEASE THIS before both `v1-public-keys` and `public-keys` are supported. We don't want a release in the wild that supports one and not the other as otherwise we'll have introduced the need for a new transition.
Y agreed. We'll wait for a coming PR with those changes before releasing v0.9.0
Chisel will download InRelease files instead of Release files, the former being the signed version of the latter. For each archive and its components/suites, the signature in the InRelease file will be verified against the public keys associated with that archive.
These public keys will be stored in the chisel-release chisel.yaml file, as a new top-level property called public-keys. Keys themselves will be stored in ASCII armored format together with their key id. Lastly, the archive definition will reference these public keys by name.
Example chisel.yaml:
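As an added example (not code from the chisel project or this PR), the check below decodes an ASCII-armored public key of the kind stored under `public-keys` and verifies its CRC-24 trailer, so a truncated or mis-pasted armor block is rejected when the release file is loaded instead of surfacing later as an unexplained signature failure. `SampleArmor` is a constructed block whose body is the bytes `123456789`, not a real key; cross-checking the decoded key against the declared `id` and verifying the InRelease signature itself need an OpenPGP implementation and are not shown here.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// crc24 is the OpenPGP radix-64 checksum (RFC 4880, section 6.1) that closes
// every armored block as a "=XXXX" trailer line.
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			if crc <<= 1; crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// DecodeArmor returns the raw key bytes of a PUBLIC KEY BLOCK as pasted into
// chisel.yaml, rejecting a wrong block type, a malformed body, or a bad CRC-24.
func DecodeArmor(armor string) ([]byte, error) {
	l := strings.Split(strings.ReplaceAll(strings.TrimSpace(armor), "\r", ""), "\n")
	n := len(l)
	if n < 3 || l[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" || l[n-1] != "-----END PGP PUBLIC KEY BLOCK-----" {
		return nil, fmt.Errorf("not a PGP public key block")
	}
	var b64 strings.Builder
	for _, s := range l[1 : n-2] { // body lines; armor headers such as "Version: x" contain ':'
		if s != "" && !strings.Contains(s, ":") {
			b64.WriteString(s)
		}
	}
	data, err := base64.StdEncoding.DecodeString(b64.String())
	sum, err2 := base64.StdEncoding.DecodeString(strings.TrimPrefix(l[n-2], "="))
	if err != nil || err2 != nil || len(sum) != 3 {
		return nil, fmt.Errorf("malformed armor body or CRC-24 trailer")
	}
	if crc24(data) != uint32(sum[0])<<16|uint32(sum[1])<<8|uint32(sum[2]) {
		return nil, fmt.Errorf("CRC-24 mismatch: armored key is corrupt")
	}
	return data, nil
}

// SampleArmor is a constructed block (body "123456789", not a real key) whose
// trailer "=Ic8C" is the correct CRC-24 of that body.
const SampleArmor = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nMTIzNDU2Nzg5\n=Ic8C\n-----END PGP PUBLIC KEY BLOCK-----"
```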