Merge pull request #22 from lukpueh/add-default-layout

Add generic default layout
in-toto · Jan 23, 2019 · bce4593 · bce4593
2 parents e2de532 + 6bddf4e
commit bce4593
Show file tree

Hide file tree

Showing 6 changed files with 116 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -30,34 +30,43 @@ chmod 755 /usr/lib/apt/methods/intoto
 
 ### Configuration
 ---
-**NOTE:** *Once this transport is a Debian package, default configuration may
-be performed upon installation (#11). Also take a look at #13 for a discussion
-about defaults, especially about the layout and layout keys.*
+**NOTE:** *Once this transport is available as Debian package, default
+configuration and installation of required metadata may be performed
+automatically on installation of the package
+(see [#11](https://github.com/in-toto/apt-transport-in-toto/issues/1)).*
 
 ---
 
 #### Layout
 To define the requirement of reproducibility for a package, an in-toto layout
-is used. It specifies what kind of evidence is required to attest for
-reproducibility, and who is authorized to produce that evidence.
-Such a layout must be available on the client, in order for the transport
-to perform verification. The path to the layout must be specified in the
-configuration file as described below. An exemplary such layout can be found in
-[`tests/data/root.layout`](tests/data/root.layout) and may be used for any
-package.
+must be available on the client at verification time and its path must be
+specified in the apt configuration file (see
+[*Options*](https://github.com/in-toto/apt-transport-in-toto#options) below).
+
+A generic rebuild layout can be found in [`data/root.layout`](data/root.layout)
+and may be used to verify any package. It contains public keys to verify the
+authenticity and integrity of rebuilder link metadata and a threshold that
+specifies how many authorized rebuilders need to agree on their result.
+
+---
+**NOTE:** *Update the layout to add or revoke rebuilder authorizations.
+See discussion in [#13](https://github.com/in-toto/apt-transport-in-toto/issues/13)
+for further details.*
+
+---
 
 #### Layout keys
 For a successful verification the layout requires at least one valid signature.
 The signing key(s) are the root of trust and must be available in a gpg keyring
-on the client. The corresponding keyid(s) must be specified in the configuration file as
-described below.
+on the client. The corresponding keyid(s) must be specified in the apt
+configuration file (see
+[*Options*](https://github.com/in-toto/apt-transport-in-toto#options) below).
 
 ---
-**NOTE:** *The example layout above is signed with a test key that is publicly available
-in [`tests/data/gpg_keyring`](tests/data/gpg_keyring) and thus **not
-secret (!!)**. For testing purposes its public part may be imported to the
-client gpg keychain using `gpg --import tests/data/alice.asc`. The corresponding
-keyid is `88876A89E3D4698F83D3DB0E72E33CA3E0E04E46`.*
+**NOTE:** *Downstream maintainers should manually verify the validity of
+[`data/root.layout`](data/root.layout) and sign it with their maintainer key.
+See discussion in [#13](https://github.com/in-toto/apt-transport-in-toto/issues/13)
+for further details.*
 
 ---
 

diff --git a/data/root.layout b/data/root.layout
@@ -0,0 +1,88 @@
+{
+ "signatures": [
+ ],
+ "signed": {
+  "_type": "layout",
+  "expires": "2021-01-06T18:30:57Z",
+  "inspect": [
+   {
+    "_type": "inspection",
+    "expected_materials": [
+     [
+      "MATCH",
+      "*.deb",
+      "WITH",
+      "PRODUCTS",
+      "FROM",
+      "rebuild"
+     ],
+     [
+      "DISALLOW",
+      "*.deb"
+     ]
+    ],
+    "expected_products": [],
+    "name": "verify-reprobuilds",
+    "run": [
+     "/usr/bin/true"
+    ]
+   }
+  ],
+  "keys": {
+   "2e7be98291270e3b7fca429a2210e99cff22017e": {
+    "hashes": [
+     "pgp+SHA2"
+    ],
+    "keyid": "2e7be98291270e3b7fca429a2210e99cff22017e",
+    "keyval": {
+     "private": "",
+     "public": {
+      "e": "010001",
+      "n": "e0da84becb294c355f9d586cb9c14e4e7707db0ccd301d41b4926d34602a35e62f26b5c092c7bb48b8c196e2506c45882b3098788f81663b079eadc61e2a40b7059032c9865059e967d7fa01a816849c646f8d9d5b7f7c0a57920bb05e2aec8e5c7116a09f693d4ed39c13fe7f53191035f4265d1f3b68e37987da5c300aa03b987b86a9d3d7e10e48a67b5631386e10b2d2832a984ddb3706d672c49575c78f8d3d1ce0a195466feb7604a2e04a28b1aa44879c812b180c453cd1d5494e48fde42cc3970d0267a39e41ba4e5e116812e3ade8dcc5e6875cb1df12349f9936d849d6dd3e11ca1067ab70c0dfd0a3770c49d239fa7fdb2a5d47963578deb5c8a6ab1460d986d9bef4ea42b90913b35d7b121bc83ef21f6872ea5bb898fdaa5ccd028a2c7ea5c89c30202b035a7bd5eededca1475a77c565092d8629d1250a9d658373fd9026b2bb72662835fb09bcf73c4256931435f72040e771f3ecaab3b3056ffe699290385211cf276528b5867e868a5df5ec1e5631313b3145de9faed46544653f9073ec55c2da962e6fbc8f9f603348e3d8b55eec078af83b2e6d0d15adacbb4bf212a3e72c806322e84255c85ea3e33d1702942833837afdf71f0068c3bdf9a2b6c3ab3bae309b13466a05ebad14c1cd37c993af0d2a34f42ba10c3630cf2da6a0804186bc2cfd2e4be1995c631527fc61e28bdf7a62e9f3f3f5e5f27f"
+     }
+    },
+    "method": "pgp+rsa-pkcsv1.5",
+    "type": "rsa"
+   },
+   "918b19596d24161290d531addc4a0582b3590165": {
+    "hashes": [
+     "pgp+SHA2"
+    ],
+    "keyid": "918b19596d24161290d531addc4a0582b3590165",
+    "keyval": {
+     "private": "",
+     "public": {
+      "e": "010001",
+      "n": "c12e8775178aef5249f654de9a0168a6790ca6fbf7540d8209e70330542085132d5df6c3ec7753d90dc7fd63758ae91e3cd0abb03f24c57aabd35adfc6a2161e4cf5cc59c68a7b80dd4784fa78c2c4ce19c22e298f818c429537d57b9f000c2b7febe6985a5da6436bf6a8e195eb5f082fc73bbe3e639b5be826d727664c6e0d3801109a526c5215996cd7d80ed79db4308ab732f813d5f9ab2afb3e6a66c4bd3c6b5481c87f98ca206006e5fbed85edb3a63710459007e3e234b2cf4412eb46dbadf7c5859d93c35d95a50a487b759714359026ee74b30c6df500dc23bd6cc13aedecafe915389a4f563d7150a0771bfed91d96117225d68ae23911099442576e800c3d02393be6d0c1aef0ae8cc00675f64a23e9e418348b73bc9c992ce0ffe5d14385346381cbbcaad1978c740b4f0c33165989ac232ddc23a3fec4d8d75484bfc4867716e86d365e08b21b069a4bf3a06bb86066ed45ca417a42766e4ecb0cd6a21e7f2ff2aed14cc9728f6959fa7c6bd0560fc36947a5ce7d60f90ae2eb1e8890e63f600f36aed345002fed0a59ec8531a16ce803caaf77caf466e089bc606068cdefe931fd5b5353c75f4aa540eafc4464aaec94efee7fb24d3c7b9c8db6024d2527accfb4fa79eff61082011fa48aa5c7b5cab022328cfcde25f341b231537351c18bdb82dbf36c74ec6af50353c0a97ad34cad610ee05156c19d3cf1"
+     }
+    },
+    "method": "pgp+rsa-pkcsv1.5",
+    "type": "rsa"
+   }
+  },
+  "readme": "",
+  "steps": [
+   {
+    "_type": "step",
+    "expected_command": [],
+    "expected_materials": [],
+    "expected_products": [
+     [
+      "CREATE",
+      "*.deb"
+     ],
+     [
+      "DISALLOW",
+      "*.deb"
+     ]
+    ],
+    "name": "rebuild",
+    "pubkeys": [
+     "2e7be98291270e3b7fca429a2210e99cff22017e",
+     "918b19596d24161290d531addc4a0582b3590165"
+    ],
+    "threshold": 2
+   }
+  ]
+ }
+}
diff --git a/tests/Dockerfile b/tests/Dockerfile
@@ -13,7 +13,7 @@ RUN chmod +x /usr/lib/apt/methods/intoto
 # Copy apt configuration file, root layout and root layout key
 # FIXME: These should be added when installing the intoto transport
 COPY tests/data/intoto.conf.docker /etc/apt/apt.conf.d/intoto
-COPY tests/data/root.layout.docker /etc/intoto/root.layout
+COPY tests/data/test.layout.docker /etc/intoto/root.layout
 COPY tests/data/alice.asc /etc/intoto/alice.asc
 RUN gpg --import /etc/intoto/alice.asc
 

diff --git a/tests/data/root.layout → tests/data/test.layout b/tests/data/root.layout → tests/data/test.layout
diff --git a/tests/data/root.layout.docker → tests/data/test.layout.docker b/tests/data/root.layout.docker → tests/data/test.layout.docker
diff --git a/tests/test_intoto.py b/tests/test_intoto.py
@@ -67,7 +67,7 @@
   "log_level": LOG_LEVEL,
   "rebuilder1": "http://127.0.0.1:8081",
   "rebuilder2": "http://127.0.0.1:8082",
-  "layout_path": os.path.join(TEST_DATA_PATH, "root.layout"),
+  "layout_path": os.path.join(TEST_DATA_PATH, "test.layout"),
   "layout_keyid": "88876A89E3D4698F83D3DB0E72E33CA3E0E04E46",
   "gpg_home": os.path.join(TEST_DATA_PATH, "gpg_keyring"),
   "no_fail": "false"