diff --git a/README.md b/README.md
index 8ff7415..623b22f 100644
--- a/README.md
+++ b/README.md
@@ -30,34 +30,43 @@ chmod 755 /usr/lib/apt/methods/intoto ### Configuration --- -**NOTE:** *Once this transport is a Debian package, default configuration may -be performed upon installation (#11). Also take a look at #13 for a discussion -about defaults, especially about the layout and layout keys.* +**NOTE:** *Once this transport is available as Debian package, default +configuration and installation of required metadata may be performed +automatically on installation of the package +(see [#11](https://github.com/in-toto/apt-transport-in-toto/issues/1)).* --- #### Layout To define the requirement of reproducibility for a package, an in-toto layout -is used. It specifies what kind of evidence is required to attest for -reproducibility, and who is authorized to produce that evidence. -Such a layout must be available on the client, in order for the transport -to perform verification. The path to the layout must be specified in the -configuration file as described below. An exemplary such layout can be found in -[`tests/data/root.layout`](tests/data/root.layout) and may be used for any -package. +must be available on the client at verification time and its path must be +specified in the apt configuration file (see +[*Options*](https://github.com/in-toto/apt-transport-in-toto#options) below). + +A generic rebuild layout can be found in [`data/root.layout`](data/root.layout) +and may be used to verify any package. It contains public keys to verify the +authenticity and integrity of rebuilder link metadata and a threshold that +specifies how many authorized rebuilders need to agree on their result. + +--- +**NOTE:** *Update the layout to add or revoke rebuilder authorizations. +See discussion in [#13](https://github.com/in-toto/apt-transport-in-toto/issues/13) +for further details.* + +--- #### Layout keys For a successful verification the layout requires at least one valid signature. 
The signing key(s) are the root of trust and must be available in a gpg keyring -on the client. The corresponding keyid(s) must be specified in the configuration file as -described below. +on the client. The corresponding keyid(s) must be specified in the apt +configuration file (see +[*Options*](https://github.com/in-toto/apt-transport-in-toto#options) below). --- -**NOTE:** *The example layout above is signed with a test key that is publicly available -in [`tests/data/gpg_keyring`](tests/data/gpg_keyring) and thus **not -secret (!!)**. For testing purposes its public part may be imported to the -client gpg keychain using `gpg --import tests/data/alice.asc`. The corresponding -keyid is `88876A89E3D4698F83D3DB0E72E33CA3E0E04E46`.* +**NOTE:** *Downstream maintainers should manually verify the validity of +[`data/root.layout`](data/root.layout) and sign it with their maintainer key. +See discussion in [#13](https://github.com/in-toto/apt-transport-in-toto/issues/13) +for further details.* --- diff --git a/data/root.layout b/data/root.layout new file mode 100644 index 0000000..8e121f1 --- /dev/null +++ b/data/root.layout 
@@ -0,0 +1,88 @@ +{ + "signatures": [ + ], + "signed": { + "_type": "layout", + "expires": "2021-01-06T18:30:57Z", + "inspect": [ + { + "_type": "inspection", + "expected_materials": [ + [ + "MATCH", + "*.deb", + "WITH", + "PRODUCTS", + "FROM", + "rebuild" + ], + [ + "DISALLOW", + "*.deb" + ] + ], + "expected_products": [], + "name": "verify-reprobuilds", + "run": [ + "/usr/bin/true" + ] + } + ], + "keys": { + "2e7be98291270e3b7fca429a2210e99cff22017e": { + "hashes": [ + "pgp+SHA2" + ], + "keyid": "2e7be98291270e3b7fca429a2210e99cff22017e", + "keyval": { + "private": "", + "public": { + "e": "010001", + "n": "e0da84becb294c355f9d586cb9c14e4e7707db0ccd301d41b4926d34602a35e62f26b5c092c7bb48b8c196e2506c45882b3098788f81663b079eadc61e2a40b7059032c9865059e967d7fa01a816849c646f8d9d5b7f7c0a57920bb05e2aec8e5c7116a09f693d4ed39c13fe7f53191035f4265d1f3b68e37987da5c300aa03b987b86a9d3d7e10e48a67b5631386e10b2d2832a984ddb3706d672c49575c78f8d3d1ce0a195466feb7604a2e04a28b1aa44879c812b180c453cd1d5494e48fde42cc3970d0267a39e41ba4e5e116812e3ade8dcc5e6875cb1df12349f9936d849d6dd3e11ca1067ab70c0dfd0a3770c49d239fa7fdb2a5d47963578deb5c8a6ab1460d986d9bef4ea42b90913b35d7b121bc83ef21f6872ea5bb898fdaa5ccd028a2c7ea5c89c30202b035a7bd5eededca1475a77c565092d8629d1250a9d658373fd9026b2bb72662835fb09bcf73c4256931435f72040e771f3ecaab3b3056ffe699290385211cf276528b5867e868a5df5ec1e5631313b3145de9faed46544653f9073ec55c2da962e6fbc8f9f603348e3d8b55eec078af83b2e6d0d15adacbb4bf212a3e72c806322e84255c85ea3e33d1702942833837afdf71f0068c3bdf9a2b6c3ab3bae309b13466a05ebad14c1cd37c993af0d2a34f42ba10c3630cf2da6a0804186bc2cfd2e4be1995c631527fc61e28bdf7a62e9f3f3f5e5f27f" + } + }, + "method": "pgp+rsa-pkcsv1.5", + "type": "rsa" + }, + "918b19596d24161290d531addc4a0582b3590165": { + "hashes": [ + "pgp+SHA2" + ], + "keyid": "918b19596d24161290d531addc4a0582b3590165", + "keyval": { + "private": "", + "public": { + "e": "010001", + "n": 
"c12e8775178aef5249f654de9a0168a6790ca6fbf7540d8209e70330542085132d5df6c3ec7753d90dc7fd63758ae91e3cd0abb03f24c57aabd35adfc6a2161e4cf5cc59c68a7b80dd4784fa78c2c4ce19c22e298f818c429537d57b9f000c2b7febe6985a5da6436bf6a8e195eb5f082fc73bbe3e639b5be826d727664c6e0d3801109a526c5215996cd7d80ed79db4308ab732f813d5f9ab2afb3e6a66c4bd3c6b5481c87f98ca206006e5fbed85edb3a63710459007e3e234b2cf4412eb46dbadf7c5859d93c35d95a50a487b759714359026ee74b30c6df500dc23bd6cc13aedecafe915389a4f563d7150a0771bfed91d96117225d68ae23911099442576e800c3d02393be6d0c1aef0ae8cc00675f64a23e9e418348b73bc9c992ce0ffe5d14385346381cbbcaad1978c740b4f0c33165989ac232ddc23a3fec4d8d75484bfc4867716e86d365e08b21b069a4bf3a06bb86066ed45ca417a42766e4ecb0cd6a21e7f2ff2aed14cc9728f6959fa7c6bd0560fc36947a5ce7d60f90ae2eb1e8890e63f600f36aed345002fed0a59ec8531a16ce803caaf77caf466e089bc606068cdefe931fd5b5353c75f4aa540eafc4464aaec94efee7fb24d3c7b9c8db6024d2527accfb4fa79eff61082011fa48aa5c7b5cab022328cfcde25f341b231537351c18bdb82dbf36c74ec6af50353c0a97ad34cad610ee05156c19d3cf1" + } + }, + "method": "pgp+rsa-pkcsv1.5", + "type": "rsa" + } + }, + "readme": "", + "steps": [ + { + "_type": "step", + "expected_command": [], + "expected_materials": [], + "expected_products": [ + [ + "CREATE", + "*.deb" + ], + [ + "DISALLOW", + "*.deb" + ] + ], + "name": "rebuild", + "pubkeys": [ + "2e7be98291270e3b7fca429a2210e99cff22017e", + "918b19596d24161290d531addc4a0582b3590165" + ], + "threshold": 2 + } + ] + } +} \ No newline at end of file diff --git a/tests/Dockerfile b/tests/Dockerfile index b2d3b2c..39b2fb9 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile 
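Review bot: The two rebuilder keys under `keys` become the trust anchors for every package this layout verifies, yet nothing in the file says whose they are: `"readme": ""` is empty and each entry carries only a keyid and an RSA modulus. The README in this commit asks downstream maintainers to verify the layout manually before signing it, so give them something to check against, for example by filling `readme` with the operator of each key and where its fingerprint is published. Two further points on the same file: `"threshold": 2` with exactly two `pubkeys` means one unavailable or disagreeing rebuilder fails verification for every package, and the fixed `"expires": "2021-01-06T18:30:57Z"` needs a documented re-issue and re-sign step, since an expired layout is expected to stop verifying.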
@@ -13,7 +13,7 @@ RUN chmod +x /usr/lib/apt/methods/intoto
 # Copy apt configuration file, root layout and root layout key
 # FIXME: These should be added when installing the intoto transport
 COPY tests/data/intoto.conf.docker /etc/apt/apt.conf.d/intoto
-COPY tests/data/root.layout.docker /etc/intoto/root.layout
+COPY tests/data/test.layout.docker /etc/intoto/root.layout
 COPY tests/data/alice.asc /etc/intoto/alice.asc
 RUN gpg --import /etc/intoto/alice.asc
diff --git a/tests/data/root.layout b/tests/data/test.layout
similarity index 100%
rename from tests/data/root.layout
rename to tests/data/test.layout
diff --git a/tests/data/root.layout.docker b/tests/data/test.layout.docker
similarity index 100%
rename from tests/data/root.layout.docker
rename to tests/data/test.layout.docker
diff --git a/tests/test_intoto.py b/tests/test_intoto.py
index 3240002..a3c902c 100644
--- a/tests/test_intoto.py
+++ b/tests/test_intoto.py
@@ -67,7 +67,7 @@
 "log_level": LOG_LEVEL,
 "rebuilder1": "http://127.0.0.1:8081",
 "rebuilder2": "http://127.0.0.1:8082",
- "layout_path": os.path.join(TEST_DATA_PATH, "root.layout"),
+ "layout_path": os.path.join(TEST_DATA_PATH, "test.layout"),
 "layout_keyid": "88876A89E3D4698F83D3DB0E72E33CA3E0E04E46",
 "gpg_home": os.path.join(TEST_DATA_PATH, "gpg_keyring"),
 "no_fail": "false"