From ab4c4728864343ca075799fc370cb19538a42f8e Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Fri, 18 Jan 2019 15:15:26 +0100
Subject: [PATCH 1/2] Add default layout and update README
Add default layout that may be used for any debian package. It - is unsigned (should be signed by downstream maintainer), - authorizes the two currently available rebuilders, - defines a threshold of two (i.e. requires two rebuild links), - expires in two years. This commit also adds layout usage notes to the README.
---
 README.md | 43 +++++++++++++----------
 data/root.layout | 88 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 114 insertions(+), 17 deletions(-)
 create mode 100644 data/root.layout
diff --git a/README.md b/README.md
index 8ff7415..623b22f 100644
--- a/README.md
+++ b/README.md
@@ -30,34 +30,43 @@ chmod 755 /usr/lib/apt/methods/intoto
 ### Configuration
 ---
-**NOTE:** *Once this transport is a Debian package, default configuration may
-be performed upon installation (#11). Also take a look at #13 for a discussion
-about defaults, especially about the layout and layout keys.*
+**NOTE:** *Once this transport is available as Debian package, default
+configuration and installation of required metadata may be performed
+automatically on installation of the package
+(see [#11](https://github.com/in-toto/apt-transport-in-toto/issues/1)).*
 ---
 #### Layout
 To define the requirement of reproducibility for a package, an in-toto layout
-is used. It specifies what kind of evidence is required to attest for
-reproducibility, and who is authorized to produce that evidence.
-Such a layout must be available on the client, in order for the transport
-to perform verification. The path to the layout must be specified in the
-configuration file as described below. An exemplary such layout can be found in
-[`tests/data/root.layout`](tests/data/root.layout) and may be used for any
-package.
+must be available on the client at verification time and its path must be
+specified in the apt configuration file (see
+[*Options*](https://github.com/in-toto/apt-transport-in-toto#options) below).
+
+A generic rebuild layout can be found in [`data/root.layout`](data/root.layout)
+and may be used to verify any package. It contains public keys to verify the
+authenticity and integrity of rebuilder link metadata and a threshold that
+specifies how many authorized rebuilders need to agree on their result.
+
+---
+**NOTE:** *Update the layout to add or revoke rebuilder authorizations.
+See discussion in [#13](https://github.com/in-toto/apt-transport-in-toto/issues/13)
+for further details.*
+
+---
 #### Layout keys
 For a successful verification the layout requires at least one valid signature.
The signing key(s) are the root of trust and must be available in a gpg keyring
-on the client. The corresponding keyid(s) must be specified in the configuration file as
-described below.
+on the client. The corresponding keyid(s) must be specified in the apt
+configuration file (see
+[*Options*](https://github.com/in-toto/apt-transport-in-toto#options) below).
 ---
-**NOTE:** *The example layout above is signed with a test key that is publicly available
-in [`tests/data/gpg_keyring`](tests/data/gpg_keyring) and thus **not
-secret (!!)**. For testing purposes its public part may be imported to the
-client gpg keychain using `gpg --import tests/data/alice.asc`. The corresponding
-keyid is `88876A89E3D4698F83D3DB0E72E33CA3E0E04E46`.*
+**NOTE:** *Downstream maintainers should manually verify the validity of
+[`data/root.layout`](data/root.layout) and sign it with their maintainer key.
+See discussion in [#13](https://github.com/in-toto/apt-transport-in-toto/issues/13)
+for further details.*
 ---
diff --git a/data/root.layout b/data/root.layout
new file mode 100644
index 0000000..8e121f1
--- /dev/null
+++ b/data/root.layout
@@ -0,0 +1,88 @@
+{
+ "signatures": [
+ ],
+ "signed": {
+ "_type": "layout",
+ "expires": "2021-01-06T18:30:57Z",
+ "inspect": [
+ {
+ "_type": "inspection",
+ "expected_materials": [
+ [
+ "MATCH",
+ "*.deb",
+ "WITH",
+ "PRODUCTS",
+ "FROM",
+ "rebuild"
+ ],
+ [
+ "DISALLOW",
+ "*.deb"
+ ]
+ ],
+ "expected_products": [],
+ "name": "verify-reprobuilds",
+ "run": [
+ "/usr/bin/true"
+ ]
+ }
+ ],
+ "keys": {
+ "2e7be98291270e3b7fca429a2210e99cff22017e": {
+ "hashes": [
+ "pgp+SHA2"
+ ],
+ "keyid": "2e7be98291270e3b7fca429a2210e99cff22017e",
+ "keyval": {
+ "private": "",
+ "public": {
+ "e": "010001",
+ "n": "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"
+ }
+ },
+ "method": "pgp+rsa-pkcsv1.5",
+ "type": "rsa"
+ },
+ "918b19596d24161290d531addc4a0582b3590165": {
+ "hashes": [
+ "pgp+SHA2"
+ ],
+ "keyid": "918b19596d24161290d531addc4a0582b3590165",
+ "keyval": {
+ "private": "",
+ "public": {
+ "e": "010001",
+ "n": "c12e8775178aef5249f654de9a0168a6790ca6fbf7540d8209e70330542085132d5df6c3ec7753d90dc7fd63758ae91e3cd0abb03f24c57aabd35adfc6a2161e4cf5cc59c68a7b80dd4784fa78c2c4ce19c22e298f818c429537d57b9f000c2b7febe6985a5da6436bf6a8e195eb5f082fc73bbe3e639b5be826d727664c6e0d3801109a526c5215996cd7d80ed79db4308ab732f813d5f9ab2afb3e6a66c4bd3c6b5481c87f98ca206006e5fbed85edb3a63710459007e3e234b2cf4412eb46dbadf7c5859d93c35d95a50a487b759714359026ee74b30c6df500dc23bd6cc13aedecafe915389a4f563d7150a0771bfed91d96117225d68ae23911099442576e800c3d02393be6d0c1aef0ae8cc00675f64a23e9e418348b73bc9c992ce0ffe5d14385346381cbbcaad1978c740b4f0c33165989ac232ddc23a3fec4d8d75484bfc4867716e86d365e08b21b069a4bf3a06bb86066ed45ca417a42766e4ecb0cd6a21e7f2ff2aed14cc9728f6959fa7c6bd0560fc36947a5ce7d60f90ae2eb1e8890e63f600f36aed345002fed0a59ec8531a16ce803caaf77caf466e089bc606068cdefe931fd5b5353c75f4aa540eafc4464aaec94efee7fb24d3c7b9c8db6024d2527accfb4fa79eff61082011fa48aa5c7b5cab022328cfcde25f341b231537351c18bdb82dbf36c74ec6af50353c0a97ad34cad610ee05156c19d3cf1"
+ }
+ },
+ "method": 
"pgp+rsa-pkcsv1.5", + "type": "rsa" + } + }, + "readme": "", + "steps": [ + { + "_type": "step", + "expected_command": [], + "expected_materials": [], + "expected_products": [ + [ + "CREATE", + "*.deb" + ], + [ + "DISALLOW", + "*.deb" + ] + ], + "name": "rebuild", + "pubkeys": [ + "2e7be98291270e3b7fca429a2210e99cff22017e", + "918b19596d24161290d531addc4a0582b3590165" + ], + "threshold": 2 + } + ] + } +} \ No newline at end of file From 6bddf4e7b70e8df87fc5df0b33486e4e6b42d15a Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Fri, 18 Jan 2019 15:20:00 +0100 Subject: [PATCH 2/2] Rename test layouts Rename unsecure offline and online (docker) test layouts to better distinguish them from the included generic layout that may be used for package verification. The test layouts are signed with a test key that is included in this repo. Hence they should not be use used to verify any package. --- tests/Dockerfile | 2 +- tests/data/{root.layout => test.layout} | 0 tests/data/{root.layout.docker => test.layout.docker} | 0 tests/test_intoto.py | 2 +- 4 files changed, 2 insertions(+), 2 deletions(-) rename tests/data/{root.layout => test.layout} (100%) rename tests/data/{root.layout.docker => test.layout.docker} (100%) diff --git a/tests/Dockerfile b/tests/Dockerfile index b2d3b2c..39b2fb9 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -13,7 +13,7 @@ RUN chmod +x /usr/lib/apt/methods/intoto # Copy apt configuration file, root layout and root layout key # FIXME: These should be added when installing the intoto transport COPY tests/data/intoto.conf.docker /etc/apt/apt.conf.d/intoto -COPY tests/data/root.layout.docker /etc/intoto/root.layout +COPY tests/data/test.layout.docker /etc/intoto/root.layout COPY tests/data/alice.asc /etc/intoto/alice.asc RUN gpg --import /etc/intoto/alice.asc diff --git a/tests/data/root.layout b/tests/data/test.layout similarity index 100% rename from tests/data/root.layout rename to tests/data/test.layout 
diff --git a/tests/data/root.layout.docker b/tests/data/test.layout.docker
similarity index 100%
rename from tests/data/root.layout.docker
rename to tests/data/test.layout.docker
diff --git a/tests/test_intoto.py b/tests/test_intoto.py
index 3240002..a3c902c 100644
--- a/tests/test_intoto.py
+++ b/tests/test_intoto.py
@@ -67,7 +67,7 @@
 "log_level": LOG_LEVEL,
 "rebuilder1": "http://127.0.0.1:8081",
 "rebuilder2": "http://127.0.0.1:8082",
- "layout_path": os.path.join(TEST_DATA_PATH, "root.layout"),
+ "layout_path": os.path.join(TEST_DATA_PATH, "test.layout"),
 "layout_keyid": "88876A89E3D4698F83D3DB0E72E33CA3E0E04E46",
 "gpg_home": os.path.join(TEST_DATA_PATH, "gpg_keyring"),
 "no_fail": "false"