signer: gpg2: add debsign mode

bin/run_integration_tests.sh

@@ -68,6 +68,16 @@ docker-compose run \
 	       --entrypoint ./integration_test_api.sh \
 	       app-hsm
 
+echo "checking gpg signing"
+docker-compose run \
+	       --rm \
+	       --user 0 \
+	       -e AUTOGRAPH_URL=http://app:8000 \
+	       --workdir /app/src/autograph/tools/autograph-client \
+	       --entrypoint ./integration_test_gpg2_signer.sh \
+	       app
+# TODO: add HSM support for GPG signing keys and test here
+
 echo "checking XPI signing"
 docker-compose run \
 	       --rm \

docs/endpoints.md

@@ -172,6 +172,10 @@ field:
     signer uses a different format, so refer to their documentation
     for more information.
 
+TODO: document restrictions
+
+alphanumeric + -_ and single dots
+
 ## /sign/file
 
 ### Request

handlers_test.go

@@ -566,6 +566,8 @@ func TestDebug(t *testing.T) {
 func TestHandleGetAuthKeyIDs(t *testing.T) {
 	t.Parallel()
 
+	const autographDevAliceKeyIDsJSON = "[\"apk_cert_with_ecdsa_sha256\",\"apk_cert_with_ecdsa_sha256_v3\",\"appkey1\",\"appkey2\",\"dummyrsa\",\"dummyrsapss\",\"extensions-ecdsa\",\"extensions-ecdsa-expired-chain\",\"legacy_apk_with_rsa\",\"normandy\",\"pgpsubkey\",\"pgpsubkey-debsign\",\"randompgp\",\"randompgp-debsign\",\"remote-settings\",\"testapp-android\",\"testapp-android-legacy\",\"testapp-android-v3\",\"testauthenticode\",\"testmar\",\"testmarecdsa\",\"webextensions-rsa\",\"webextensions-rsa-with-recommendation\"]"
+
 	var testcases = []struct {
 		name   string
 		method string
@@ -633,7 +635,7 @@ func TestHandleGetAuthKeyIDs(t *testing.T) {
 			body:            "",
 			authorizeID:     "alice",
 			expectedStatus:  http.StatusOK,
-			expectedBody:    "[\"apk_cert_with_ecdsa_sha256\",\"apk_cert_with_ecdsa_sha256_v3\",\"appkey1\",\"appkey2\",\"dummyrsa\",\"dummyrsapss\",\"extensions-ecdsa\",\"extensions-ecdsa-expired-chain\",\"legacy_apk_with_rsa\",\"normandy\",\"pgpsubkey\",\"randompgp\",\"remote-settings\",\"testapp-android\",\"testapp-android-legacy\",\"testapp-android-v3\",\"testauthenticode\",\"testmar\",\"testmarecdsa\",\"webextensions-rsa\",\"webextensions-rsa-with-recommendation\"]",
+			expectedBody:    autographDevAliceKeyIDsJSON,
 			expectedHeaders: http.Header{"Content-Type": []string{"application/json"}},
 		},
 		{
@@ -707,7 +709,7 @@ func TestHandleGetAuthKeyIDs(t *testing.T) {
 			nilBody:         true,
 			authorizeID:     "alice",
 			expectedStatus:  http.StatusOK,
-			expectedBody:    "[\"apk_cert_with_ecdsa_sha256\",\"apk_cert_with_ecdsa_sha256_v3\",\"appkey1\",\"appkey2\",\"dummyrsa\",\"dummyrsapss\",\"extensions-ecdsa\",\"extensions-ecdsa-expired-chain\",\"legacy_apk_with_rsa\",\"normandy\",\"pgpsubkey\",\"randompgp\",\"remote-settings\",\"testapp-android\",\"testapp-android-legacy\",\"testapp-android-v3\",\"testauthenticode\",\"testmar\",\"testmarecdsa\",\"webextensions-rsa\",\"webextensions-rsa-with-recommendation\"]",
+			expectedBody:    autographDevAliceKeyIDsJSON,
 			expectedHeaders: http.Header{"Content-Type": []string{"application/json"}},
 		},
 	}

signer/gpg2/README.md

@@ -1,19 +1,13 @@
 # PGP Signing with GPG2
 
-This signer implements the Pretty Good Privacy signature format. It
-accepts data on the `/sign/data` interface and returns
-armored detached signatures like the `pgp` signer.
+This signer implements the Pretty Good Privacy signature format and
+Debian GPG signing using `debsign`.
 
-**Try the \`pgp\` signer first since it keeps private keys in memory,
-which is more secure.**
+When configured in `gpg2` mode it accepts data on the `/sign/data`
+interface and returns armored detached signatures.
 
-Only use the this signer if the `pgp` signer doesn\'t
-understand your key format and you need to load private keys with
-passphrases exported with the [unsupported and non-standard gnu-dummy
-S2K algorithm](https://github.com/golang/go/issues/13605) and sign with
-a subkey. Also prefer the `pgp` signer, since this signer 1)
-requires a the gpg2 binary with version \>2.1, 2) writes private keys to
-keyrings on disk, and 3) shells out to the `gpg2` binary.
+In `debsign` mode it accepts files on the `/sign/files` interface and
+returns the clearsigned files.
 
 Example Usage:
 
@@ -69,9 +63,34 @@ signers:
     -----END PGP PUBLIC KEY BLOCK-----
 ```
 
+The **optional** field `mode` it can be either `gpg2` or
+`debsign`. When empty or missing it defaults to `gpg2` and should use
+the full key fingerprint in the `keyid` field. For example:
+
+```yaml
+- id: some-pgp-key
+  type: gpg2
+  mode: debsign
+  keyid: A2910E4FBEA076009BCDE536DD0A5D99AAAB1F1A
+  passphrase: abcdef123
+  privatekey: |
+    -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+    lQOYBFuW9xABCACzCLYHwgGba7hi+lwhD/Hr5qqpg+UuN+88NclYgLWyl1nPpx2D
+    ...
+    HQASoA7mirON
+    =vJUu
+    -----END PGP PRIVATE KEY BLOCK-----
+  publickey: |
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    ...
+    =459B
+    -----END PGP PUBLIC KEY BLOCK-----
+```
+
 ## Signature request
 
-This signer only supports the `/sign/data/` endpoint.
+This signer only supports the `/sign/data/` endpoint in `gpg2` mode:
 
 ``` json
 [
@@ -82,6 +101,27 @@ This signer only supports the `/sign/data/` endpoint.
 ]
 ```
 
+This signer only supports the `/sign/files/` endpoint in `debsign` mode:
+
+``` json
+[
+    {
+        "input": "",
+        "keyid": "pgpsubkey-debsign",
+        "signed_files": [
+          {
+            "name": "sphinx_1.7.2-1.dsc",
+            "content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
+          },
+          {
+            "name": "sphinx_1.7.2-1_amd64.buildinfo",
+            "content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
+          }
+        ]
+    }
+]
+```
+
 ## Signature response
 
 The response to a data signing request contains a PGP armored detached
@@ -100,3 +140,27 @@ recover the standard armored signature that gnupg expects.
   }
 ]
 ```
+
+In `debsign` mode responses are at the field `signed_files`:
+
+```json
+[
+  {
+    "ref": "boxfa5qavzf11p6zme2pd74tn",
+    "type": "gpg2",
+    "mode": "debsign",
+    "signer_id": "pgpsubkey-debsign",
+    "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBFwaoDMBEAC0FVHFLTVYFSr8ZpCWOKyF+Xrpcr032pOr3p3rBH6Ld9ZTpaLS...",
+    "signed_files": [
+      {
+        "name": "sphinx_1.7.2-1.dsc",
+        "content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
+      },
+      {
+        "name": "sphinx_1.7.2-1_amd64.buildinfo",
+        "content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
+      }
+    ]
+  }
+]
+```