Skip to content

Commit

Permalink
signer: gpg2: add debsign mode
Browse files Browse the repository at this point in the history
  • Loading branch information
Greg Guthe committed Oct 4, 2021
1 parent 8c421f1 commit c847624
Show file tree
Hide file tree
Showing 13 changed files with 1,669 additions and 39 deletions.
338 changes: 338 additions & 0 deletions autograph.yaml

Large diffs are not rendered by default.

10 changes: 10 additions & 0 deletions bin/run_integration_tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,16 @@ docker-compose run \
--entrypoint ./integration_test_api.sh \
app-hsm

echo "checking gpg signing"
docker-compose run \
--rm \
--user 0 \
-e AUTOGRAPH_URL=http://app:8000 \
--workdir /app/src/autograph/tools/autograph-client \
--entrypoint ./integration_test_gpg2_signer.sh \
app
# TODO: add HSM support for GPG signing keys and test here

echo "checking XPI signing"
docker-compose run \
--rm \
Expand Down
4 changes: 4 additions & 0 deletions docs/endpoints.md
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,10 @@ field:
signer uses a different format, so refer to their documentation
for more information.

TODO: document restrictions

alphanumeric + -_ and single dots

## /sign/file

### Request
Expand Down
6 changes: 4 additions & 2 deletions handlers_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -517,6 +517,8 @@ func TestDebug(t *testing.T) {
func TestHandleGetAuthKeyIDs(t *testing.T) {
t.Parallel()

const autographDevAliceKeyIDsJSON = "[\"apk_cert_with_ecdsa_sha256\",\"apk_cert_with_ecdsa_sha256_v3\",\"appkey1\",\"appkey2\",\"dummyrsa\",\"dummyrsapss\",\"extensions-ecdsa\",\"extensions-ecdsa-expired-chain\",\"legacy_apk_with_rsa\",\"normandy\",\"pgpsubkey\",\"pgpsubkey-debsign\",\"randompgp\",\"randompgp-debsign\",\"remote-settings\",\"testapp-android\",\"testapp-android-legacy\",\"testapp-android-v3\",\"testauthenticode\",\"testmar\",\"testmarecdsa\",\"webextensions-rsa\",\"webextensions-rsa-with-recommendation\"]"

var testcases = []struct {
name string
method string
Expand Down Expand Up @@ -584,7 +586,7 @@ func TestHandleGetAuthKeyIDs(t *testing.T) {
body: "",
authorizeID: "alice",
expectedStatus: http.StatusOK,
expectedBody: "[\"apk_cert_with_ecdsa_sha256\",\"apk_cert_with_ecdsa_sha256_v3\",\"appkey1\",\"appkey2\",\"dummyrsa\",\"dummyrsapss\",\"extensions-ecdsa\",\"extensions-ecdsa-expired-chain\",\"legacy_apk_with_rsa\",\"normandy\",\"pgpsubkey\",\"randompgp\",\"remote-settings\",\"testapp-android\",\"testapp-android-legacy\",\"testapp-android-v3\",\"testauthenticode\",\"testmar\",\"testmarecdsa\",\"webextensions-rsa\",\"webextensions-rsa-with-recommendation\"]",
expectedBody: autographDevAliceKeyIDsJSON,
expectedHeaders: http.Header{"Content-Type": []string{"application/json"}},
},
{
Expand Down Expand Up @@ -658,7 +660,7 @@ func TestHandleGetAuthKeyIDs(t *testing.T) {
nilBody: true,
authorizeID: "alice",
expectedStatus: http.StatusOK,
expectedBody: "[\"apk_cert_with_ecdsa_sha256\",\"apk_cert_with_ecdsa_sha256_v3\",\"appkey1\",\"appkey2\",\"dummyrsa\",\"dummyrsapss\",\"extensions-ecdsa\",\"extensions-ecdsa-expired-chain\",\"legacy_apk_with_rsa\",\"normandy\",\"pgpsubkey\",\"randompgp\",\"remote-settings\",\"testapp-android\",\"testapp-android-legacy\",\"testapp-android-v3\",\"testauthenticode\",\"testmar\",\"testmarecdsa\",\"webextensions-rsa\",\"webextensions-rsa-with-recommendation\"]",
expectedBody: autographDevAliceKeyIDsJSON,
expectedHeaders: http.Header{"Content-Type": []string{"application/json"}},
},
}
Expand Down
90 changes: 77 additions & 13 deletions signer/gpg2/README.md
Original file line number Diff line number Diff line change
@@ -1,19 +1,13 @@
# PGP Signing with GPG2

This signer implements the Pretty Good Privacy signature format. It
accepts data on the `/sign/data` interface and returns
armored detached signatures like the `pgp` signer.
This signer implements the Pretty Good Privacy signature format and
Debian GPG signing using `debsign`.

**Try the \`pgp\` signer first since it keeps private keys in memory,
which is more secure.**
When configured in `gpg2` mode it accepts data on the `/sign/data`
interface and returns armored detached signatures.

Only use the this signer if the `pgp` signer doesn\'t
understand your key format and you need to load private keys with
passphrases exported with the [unsupported and non-standard gnu-dummy
S2K algorithm](https://github.com/golang/go/issues/13605) and sign with
a subkey. Also prefer the `pgp` signer, since this signer 1)
requires a the gpg2 binary with version \>2.1, 2) writes private keys to
keyrings on disk, and 3) shells out to the `gpg2` binary.
In `debsign` mode it accepts files on the `/sign/files` interface and
returns the clearsigned files.

Example Usage:

Expand Down Expand Up @@ -69,9 +63,34 @@ signers:
-----END PGP PUBLIC KEY BLOCK-----
```
The **optional** field `mode` it can be either `gpg2` or
`debsign`. When empty or missing it defaults to `gpg2` and should use
the full key fingerprint in the `keyid` field. For example:

```yaml
- id: some-pgp-key
type: gpg2
mode: debsign
keyid: A2910E4FBEA076009BCDE536DD0A5D99AAAB1F1A
passphrase: abcdef123
privatekey: |
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBFuW9xABCACzCLYHwgGba7hi+lwhD/Hr5qqpg+UuN+88NclYgLWyl1nPpx2D
...
HQASoA7mirON
=vJUu
-----END PGP PRIVATE KEY BLOCK-----
publickey: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
=459B
-----END PGP PUBLIC KEY BLOCK-----
```

## Signature request

This signer only supports the `/sign/data/` endpoint.
This signer only supports the `/sign/data/` endpoint in `gpg2` mode:

``` json
[
Expand All @@ -82,6 +101,27 @@ This signer only supports the `/sign/data/` endpoint.
]
```

This signer only supports the `/sign/files/` endpoint in `debsign` mode:

``` json
[
{
"input": "",
"keyid": "pgpsubkey-debsign",
"signed_files": [
{
"name": "sphinx_1.7.2-1.dsc",
"content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
},
{
"name": "sphinx_1.7.2-1_amd64.buildinfo",
"content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
}
]
}
]
```

## Signature response

The response to a data signing request contains a PGP armored detached
Expand All @@ -100,3 +140,27 @@ recover the standard armored signature that gnupg expects.
}
]
```

In `debsign` mode responses are at the field `signed_files`:

```json
[
{
"ref": "boxfa5qavzf11p6zme2pd74tn",
"type": "gpg2",
"mode": "debsign",
"signer_id": "pgpsubkey-debsign",
"public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBFwaoDMBEAC0FVHFLTVYFSr8ZpCWOKyF+Xrpcr032pOr3p3rBH6Ld9ZTpaLS...",
"signed_files": [
{
"name": "sphinx_1.7.2-1.dsc",
"content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
},
{
"name": "sphinx_1.7.2-1_amd64.buildinfo",
"content": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTS..."
}
]
}
]
```
Loading

0 comments on commit c847624

Please sign in to comment.