Support OpenPGP keyrings in release #100
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
benhoyt
approved these changes
Oct 19, 2023
There was a problem hiding this comment.
Just one comment about (not) including all the test data in the test.go file.
Also, I've reviewed for Go style and it looks good, but I don't have a good handle on the domain or security implications. Would be worth getting a security / PGP expert to look over this!
cjdcordeiro
reviewed
Oct 20, 2023
This commit extends the chisel release with keyring definitions. Keyrings are defined in ASCII armored format in the top-level public-keys property by name. Keyrings are referenced by name in the public-keys list property in archive definitions. An example of the extended chisel release file is at the bottom. This commit uses the newly added github.com/ProtonMail/go-crypto/openpgp package dependency[1]. This package is a maintained fork of the deprecated golang.org/x/crypto/openpgp package[2][3]. [1] https://github.com/ProtonMail/go-crypto [2] https://pkg.go.dev/golang.org/x/crypto/openpgp [3] https://golang.org/issue/44226 Example chisel.yaml: format: chisel-v1 archives: ubuntu: version: 22.04 components: [main, universe] suites: [jammy, jammy-updates, jammy-security] public-keys: [ubuntu] ubuntu-fips: version: 22.04 pro: fips components: [main] suites: [jammy] public-keys: [ubuntu-fips] public-keys: ubuntu: | -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFzZxGABEADSWmX0+K//0cosKPyr5m1ewmwWKjRo/KBPTyR8icHhbBWfFd8T DtYggvQHPU0YnKRcWits0et8JqSgZttNa28s7SaSUTBzfgzFJZgULAi/4i8u8TUj +KH2zSoUX55NKC9aozba1cR66jM6O/BHXK5YoZzTpmiY1AHlIWAJ9s6cCClhnYMR ... E+SWDGxtgwixyPziL56UavL/eeYJWeS/WqvGzZzsAtgSujFVLKWyUaRi0NvYW3h/ I50Tzj0Pkm8GtgvP2UqAWvy+iRpeUQ2ji0Nc =j6+P -----END PGP PUBLIC KEY BLOCK----- ubuntu-fips: | -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBE+tgXgBEADfiL1KNFHT4H4Dw0OR9LemR8ebsFl+b9E44IpGhgWYDufj0gaM /UJ1Ti3bHfRT39VVZ6cv1P4mQy0bnAKFbYz/wo+GhzjBWtn6dThYv7n+KL8bptSC Xgg1a6en8dCCIA/pwtS2Ut/g4Eu6Z467dvYNlMgCqvg+prKIrXf5ibio48j3AFvd ... mguPI1KLfnVnXnsT5JYMbG2DCLHI/OIvnpRq8v955glZ5L9aq8bNnOwC2BK6MVUs pbJRpGLQ29hbeH8jnRPOPQ+Sbwa2C8/ZSoBa/L6JGl5RDaOLQ1w= =6Bkw -----END PGP PUBLIC KEY BLOCK-----
woky
added a commit
to canonical/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to canonical/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
This was referenced Oct 20, 2023
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
woky
added a commit
to woky/chisel-releases
that referenced
this pull request
Oct 20, 2023
This commit adds Ubuntu archive signing keys.
The keyring was obtained by running the following command on Ubuntu jammy:
gpg --no-default-keyring \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg \
--export --armor
This commit depends on Chisel support for OpenPGP keyrings. This
feature is currently under review[1].
[1] canonical/chisel#100
Indeed. I've split the commit that adds signature verification into #102. That way, this PR can be merged with CI checks passed. Then, after keyrings are merged into chisel-releases (see the PRs), #102 can be merged. |
niemeyer
approved these changes
Oct 20, 2023
rebornplusplus
added a commit
to rebornplusplus/chisel
that referenced
this pull request
Dec 1, 2023
This reverts commit 6bf6d46.
letFunny
pushed a commit
to letFunny/chisel
that referenced
this pull request
Dec 11, 2023
This reverts commit 6bf6d46.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support OpenPGP keyrings in release
This commit extends the chisel release with keyring definitions.
Keyrings are defined in ASCII armored format in the top-level
public-keys property by name. Keyrings are referenced by name in the
public-keys list property in archive definitions. An example of the
extended chisel release file is at the bottom.
This commit uses the newly added github.com/ProtonMail/go-crypto/openpgp
package dependency[1]. This package is a maintained fork of the
deprecated golang.org/x/crypto/openpgp package[2][3].
[1] https://github.com/ProtonMail/go-crypto
[2] https://pkg.go.dev/golang.org/x/crypto/openpgp
[3] https://golang.org/issue/44226
Example chisel.yaml: