Support gpg signatures (copied from in-toto project) #163
Conversation
|
@danixeee, thanks for your PR! It would be good to know the in-toto commit id at which you copied the gpg subpackage. It seems like it was pre-in-toto/in-toto@4830a3a, which fixed minor packet parsing bugs and added support for new format lengths (see in-toto/in-toto#255) Please also take notice of two further gpg related PRs that are still under active development in-toto/in-toto#245 and in-toto/in-toto#257. |
|
@lukpueh Thank you for a quick response. Last commit that I pulled is in-toto/in-toto@32ec88b, so, yes, it was before those fixes. Do you recommend waiting for those PRs to get merged and then to update the all changes on securesystemslib's side? Also, do you have an estimated timeline for those PRs? NOTE: I needed to change |
|
I'd at least pull in the bug fixes from in-toto/in-toto#255. As for the other PRs, I'd pause here until they are merged, but they still need some work, so it depends on how urgently we want gpg in Note that especially in-toto/in-toto#257 brings up a couple of further issues (see Caveats/TODOs in the PR description, and one of @aaaaalbert's review comments). I would like to at least tackle the "proper testing" todo item over in the in-toto repo. But I'm open for ticketizing and working off the other issues here. Regarding |
|
@lukpueh That's fine, let's drop 3.4 |
danixeee
force-pushed
the
danixeee/integrate-gpg-from-in-toto
branch
2 times, most recently
from
842e729
to
6a6aa9e
Compare
|
I have added the latest changes from in-toto which are related to GPG code (32ec88b...ab1e904) and removed python 3.4 from @lukpueh CI failed because test coverage dropped to 99% (on my local PC is 100%, not sure what is the difference), so, do we need more tests or we should skip coverage for that part? |
|
Oh yes, that's due to a I meant to add a test in in-toto/in-toto#257 or a follow-up PR. But I'd of course appreciate help. :) Note that it might be a bit tricky to test, because those lines are only touched if a signature carries subpacket 33 (Issuer Fingerprint), which is not part of RFC4880 (but is mentioned in its update draft since RFC488-bis-01). I haven't checked yet which implementations have adopted it. I have also considered to manually craft test signature data for |
renatav
force-pushed
the
danixeee/integrate-gpg-from-in-toto
branch
from
739ea07
to
184d4e7
Compare
danixeee
force-pushed
the
danixeee/integrate-gpg-from-in-toto
branch
from
4e1f75a
to
184d4e7
Compare
danixeee
force-pushed
the
danixeee/integrate-gpg-from-in-toto
branch
from
184d4e7
to
56bbc48
Compare
|
@lukpueh I would love to help, but I am not an expert on this subject. :) |
|
@danixeee, sorry for my late reply! GPG self-signature verification has been reviewed and merged with in-toto/in-toto#257. That PR also removes a bunch of I also just wrapped up key expiration parsing (from verified self-signatures) and verification. The PR can be found at in-toto/in-toto#266. Once that's reviewed (feel free to leave comments) and merged over there, I'd say we move everything over here, including related issues/feature requests such as in-toto/in-toto#263 and in-toto/in-toto#126. |
|
Closing here in favor of #174. Thanks for leading the initiative, @danixeee! :) Note that I didn't adapt ANY_SIGNATURE_SCHEMA = securesystemslib.schema.OneOf([
securesysemslib.formats.SIGNATURE_SCHEMA,
securesysemslib.formats.GPG_SIGNATURE_SCHEMA,
])Also, I suspect you will have to do something similar for |
This PR relates to #55. I have mostly just copied and modified (where needed) gpg signing implementation from in-toto project and kept it in separate module. Relevant tests are also added with some new ones to increase test coverage to 100%.
I have slightly changed SIGNATURE_SCHEMA in order to support adding gpg signatures with append_signature function to TUF metadata.
I need some directions, do we want gpg as a separate module, or
gpg/formats.pyshould be added to existingformats.py, etc. ?