buildstream-migration / bst-staging

GNU Lesser General Public License v2.1

Implement verification of sources signed with GPG/PGP keys #900

Open Cynical-Optimist opened 4 years ago

Cynical-Optimist commented 4 years ago

See original issue on GitLab. In GitLab by [Gitlab user @ghost1] on Feb 7, 2019, 22:09

Background

Currently buildstream checks the hash of downloaded files/git commits, which guarantees integrity, but doesn't verify cryptographic signatures (if upstream provides them), which would guarantee authenticity and thus harden the security of the software supply chain.

Task description

This can be solved by adding new (optional) variables to all kinds of sources:

  1. path to the signature file
  2. fingerprint(s) of the public key(s) which were used to sign the source - those key(s) (and only those) will be trusted for a given source
  3. path(s) to upstream public key(s) (local or remote)

Not all of the above may be applicable to all kinds, e.g. 1. wouldn't be applicable to git. The upstream public key (matching the fingerprint) should be either downloaded automatically from public keyservers or obtained from the provided path.

Acceptance Criteria

It's possible to verify source authenticity with cryptographic signatures in buildstream.
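An added example (not BuildStream code and not part of the issue) of the check task item 2 asks for: only a signature made by one of the pinned fingerprints is accepted, read from gpg's `--status-fd` output. The status lines, key ids and fingerprints are constructed for illustration; `gpg_verify_command` assembles the `gpg` invocation but does not run it.

```python
"""Fingerprint-pinned GPG signature check (added example, not BuildStream code)."""
import re
from typing import Iterable

# gpg --status-fd lines look like "[GNUPG:] KEYWORD args...".
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# Status keywords after which the signature must not be accepted.
_REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

def gpg_verify_command(sig_path: str, data_path: str, keyring_path: str) -> list:
    """gpg invocation that consults only the supplied upstream keyring (task
    item 3) and writes machine-readable status lines to stdout."""
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
            "--status-fd", "1", "--verify", sig_path, data_path]

def _normalize(fpr: str) -> str:
    return fpr.replace(" ", "").upper()

def signature_is_trusted(status_lines: Iterable[str], pinned: Iterable[str]) -> bool:
    """True only if gpg reported GOODSIG and the signing key (or its primary
    key) is one of the pinned fingerprints (task item 2). A good signature
    from any other key in the keyring is rejected: "those key(s) (and only those)"."""
    wanted = {_normalize(f) for f in pinned}
    good, seen = False, set()
    for line in status_lines:
        m = _STATUS.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in _REJECT:
            return False
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 1: fingerprint of the signing (sub)key; field 10, when
            # present: fingerprint of its primary key. Either may be pinned.
            seen.add(_normalize(args[0]))
            if len(args) >= 10:
                seen.add(_normalize(args[9]))
    return good and bool(seen & wanted)

# Constructed sample status output (not captured from a real gpg run).
SAMPLE_OK = [
    "[GNUPG:] GOODSIG 2A4A6F7D2F3C1B0E Example Upstream <release@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-02-07 1549576190 0 4 0 1 8 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",  # web of trust irrelevant: trust comes from pinning
]
SAMPLE_BAD = ["[GNUPG:] BADSIG 2A4A6F7D2F3C1B0E Example Upstream <release@example.org>"]
```

The check deliberately ignores gpg's web-of-trust verdict (`TRUST_UNDEFINED` above) and relies on the pinned fingerprints alone, so a key that is merely present in the keyring cannot vouch for a source.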


Cynical-Optimist commented 4 years ago

In GitLab by [Gitlab user @ghost1] on Feb 8, 2019, 10:10

changed the description

Cynical-Optimist commented 4 years ago

In GitLab by [Gitlab user @ghost1] on Feb 8, 2019, 10:11

changed the description