canonical / chisel

GNU Affero General Public License v3.0

Support OpenPGP keyrings in release #100

Status: closed (woky closed this pull request 9 months ago)

woky commented 9 months ago

Support OpenPGP keyrings in release

This commit extends the chisel release with keyring definitions. Keyrings are defined in ASCII armored format in the top-level public-keys property by name. Keyrings are referenced by name in the public-keys list property in archive definitions. An example of the extended chisel release file is at the bottom.

This commit uses the newly added github.com/ProtonMail/go-crypto/openpgp package dependency[1]. This package is a maintained fork of the deprecated golang.org/x/crypto/openpgp package[2][3].

[1] https://github.com/ProtonMail/go-crypto
[2] https://pkg.go.dev/golang.org/x/crypto/openpgp
[3] https://golang.org/issue/44226

Example chisel.yaml:

  format: chisel-v1
  archives:
    ubuntu:
      version: 22.04
      components: [main, universe]
      suites: [jammy, jammy-updates, jammy-security]
      public-keys: [ubuntu]
    ubuntu-fips:
      version: 22.04
      pro: fips
      components: [main]
      suites: [jammy]
      public-keys: [ubuntu-fips]
  public-keys:
    ubuntu: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----

      mQINBFzZxGABEADSWmX0+K//0cosKPyr5m1ewmwWKjRo/KBPTyR8icHhbBWfFd8T
      DtYggvQHPU0YnKRcWits0et8JqSgZttNa28s7SaSUTBzfgzFJZgULAi/4i8u8TUj
      +KH2zSoUX55NKC9aozba1cR66jM6O/BHXK5YoZzTpmiY1AHlIWAJ9s6cCClhnYMR
      ...
      E+SWDGxtgwixyPziL56UavL/eeYJWeS/WqvGzZzsAtgSujFVLKWyUaRi0NvYW3h/
      I50Tzj0Pkm8GtgvP2UqAWvy+iRpeUQ2ji0Nc
      =j6+P
      -----END PGP PUBLIC KEY BLOCK-----
    ubuntu-fips: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----

      mQINBE+tgXgBEADfiL1KNFHT4H4Dw0OR9LemR8ebsFl+b9E44IpGhgWYDufj0gaM
      /UJ1Ti3bHfRT39VVZ6cv1P4mQy0bnAKFbYz/wo+GhzjBWtn6dThYv7n+KL8bptSC
      Xgg1a6en8dCCIA/pwtS2Ut/g4Eu6Z467dvYNlMgCqvg+prKIrXf5ibio48j3AFvd
      ...
      mguPI1KLfnVnXnsT5JYMbG2DCLHI/OIvnpRq8v955glZ5L9aq8bNnOwC2BK6MVUs
      pbJRpGLQ29hbeH8jnRPOPQ+Sbwa2C8/ZSoBa/L6JGl5RDaOLQ1w=
      =6Bkw
      -----END PGP PUBLIC KEY BLOCK-----
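
As an added example that is not part of this PR or of the chisel code base: the format-level checks a release loader would want before handing a keyring to the openpgp package, written in Python rather than the project's Go, and assuming the chisel.yaml above has already been parsed into a dict of the same shape. It checks each armored block's BEGIN/END lines, its CRC-24 trailer (RFC 4880 section 6.1) and that the first packet is a Public-Key packet, then checks that every `public-keys` reference in an archive resolves to a defined key; the function names and the sample key bytes are constructed for this example.

```python
import base64
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:  # OpenPGP armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(raw: bytes) -> str:  # wrap packet bytes in a PUBLIC KEY BLOCK with its CRC-24 trailer
    body = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + [body[i:i + 64] for i in range(0, len(body), 64)] + ["=" + crc, END])

def dearmor(text: str) -> bytes:  # verify armor lines + CRC-24, require a Public-Key packet (tag 6) first
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP PUBLIC KEY BLOCK")
    body = "".join(l for l in lines[1:-1] if l and ":" not in l and not l.startswith("="))  # skip blank/"Version:"/"=crc"
    crc = next((l[1:] for l in lines[1:-1] if l.startswith("=")), None)
    raw = base64.b64decode(body, validate=True)
    if crc is None or base64.b64decode(crc) != crc24(raw).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: key block is corrupted or was tampered with")
    hdr = raw[0] if raw else 0
    tag = hdr & 0x3F if hdr & 0x40 else (hdr >> 2) & 0x0F  # new-format vs old-format packet header
    if not hdr & 0x80 or tag != 6:  # the keys above begin "mQIN": 0x99 is an old-format tag-6 header
        raise ValueError(f"first packet has tag {tag}, expected Public-Key packet (6)")
    return raw

def validate_release(release: dict) -> list:  # returns problems; empty means every reference resolves
    problems, keys = [], release.get("public-keys") or {}
    for name, text in keys.items():
        try:
            dearmor(text)
        except ValueError as e:
            problems.append(f"public-keys/{name}: {e}")
    for arch, spec in (release.get("archives") or {}).items():
        for ref in spec.get("public-keys") or []:
            if ref not in keys:
                problems.append(f"archives/{arch}: public key {ref!r} is not defined")
    return problems

# Constructed sample (not a real key): old-format Public-Key packet header 0x99, two-octet length 1, body 0x04.
SAMPLE_RAW = bytes([0x99, 0x00, 0x01, 0x04])
SAMPLE_RELEASE = {"public-keys": {"ubuntu": armor(SAMPLE_RAW)},  # ubuntu-fips is referenced but never defined
                  "archives": {"ubuntu": {"public-keys": ["ubuntu"]}, "ubuntu-fips": {"public-keys": ["ubuntu-fips"]}}}
```

Running `validate_release(SAMPLE_RELEASE)` reports the dangling `ubuntu-fips` reference; a single changed base64 character in a key block is caught by the CRC-24 check before any packet is parsed.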

woky commented 9 months ago

> The tests are failing because we are missing the keys in the chisel-releases' chisel.yaml file right?

Indeed. I've split the commit that adds signature verification into #102. That way, this PR can be merged with CI checks passed. Then, after keyrings are merged into chisel-releases (see the PRs), #102 can be merged.