Closed woky closed 9 months ago
This PR depends on #100
The CI will pass once chisel-releases contains valid Ubuntu keyrings. The PRs in chisel-releases are: https://github.com/canonical/chisel-releases/pulls?q=is%3Apr+is%3Aopen+%22Add+Ubuntu+archive+signing+keys%22+in%3Atitle
Unfortunately, it appears that `clearsign.Block` is stateful (it uses an `io.Reader` for `Body`), so running `block.VerifySignature()` for the second time will read an empty body, and hence the signature will be invalid. So if the first keyring fails to verify the signature, the remaining keyrings will fail too. I'm going to fix that and add a test for that. Converted to draft for now.
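The failure described above, as an added example that is not part of this PR or of chisel's code: a block whose signature is reachable only through an `io.Reader`, the naive per-key loop that drains it on the first attempt, and the fix of reading the signature bytes once before trying each key. Standard-library ed25519 stands in for OpenPGP verification so the example runs offline; the `Block`, `verifyAnyNaive`, `verifyAnyFixed` and `Demo` names are mine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"io"
)
// Stand-in for the clearsign block: the signature is only an io.Reader (ed25519 replaces OpenPGP).
type Block struct {
	Bytes         []byte
	SignatureBody io.Reader
}
// Like the original VerifySignature: consumes SignatureBody on every call.
func (b *Block) VerifySignature(pub ed25519.PublicKey) error {
	sig, err := io.ReadAll(b.SignatureBody)
	if err == nil && !ed25519.Verify(pub, b.Bytes, sig) {
		err = errors.New("invalid signature")
	}
	return err
}
// Buggy: the second call reads an empty body, so no key after the first can verify.
func verifyAnyNaive(b *Block, keys []ed25519.PublicKey) bool {
	for _, k := range keys {
		if b.VerifySignature(k) == nil {
			return true
		}
	}
	return false
}
// Fixed: read the signature bytes once, then check every key against that copy.
func verifyAnyFixed(b *Block, keys []ed25519.PublicKey) bool {
	sig, err := io.ReadAll(b.SignatureBody)
	for _, k := range keys {
		if err == nil && ed25519.Verify(k, b.Bytes, sig) {
			return true
		}
	}
	return false
}
// Demo signs constructed Release-like text and lists the wrong key first.
func Demo() (bool, bool) {
	wrongPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rightPub, rightPriv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("Origin: Ubuntu\nSuite: jammy\n")
	sig, keys := ed25519.Sign(rightPriv, msg), []ed25519.PublicKey{wrongPub, rightPub}
	return verifyAnyNaive(&Block{msg, bytes.NewReader(sig)}, keys),
		verifyAnyFixed(&Block{msg, bytes.NewReader(sig)}, keys)
}
```

`Demo` returns `false, true`: the naive loop never reaches a usable signature for the second key, while the buffered loop verifies it.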
I've fixed the issue. Variables/functions/comments/messages are updated to refer to "public keys" instead of keyrings. I retained the `openpgp.Keyring` type. See my comment about it here please: https://github.com/canonical/chisel/pull/102#discussion_r1370818724
This commit builds on the previous commit that introduces support for OpenPGP keyrings to verify signatures of archive release files. Previously, we used the Release file of each configured suite. With this commit, we fetch the InRelease file instead. This file is in clearsign format[1] and contains the Release file and its signature[2].
[1] https://www.gnupg.org/gph/en/manual/x135.html
[2] https://www.chiark.greenend.org.uk/~cjwatson/blog/no-more-hash-sum-mismatch-errors.html