canonical / chisel

GNU Affero General Public License v3.0

feat: integrity checks for Ubuntu Release files #106

Closed letFunny closed 8 months ago

letFunny commented 10 months ago

Chisel will download InRelease files instead of Release files, the former being the signed version of the latter. For each archive and its components/suites, the signature in the InRelease file will be verified against the public keys associated with that archive.

These public keys will be stored in the chisel-release chisel.yaml file, as a new top-level property called public-keys. Keys themselves will be stored in ASCII armored format together with their key id. Lastly, the archive definition will reference these public keys by name.

Example chisel.yaml:

    format: chisel-v1
    archives:
      ubuntu:
        version: 22.04
        components: [main, universe]
        suites: [jammy, jammy-updates, jammy-security]
        public-keys: [ubuntu]

    public-keys:
      ubuntu:
        id: C2B15A6A7FCD95FD
        armor: |
          -----BEGIN PGP PUBLIC KEY BLOCK-----

          mQINBFzZxGABEADSWmX0+K//0cosKPyr5m1ewmwWKjRo/KBPTyR8icHhbBWfFd8T
          DtYggvQHPU0YnKRcWits0et8JqSgZttNa28s7SaSUTBzfgzFJZgULAi/4i8u8TUj
          +KH2zSoUX55NKC9aozba1cR66jM6O/BHXK5YoZzTpmiY1AHlIWAJ9s6cCClhnYMR
          ...
          E+SWDGxtgwixyPziL56UavL/eeYJWeS/WqvGzZzsAtgSujFVLKWyUaRi0NvYW3h/
          I50Tzj0Pkm8GtgvP2UqAWvy+iRpeUQ2ji0Nc
          =j6+P
          -----END PGP PUBLIC KEY BLOCK-----

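
The `id` / `armor` pairing in the `public-keys` section invites a consistency check before a release is published: dearmor the key, derive its key id from the v4 fingerprint, and compare it with the declared `id`, so a typo or a swapped key block is caught by CI rather than by a failed InRelease verification in the field. The Go program below is an added example written for this page; it is not chisel's code and not part of this PR. To run offline it constructs a synthetic v4 RSA key packet (not a real key, and the `0x5CD9C460` creation time is just a filler value) and armors it the way the chisel.yaml example is. It assumes the armored key is a v4 key stored as an old-format packet with a two-byte length (header byte `0x99`), which is what GnuPG exports for RSA archive keys; other packet shapes are rejected rather than guessed at. The CRC24 trailer is verified when present, but note that it only detects transport corruption; the security check is the InRelease signature verification the key is later used for, which needs a full OpenPGP implementation and is not reproduced here.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// crc24 is the OpenPGP armor checksum (RFC 4880, section 6.1).
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			if crc <<= 1; crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// armorCRC is the base64 of crc24(data): the text after "=" on an armor's trailer line.
func armorCRC(data []byte) string {
	c := crc24(data)
	return base64.StdEncoding.EncodeToString([]byte{byte(c >> 16), byte(c >> 8), byte(c)})
}

// Dearmor strips a PGP PUBLIC KEY BLOCK armor (the chisel.yaml "armor" field) and checks
// the CRC24 trailer when present. The CRC only catches transport corruption; the security
// check is the InRelease signature verification the key is later used for.
func Dearmor(armor string) ([]byte, error) {
	var b64, checksum string
	var inBlock, inData bool
	for _, line := range strings.Split(armor, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(line, "-----"):
			inBlock = line == "-----BEGIN PGP PUBLIC KEY BLOCK-----"
		case !inBlock: // ignore anything outside the block
		case !inData:
			inData = line == "" // the blank line ends the armor headers
		case strings.HasPrefix(line, "="):
			checksum = line[1:]
		default:
			b64 += line // data lines are 64 columns each; concatenate before decoding
		}
	}
	data, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(data) == 0 {
		return nil, fmt.Errorf("armor: no decodable key data")
	}
	if checksum != "" && checksum != armorCRC(data) {
		return nil, fmt.Errorf("armor: CRC24 mismatch, computed %s, trailer says %s", armorCRC(data), checksum)
	}
	return data, nil
}

// KeyID reads the leading packet, which must be a v4 public key packet with the old-format
// two-byte-length header 0x99 (what GnuPG emits for RSA keys), and returns the 64-bit key id:
// the low 8 bytes of the v4 fingerprint, SHA-1 over 0x99, the two-byte length and the body
// (RFC 4880, section 12.2), which is exactly the stored packet bytes.
func KeyID(data []byte) (string, error) {
	if len(data) < 4 || data[0] != 0x99 || data[3] != 4 {
		return "", fmt.Errorf("packet: not a v4 public key packet with a two-byte length")
	}
	bodyLen := int(data[1])<<8 | int(data[2])
	if bodyLen < 6 || len(data) < 3+bodyLen {
		return "", fmt.Errorf("packet: truncated (declared body %d bytes)", bodyLen)
	}
	fp := sha1.Sum(data[:3+bodyLen])
	return strings.ToUpper(hex.EncodeToString(fp[12:])), nil
}

// CheckDeclaredID is the check to run over each public-keys entry: the id written next to
// the armor must be the key's own, or a typo or swapped key goes unnoticed until
// InRelease verification fails in the field.
func CheckDeclaredID(declared, armor string) error {
	data, err := Dearmor(armor)
	if err != nil {
		return err
	}
	id, err := KeyID(data)
	if err == nil && !strings.EqualFold(declared, id) {
		return fmt.Errorf("declared id %s does not match key id %s", declared, id)
	}
	return err
}

// ArmorTestKey builds a constructed v4 RSA public key packet and armors it the way the
// chisel.yaml example is. The modulus is an arbitrary constant, NOT a real key; it only
// exercises the packet and armor format so that the block runs offline.
func ArmorTestKey() string {
	mpi := func(x *big.Int) []byte { return append([]byte{byte(x.BitLen() >> 8), byte(x.BitLen())}, x.Bytes()...) }
	n, _ := new(big.Int).SetString("C0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789", 16)
	body := append([]byte{4, 0x5C, 0xD9, 0xC4, 0x60, 1}, mpi(n)...) // version 4, creation time, algo 1 = RSA
	body = append(body, mpi(big.NewInt(65537))...)
	pkt := append([]byte{0x99, byte(len(body) >> 8), byte(len(body))}, body...)
	return strings.Join([]string{"-----BEGIN PGP PUBLIC KEY BLOCK-----", "",
		base64.StdEncoding.EncodeToString(pkt), "=" + armorCRC(pkt), "-----END PGP PUBLIC KEY BLOCK-----"}, "\n") + "\n"
}
```

`CheckDeclaredID(id, armor)` is the call to run over every `public-keys` entry of a release. Because the fingerprint input is literally the `0x99` header plus the two-byte length plus the body, the packet bytes can be hashed as stored; a one-byte-length header (`0x98`, only for bodies under 256 bytes, i.e. keys too small to be in use) or a v5/v6 key would need different handling and is rejected here on purpose.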
letFunny commented 10 months ago

The spread test is failing as expected because chisel-releases only has the v1 format at the moment. The error in the CI run is (link):

    error: chisel.yaml: expected format "chisel-v2", got "chisel-v1"

letFunny commented 10 months ago

Agree, those updates are currently in progress as far as I know.

cjdcordeiro commented 9 months ago

Once approved and before merging, please wait for the corresponding chisel-releases PRs to be merged so that we can re-run the Spread tests

letFunny commented 9 months ago

@cjdcordeiro Sure it just caught me by surprise because that was not the plan last time we discussed. I will amend the PRs and timelines to match the new direction.

cjdcordeiro commented 9 months ago

> @cjdcordeiro Sure it just caught me by surprise because that was not the plan last time we discussed. I will amend the PRs and timelines to match the new direction.

Yeah, sorry about that @letFunny. I think only #106 would need to be amended though.

cjdcordeiro commented 9 months ago

FYI: note the updated comment above (https://github.com/canonical/chisel/pull/106#pullrequestreview-1782027147) - we shall update the chisel-releases format to v1 instead of chisel-v2. This will still create the desired disruption while making the versioning terminology clearer between the chisel-releases "format" and chisel tool releases.

letFunny commented 8 months ago

According to the new plan:

  1. In this PR change the yaml key to v1-public-keys while the format remains chisel-v1.
  2. Wait until chisel-releases has the new format.
  3. Uncomment the tests and merge this one.
  4. Create a new PR that supports both formats chisel-v1 and v1 where the difference is that v1-public-keys becomes public-keys.
  5. After the latter PR is merged we can tag version v0.9.0 which supports both formats.
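
Steps 1 and 4 of that plan amount to one loader that accepts both layouts and keys the field name off the declared format. The Go program below is an added example written for this page, not chisel's own loader. To stay dependency-free it works on a chisel.yaml that has already been decoded into generic maps (the shape `yaml.Unmarshal` into `map[string]any` produces), and it assumes that the renamed field applies both to the top-level section and to the per-archive reference list, a detail the thread does not pin down. The unknown-format error deliberately has the same shape as the CI failure quoted earlier in the thread. Beyond the rename, the loader refuses the other format's field name instead of ignoring it, so a release written for the wrong format fails loudly rather than loading with no trusted keys, and it checks that every archive reference names a defined key.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Release is the subset of a parsed chisel.yaml this example cares about.
type Release struct {
	Format      string
	ArchiveKeys map[string][]string // archive name -> names of the public keys it trusts
	PublicKeys  map[string]string   // public key name -> declared key id, upper-case hex
}

// keysField maps a release format to the field that carries keys: the transitional
// chisel-v1 layout uses "v1-public-keys", the v1 layout plain "public-keys".
func keysField(format string) (string, error) {
	switch format {
	case "chisel-v1":
		return "v1-public-keys", nil
	case "v1":
		return "public-keys", nil
	}
	return "", fmt.Errorf(`chisel.yaml: expected format "chisel-v1" or "v1", got %q`, format)
}

// rejectOtherField fails when m carries the keys field of the other format, so a
// release written for the wrong format errors out instead of silently having no keys.
func rejectOtherField(m map[string]any, field, format string) error {
	for _, other := range []string{"public-keys", "v1-public-keys"} {
		if _, present := m[other]; present && other != field {
			return fmt.Errorf("field %q is not valid in format %q", other, format)
		}
	}
	return nil
}

// LoadRelease takes a chisel.yaml already decoded into generic maps (the shape
// yaml.Unmarshal into map[string]any gives) and returns the key wiring for the
// detected format, checking that every archive reference names a defined key.
func LoadRelease(doc map[string]any) (*Release, error) {
	format, _ := doc["format"].(string)
	field, err := keysField(format)
	if err != nil {
		return nil, err
	}
	if err := rejectOtherField(doc, field, format); err != nil {
		return nil, fmt.Errorf("chisel.yaml: %w", err)
	}
	rel := &Release{Format: format, ArchiveKeys: map[string][]string{}, PublicKeys: map[string]string{}}
	keys, _ := doc[field].(map[string]any)
	for name, v := range keys {
		entry, _ := v.(map[string]any)
		id, _ := entry["id"].(string)
		if _, err := hex.DecodeString(id); err != nil || len(id) != 16 {
			return nil, fmt.Errorf("chisel.yaml: public key %q: id must be a 16 hex digit long key id", name)
		}
		rel.PublicKeys[name] = strings.ToUpper(id)
	}
	archives, _ := doc["archives"].(map[string]any)
	for name, v := range archives {
		entry, _ := v.(map[string]any)
		if err := rejectOtherField(entry, field, format); err != nil {
			return nil, fmt.Errorf("chisel.yaml: archive %q: %w", name, err)
		}
		refs, _ := entry[field].([]any)
		for _, r := range refs {
			keyName, _ := r.(string)
			if _, ok := rel.PublicKeys[keyName]; !ok {
				return nil, fmt.Errorf("chisel.yaml: archive %q references unknown public key %q", name, keyName)
			}
			rel.ArchiveKeys[name] = append(rel.ArchiveKeys[name], keyName)
		}
	}
	return rel, nil
}
```

Once the v1 format is the only one in use, dropping `chisel-v1` from `keysField` is the whole removal; the rest of the loader is unchanged, which is the point of isolating the rename in one place.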
cjdcordeiro commented 8 months ago

Yeah, agreed. We'll wait for a coming PR with those changes before releasing v0.9.0.