signer: During close, lookup correct root keys

jku / repository-playground

Community artifact repository workflow experiments

Other

7 stars 4 forks source link

signer: During close, lookup correct root keys #104

Closed jku closed 1 year ago

jku commented 1 year ago

root is a special case since the signing keys are stored in root itself: we should be using both new and old keys in that case

The final PR ended up changing the signing and closing:

when roles are saved with SignerRepository.close() they are no longer signed even if keys are available
those roles are added to the unsigned list
after delegation changes (also after accepting an invite), all unsigned roles are explicitly signed

Comment below lists some advantages of this.

Fixes #103

Issues:

There is no test yet: #106
There is a related issue: if you run playground-sign to sign a change where your key has been removed from root, it probably won't notice you should sign: _user_signature_needed() should handle the special case of root (and check keys from the known good version as well): #107

jku commented 1 year ago

Still thinking about the cleanest implementation here. There are three possible sources of keys:

the keys in un-saved metadata we are signing
the keys defined in current signing event
the keys defined in known-good metadata (i.e. main branch)

The interesting thing is that

in non-root case we want to sign with case 2 (if targets keys have changed in this signing event we want to sign targets with those keys).
in root case we want to sign with 1 and 3 instead!

Case 1 would merge to case 2 if we did not do automated signing in close and instead required explicit signing. This seems to make more and more sense

jku commented 1 year ago

I have rewritten this PR:

don't sign at all during RepositorySigner.close(), just keep track of whether we need to sign or not
explicitly sign in the end of playground-delegate

This still requires keeping track of the different key sets but has some nice side effects:

no longer needed to sign multiple times (this is why expected results change)
once the playground-sign output is improved, these improvements also apply to playground-delegate
easier to follow when signing happens
signing is now always a separate commit

I've filed a new issue for the extra test

jku commented 1 year ago

An alternative to tracking the "unsigned" state while doing the metadata modifications would be to not do that and instead run _user_signature_needed() just before signing... this would likely be the simplest result but I think I'll leave that for future refactoring (since that means SignerRepository state tracking changes)