Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authenticate releases using the embedded verification key. #192

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

PiotrSikora
Copy link

Fixes #15.

Signed-off-by: Piotr Sikora piotrsikora@google.com

@PiotrSikora
Copy link
Author

@philwo PTAL

Fixes bazelbuild#15.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
Copy link
Author

Sample output:

2020/10/29 22:54:04 Downloading https://releases.bazel.build/3.7.0/release/bazel-3.7.0-linux-x86_64...
2020/10/29 22:54:06 Signed by Bazel Developer (Bazel APT repository key) <bazel-dev@googlegroups.com>

@philwo
Copy link
Member

philwo commented Nov 9, 2020

Thank you @PiotrSikora! I was on vacation - will look into this PR this week!

@PiotrSikora
Copy link
Author

@philwo friendly ping.

@philwo
Copy link
Member

philwo commented Dec 7, 2020

This looks really nice, thank you! It's great that we don't need to call gnupg to verify the signature and the code is very clean.

The only thing I'm wondering - what will happen when the embedded key expires? In the past this meant we had to extend the key and then everyone had to reimport the extended one into their GnuPG keychain (see https://groups.google.com/g/bazel-discuss/c/XzeKUSkMCDk/m/GiOj6ariEgAJ for some former discussion).

Would it mean that older Bazelisk releases will suddenly fail to fetch Bazel releases until we update the embedded key and users update to a newer version? 🤔

@PiotrSikora
Copy link
Author

The only thing I'm wondering - what will happen when the embedded key expires? In the past this meant we had to extend the key and then everyone had to reimport the extended one into their GnuPG keychain (see https://groups.google.com/g/bazel-discuss/c/XzeKUSkMCDk/m/GiOj6ariEgAJ for some former discussion).

Would it mean that older Bazelisk releases will suddenly fail to fetch Bazel releases until we update the embedded key and users update to a newer version? 🤔

Effectively, yes. They could always update Bazelisk to get the new key, or you could embed multiple public keys and do a rolling update, but that requires knowing the "next" key ahead of time.

A bit longer solution would be to redesign the signing infrastructure to use subkeys for signatures and rotate it periodically (see: https://www.gnupg.org/gph/en/manual/c481.html) and have the primary key without expiration date. It doesn't really serve anybody if the primary signing key is changed every year or two.

@philwo
Copy link
Member

philwo commented Dec 8, 2020

Thanks for the explanation!

Unfortunately we're deep in "I have no idea what I'm actually doing here, except copy & pasting various GnuPG command-lines from the internet and hope they will fix whatever is broken" territory when it comes to our code signing stuff and every time I have to extend the lifetime of the key, I just hope it doesn't break everything. 😬

I'll read up about GnuPG best practices in the next weeks, something I always wanted to do. If it's OK with you, I'd leave this PR open just a bit longer, while I figure out how we want to handle our signing key - from the code and feature side, this is very much great and ready to merge imho :) Thank you for this!

@PiotrSikora
Copy link
Author

Yeah, no rush.

@PiotrSikora
Copy link
Author

@philwo friendly ping 😄

@PiotrSikora
Copy link
Author

@philwo ping.

@jlisee
Copy link

jlisee commented Dec 17, 2021

As independent verification I rebased this patch against v.11.0 and it works:

2021/12/17 21:45:09 Downloading https://releases.bazel.build/4.2.2/rc1/bazel-4.2.2rc1-linux-x86_64...                                                                                                                                                                                                                         
2021/12/17 21:45:10 Signed by Bazel Developer (Bazel APT repository key) <bazel-dev@googlegroups.com>

The only real change was getClient().Get(signatureURL) to get(signatureUrl, "").

…signature

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
Copy link
Author

@philwo @fweikert could you take a look at this?

}

if len(keys) != 1 {
return "", fmt.Errorf("failed to load the embedded Verification Key")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for putting this together, @PiotrSikora! We'd love to leverage this too.

Three ideas for handling an expired embedded key:

  1. Add an error message on failure (bonus points for specifically looking if the key is expir,ed) pointing users to look for a new release since the embedded verification key may be expired.
  2. Add a --no-verify flag to skip verification entirely 😅
  3. Add a --verification-signature-file flag as a "break glass" method to use a different key, which folks can use to pull from a fork.

Before adding those workarounds, it'd likely be better to avoid the complexity if possible! If there's anyone who won't be able to upgrade bazelisk to get a new key, it'd be great to hear about that use case! The only actual caveat I can think of is remembering to upgrade this tool every N years with the new key, but that's well worth the tradeoff to me! 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Signature verification support
4 participants