Verify default bundles downloaded from mirror.openshift.com #3605
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anjannath
force-pushed
the
issue_3493
branch
2 times, most recently
from
a156222
to
a0ffa1c
Compare
cfergeau
reviewed
Apr 27, 2023
| return "", fmt.Errorf("Invalid signature: %w", err) | ||
| } | ||
| logging.Debugf("Got valid signature from key id: %s", id.PrimaryKey.KeyIdString()) | ||
| return trimEachLine(string(clearTextMsg)), nil |
There was a problem hiding this comment.
return canonicalizedMsgText, nil maybe?
There was a problem hiding this comment.
canonicalizedMsgText will have \r\n line endings
it feels a bit easier to deal with lines ending in \n especially in the unit test
it adds GetVerifiedClearsignedMsgV3() which returns clear text msg and no error if the signature is valid for the supplied pubkey this uses the golang.org/x/crypto/openpgp library as the maintained fork of it that is previously used doesn't support the old v3 signs the other fork of x/crypto at github.com/keybase/go-crypto has less active contributions
this adds getVerifiedDefaultBundleHash() which downloads the signed sha256sum.txt file from mirror.openshift.com and verifies that it's signed with the redhat release key2, then from the verified hashes it returns the hash for the default bundle
this removes the hardcoded hashes for each bundle and instead directly gets the bundle hash from the sha256sum.txt.sig file at mirror.openshift.com by using the helper from the previous commit which returns gpg verified hash for the default bundle
|
/test e2e-crc |
praveenkumar
approved these changes
May 5, 2023
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: praveenkumar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #3493