feat: validate gpg key against existing list of providers #1423

Draft: wants to merge 23 commits into base: main

@diofeher (Member) commented Jan 4, 2025

Closes #356

Depends on opentofu/libregistry#47

Code based on @cam72cam's work

Description

This code is used to verify whether the key provided by the user is really signing the packages they meant to be signing. There were multiple instances where users provided wrong keys and commits then had to be reverted in order to provide the right signing key.

Failing signature: [screenshot, 2025-01-10]

Working signature: [screenshot, 2025-01-10]

Signed-off-by: Diogenes Fernandes <[email protected]>
@diofeher diofeher changed the title feat: add initial code for checkers feat: validate gpg key against existing list of providers Jan 4, 2025
@diofeher diofeher marked this pull request as ready for review January 10, 2025 15:55
@abstractionfactory (Contributor)

Thanks @diofeher I'm out for the weekend, I'll review first thing on Monday!

@abstractionfactory abstractionfactory self-assigned this Jan 10, 2025
@diofeher diofeher force-pushed the validate-opentofu-keys branch from 23175ab to ed6662e Compare January 10, 2025 16:02
@diofeher (Member Author)

Thanks @abstractionfactory, enjoy your weekend!

@abstractionfactory (Contributor) left a comment

Thank you for your work @diofeher !

Review threads (outdated, resolved):
- src/cmd/verify-gpg-key/main.go
- src/cmd/verify-gpg-key/verify-key-in-providers.go
- src/cmd/verify-gpg-key/verify-key-in-providers.go
@abstractionfactory (Contributor) left a comment

Looks good, I'd like someone else familiar with the registry to also take a look.

@diofeher diofeher requested review from cam72cam and ollevche January 25, 2025 18:15
@diofeher diofeher requested a review from cam72cam January 29, 2025 12:39
@abstractionfactory abstractionfactory marked this pull request as draft January 30, 2025 10:54
@abstractionfactory (Contributor)

Moving back to draft since the PR in libregistry isn't merged yet. We will review this PR fully once the libregistry one is merged.

Successfully merging this pull request may close these issues.

Validate uploaded GPG keys against providers