-
Notifications
You must be signed in to change notification settings - Fork 315
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow specifying OpenPGP implementation to use for signing #3094
base: main
Are you sure you want to change the base?
Conversation
88fd737
to
2f5e5db
Compare
2f5e5db
to
c57403e
Compare
I'm curious about hardware tokens. Will those be supported with a unified CLI interface as well? |
c57403e
to
3b88281
Compare
Yes, I actually tested that with my Yubikey and found a couple of issues I fixed. This, of course, depends on the underlying SOP implementation that's used. |
Okay folks, thanks for the great feedback! I need to install the type-checking tools locally not to spam the CI. I'll be back with the adjustments (all valid points! 🙇 ) |
3b88281
to
43a85d8
Compare
5028264
to
49e8075
Compare
49e8075
to
84a0f98
Compare
7de844c
to
efc0a77
Compare
aa13165
to
efc0a77
Compare
9231cb6
to
a949723
Compare
4d22ef7
to
e8a316e
Compare
54b75d1
to
08f4128
Compare
08f4128
to
8f10d7d
Compare
@@ -4562,6 +4569,7 @@ def summary(config: Config) -> str: | |||
Passphrase: {none_to_none(config.passphrase)} | |||
Checksum: {yes_no(config.checksum)} | |||
Sign: {yes_no(config.sign)} | |||
OpenPGP Tool: ({config.openpgp_tool or "gpg"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just so we don't forget: This also needs an entry in the man page.
pytest.skip("Needs `sqop` binary in PATH to perform sop tests.") | ||
with tempfile.TemporaryDirectory() as path, Image(config) as image: | ||
tmp_path = Path(path) | ||
tmp_path.chmod(0o755) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not that it matters a lot in the test, but why does the directory holding the key need to be world readable?
tests/test_signing.py
Outdated
def test_signing_checksums_with_gpg(config: ImageConfig) -> None: | ||
with tempfile.TemporaryDirectory() as path, Image(config) as image: | ||
tmp_path = Path(path) | ||
tmp_path.chmod(0o777) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's really not have a world-writable thing, even in tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issue here is that gpg
during its operation writes temporary files to that directory and since the tests starts as root but then switch user during image.build
the directory must be readable to both root and that temporary build user.
I'll try to minimize the number of chmod
s. With the sop
case the key and cert files need to be just readable by both users but in GPG case it needs writeable access sadly :/
658bcbf
to
63822d2
Compare
This is especially useful when the test fails and it is likely that the `stderr` contains debugging info.
63822d2
to
9662ce7
Compare
Okay, I think I minimized it as much as possible. Removed all dependencies to the point where removing anything else triggers CI failures. One thing that is consistently failing is the opensuse/arch build with a rather peculiar message:
If you have any ideas on what to optimize here I'm all ears. Sadly the GnuPG tests require world-writable dirs (since the dir is setup before the Thanks for your time! 👋 |
Hi 👋
I'm pushing a first preview of SOP signing for SHA256SUMs. I've tested that locally and also added tests for rsop and old gpg (just in case) and will begin to refactor this a bit. Since I'm new to both mkosi and Python I think it's good to get feedback earlier in the process if something looks particularly wrong here.
Note that I've tried to make it as minimal as possible with no nice-to-have adjustments mentioned in #3042.
Fixes: #3042
CC: @dvzrv