Static-delta's superblock signature support #1985
Conversation
|
Hi @fdanis-oss. Thanks for your PR. I'm waiting for a ostreedev member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Can one of the admins verify this patch?
|
|
Hi @cgwalters |
|
☔ The latest upstream changes (presumably 7db7cfc) made this pull request unmergeable. Please resolve the merge conflicts. |
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
from
2eafb69
to
d22a84c
Compare
|
☔ The latest upstream changes (presumably #2041) made this pull request unmergeable. Please resolve the merge conflicts. |
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
from
d22a84c
to
545cc8d
Compare
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
4 times, most recently
from
fcb814a
to
1ce9ee7
Compare
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
2 times, most recently
from
97aaf38
to
2ab7ed5
Compare
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
from
2ab7ed5
to
6ee753e
Compare
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
from
6ee753e
to
abd2960
Compare
|
Hi @cgwalters , can I kindly ask you a review of those commits, please? |
|
Right, this came up before...I'd have to really dig to find it, but I think where we ended up was to say to use signed summary files. The summary file contains a checksum of the deltas (though I'd want to double check all this). There is also ensuring transport integrity - signing is a great "backstop", but I've been pushing "pinned TLS", see e.g. #707 and ... https://pagure.io/fedora-infrastructure/issue/5372 (which links to this thread https://mail.gnome.org/archives/ostree-list/2016-September/msg00015.html ) Is that not sufficient for you? Anything involving "inline" signatures quickly gets into exactly the problem you're talking about and we'd need to carefully review the code. |
|
@cgwalters this is for other use case. In this case the user need to have only a single file |
|
Finally found a correct way to load keys from well-known directories, similar to the signed commit verification. |
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
2 times, most recently
from
22a4a73
to
9265baf
Compare
|
/approve |
|
/ok-to-test |
| @@ -438,13 +446,63 @@ ot_static_delta_builtin_apply_offline (int argc, char **argv, OstreeCommandInvoc | |||
| return FALSE; | |||
| } | |||
|
|
|||
| #if defined(HAVE_LIBSODIUM) | |||
| /* Initialize crypto system */ | |||
| opt_sign_name = opt_sign_name ?: OSTREE_SIGN_NAME_ED25519; | |||
There was a problem hiding this comment.
Hmm...we don't have this default elsewhere I don't think. Is it really necessary? In other code the default comes from the repository configuration or the CLI and that's it.
There was a problem hiding this comment.
This is initialized this way in ostree_builtin_commit(), ostree_builtin_sign() and ostree_builtin_summary().
Iiuc, the default crypto system is only defined in configuration file for remote repositories.
When we try to apply a static delta offline, there's no reference to a remote repository.
|
|
||
| if (!ostree_sign_load_pk (sign, options, error)) | ||
| { | ||
| /* If it fails to load system default public keys, consider there no signature engine */ |
There was a problem hiding this comment.
I really don't like silently masking errors. This is one of the reasons for the refactoring done after the initial signapi landed, see e.g. #2105
Basically if the system is explicitly configured to use e.g. ed25519, then if we somehow fail to load that key, that should be a fatal error.
While the commits contained in the single static-delta file are signed so
we can check them and operate on trusted data, the superblock isn't signed
in any way, so it end up operating on untrusted data to:
1. actually find where the trusted data is, and
2. check whether the update is fit for the current device by looking at
the collection id stored in the metadata
This commit generates signatures of all static data, and concatenate them
to the existing static delta format, i.e. as a GVariant layout `a{sv}ay`
where
- a{sv}: signatures
- ay: existing delta variant
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Add signing ability to "static-delta generate" builtin. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
This retrieves the signatures and pass the static delta block as an array of bytes to ostree_sign_data_verify(). Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Add new "static-delta verify" sub-command. This supports multiple keys to verify the static-delta file. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
This checks if the static delta file is signed or not to be able to correctly get the superblock to apply. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
This checks if the static delta file is signed or not to be able to correctly get the superblock to dump. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Add tests to generate signed deltas and verify them using 'dummy' signature engine. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Add tests to generate signed deltas and verify them using 'ed25519' signature engine. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Add a new function `ostree_repo_static_delta_execute_offline_with_signature` which takes a signature engine to verify the delta before applying it. The `ostree_repo_static_delta_execute_offline` is just a wrapper to this new function, passing a NULL signature engine. When this function is called without signature engine, but with a sign delta, it will only fails if `sign-verify-deltas` is set to true in repo core options. This commits move signature existence check and delta signature verification to share common parts between existing APIs and the new function. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
This allows to check the delta signature before applying it. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Add new test to apply offline signed deltas. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
fdanis-oss
force-pushed
the
wip/fda/sign_delta_metadata
branch
from
9265baf
to
ecbfe08
Compare
|
OK I think we can get this in an address some things as followups. Thanks for your patience on this! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cgwalters, d4s, fdanis-oss The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Followup in #2203 |
While the commits contained in the single
static-deltafile are signed so we can check them and operate on trusted data, thesuperblockisn't signed in any way, so it end up operating on untrusted data to:These commits generate a signature of all
superblockdata (serialized), except inline commits and the signature, then add the signature to thesuperblockitself as an additional metadata field.New APIs are added to check if a
superblockis signed, and to verify its signature.This is part of the Add support for alternative signature systems #1233 and is based on top of Alternative signing system #1878
Fixes: #1977