remote-add: Add --sign-verify=KEYTYPE=[inline|file]:PUBKEYREF

Per https://github.com/ostreedev/ostree/issues/2080#issuecomment-623614483

A huge benefit of ed25519 (and ECC in general) is that keys are very
short - short enough that it's completely reasonable to inline
them into a command line argument.

And I think that's a good model; it makes the keys very visible.

For example, someone could easily copy-paste a commandline
argument from a webpage (secured via TLS) that says to run
`ostree remote add --sign-verify=ed25519=inline:KEY`.

diff --git a/src/ostree/ot-remote-builtin-add.c b/src/ostree/ot-remote-builtin-add.c
index e4634710cf2a477fa4472d830b8bfe863bb38171..a885336ad1c221cb834efd7649f2e249181f872d 100644 (file)
--- a/src/ostree/ot-remote-builtin-add.c
+++ b/src/ostree/ot-remote-builtin-add.c
@@ -32,6 +32,7 @@ static gboolean opt_no_sign_verify;
 static gboolean opt_if_not_exists;
 static gboolean opt_force;
 static char *opt_gpg_import;
+static char **opt_sign_verify;
 static char *opt_contenturl;
 static char *opt_collection_id;
 static char *opt_sysroot;
@@ -46,6 +47,7 @@ static GOptionEntry option_entries[] = {
   { "set", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_set, "Set config option KEY=VALUE for remote", "KEY=VALUE" },
   { "no-gpg-verify", 0, 0, G_OPTION_ARG_NONE, &opt_no_gpg_verify, "Disable GPG verification", NULL },
   { "no-sign-verify", 0, 0, G_OPTION_ARG_NONE, &opt_no_sign_verify, "Disable signature verification", NULL },
+  { "sign-verify", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_sign_verify, "Verify signatures using KEYTYPE=inline:PUBKEY or KEYTYPE=file:/path/to/key", "KEYTYPE=[inline|file]:PUBKEY" },
   { "if-not-exists", 0, 0, G_OPTION_ARG_NONE, &opt_if_not_exists, "Do nothing if the provided remote exists", NULL },
   { "force", 0, 0, G_OPTION_ARG_NONE, &opt_force, "Replace the provided remote if it exists", NULL },
   { "gpg-import", 0, 0, G_OPTION_ARG_FILENAME, &opt_gpg_import, "Import GPG key from FILE", "FILE" },
@@ -57,6 +59,42 @@ static GOptionEntry option_entries[] = {
   { NULL }
 };
 
+static gboolean
+add_verify_opt (GVariantBuilder *builder,
+                const char *keyspec,
+                GError **error)
+{
+  g_auto(GStrv) parts = g_strsplit (keyspec, "=", 2);
+  g_assert (parts && *parts);
+  const char *keytype = parts[0];
+  if (!parts[1])
+    return glnx_throw (error, "Failed to parse KEYTYPE=[inline|file]:DATA in %s", keyspec);
+
+  g_autoptr(OstreeSign) sign = ostree_sign_get_by_name (keytype, error);
+  if (!sign)
+    return FALSE;
+
+  const char *rest = parts[1];
+  g_assert (!parts[2]);
+  g_auto(GStrv) keyparts = g_strsplit (rest, ":", 2);
+  g_assert (keyparts && *keyparts);
+  const char *keyref = keyparts[0];
+  g_assert (keyref);
+  g_autofree char *optname = NULL;
+  if (g_str_equal (keyref, "inline"))
+    optname = g_strdup_printf ("verification-%s-key", keytype);
+  else if (g_str_equal (keyref, "file"))
+    optname = g_strdup_printf ("verification-%s-file", keytype);
+  else
+    return glnx_throw (error, "Invalid key reference %s, expected inline|file", keyref);
+
+  g_assert (keyparts[1] && !keyparts[2]);
+  g_variant_builder_add (builder, "{s@v}",
+                         optname,
+                         g_variant_new_variant (g_variant_new_string (keyparts[1])));
+  return TRUE;
+}
+
 gboolean
 ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocation, GCancellable *cancellable, GError **error)
 {
@@ -144,9 +182,24 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio
 #endif /* OSTREE_DISABLE_GPGME */
 
   if (opt_no_sign_verify)
+    {
+      if (opt_sign_verify)
+        return glnx_throw (error, "Cannot specify both --sign-verify and --no-sign-verify");
+      g_variant_builder_add (optbuilder, "{s@v}",
+                            "sign-verify",
+                            g_variant_new_variant (g_variant_new_boolean (FALSE)));
+    }
+
+  for (char **iter = opt_sign_verify; iter && *iter; iter++)
+    {
+      const char *keyspec = *iter;
+      if (!add_verify_opt (optbuilder, keyspec, error))
+        return FALSE;
+    }
+  if (opt_sign_verify)
     g_variant_builder_add (optbuilder, "{s@v}",
-                           "sign-verify",
-                           g_variant_new_variant (g_variant_new_boolean (FALSE)));
+                          "sign-verify",
+                          g_variant_new_variant (g_variant_new_boolean (TRUE)));
 
   if (opt_collection_id != NULL)
     g_variant_builder_add (optbuilder, "{s@v}", "collection-id",

diff --git a/tests/test-signed-pull.sh b/tests/test-signed-pull.sh
index 075c5f2bd62090463fdd319560f019457c4ecd2e..b207eac252c71fadea139555f5b2897c0489f6f7 100755 (executable)
--- a/tests/test-signed-pull.sh
+++ b/tests/test-signed-pull.sh
@@ -23,7 +23,7 @@ set -euo pipefail
 
 . $(dirname $0)/libtest.sh
 
-echo "1..11"
+echo "1..16"
 
 # This is explicitly opt in for testing
 export OSTREE_DUMMY_SIGN_ENABLED=1
@@ -54,7 +54,7 @@ function test_signed_pull() {
     localsig=repo/$objpath
     mv $remotesig $remotesig.bak
     if ${CMD_PREFIX} ostree --repo=repo --depth=0 pull origin main; then
-        assert_not_reached "pull with sign-verify unexpectedly succeeded?"
+        assert_not_reached "pull with sign-verify and no commitmeta unexpectedly succeeded?"
     fi
     # ok now check that we can pull correctly
     mv $remotesig.bak $remotesig
@@ -98,6 +98,25 @@ ${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-dummy
 ${CMD_PREFIX} ostree --repo=repo config unset 'remote "origin"'.verification-dummy-file
 test_signed_pull "dummy" ""
 
+# Another test with the --verify option directly
+repo_init --sign-verify=dummy=inline:${DUMMYSIGN}
+test_signed_pull "dummy" "from remote opt"
+
+repo_init
+if ${CMD_PREFIX} ostree --repo=repo remote add other --sign-verify=trustme=inline:ok http://localhost 2>err.txt; then
+    assert_not_reached "remote add with invalid keytype succeeded"
+fi
+assert_file_has_content err.txt 'Requested signature type is not implemented'
+if ${CMD_PREFIX} ostree --repo=repo remote add other --sign-verify=dummy http://localhost 2>err.txt; then
+    assert_not_reached "remote add with invalid keytype succeeded"
+fi
+assert_file_has_content err.txt 'Failed to parse KEYTYPE'
+if ${CMD_PREFIX} ostree --repo=repo remote add other --sign-verify=dummy=foo:bar http://localhost 2>err.txt; then
+    assert_not_reached "remote add with invalid keytype succeeded"
+fi
+assert_file_has_content err.txt 'Invalid key reference'
+echo "ok remote add errs"
+
 if ! has_sign_ed25519; then
     echo "ok ed25519-key pull signed commit # SKIP due libsodium unavailability"
     echo "ok ed25519-key re-pull signature for stored commit # SKIP due libsodium unavailability"
@@ -105,6 +124,8 @@ if ! has_sign_ed25519; then
     echo "ok ed25519-key+file re-pull signature for stored commit # SKIP due libsodium unavailability"
     echo "ok ed25519-file pull signed commit # SKIP due libsodium unavailability"
     echo "ok ed25519-file re-pull signature for stored commit # SKIP due libsodium unavailability"
+    echo "ok ed25519-inline # SKIP due libsodium unavailability"
+    echo "ok ed25519-inline # SKIP due libsodium unavailability"
     exit 0
 fi
 
@@ -140,3 +161,5 @@ repo_init --set=sign-verify=true
 ${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-ed25519-file "${PUBKEYS}"
 test_signed_pull "ed25519" "file"
 
+repo_init --sign-verify=ed25519=inline:"${ED25519PUBLIC}"
+test_signed_pull "ed25519" "--verify-ed25519"