msb-public
/
helm
mirror of https://github.com/helm/helm
1
0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '57a1bb80e5'
${ noResults }
helm/pkg/provenance/sign.go

428 lines
11 KiB
Raw Normal View History Unescape

feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
/*
change copyright to "Copyright The Helm Authors"
6 years ago
Copyright The Helm Authors.
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package provenance
import (
"bytes"
"crypto"
"encoding/hex"
"io"
"os"
"path/filepath"
feat(helm): add signature support to 'helm package'
8 years ago
"strings"
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
feat(*): print stacktrace on error with debug enabled
7 years ago
"github.com/pkg/errors"
Add nolint comments Signed-off-by: Josh Dolitsky <josh@dolit.ski>
3 years ago
"golang.org/x/crypto/openpgp" //nolint
"golang.org/x/crypto/openpgp/clearsign" //nolint
"golang.org/x/crypto/openpgp/packet" //nolint
Replaced ghodss/yaml with sigs.k8s.io/yaml This commit replaces usage of github.com/ghodss/yaml with it's forked version maintained by SIG community. The replaced library has low-to-none support activity unlike the latter. We believe the new Helm branch could benefit from using the community-supported version on a long-term run as yaml parser is a key component of Helm chart rendering engine. This commit locks sigs.k8s.io/yaml dependency version on 1.1.0 which is backwards compatible with ghodss/yaml 1.0.0. This change also resolves the outdated dependency version lock for ghodss/yaml (currently 1.0.0) and makes it possible to port changes from https://github.com/helm/helm/pull/6010 to dev-v3. Signed-off-by: Oleg Sidorov <oleg.sidorov@booking.com>
5 years ago
"sigs.k8s.io/yaml"
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
Updating the module for v3 as the major version Signed-off-by: Matt Farina <matt@mattfarina.com>
5 years ago
hapi "helm.sh/helm/v3/pkg/chart"
"helm.sh/helm/v3/pkg/chart/loader"
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
)
var defaultPGPConfig = packet.Config{
DefaultHash: crypto.SHA512,
}
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
// SumCollection represents a collection of file and image checksums.
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
//
// Files are of the form:
Bump the Go version Needed to gofmt source to meet changes in style Signed-off-by: Matt Farina <matt.farina@suse.com>
2 years ago
//
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
// FILENAME: "sha256:SUM"
Bump the Go version Needed to gofmt source to meet changes in style Signed-off-by: Matt Farina <matt.farina@suse.com>
2 years ago
//
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
// Images are of the form:
Bump the Go version Needed to gofmt source to meet changes in style Signed-off-by: Matt Farina <matt.farina@suse.com>
2 years ago
//
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
// "IMAGE:TAG": "sha256:SUM"
Bump the Go version Needed to gofmt source to meet changes in style Signed-off-by: Matt Farina <matt.farina@suse.com>
2 years ago
//
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
// Docker optionally supports sha512, and if this is the case, the hash marker
// will be 'sha512' instead of 'sha256'.
type SumCollection struct {
Files map[string]string `json:"files"`
Images map[string]string `json:"images,omitempty"`
}
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
// Verification contains information about a verification operation.
type Verification struct {
// SignedBy contains the entity that signed a chart.
SignedBy *openpgp.Entity
// FileHash is the hash, prepended with the scheme, for the file that was verified.
FileHash string
feat(helm): remove the requirement that fetch/install need version This removes the requirement that a fetch or install command must explicitly state the version number to install. Instead, this goes to the strategy used by OS package managers: Install the latest until told to do otherwise. Closes #1198
8 years ago
// FileName is the name of the file that FileHash verifies.
FileName string
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
}
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
// Signatory signs things.
//
// Signatories can be constructed from a PGP private key file using NewFromFiles
// or they can be constructed manually by setting the Entity to a valid
// PGP entity.
//
// The same Signatory can be used to sign or validate multiple charts.
type Signatory struct {
// The signatory for this instance of Helm. This is used for signing.
Entity *openpgp.Entity
// The keyring for this instance of Helm. This is used for verification.
KeyRing openpgp.EntityList
}
// NewFromFiles constructs a new Signatory from the PGP key in the given filename.
//
// This will emit an error if it cannot find a valid GPG keyfile (entity) at the
// given location.
//
// Note that the keyfile may have just a public key, just a private key, or
// both. The Signatory methods may have different requirements of the keys. For
// example, ClearSign must have a valid `openpgp.Entity.PrivateKey` before it
// can sign something.
func NewFromFiles(keyfile, keyringfile string) (*Signatory, error) {
e, err := loadKey(keyfile)
if err != nil {
return nil, err
}
ring, err := loadKeyRing(keyringfile)
if err != nil {
return nil, err
}
return &Signatory{
Entity: e,
KeyRing: ring,
}, nil
}
feat(helm): add signature support to 'helm package'
8 years ago
// NewFromKeyring reads a keyring file and creates a Signatory.
//
// If id is not the empty string, this will also try to find an Entity in the
// keyring whose name matches, and set that as the signing entity. It will return
// an error if the id is not empty and also not found.
func NewFromKeyring(keyringfile, id string) (*Signatory, error) {
ring, err := loadKeyRing(keyringfile)
if err != nil {
return nil, err
}
s := &Signatory{KeyRing: ring}
// If the ID is empty, we can return now.
if id == "" {
return s, nil
}
// We're gonna go all GnuPG on this and look for a string that _contains_. If
// two or more keys contain the string and none are a direct match, we error
// out.
var candidate *openpgp.Entity
vague := false
for _, e := range ring {
for n := range e.Identities {
if n == id {
s.Entity = e
return s, nil
}
if strings.Contains(n, id) {
if candidate != nil {
vague = true
}
candidate = e
}
}
}
if vague {
feat(*): print stacktrace on error with debug enabled
7 years ago
return s, errors.Errorf("more than one key contain the id %q", id)
feat(helm): add signature support to 'helm package'
8 years ago
}
fix(helm): read passphrase from prompt This prompts the user to enter a passphrase if the given PGP key is encrypted. Closes #1447
8 years ago
feat(helm): add signature support to 'helm package'
8 years ago
s.Entity = candidate
return s, nil
}
fix(helm): read passphrase from prompt This prompts the user to enter a passphrase if the given PGP key is encrypted. Closes #1447
8 years ago
// PassphraseFetcher returns a passphrase for decrypting keys.
//
// This is used as a callback to read a passphrase from some other location. The
// given name is the Name field on the key, typically of the form:
//
// USER_NAME (COMMENT) <EMAIL>
type PassphraseFetcher func(name string) ([]byte, error)
// DecryptKey decrypts a private key in the Signatory.
//
// If the key is not encrypted, this will return without error.
//
// If the key does not exist, this will return an error.
//
// If the key exists, but cannot be unlocked with the passphrase returned by
// the PassphraseFetcher, this will return an error.
//
// If the key is successfully unlocked, it will return nil.
func (s *Signatory) DecryptKey(fn PassphraseFetcher) error {
fix(helm): give different error if key is not private Previously, a "not found" error was returned if a key exists, but is not a private key. Updated the error to better indicate the case.
8 years ago
if s.Entity == nil {
fix(helm): read passphrase from prompt This prompts the user to enter a passphrase if the given PGP key is encrypted. Closes #1447
8 years ago
return errors.New("private key not found")
fix(helm): give different error if key is not private Previously, a "not found" error was returned if a key exists, but is not a private key. Updated the error to better indicate the case.
8 years ago
} else if s.Entity.PrivateKey == nil {
improved the error message for failed package signing (#6948) Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>
5 years ago
return errors.New("provided key is not a private key. Try providing a keyring with secret keys")
fix(helm): read passphrase from prompt This prompts the user to enter a passphrase if the given PGP key is encrypted. Closes #1447
8 years ago
}
// Nothing else to do if key is not encrypted.
if !s.Entity.PrivateKey.Encrypted {
return nil
}
fname := "Unknown"
for i := range s.Entity.Identities {
if i != "" {
fname = i
break
}
}
p, err := fn(fname)
if err != nil {
return err
}
return s.Entity.PrivateKey.Decrypt(p)
}
feat(helm): add signature support to 'helm package'
8 years ago
// ClearSign signs a chart with the given key.
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
//
// This takes the path to a chart archive file and a key, and it returns a clear signature.
//
// The Signatory must have a valid Entity.PrivateKey for this to work. If it does
// not, an error will be returned.
func (s *Signatory) ClearSign(chartpath string) (string, error) {
fix(helm): give different error if key is not private Previously, a "not found" error was returned if a key exists, but is not a private key. Updated the error to better indicate the case.
8 years ago
if s.Entity == nil {
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
return "", errors.New("private key not found")
fix(helm): give different error if key is not private Previously, a "not found" error was returned if a key exists, but is not a private key. Updated the error to better indicate the case.
8 years ago
} else if s.Entity.PrivateKey == nil {
improved the error message for failed package signing (#6948) Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>
5 years ago
return "", errors.New("provided key is not a private key. Try providing a keyring with secret keys")
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
}
if fi, err := os.Stat(chartpath); err != nil {
return "", err
} else if fi.IsDir() {
return "", errors.New("cannot sign a directory")
}
out := bytes.NewBuffer(nil)
b, err := messageBlock(chartpath)
if err != nil {
add more error checks during the signing process Before this change, several of the potential errors during the process of signing a package were skipped. Crucially, `Close()`ing the ReadCloser from the gpg clearsigner is the call which actually does the signing, and so has several points of failure which are ignored; for example, if there's a problem with the format of the key. Also changes the error from messageBlock() to be propagated rather than being swallowed, and adds a test for the case where a signer fails to sign. Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
3 years ago
return "", err
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
}
// Sign the buffer
w, err := clearsign.Encode(out, s.Entity.PrivateKey, &defaultPGPConfig)
if err != nil {
return "", err
}
add more error checks during the signing process Before this change, several of the potential errors during the process of signing a package were skipped. Crucially, `Close()`ing the ReadCloser from the gpg clearsigner is the call which actually does the signing, and so has several points of failure which are ignored; for example, if there's a problem with the format of the key. Also changes the error from messageBlock() to be propagated rather than being swallowed, and adds a test for the case where a signer fails to sign. Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
3 years ago
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
_, err = io.Copy(w, b)
add more error checks during the signing process Before this change, several of the potential errors during the process of signing a package were skipped. Crucially, `Close()`ing the ReadCloser from the gpg clearsigner is the call which actually does the signing, and so has several points of failure which are ignored; for example, if there's a problem with the format of the key. Also changes the error from messageBlock() to be propagated rather than being swallowed, and adds a test for the case where a signer fails to sign. Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
3 years ago
if err != nil {
// NB: We intentionally don't call `w.Close()` here! `w.Close()` is the method which
// actually does the PGP signing, and therefore is the part which uses the private key.
// In other words, if we call Close here, there's a risk that there's an attempt to use the
// private key to sign garbage data (since we know that io.Copy failed, `w` won't contain
// anything useful).
return "", errors.Wrap(err, "failed to write to clearsign encoder")
}
err = w.Close()
if err != nil {
return "", errors.Wrap(err, "failed to either sign or armor message block")
}
return out.String(), nil
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
}
feat(helm): add signature support to 'helm package'
8 years ago
// Verify checks a signature and verifies that it is legit for a chart.
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
func (s *Signatory) Verify(chartpath, sigpath string) (*Verification, error) {
ver := &Verification{}
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
for _, fname := range []string{chartpath, sigpath} {
if fi, err := os.Stat(fname); err != nil {
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
return ver, err
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
} else if fi.IsDir() {
feat(*): print stacktrace on error with debug enabled
7 years ago
return ver, errors.Errorf("%s cannot be a directory", fname)
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
}
}
// First verify the signature
sig, err := s.decodeSignature(sigpath)
if err != nil {
feat(*): print stacktrace on error with debug enabled
7 years ago
return ver, errors.Wrap(err, "failed to decode signature")
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
}
by, err := s.verifySignature(sig)
if err != nil {
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
return ver, err
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
}
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
ver.SignedBy = by
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
// Second, verify the hash of the tarball.
feat(chartutils): add support for requirements.yaml
8 years ago
sum, err := DigestFile(chartpath)
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
if err != nil {
return ver, err
}
_, sums, err := parseMessageBlock(sig.Plaintext)
if err != nil {
return ver, err
}
sum = "sha256:" + sum
basename := filepath.Base(chartpath)
if sha, ok := sums.Files[basename]; !ok {
feat(*): print stacktrace on error with debug enabled
7 years ago
return ver, errors.Errorf("provenance does not contain a SHA for a file named %q", basename)
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
} else if sha != sum {
feat(*): print stacktrace on error with debug enabled
7 years ago
return ver, errors.Errorf("sha256 sum does not match for %s: %q != %q", basename, sha, sum)
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
}
ver.FileHash = sum
feat(helm): remove the requirement that fetch/install need version This removes the requirement that a fetch or install command must explicitly state the version number to install. Instead, this goes to the strategy used by OS package managers: Install the latest until told to do otherwise. Closes #1198
8 years ago
ver.FileName = basename
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
// TODO: when image signing is added, verify that here.
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
feat(helm): add --verify flag to commands This adds the --verify and --keyring flags to: helm fetch helm inspect helm install helm upgrade Each of these commands can now make cryptographic verification a prerequisite for using a chart.
8 years ago
return ver, nil
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
}
func (s *Signatory) decodeSignature(filename string) (*clearsign.Block, error) {
Updating the Go version in go.mod At this time both Go 1.19 and 1.20 are supported. The version specified in the go.mod file is the minimum version we expect Helm to be compiled against. This is the oldest supported version to support environments where others compile Helm. The Helm project is using Go 1.20 to build Helm itself. Updating to Go 1.19 also includes dealing with io/ioutil deprecation and some additional linting issues around staticcheck. All the staticcheck issues were in test files so linting was skipped for those. Signed-off-by: Matt Farina <matt.farina@suse.com>
2 years ago
data, err := os.ReadFile(filename)
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
if err != nil {
return nil, err
}
block, _ := clearsign.Decode(data)
if block == nil {
// There was no sig in the file.
return nil, errors.New("signature block not found")
}
return block, nil
}
// verifySignature verifies that the given block is validly signed, and returns the signer.
func (s *Signatory) verifySignature(block *clearsign.Block) (*openpgp.Entity, error) {
return openpgp.CheckDetachedSignature(
s.KeyRing,
bytes.NewBuffer(block.Bytes),
block.ArmoredSignature.Body,
)
}
func messageBlock(chartpath string) (*bytes.Buffer, error) {
var b *bytes.Buffer
// Checksum the archive
feat(chartutils): add support for requirements.yaml
8 years ago
chash, err := DigestFile(chartpath)
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
if err != nil {
return b, err
}
base := filepath.Base(chartpath)
sums := &SumCollection{
Files: map[string]string{
base: "sha256:" + chash,
},
}
// Load the archive into memory.
ref(*): refactor chart/chartutil ref(chartutil): move chart loading out of chartutil into new package add chart loader interface to allow lazy loading feat(chart): create chart accessors ref(*): cleanup requirements ref(tiller): remove optional template engines ref(tiller): simplify sorting releases and hooks ref(*): code simplification ref(hapi): move chart package out of hapi ref(chart): add requirements and lock to Chart struct
6 years ago
chart, err := loader.LoadFile(chartpath)
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
if err != nil {
return b, err
}
// Buffer a hash + checksums YAML file
data, err := yaml.Marshal(chart.Metadata)
if err != nil {
return b, err
}
// FIXME: YAML uses ---\n as a file start indicator, but this is not legal in a PGP
// clearsign block. So we use ...\n, which is the YAML document end marker.
// http://yaml.org/spec/1.2/spec.html#id2800168
b = bytes.NewBuffer(data)
b.WriteString("\n...\n")
data, err = yaml.Marshal(sums)
if err != nil {
return b, err
}
b.Write(data)
return b, nil
}
// parseMessageBlock
func parseMessageBlock(data []byte) (*hapi.Metadata, *SumCollection, error) {
// This sucks.
parts := bytes.Split(data, []byte("\n...\n"))
if len(parts) < 2 {
return nil, nil, errors.New("message block must have at least two parts")
}
md := &hapi.Metadata{}
sc := &SumCollection{}
if err := yaml.Unmarshal(parts[0], md); err != nil {
return md, sc, err
}
err := yaml.Unmarshal(parts[1], sc)
return md, sc, err
}
// loadKey loads a GPG key found at a particular path.
func loadKey(keypath string) (*openpgp.Entity, error) {
f, err := os.Open(keypath)
if err != nil {
return nil, err
}
defer f.Close()
pr := packet.NewReader(f)
return openpgp.ReadEntity(pr)
}
func loadKeyRing(ringpath string) (openpgp.EntityList, error) {
f, err := os.Open(ringpath)
if err != nil {
return nil, err
}
defer f.Close()
return openpgp.ReadKeyRing(f)
}
feat(chartutils): add support for requirements.yaml
8 years ago
// DigestFile calculates a SHA256 hash (like Docker) for a given file.
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
//
// It takes the path to the archive file, and returns a string representation of
// the SHA256 sum.
//
// The intended use of this function is to generate a sum of a chart TGZ file.
feat(chartutils): add support for requirements.yaml
8 years ago
func DigestFile(filename string) (string, error) {
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
f, err := os.Open(filename)
if err != nil {
return "", err
}
defer f.Close()
feat(chartutils): add support for requirements.yaml
8 years ago
return Digest(f)
}
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
feat(chartutils): add support for requirements.yaml
8 years ago
// Digest hashes a reader and returns a SHA256 digest.
//
// Helm uses SHA256 as its default hash for all non-cryptographic applications.
func Digest(in io.Reader) (string, error) {
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
hash := crypto.SHA256.New()
fix(provenance): Ports error check for `Digest` to v3 This is a port of #5672 Signed-off-by: Taylor Thomas <taylor.thomas@microsoft.com>
5 years ago
if _, err := io.Copy(hash, in); err != nil {
return "", nil
}
feat(pkg/provenance): add OpenPGP signatures This adds support for OpenPGP signatures containing provenance data. Such information can be used to verify the integrity of a Chart by testing that its file hash, metadata, and images are correct. This first PR does not contain all of the tooling necessary for end-to-end chart integrity. It contains just the library. See #983
8 years ago
return hex.EncodeToString(hash.Sum(nil)), nil
}