diff --git a/pkg/cmd/dependency_build.go b/pkg/cmd/dependency_build.go index f572fbae1..3ccda1b9f 100644 --- a/pkg/cmd/dependency_build.go +++ b/pkg/cmd/dependency_build.go @@ -19,6 +19,7 @@ import ( "errors" "fmt" "io" + "io/fs" "os" "path/filepath" @@ -92,9 +93,26 @@ func newDependencyBuildCmd(out io.Writer) *cobra.Command { } // defaultKeyring returns the expanded path to the default keyring. +// +// The legacy pubring.gpg file is preferred and treated as absent only when +// stat fails with "not exist" — any other stat error (e.g. permissions) +// keeps the legacy path so the real error surfaces when the file is opened. +// If the legacy file is absent, the keybox file maintained by modern GnuPG +// (2.1+) takes over under the same rule. When neither exists, the legacy +// path is returned so that error messages keep pointing at the traditional +// default. func defaultKeyring() string { + gnupgHome := filepath.Join(homedir.HomeDir(), ".gnupg") if v, ok := os.LookupEnv("GNUPGHOME"); ok { - return filepath.Join(v, "pubring.gpg") + gnupgHome = v } - return filepath.Join(homedir.HomeDir(), ".gnupg", "pubring.gpg") + legacy := filepath.Join(gnupgHome, "pubring.gpg") + if _, err := os.Stat(legacy); !errors.Is(err, fs.ErrNotExist) { + return legacy + } + keybox := filepath.Join(gnupgHome, "pubring.kbx") + if _, err := os.Stat(keybox); !errors.Is(err, fs.ErrNotExist) { + return keybox + } + return legacy } diff --git a/pkg/cmd/dependency_build_test.go b/pkg/cmd/dependency_build_test.go index a3473301d..bb90d4473 100644 --- a/pkg/cmd/dependency_build_test.go +++ b/pkg/cmd/dependency_build_test.go @@ -19,6 +19,7 @@ import ( "fmt" "os" "path/filepath" + "runtime" "strings" "testing" @@ -162,3 +163,84 @@ func TestDependencyBuildCmdWithHelmV2Hash(t *testing.T) { t.Fatal(err) } } + +func TestDefaultKeyring(t *testing.T) { + touch := func(t *testing.T, path string) { + t.Helper() + if err := os.WriteFile(path, []byte("test"), 0o644); err != nil { + t.Fatal(err) + } + } + + tests := []struct { + name string + files []string + want string + }{ + {"legacy keyring only", []string{"pubring.gpg"}, "pubring.gpg"}, + {"keybox only", []string{"pubring.kbx"}, "pubring.kbx"}, + {"legacy keyring preferred over keybox", []string{"pubring.gpg", "pubring.kbx"}, "pubring.gpg"}, + {"neither present falls back to legacy path", nil, "pubring.gpg"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + dir := t.TempDir() + t.Setenv("GNUPGHOME", dir) + for _, f := range tt.files { + touch(t, filepath.Join(dir, f)) + } + if got, want := defaultKeyring(), filepath.Join(dir, tt.want); got != want { + t.Errorf("expected %q, got %q", want, got) + } + }) + } + + t.Run("stat error other than not-exist keeps the legacy path", func(t *testing.T) { + if runtime.GOOS == "windows" { + t.Skip("directory permissions are not enforced on Windows") + } + if os.Geteuid() == 0 { + t.Skip("root bypasses directory permissions") + } + + parent := t.TempDir() + dir := filepath.Join(parent, ".gnupg") + if err := os.MkdirAll(dir, 0o700); err != nil { + t.Fatal(err) + } + touch(t, filepath.Join(dir, "pubring.kbx")) + t.Setenv("GNUPGHOME", dir) + + // Make the directory unsearchable so stat on both keyrings fails + // with a permission error rather than "not exist". + if err := os.Chmod(dir, 0o000); err != nil { + t.Fatal(err) + } + t.Cleanup(func() { os.Chmod(dir, 0o700) }) + + if got, want := defaultKeyring(), filepath.Join(dir, "pubring.gpg"); got != want { + t.Errorf("expected %q, got %q", want, got) + } + }) + + t.Run("no GNUPGHOME falls back to the home directory", func(t *testing.T) { + home := t.TempDir() + t.Setenv("HOME", home) + t.Setenv("GNUPGHOME", home) // register restoration before unsetting + os.Unsetenv("GNUPGHOME") + + gnupgDir := filepath.Join(home, ".gnupg") + if err := os.MkdirAll(gnupgDir, 0o700); err != nil { + t.Fatal(err) + } + + if got, want := defaultKeyring(), filepath.Join(gnupgDir, "pubring.gpg"); got != want { + t.Errorf("expected %q, got %q", want, got) + } + + touch(t, filepath.Join(gnupgDir, "pubring.kbx")) + if got, want := defaultKeyring(), filepath.Join(gnupgDir, "pubring.kbx"); got != want { + t.Errorf("expected %q, got %q", want, got) + } + }) +} diff --git a/pkg/provenance/keybox.go b/pkg/provenance/keybox.go new file mode 100644 index 000000000..a788d14fe --- /dev/null +++ b/pkg/provenance/keybox.go @@ -0,0 +1,113 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package provenance + +import ( + "bytes" + "encoding/binary" + "errors" + "fmt" +) + +// GnuPG 2.1+ stores public keys in a "keybox" (pubring.kbx) — a container +// format that interleaves OpenPGP keyblocks with GnuPG-specific metadata. It +// is not an OpenPGP packet stream, so it cannot be handed to +// openpgp.ReadKeyRing directly. A keybox is a sequence of blobs, each starting +// with: +// +// byte 0..3 u32 blob length, big endian, including this header +// byte 4 u8 blob type (0 empty, 1 header, 2 OpenPGP, 3 X.509) +// byte 5 u8 blob version +// +// The first blob is a header carrying the "KBXf" magic at offset 8. OpenPGP +// blobs (type 2) record where the raw keyblock lives inside the blob: +// +// byte 8..11 u32 keyblock offset, relative to the blob start +// byte 12..15 u32 keyblock length +// +// Reference: kbx/keybox-blob.c in the GnuPG source tree. +const ( + kbxBlobTypeHeader = 1 + kbxBlobTypeOpenPGP = 2 + + // kbxBlobFlagEphemeral marks a blob GnuPG considers not (yet) part of + // the keyring, e.g. written during an interrupted keyserver operation + // (KEYBOX_FLAG_BLOB_EPHEMERAL in kbx/keybox.h). GnuPG skips such blobs + // on every normal read (kbx/keybox-search.c), and so do we. + kbxBlobFlagEphemeral = 0x0002 + + // kbxMinBlobLen covers the length and type fields present in every blob. + kbxMinBlobLen = 5 + + // kbxOpenPGPHeaderLen is how much of an OpenPGP blob header must be + // present for the flags, keyblock offset and keyblock length fields to + // be readable. + kbxOpenPGPHeaderLen = 16 +) + +// isKeybox reports whether data looks like a GnuPG keybox (pubring.kbx) +// image, identified by the "KBXf" magic in the mandatory first header blob. +func isKeybox(data []byte) bool { + return len(data) >= 12 && data[4] == kbxBlobTypeHeader && string(data[8:12]) == "KBXf" +} + +// isArmored reports whether data looks like an ASCII-armored keyring, as +// produced by `gpg --export --armor`. +func isArmored(data []byte) bool { + return bytes.HasPrefix(bytes.TrimSpace(data), []byte("-----BEGIN PGP")) +} + +// keyboxPublicKeys extracts the OpenPGP keyblocks embedded in a keybox image +// and returns them concatenated, ready for openpgp.ReadKeyRing. Blobs of any +// other type (header, X.509, empty) are skipped, as are blobs flagged +// ephemeral, which GnuPG itself ignores when reading the keyring. Malformed +// input yields an error, never a panic. +func keyboxPublicKeys(data []byte) ([]byte, error) { + var keyblocks bytes.Buffer + for offset := 0; offset < len(data); { + rest := data[offset:] + if len(rest) < kbxMinBlobLen { + return nil, fmt.Errorf("truncated blob header at offset %d", offset) + } + blobLen := binary.BigEndian.Uint32(rest) + if blobLen < kbxMinBlobLen { + return nil, fmt.Errorf("invalid blob length %d at offset %d", blobLen, offset) + } + if uint64(blobLen) > uint64(len(rest)) { + return nil, fmt.Errorf("blob at offset %d has length %d exceeding the %d remaining bytes", offset, blobLen, len(rest)) + } + blob := rest[:blobLen] + if blob[4] == kbxBlobTypeOpenPGP { + if len(blob) < kbxOpenPGPHeaderLen { + return nil, fmt.Errorf("OpenPGP blob at offset %d is too short", offset) + } + flags := binary.BigEndian.Uint16(blob[6:]) + keyblockOffset := binary.BigEndian.Uint32(blob[8:]) + keyblockLen := binary.BigEndian.Uint32(blob[12:]) + if uint64(keyblockOffset)+uint64(keyblockLen) > uint64(len(blob)) { + return nil, fmt.Errorf("OpenPGP blob at offset %d has an out-of-range keyblock", offset) + } + if flags&kbxBlobFlagEphemeral == 0 { + keyblocks.Write(blob[keyblockOffset : keyblockOffset+keyblockLen]) + } + } + offset += int(blobLen) + } + if keyblocks.Len() == 0 { + return nil, errors.New("keybox contains no OpenPGP keys") + } + return keyblocks.Bytes(), nil +} diff --git a/pkg/provenance/keybox_test.go b/pkg/provenance/keybox_test.go new file mode 100644 index 000000000..e2133d45a --- /dev/null +++ b/pkg/provenance/keybox_test.go @@ -0,0 +1,188 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package provenance + +import ( + "bytes" + "encoding/binary" + "os" + "testing" + + "github.com/ProtonMail/go-crypto/openpgp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +const ( + // testKeybox is a GnuPG keybox (pubring.kbx) containing the helm-test + // public key. Regenerate with testdata/regen-keyring-formats.sh. + testKeybox = "testdata/helm-test-key.kbx" + + // testMixedKeybox is a keybox containing the RSA and Ed25519 test keys. + testMixedKeybox = "testdata/helm-mixed-keyring.kbx" + + // testArmoredPubfile is the ASCII-armored export of the helm-test key. + testArmoredPubfile = "testdata/helm-test-key.asc" + + // testMultiBlockArmored is two concatenated single-key armored exports + // (cat key1.asc key2.asc), covering the RSA and Ed25519 test keys. + testMultiBlockArmored = "testdata/helm-mixed-keyring.asc" +) + +func TestIsKeybox(t *testing.T) { + tests := []struct { + name string + file string + want bool + }{ + {"keybox", testKeybox, true}, + {"mixed keybox", testMixedKeybox, true}, + {"legacy binary keyring", testPubfile, false}, + {"armored keyring", testArmoredPubfile, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + data, err := os.ReadFile(tt.file) + require.NoError(t, err) + assert.Equal(t, tt.want, isKeybox(data)) + }) + } + + t.Run("degenerate inputs", func(t *testing.T) { + assert.False(t, isKeybox(nil)) + assert.False(t, isKeybox([]byte{})) + assert.False(t, isKeybox([]byte("KBXf"))) + assert.False(t, isKeybox([]byte("garbage that is longer than twelve bytes"))) + }) +} + +func TestIsArmored(t *testing.T) { + tests := []struct { + name string + file string + want bool + }{ + {"armored keyring", testArmoredPubfile, true}, + {"legacy binary keyring", testPubfile, false}, + {"keybox", testKeybox, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + data, err := os.ReadFile(tt.file) + require.NoError(t, err) + assert.Equal(t, tt.want, isArmored(data)) + }) + } + + t.Run("degenerate inputs", func(t *testing.T) { + assert.False(t, isArmored(nil)) + assert.False(t, isArmored([]byte("not a key"))) + assert.True(t, isArmored([]byte("\n\t -----BEGIN PGP PUBLIC KEY BLOCK-----"))) + }) +} + +func TestKeyboxPublicKeys(t *testing.T) { + data, err := os.ReadFile(testKeybox) + require.NoError(t, err) + + keys, err := keyboxPublicKeys(data) + require.NoError(t, err) + + ring, err := openpgp.ReadKeyRing(bytes.NewReader(keys)) + require.NoError(t, err) + + require.Len(t, ring, 1) + _, ok := ring[0].Identities[testKeyName] + assert.True(t, ok, "expected keybox to contain %q", testKeyName) +} + +func TestKeyboxPublicKeysEphemeral(t *testing.T) { + // GnuPG flags in-progress key material as ephemeral (bit 0x0002 of the + // blob flags at blob offset 6) and hides it from every normal read; the + // parser must do the same. + setFlags := func(t *testing.T, data []byte, blobStart int, flags uint16) []byte { + t.Helper() + require.Equal(t, byte(kbxBlobTypeOpenPGP), data[blobStart+4]) + mutated := bytes.Clone(data) + binary.BigEndian.PutUint16(mutated[blobStart+6:], flags) + return mutated + } + + t.Run("all blobs ephemeral means no keys", func(t *testing.T) { + valid, err := os.ReadFile(testKeybox) + require.NoError(t, err) + + _, err = keyboxPublicKeys(setFlags(t, valid, 32, kbxBlobFlagEphemeral)) + assert.ErrorContains(t, err, "no OpenPGP keys") + }) + + t.Run("ephemeral blob is skipped, others kept", func(t *testing.T) { + valid, err := os.ReadFile(testMixedKeybox) + require.NoError(t, err) + + // Flag only the first OpenPGP blob (the RSA helm-test key). + keys, err := keyboxPublicKeys(setFlags(t, valid, 32, kbxBlobFlagEphemeral)) + require.NoError(t, err) + + ring, err := openpgp.ReadKeyRing(bytes.NewReader(keys)) + require.NoError(t, err) + + require.Len(t, ring, 1) + _, ok := ring[0].Identities[testKeyName] + assert.False(t, ok, "expected the ephemeral-flagged %q blob to be skipped", testKeyName) + }) +} + +func TestKeyboxPublicKeysMalformed(t *testing.T) { + valid, err := os.ReadFile(testKeybox) + require.NoError(t, err) + + // The mutations below rely on the fixture layout: a 32-byte header blob + // followed by an OpenPGP blob. + const blobStart = 32 + require.Greater(t, len(valid), blobStart+16) + require.Equal(t, byte(kbxBlobTypeOpenPGP), valid[blobStart+4]) + + mutate := func(offset int, value uint32) []byte { + data := bytes.Clone(valid) + binary.BigEndian.PutUint32(data[offset:], value) + return data + } + + tests := []struct { + name string + data []byte + }{ + {"header only, no keys", valid[:blobStart]}, + {"truncated inside blob header", valid[:blobStart+2]}, + {"truncated inside blob body", valid[:blobStart+16]}, + {"zero blob length", mutate(blobStart, 0)}, + {"blob length below minimum", mutate(blobStart, 4)}, + {"blob length past end of data", mutate(blobStart, uint32(len(valid))+1)}, + {"keyblock offset out of range", mutate(blobStart+8, uint32(len(valid)))}, + {"keyblock length out of range", mutate(blobStart+12, uint32(len(valid)))}, + {"keyblock offset overflow", mutate(blobStart+8, ^uint32(0))}, + {"keyblock length overflow", mutate(blobStart+12, ^uint32(0))}, + {"openpgp blob shorter than its header", append(bytes.Clone(valid[:blobStart]), 0, 0, 0, 8, kbxBlobTypeOpenPGP, 1, 0, 0)}, + {"empty input", nil}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + _, err := keyboxPublicKeys(tt.data) + assert.Error(t, err) + }) + } +} diff --git a/pkg/provenance/sign.go b/pkg/provenance/sign.go index 9b3e774cb..411be4639 100644 --- a/pkg/provenance/sign.go +++ b/pkg/provenance/sign.go @@ -26,6 +26,7 @@ import ( "strings" "github.com/ProtonMail/go-crypto/openpgp" + "github.com/ProtonMail/go-crypto/openpgp/armor" "github.com/ProtonMail/go-crypto/openpgp/clearsign" "github.com/ProtonMail/go-crypto/openpgp/packet" "sigs.k8s.io/yaml" @@ -358,13 +359,65 @@ func loadKey(keypath string) (*openpgp.Entity, error) { return openpgp.ReadEntity(pr) } +// loadKeyRing loads a keyring from ringpath, auto-detecting its storage +// format. Three formats are supported: +// +// - the legacy binary OpenPGP packet stream (GnuPG's pubring.gpg) +// - a GnuPG keybox (pubring.kbx), the default public-key store since +// GnuPG 2.1 +// - an ASCII-armored keyring, as produced by `gpg --export --armor` func loadKeyRing(ringpath string) (openpgp.EntityList, error) { - f, err := os.Open(ringpath) + data, err := os.ReadFile(ringpath) if err != nil { return nil, err } - defer f.Close() - return openpgp.ReadKeyRing(f) + switch { + case isKeybox(data): + keys, err := keyboxPublicKeys(data) + if err != nil { + return nil, fmt.Errorf("reading keybox %s: %w", ringpath, err) + } + return openpgp.ReadKeyRing(bytes.NewReader(keys)) + case isArmored(data): + ring, err := loadArmoredKeyRing(data) + if err != nil { + return nil, fmt.Errorf("reading armored keyring %s: %w", ringpath, err) + } + return ring, nil + default: + return openpgp.ReadKeyRing(bytes.NewReader(data)) + } +} + +// loadArmoredKeyRing reads every armored block in data and merges the keys +// into a single keyring. Unlike openpgp.ReadArmoredKeyRing, which silently +// ignores everything after the first block, this handles keyrings assembled +// by concatenating exports (cat key1.asc key2.asc > keyring.asc), the same +// way GnuPG imports them. +func loadArmoredKeyRing(data []byte) (openpgp.EntityList, error) { + var ring openpgp.EntityList + r := bytes.NewReader(data) + for { + block, err := armor.Decode(r) + if errors.Is(err, io.EOF) { + break + } + if err != nil { + return nil, err + } + if block.Type != openpgp.PublicKeyType && block.Type != openpgp.PrivateKeyType { + return nil, fmt.Errorf("expected a public or private key block, got %q", block.Type) + } + entities, err := openpgp.ReadKeyRing(block.Body) + if err != nil { + return nil, err + } + ring = append(ring, entities...) + } + if len(ring) == 0 { + return nil, errors.New("no keys found") + } + return ring, nil } // DigestFile calculates a SHA256 hash (like Docker) for a given file. diff --git a/pkg/provenance/sign_test.go b/pkg/provenance/sign_test.go index 8784e6c12..2e87f9061 100644 --- a/pkg/provenance/sign_test.go +++ b/pkg/provenance/sign_test.go @@ -16,6 +16,7 @@ limitations under the License. package provenance import ( + "bytes" "crypto" "errors" "io" @@ -24,6 +25,7 @@ import ( "strings" "testing" + "github.com/ProtonMail/go-crypto/openpgp/armor" pgperrors "github.com/ProtonMail/go-crypto/openpgp/errors" "github.com/ProtonMail/go-crypto/openpgp/packet" "github.com/stretchr/testify/assert" @@ -168,6 +170,72 @@ func TestLoadKeyRing(t *testing.T) { } } +func TestLoadKeyRingKeybox(t *testing.T) { + k, err := loadKeyRing(testKeybox) + require.NoError(t, err) + + require.Len(t, k, 1) + _, ok := k[0].Identities[testKeyName] + assert.True(t, ok, "expected %q in keybox keyring", testKeyName) +} + +func TestLoadKeyRingMixedKeybox(t *testing.T) { + k, err := loadKeyRing(testMixedKeybox) + require.NoError(t, err) + + require.Len(t, k, 2) + + names := make([]string, 0, len(k)) + hasEdDSA := false + for _, e := range k { + for n := range e.Identities { + names = append(names, n) + } + if e.PrimaryKey != nil && e.PrimaryKey.PubKeyAlgo == packet.PubKeyAlgoEdDSA { + hasEdDSA = true + } + } + assert.Contains(t, names, testKeyName) + assert.True(t, hasEdDSA, "expected an Ed25519 key in %s", testMixedKeybox) +} + +func TestLoadKeyRingArmored(t *testing.T) { + k, err := loadKeyRing(testArmoredPubfile) + require.NoError(t, err) + + require.Len(t, k, 1) + _, ok := k[0].Identities[testKeyName] + assert.True(t, ok, "expected %q in armored keyring", testKeyName) +} + +func TestLoadKeyRingArmoredMultiBlock(t *testing.T) { + // A keyring assembled by concatenating exports (cat a.asc b.asc) must + // load every block, the same way gpg --import does. + k, err := loadKeyRing(testMultiBlockArmored) + require.NoError(t, err) + + require.Len(t, k, 2) + names := make([]string, 0, len(k)) + for _, e := range k { + for n := range e.Identities { + names = append(names, n) + } + } + assert.Contains(t, names, testKeyName) +} + +func TestLoadArmoredKeyRingRejectsNonKeyBlocks(t *testing.T) { + var buf bytes.Buffer + w, err := armor.Encode(&buf, "PGP MESSAGE", nil) + require.NoError(t, err) + _, err = w.Write([]byte("not a key")) + require.NoError(t, err) + require.NoError(t, w.Close()) + + _, err = loadArmoredKeyRing(buf.Bytes()) + assert.ErrorContains(t, err, "expected a public or private key block") +} + func TestDigest(t *testing.T) { f, err := os.Open(testChartfile) if err != nil { @@ -406,6 +474,31 @@ func TestVerify(t *testing.T) { } } +// TestVerifyKeyboxKeyring mirrors TestVerify with the keyring loaded from a +// GnuPG keybox instead of the legacy binary format. +func TestVerifyKeyboxKeyring(t *testing.T) { + signer, err := NewFromKeyring(testKeybox, "") + require.NoError(t, err) + + archiveData, err := os.ReadFile(testChartfile) + require.NoError(t, err) + + sigData, err := os.ReadFile(testSigBlock) + require.NoError(t, err) + + ver, err := signer.Verify(archiveData, sigData, filepath.Base(testChartfile)) + require.NoError(t, err) + require.NotNil(t, ver.SignedBy) + _, ok := ver.SignedBy.Identities[testKeyName] + assert.True(t, ok, "expected chart to verify as signed by %q", testKeyName) + + tamperedSigData, err := os.ReadFile(testTamperedSigBlock) + require.NoError(t, err) + + _, err = signer.Verify(archiveData, tamperedSigData, filepath.Base(testChartfile)) + assert.Error(t, err, "expected tampered signature to fail against keybox keyring") +} + // readSumFile reads a file containing a sum generated by the UNIX shasum tool. func readSumFile(sumfile string) (string, error) { data, err := os.ReadFile(sumfile) diff --git a/pkg/provenance/testdata/helm-mixed-keyring.asc b/pkg/provenance/testdata/helm-mixed-keyring.asc new file mode 100644 index 000000000..acde8ef18 --- /dev/null +++ b/pkg/provenance/testdata/helm-mixed-keyring.asc @@ -0,0 +1,40 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFeWbZ4BCADIsgNRyVBSWJkbH6h3UWWXsA9ce1u+YKvaCYFSjIujKycTAqCC +P7qUV2Oj/4E2zUcOD1/8/meDwuTnNTLzdSw4ujtFlKRSw7zelQE6sxvID0KM0pQK +7AxDTXsm/7Afd/fg4WNW0/hcbeiNz4TVmSWAnbqeLg8o8eljR5QhTk47H6Glo4hV +raeLCKG77qm2qOQ/m38ec+L5n9iUpoZZu1S5RXPUIanV5pLlx2rQsooIQEdJbTRF +Iv3+2Nj/56PFVdrw7E5ARqCD4PpzzYV7uj8vKumOp+VivFj95Ze6DFENh1WWy336 +jQEj0uTolgOYeQ6AdJobwSPUeYXGV6Sf2vwXABEBAAG0XUhlbG0gVGVzdGluZyAo +VGhpcyBrZXkgc2hvdWxkIG9ubHkgYmUgdXNlZCBmb3IgdGVzdGluZy4gRE8gTk9U +IFRSVVNULikgPGhlbG0tdGVzdGluZ0BoZWxtLnNoPokBNwQTAQoAIQUCV5ZtngIb +AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCEO7+YH8GHYolFCAC0+ejT5dIX +0juRl5AdG6XAlEf9IrehkVlo0s5bG1Ucea9jjNRafmmHyMravrxZVI9zGFhaNpxA ++McnnWAO8lx5yTgnGW269qvFBsj5n0ItPewILQZjTEgwLYf1oc2qCFpk+8ovBnxZ +Kaz3J5QKqU09zLO2yALuI5FTCCUupJ3OGIrKvLJ4H2jsRk/5jgqIgqJotW/4Baza +4zemFdQHj9FPvq9sVeW5lyxM48i638GtslIgc0y2Yd/bfiy0tfIkskWz/kS1U6c9 +Utr3UPwpBqHjXnakmpK7GMGlp5eDXgr63BEdLKxJJWWxIys35fR19XZXcAELrwMh +zkTzB/dvI375uQENBFeWbZ4BCADB6a8oiF2royWbvwmujBxSmD68QWziNZbSCuRs +M4WM1iy69kspJHRwJEVIE5pkoVfV6tIcwQQ0VkJmq6Pf/pyKeMAXp0u8bp5K0mVE +Yio1/adiLM3kX1yleoXLNUb1gNvsk6Kp6BZCUNRmjKlbKxapJKHmL+opX8UoeLeE +KSgJNL8jvo3nRgg+wIPnVDoizz7y03F0k4SbgNGdoA/FtZs/vcSrEfzOLgI2RxQS +dj/ePkxg9TvQygUSYgAVbYlASw6XMmd/zTjkfD9qa0l3WSejTisn85b611WryDpA +iYkYC3GzK8g7S9VwkAbtr79cbG+1djlA4aHASpil+zR12yEhABEBAAGJAR8EGAEK +AAkFAleWbZ4CGwwACgkQhDu/mB/Bh2LbNQgAiOOMNzmKzY4A7/ra8ppaH9oL8XIa +WvInivOsx22K09PPuPVqi/ooBiRGyRqhdVS4ShPOoOTR5tOsdfPpEMTHnGQ1+jW+ +Tw5MXv3oMckWw3YEYptnuvon3wT4bOXLr+eYlY4Z1ONs+pAXwMiQ2zXNuKHpA2fR +HsF8Wyw57rCVn7K5nQgZCbVxasYlzvFGnmt/itSC5w/AnIvICDOWcoGFKTieqhME +IkCyvu+DNrMAumnD2fqF2olsM4IzCEPSMEQqJIGzZTtQTseS8NSDioRGnG1AJQ94 +BssQVmTh0/hlpoTqXY803lR5wb1fr3RRnkOu+lbEI6AAUj51j5TAAo/1dA== +=bvcV +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEaMzP2xYJKwYBBAHaRw8BAQdAXkL0KKTOZoMaM+6HsrkWv93zmLmnMiIoQvR2 +F+bjx7G0KEhlbG0gRWQyNTUxOSBUZXN0IDxoZWxtLWVkMjU1MTlAaGVsbS5zaD6I +mQQTFgoAQRYhBEy+dUwlWAxsh43nEfuFaBLOL8tkBQJozM/bAhsDBQkFo5qABQsJ +CAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPuFaBLOL8tktBYA/2cclE0N+BZV +Wymk6XfwFMjErM6olWAfwA8DfAGQ55+lAQCqSa+Tkjd4dmToVHcb0QAm+zwklAY4 +e6qWgGiivn77AA== +=wJ7K +-----END PGP PUBLIC KEY BLOCK----- diff --git a/pkg/provenance/testdata/helm-mixed-keyring.kbx b/pkg/provenance/testdata/helm-mixed-keyring.kbx new file mode 100644 index 000000000..300711cdb Binary files /dev/null and b/pkg/provenance/testdata/helm-mixed-keyring.kbx differ diff --git a/pkg/provenance/testdata/helm-test-key.asc b/pkg/provenance/testdata/helm-test-key.asc new file mode 100644 index 000000000..2d069d9b7 --- /dev/null +++ b/pkg/provenance/testdata/helm-test-key.asc @@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFeWbZ4BCADIsgNRyVBSWJkbH6h3UWWXsA9ce1u+YKvaCYFSjIujKycTAqCC +P7qUV2Oj/4E2zUcOD1/8/meDwuTnNTLzdSw4ujtFlKRSw7zelQE6sxvID0KM0pQK +7AxDTXsm/7Afd/fg4WNW0/hcbeiNz4TVmSWAnbqeLg8o8eljR5QhTk47H6Glo4hV +raeLCKG77qm2qOQ/m38ec+L5n9iUpoZZu1S5RXPUIanV5pLlx2rQsooIQEdJbTRF +Iv3+2Nj/56PFVdrw7E5ARqCD4PpzzYV7uj8vKumOp+VivFj95Ze6DFENh1WWy336 +jQEj0uTolgOYeQ6AdJobwSPUeYXGV6Sf2vwXABEBAAG0XUhlbG0gVGVzdGluZyAo +VGhpcyBrZXkgc2hvdWxkIG9ubHkgYmUgdXNlZCBmb3IgdGVzdGluZy4gRE8gTk9U +IFRSVVNULikgPGhlbG0tdGVzdGluZ0BoZWxtLnNoPokBNwQTAQoAIQUCV5ZtngIb +AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCEO7+YH8GHYolFCAC0+ejT5dIX +0juRl5AdG6XAlEf9IrehkVlo0s5bG1Ucea9jjNRafmmHyMravrxZVI9zGFhaNpxA ++McnnWAO8lx5yTgnGW269qvFBsj5n0ItPewILQZjTEgwLYf1oc2qCFpk+8ovBnxZ +Kaz3J5QKqU09zLO2yALuI5FTCCUupJ3OGIrKvLJ4H2jsRk/5jgqIgqJotW/4Baza +4zemFdQHj9FPvq9sVeW5lyxM48i638GtslIgc0y2Yd/bfiy0tfIkskWz/kS1U6c9 +Utr3UPwpBqHjXnakmpK7GMGlp5eDXgr63BEdLKxJJWWxIys35fR19XZXcAELrwMh +zkTzB/dvI375uQENBFeWbZ4BCADB6a8oiF2royWbvwmujBxSmD68QWziNZbSCuRs +M4WM1iy69kspJHRwJEVIE5pkoVfV6tIcwQQ0VkJmq6Pf/pyKeMAXp0u8bp5K0mVE +Yio1/adiLM3kX1yleoXLNUb1gNvsk6Kp6BZCUNRmjKlbKxapJKHmL+opX8UoeLeE +KSgJNL8jvo3nRgg+wIPnVDoizz7y03F0k4SbgNGdoA/FtZs/vcSrEfzOLgI2RxQS +dj/ePkxg9TvQygUSYgAVbYlASw6XMmd/zTjkfD9qa0l3WSejTisn85b611WryDpA +iYkYC3GzK8g7S9VwkAbtr79cbG+1djlA4aHASpil+zR12yEhABEBAAGJAR8EGAEK +AAkFAleWbZ4CGwwACgkQhDu/mB/Bh2LbNQgAiOOMNzmKzY4A7/ra8ppaH9oL8XIa +WvInivOsx22K09PPuPVqi/ooBiRGyRqhdVS4ShPOoOTR5tOsdfPpEMTHnGQ1+jW+ +Tw5MXv3oMckWw3YEYptnuvon3wT4bOXLr+eYlY4Z1ONs+pAXwMiQ2zXNuKHpA2fR +HsF8Wyw57rCVn7K5nQgZCbVxasYlzvFGnmt/itSC5w/AnIvICDOWcoGFKTieqhME +IkCyvu+DNrMAumnD2fqF2olsM4IzCEPSMEQqJIGzZTtQTseS8NSDioRGnG1AJQ94 +BssQVmTh0/hlpoTqXY803lR5wb1fr3RRnkOu+lbEI6AAUj51j5TAAo/1dA== +=bvcV +-----END PGP PUBLIC KEY BLOCK----- diff --git a/pkg/provenance/testdata/helm-test-key.kbx b/pkg/provenance/testdata/helm-test-key.kbx new file mode 100644 index 000000000..f2bf73fa5 Binary files /dev/null and b/pkg/provenance/testdata/helm-test-key.kbx differ diff --git a/pkg/provenance/testdata/regen-keyring-formats.sh b/pkg/provenance/testdata/regen-keyring-formats.sh new file mode 100755 index 000000000..017f7d13e --- /dev/null +++ b/pkg/provenance/testdata/regen-keyring-formats.sh @@ -0,0 +1,26 @@ +#!/bin/sh +# Regenerate the modern-GnuPG keyring fixtures from the committed binary +# keyrings. Requires GnuPG 2.1+ (keybox support). +# +# helm-test-key.kbx keybox (pubring.kbx) containing the helm-test key +# helm-mixed-keyring.kbx keybox containing the RSA and Ed25519 test keys +# helm-test-key.asc ASCII-armored export of the helm-test key +# helm-mixed-keyring.asc two concatenated single-key armored exports +set -e + +GNUPGHOME=$(mktemp -d) +export GNUPGHOME +chmod 700 "$GNUPGHOME" +gpg --batch --no-tty --quiet --import helm-test-key.pub +cp "$GNUPGHOME/pubring.kbx" helm-test-key.kbx +gpg --batch --no-tty --export --armor helm-testing@helm.sh > helm-test-key.asc +rm -rf "$GNUPGHOME" + +GNUPGHOME=$(mktemp -d) +export GNUPGHOME +chmod 700 "$GNUPGHOME" +gpg --batch --no-tty --quiet --import helm-mixed-keyring.pub +cp "$GNUPGHOME/pubring.kbx" helm-mixed-keyring.kbx +gpg --batch --no-tty --export --armor helm-testing@helm.sh > helm-mixed-keyring.asc +gpg --batch --no-tty --export --armor helm-ed25519@helm.sh >> helm-mixed-keyring.asc +rm -rf "$GNUPGHOME"