This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch main
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7b8719d19b3c5b080588865dd0b181e2fdf1dc77

The following commit(s) were added to refs/heads/main by this push:
     new 7b8719d19 Dpkg::OpenPGP: Add Stateless OpenPGP (SOP) backend support
7b8719d19 is described below

commit 7b8719d19b3c5b080588865dd0b181e2fdf1dc77 (HEAD -> main)
Author: Guillem Jover <[email protected]>
AuthorDate: Thu Jul 21 02:11:35 2022 +0200

    Dpkg::OpenPGP: Add Stateless OpenPGP (SOP) backend support
    
    This adds support for the Stateless OpenPGP Command-Line Interface,
    as drafted at:
    
      https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/
    
    as a new OpenPGP backend. Multiple SOP implementations can be supported,
    as long as they support the required draft version and interfaces.
    
    This commit currently only explicitly probes for the pgpainless-cli
    SOP implementation, as the one that conforms to our expectations.
---
 README                              |   1 +
 debian/control                      |  14 +++--
 man/dpkg-buildpackage.pod           |   3 +
 scripts/Dpkg/OpenPGP.pm             |   2 +
 scripts/Dpkg/OpenPGP/Backend/SOP.pm | 110 ++++++++++++++++++++++++++++++++++++
 scripts/Makefile.am                 |   1 +
 scripts/t/Dpkg_OpenPGP.t            |   2 +
 7 files changed, 129 insertions(+), 4 deletions(-)

diff --git a/README b/README
index 4097cfcbb..267d46ec4 100644
--- a/README
+++ b/README
@@ -106,6 +106,7 @@ software might be needed:
   codespell (optional, author)
   cppcheck (optional, author)
   fakeroot (optional)
+  sop [pgpainless-cli] (optional)
   sq (from Sequoia-PGP, optional)
   gpg (optional)
   i18nspector (optional, author)
diff --git a/debian/control b/debian/control
index c46bfbc0e..f4e67a634 100644
--- a/debian/control
+++ b/debian/control
@@ -110,8 +110,8 @@ Recommends:
  build-essential,
  gcc | c-compiler,
  fakeroot,
- gnupg | sq,
- gpgv | sq,
+ gnupg | sq | pgpainless-cli,
+ gpgv | sq | pgpainless-cli,
 # Used by dpkg-mergechangelogs.
  libalgorithm-merge-perl,
 Suggests:
@@ -121,6 +121,9 @@ Breaks:
  debhelper (<< 10.10.1~),
 # Uses new sq features, w/o requiring a hard dependency on sq.
  sq (<< 0.25.0~),
+# Uses required SOP feautres, w/o requiring a hard dependency on pgpainless.
+ pgpainless-cli (<< 1.3.13~),
+ libsop-java-java (<< 4.0.7~),
 Description: Debian package development tools
  This package provides the development tools (including dpkg-source)
  required to unpack, build and upload Debian source packages.
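Review bot: The comment added above the new `Breaks` entries misspells "features" as "feautres", and the identical line is repeated in the later hunk at `@@ -167,6 +170,9 @@`. Suggest `# Uses required SOP features, w/o requiring a hard dependency on pgpainless.` in both places. The comment could also say which SOP draft behaviour the two version floors guarantee, so that a later maintainer can tell when they are safe to drop.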
@@ -147,8 +150,8 @@ Recommends:
  xz-utils,
 Suggests:
  debian-keyring,
- gnupg | sq,
- gpgv | sq,
+ gnupg | sq | pgpainless-cli,
+ gpgv | sq | pgpainless-cli,
  gcc | c-compiler,
  binutils,
  patch,
@@ -167,6 +170,9 @@ Breaks:
  dgit (<< 3.13~),
 # Uses new sq features, w/o requiring a hard dependency on sq.
  sq (<< 0.25.0~),
+# Uses required SOP feautres, w/o requiring a hard dependency on pgpainless.
+ pgpainless-cli (<< 1.3.13~),
+ libsop-java-java (<< 4.0.7~),
 Description: Dpkg perl modules
  This package provides the perl modules used by the scripts
  in dpkg-dev. They cover a wide range of functionality. Among them
diff --git a/man/dpkg-buildpackage.pod b/man/dpkg-buildpackage.pod
index f6b7d109d..88169a6c0 100644
--- a/man/dpkg-buildpackage.pod
+++ b/man/dpkg-buildpackage.pod
@@ -527,6 +527,8 @@ The specific OpenPGP backends supported in order of 
preference are:
 
 =over 2
 
+=item B<sop> (any conforming Stateless OpenPGP implementation)
+
 =item B<sq> (from Sequoia-PGP)
 
 =item B<gpg> (from GnuPG)
@@ -789,5 +791,6 @@ B<dpkg-genbuildinfo>(1),
 B<dpkg-genchanges>(1),
 B<fakeroot>(1),
 B<lintian>(1),
+L<https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/>,
 B<sq>(1),
 B<gpg>(1).
diff --git a/scripts/Dpkg/OpenPGP.pm b/scripts/Dpkg/OpenPGP.pm
index dea37b645..2e12ea75b 100644
--- a/scripts/Dpkg/OpenPGP.pm
+++ b/scripts/Dpkg/OpenPGP.pm
@@ -28,10 +28,12 @@ use Dpkg::Path qw(find_command);
 our $VERSION = '0.01';
 
 my @BACKENDS = qw(
+    sop
     sq
     gpg
 );
 my %BACKEND = (
+    sop => 'SOP',
     sq => 'Sequoia',
     gpg => 'GnuPG',
 );
diff --git a/scripts/Dpkg/OpenPGP/Backend/SOP.pm 
b/scripts/Dpkg/OpenPGP/Backend/SOP.pm
new file mode 100644
index 000000000..d87adca78
--- /dev/null
+++ b/scripts/Dpkg/OpenPGP/Backend/SOP.pm
@@ -0,0 +1,110 @@
+# Copyright © 2021-2022 Guillem Jover <[email protected]>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package Dpkg::OpenPGP::Backend::SOP;
+
+use strict;
+use warnings;
+
+our $VERSION = '0.01';
+
+use POSIX qw(:sys_wait_h);
+
+use Dpkg::ErrorHandling;
+use Dpkg::IPC;
+use Dpkg::OpenPGP::ErrorCodes;
+
+use parent qw(Dpkg::OpenPGP::Backend);
+
+# - Once "sqop" fixes armor idempotency, add as alternative.
+#   Ref: https://gitlab.com/sequoia-pgp/sequoia-sop/-/issues/20
+# - Once "gosop" implements inline-verify and inline-sign, add as alternative.
+#   Ref: https://github.com/ProtonMail/gosop/issues/6
+# - Once "hop" implements the new SOP draft, add as alternative.
+#   Ref: https://salsa.debian.org/clint/hopenpgp-tools/-/issues/4
+# - Once the SOP MR !23 is finalized and merged, implement a way to select
+#   whether the SOP instance supports the expected draft.
+#   Ref: https://gitlab.com/dkg/openpgp-stateless-cli/-/merge_requests/23
+# - Once the SOP issue #42 is resolved we can perhaps remove the alternative
+#   dependencies and commands to check?
+#   Ref: https://gitlab.com/dkg/openpgp-stateless-cli/-/issues/42
+
+sub DEFAULT_CMD {
+    return [ qw(pgpainless-cli) ];
+}
+
+sub _sop_exec
+{
+    my ($self, $io, @exec) = @_;
+
+    return OPENPGP_MISSING_CMD unless $self->{cmd};
+
+    $io->{out} //= '/dev/null';
+    my $stderr;
+    spawn(exec => [ $self->{cmd}, @exec ],
+          wait_child => 1, nocheck => 1, timeout => 10,
+          from_file => $io->{in}, to_file => $io->{out},
+          error_to_string => \$stderr);
+    if (WIFEXITED($?)) {
+        my $status = WEXITSTATUS($?);
+        print { *STDERR } "$stderr" if $status;
+        return $status;
+    } else {
+        subprocerr("$self->{cmd} @exec");
+    }
+}
+
+sub armor
+{
+    my ($self, $type, $in, $out) = @_;
+
+    # We ignore the $type, and let "sop" handle this automatically.
+    return $self->_sop_exec({ in => $in, out => $out }, 'armor');
+}
+
+sub dearmor
+{
+    my ($self, $type, $in, $out) = @_;
+
+    # We ignore the $type, and let "sop" handle this automatically.
+    return $self->_sop_exec({ in => $in, out => $out }, 'dearmor');
+}
+
+sub inline_verify
+{
+    my ($self, $inlinesigned, $data, @certs) = @_;
+
+    return $self->_sop_exec({ in => $inlinesigned, out => $data },
+                            'inline-verify', @certs);
+}
+
+sub verify
+{
+    my ($self, $data, $sig, @certs) = @_;
+
+    return $self->_sop_exec({ in => $data }, 'verify', $sig, @certs);
+}
+
+sub inline_sign
+{
+    my ($self, $data, $inlinesigned, $key) = @_;
+
+    return OPENPGP_NEEDS_KEYSTORE if $key->needs_keystore();
+
+    return $self->_sop_exec({ in => $data, out => $inlinesigned },
+                            qw(inline-sign --as clearsigned --), $key->handle);
+}
+
+1;
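Review bot: `verify` and `inline_verify` hand `$sig` and `@certs` to the SOP command with no end-of-options marker, while `inline_sign` in the same file already puts `--` before `$key->handle`. A signature or certificate path that begins with `-` would then be read by the backend as an option rather than as a file name, which matters on a signature-verification path. For consistency, suggest `'verify', '--', $sig, @certs` and `'inline-verify', '--', @certs`. Separately, `timeout => 10` in `_sop_exec` is a bare constant; a short comment such as `# Upper bound so a hung backend cannot stall the caller` would help, along with a note on what the caller sees when it expires.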
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index b508219da..9a78c4b6f 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -108,6 +108,7 @@ nobase_dist_perllib_DATA = \
        Dpkg/OpenPGP.pm \
        Dpkg/OpenPGP/Backend.pm \
        Dpkg/OpenPGP/Backend/GnuPG.pm \
+       Dpkg/OpenPGP/Backend/SOP.pm \
        Dpkg/OpenPGP/Backend/Sequoia.pm \
        Dpkg/OpenPGP/ErrorCodes.pm \
        Dpkg/OpenPGP/KeyHandle.pm \
diff --git a/scripts/t/Dpkg_OpenPGP.t b/scripts/t/Dpkg_OpenPGP.t
index fc4085820..ce05553b6 100644
--- a/scripts/t/Dpkg_OpenPGP.t
+++ b/scripts/t/Dpkg_OpenPGP.t
@@ -28,11 +28,13 @@ use Dpkg::OpenPGP::KeyHandle;
 my @backend_cmds = qw(
     gpg
     sq
+    pgpainless-cli
 );
 my %backend_cmd = (
     auto => 'auto',
     gpg => 'gpg',
     sq => 'sq',
+    'pgpainless-cli' => 'sop',
 );
 my @cmds = grep { find_command($_) } @backend_cmds;
 if (@cmds == 0) {

-- 
Dpkg.Org's dpkg
