sbp commented on issue #5: URL: https://github.com/apache/tooling-docs/issues/5#issuecomment-3120132868
@dave2wave I've implemented a proof of concept of the envisaged command. An example of how the command works is attached below. Note the `--verbose` flag. Without it, the command only reports whether the signature is valid or not. If not, it also reports a brief summary of the issues.

This command only works for artifacts which are known to the ATR. It doesn't use archive.a.o or downloads.a.o, but it can verify artifacts on those sites, or any other site, as long as the artifact and signature files are also in the ATR. The files in the ATR must be stored in either the _latest revisions_ of ongoing releases, or in finished releases.

The signature provided by the user on the command line must contain a full fingerprint. Older signatures may only contain a key ID, which this command does not support. The ATR must know, i.e. contain within its database, the public OpenPGP key with that fingerprint.

Internally the provenance API endpoint does a query to find all committees associated with that key, and then searches the committee release files until it finds a matching signature and artifact. There are, obviously, smarter and more efficient ways to do this, but this is just a proof of concept.

```
$ uv run atr verify https://127.0.0.1:8080/download/path/tooling/3.0.2+airflow/apache_airflow_core-3.0.2.tar.gz.asc --verbose
You provided the signature file URL:
https://127.0.0.1:8080/download/path/tooling/3.0.2+airflow/apache_airflow_core-3.0.2.tar.gz.asc

And we will assume that the artifact file URL is here:
https://127.0.0.1:8080/download/path/tooling/3.0.2+airflow/apache_airflow_core-3.0.2.tar.gz

We will now download the artifact and then the signature from these URLs.

The artifact file is 2,860,519 bytes in size, and its SHA3-256 is:
ffa3107570a1b26906bf4757411de5d3d1a18d44e5d5102645198480f0076484

The signature file is 516 bytes in size, and its SHA3-256 is:
c10ef1ade248a17489d395eeb8f8c0edbe6f39b1ed18186df4a7d06a7579b848

To verify the signature, we need the OpenPGP signing key from the ATR.
To get the key, we are going to send the following API request:

{
  "artifact_file_name": "apache_airflow_core-3.0.2.tar.gz",
  "artifact_sha3_256": "ffa3107570a1b26906bf4757411de5d3d1a18d44e5d5102645198480f0076484",
  "signature_file_name": "apache_airflow_core-3.0.2.tar.gz.asc",
  "signature_asc_text": "-----BEGIN PGP SIGNATURE-----\n\ni...",
  "signature_sha3_256": "c10ef1ade248a17489d395eeb8f8c0edbe6f39b1ed18186df4a7d06a7579b848"
}

The ATR found a matching OpenPGP key with the following fingerprint:
CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F

This key is associated with these committees with a project containing the artifact:

-- tooling --
KEYS URL: https://127.0.0.1:8080/downloads/tooling/KEYS
SHA3-256: 165b4a7d1413ef16dcaef118395eed84e5a2d0afb6fe9e4e3cec184f6385f63e

We can now try to verify the signature using the OpenPGP key from the ATR.
Note that we ignore key expiry, so we consider expired key signatures to be valid.

The signature is valid!

This completes the verification process.
```
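The lookup that the comment above describes (derive the artifact URL from the signature URL, hash both files with SHA3-256, build the provenance request, then walk from the signing key's fingerprint to its committees and scan their release files for a matching artifact/signature pair) can be modelled in a few dozen lines. The following is an added example written for this page; it is not the ATR project's code. The `ProvenanceIndex` class, its `lookup` method, the `SigningKey.expired` field, the example hostname and the fingerprint are all constructed stand-ins for the real database and API. The caller is assumed to have already extracted the issuer fingerprint from the signature packet, and the actual OpenPGP signature check that the CLI performs once it has the key is out of scope here. Unlike the proof of concept, the example surfaces an expired key as an issue rather than silently accepting it, and it rejects a bare key ID up front because only a full fingerprint can be resolved:

```python
import hashlib
import re
from dataclasses import dataclass

# A full OpenPGP v4 fingerprint is 40 hex digits; a 16-digit key ID is not accepted.
FULL_FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")


def artifact_url_from_signature_url(signature_url: str) -> str:
    """The command assumes the artifact sits beside its detached signature, minus .asc."""
    if not signature_url.endswith(".asc"):
        raise ValueError("signature URL must end in .asc")
    return signature_url[: -len(".asc")]


def sha3_256_hex(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()


def build_provenance_request(artifact_name: str, artifact: bytes,
                             signature_name: str, signature_asc: str) -> dict:
    """Body of the provenance API request, using the same keys as the session output."""
    return {
        "artifact_file_name": artifact_name,
        "artifact_sha3_256": sha3_256_hex(artifact),
        "signature_file_name": signature_name,
        "signature_asc_text": signature_asc,
        "signature_sha3_256": sha3_256_hex(signature_asc.encode()),
    }


@dataclass(frozen=True)
class ReleaseFile:
    committee: str
    release: str
    name: str
    sha3_256: str


@dataclass(frozen=True)
class SigningKey:
    fingerprint: str
    committees: tuple
    expired: bool = False  # hypothetical field: the PoC ignores expiry, this example reports it


class ProvenanceIndex:
    """Hypothetical in-memory stand-in for the ATR database (constructed for this example)."""

    def __init__(self, keys, files):
        self.keys = {k.fingerprint.upper(): k for k in keys}
        self.files = list(files)

    def lookup(self, request: dict, issuer_fingerprint: str) -> dict:
        """Key -> committees -> scan release files until artifact and signature both match."""
        if not FULL_FINGERPRINT.match(issuer_fingerprint):
            return {"found": False, "issues": ["signature carries a key ID, not a full fingerprint"]}
        key = self.keys.get(issuer_fingerprint.upper())
        if key is None:
            return {"found": False, "issues": ["ATR does not know the signing key"]}
        for committee in key.committees:
            by_name = {(f.release, f.name): f.sha3_256
                       for f in self.files if f.committee == committee}
            for (release, name), digest in by_name.items():
                if name != request["artifact_file_name"] or digest != request["artifact_sha3_256"]:
                    continue
                sig_digest = by_name.get((release, request["signature_file_name"]))
                if sig_digest == request["signature_sha3_256"]:
                    issues = ["signing key is expired"] if key.expired else []
                    return {"found": True, "committee": committee, "release": release,
                            "fingerprint": key.fingerprint, "issues": issues}
        return {"found": False, "issues": ["no committee release holds this artifact and signature"]}


# Constructed sample inputs; these are not real Apache artifacts or keys.
ARTIFACT = b"constructed tarball bytes\n"
SIGNATURE_ASC = "-----BEGIN PGP SIGNATURE-----\n\nconstructed\n-----END PGP SIGNATURE-----\n"
FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder fingerprint


def demo_index() -> ProvenanceIndex:
    release = "3.0.2+example"
    files = [
        ReleaseFile("tooling", release, "example-3.0.2.tar.gz", sha3_256_hex(ARTIFACT)),
        ReleaseFile("tooling", release, "example-3.0.2.tar.gz.asc",
                    sha3_256_hex(SIGNATURE_ASC.encode())),
    ]
    return ProvenanceIndex([SigningKey(FINGERPRINT, ("tooling",))], files)


def verify_example(artifact: bytes = ARTIFACT, fingerprint: str = FINGERPRINT) -> dict:
    sig_url = "https://atr.example/download/path/tooling/3.0.2+example/example-3.0.2.tar.gz.asc"
    art_url = artifact_url_from_signature_url(sig_url)
    request = build_provenance_request(art_url.rsplit("/", 1)[1], artifact,
                                       sig_url.rsplit("/", 1)[1], SIGNATURE_ASC)
    return demo_index().lookup(request, fingerprint)


if __name__ == "__main__":
    print(verify_example())
```

Because the request carries only file names and digests, the server can only return a key for files it already stores; a tampered download therefore fails at the lookup stage (no release holds that digest) before any OpenPGP verification runs, which is the property the comment relies on when it says the command only works for artifacts known to the ATR.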