On 07/17/2013 05:21 PM, Lucas Meneghel Rodrigues wrote:
Michael pointed out that there are 2 problems with the currently implementation of the signed tags verification:
typo, current. I'll fix it.
1) If the tag is signed by Malicious.Hacker@somewhere and you trick gpg into downloading this key, it will still happily accept the tag as long as it's in the server. 2) If one runs this test from her/his account, it will add random stuff to her/his .gnupg directory. In order to bypass chain of trust issues, the user will specify directly which keys are allowed, those keys will be copied to a special shared location on virt test (shared/gpg), the environment variable GNUPGHOME will be set to a temporary directory, the specified key will be imported and then the tag will be verified. CC: Michael S. Tirskin <[email protected]> Signed-off-by: Lucas Meneghel Rodrigues <[email protected]> --- qemu/cfg/build.cfg | 4 +++- virttest/build_helper.py | 28 +++++++++++++++++----------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/qemu/cfg/build.cfg b/qemu/cfg/build.cfg index 5fbd1af..10ed6b1 100644 --- a/qemu/cfg/build.cfg +++ b/qemu/cfg/build.cfg @@ -49,7 +49,9 @@ variants: #git_repo_qemu_tag = for_anthony # If tag_signed is provided, then we will be strict and verify the # tag. If the tag verification fails, the entire build test will fail. - #git_repo_qemu_tag_signed = pgp.mit.edu:AFBE8E67 + # A file with the trusted GPG keys should be put at shared/gpg. The + # build test will look for it. If not found, the test will fail. + #git_repo_qemu_tag_signed = mst.keys # SPICE installation from a GIT repo git_repo_spice_uri = git://anongit.freedesktop.org/spice/spice diff --git a/virttest/build_helper.py b/virttest/build_helper.py index 2879908..928e11f 100644 --- a/virttest/build_helper.py +++ b/virttest/build_helper.py @@ -75,8 +75,7 @@ class GitRepoParamHelper(git.GitRepoHelper): else: logging.debug('Git repo %s tag: %s' % (self.name, self.tag)) - self.key_id = None - self.key_server = None + self.key_file = None tag_signed = self.params.get('%s_tag_signed' % config_prefix) if tag_signed is None: logging.warning('Git repo %s tag is not signed' % self.name) 
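Review bot: Dropping `self.key_id = None` in this hunk leaves the unchanged line `logging.debug('Verifying if tag is actually signed with ' 'GPG key ID %s' % self.key_id)` in the last hunk of this file reading an attribute this class no longer sets. Unless the parent `git.GitRepoHelper` defines `key_id`, that line raises AttributeError inside the `try` before `git tag -v` runs; how that surfaces depends on the `except` clause, which is outside the diff. Make the message name the key file instead: `logging.debug('Verifying tag %s against keys imported from %s', self.tag, self.key_file)`. The enclosing method starts and ends outside this hunk.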
@@ -84,10 +83,15 @@ class GitRepoParamHelper(git.GitRepoHelper): 'made by whomever claims to have made it ' '(dangerous)') else: - self.key_server, self.key_id = tag_signed.split(":") - logging.debug('Git repo %s tag %s was signed with GPG key ID %s ' - 'present on key server %s', self.name, self.tag, - self.key_id, self.key_server) + self.key_file = os.path.join(data_dir.get_data_dir(), 'gpg', + tag_signed) + if os.path.isfile(self.key_file): + logging.debug('Git repo %s tag %s will be verified with public ' + 'key file %s', self.name, self.tag, self.key_file) + else: + raise error.TestError('GPG public key file %s not found, will ' + 'not proceed with testing' % + self.key_file) self.cmd = os_dep.command('git') @@ -106,12 +110,14 @@ class GitRepoParamHelper(git.GitRepoHelper): if self.tag: utils.system('git checkout %s' % self.tag) - if self.key_server is not None and self.key_id is not None: + if self.key_file is not None: try: - logging.debug('Downloading GPG key ID %s from key server ' - '%s', self.key_id, self.key_server) - utils.system('gpg --batch --keyserver %s --recv-keys %s' % - (self.key_server, self.key_id)) + gnupg_home = os.path.join(os.path.dirname(self.key_file), + 'gnupg') + if not os.path.isdir(gnupg_home): + os.makedirs(gnupg_home) + os.environ['GNUPGHOME'] = gnupg_home + utils.system('gpg --import %s' % self.key_file) logging.debug('Verifying if tag is actually signed with ' 'GPG key ID %s' % self.key_id) utils.system('git tag -v %s' % self.tag)
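Review bot: `tag_signed` is joined into the key path without a check that it is a bare file name, so an absolute value or one containing `..` makes `os.path.join` resolve outside `shared/gpg`, and the `os.path.isfile` test then passes for any readable file. The change is meant to trust only keys placed in the shared directory, so reject such values before the `isfile` test, for example `if os.path.basename(tag_signed) != tag_signed: raise error.TestError('Invalid GPG key file name %s' % tag_signed)`. The same check also narrows what reaches the `'gpg --import %s' % self.key_file` command string in the last hunk, which is built by plain interpolation. The enclosing method starts and ends outside this hunk.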
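Review bot: The keyring directory built in the `@@ -106,12 +110,14 @@` hunk is `gnupg` next to the key file under `shared/gpg`, a persistent location and not the temporary directory the commit message describes, so every key imported by an earlier run stays in it. `git tag -v` then passes for a tag signed by any of those keys, not only the ones in the file named by the current `tag_signed` value, which weakens the allow-list this patch is meant to enforce. Create a fresh keyring per verification with `gnupg_home = tempfile.mkdtemp()` (this needs `tempfile` imported if the module does not already import it) in place of the `os.path.join`/`os.makedirs` lines. Remove that directory and restore the previous `GNUPGHOME` value when verification is done, because `os.environ` is changed for the whole process and for every child it starts afterwards. The handlers of the `try` block are outside this hunk, so the cleanup would go in a `finally` there.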
