Hi!

On Mon, 2024-09-30 at 20:01:25 +0200, Timo Weingärtner wrote:
> 30.09.24 02:18 Guillem Jover:
> > I've prepared a few patches to improve the OpenPGP support. I think at
> > least the one fixing the gpgv usage means that part is probably
> > currently unusable? Attached the patch series.
>
> You have removed the "|| exit 1" in the sopv path. That was there for a
> reason: If users have temporary errors ignored via EXIT_IGNORE they might
> still want to see verification errors.

Ah sorry, I stopped on that one for a bit, but assumed (incorrectly) that
this was related to gpgv exit codes, and not a feature of the framework.
Given your explanation now and digging further into the code I see now
how this is supposed to work, and why it's a problem.

The other reason was that I didn't want to lose the richer exit codes
from sopv, which are well specified (unlike the gpgv ones):

  https://dkg.gitlab.io/openpgp-stateless-cli/#name-failure-modes

> Solving the problem of overlapping return codes would need a more complicated
> plugin interface.

Right. I think ideally the OpenPGP verification would be split into its
own plugin, that could stack over the other ones, then it could have its
own exit codes, and not be mixed with the main plugin tool. Although
using the exit codes like they are currently used means the plugins can
mostly run a single tool, otherwise such conflicts can easily arise
(which is not really a problem except for the OpenPGP verification
anyway :).

> I guess for now I would re-add the "|| exit 1" and improve documentation in
> the examples with "OpenPGP verification failure is always 1".
>
> What's your opinion on this?

Barring a rework of the plugin logic, I've restored this, and tried to
improve the comment for future readers. :)

Attached revised upstream patch series.

Thanks,
Guillem
From b32b285019eb749cfc650748fa4a4ce3b4fda736 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@hadrons.org> Date: Mon, 30 Sep 2024 01:36:22 +0200 Subject: [PATCH 1/4] Use OpenPGP when referring to the standard or objects These are OpenPGP signatures that any conforming implementation should be able to handle. They are not specific to GnuPG, which is one of many implementations, even though a very prominent one. --- examples/curl | 2 +- examples/rsync | 2 +- plugins/curl | 4 ++-- plugins/rsync | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/curl b/examples/curl index 18ed01b..b8f6d96 100644 --- a/examples/curl +++ b/examples/curl @@ -6,4 +6,4 @@ URL='https://www.example.com/known_hosts' # optional: SIGURL='http://www.example.com/known_hosts.sig' -KEYRING='/path/to/gpgv-compatible.keyring' +KEYRING='/path/to/openpgp-compatible.keyring' diff --git a/examples/rsync b/examples/rsync index 1d9fd4c..cbb6d64 100644 --- a/examples/rsync +++ b/examples/rsync @@ -11,5 +11,5 @@ URL='rsync://rsync.example.com/pub/known_hosts' # optional: SIGURL='rsync://rsync.example.com/pub/known_hosts.sig' -KEYRING='/path/to/gpgv-compatible.keyring' +KEYRING='/path/to/openpgp-compatible.keyring' diff --git a/plugins/curl b/plugins/curl index 9c47601..989891a 100755 --- a/plugins/curl +++ b/plugins/curl @@ -5,8 +5,8 @@ # ENVIRONMENT VARIABLES: # URL URL to download known_hosts file from # CURL_OPTIONS options passed to curl -# SIGURL URL of the GnuPG signature -# KEYRING path to the keyring for use by gpgv +# SIGURL URL of the OpenPGP signature +# KEYRING path to the OpenPGP keyring with certificates # set -e diff --git a/plugins/rsync b/plugins/rsync index 1a57660..2ff5c1a 100755 --- a/plugins/rsync +++ b/plugins/rsync 
@@ -4,8 +4,8 @@ # # ENVIRONMENT VARIABLES: # URL URL to download known_hosts file from -# SIGURL URL of the GnuPG signature -# KEYRING path to the keyring for use by gpgv +# SIGURL URL of the OpenPGP signature +# KEYRING path to the OpenPGP keyring with certificates # set -e -- 2.45.2
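Review bot: the renamed KEYRING hint in examples/curl and examples/rsync ('/path/to/openpgp-compatible.keyring') together with the new header comment "path to the OpenPGP keyring with certificates" now reads as if any OpenPGP certificate file will do, but the plugins still call gpgv --keyring, which takes a keyring in the format GnuPG accepts rather than an arbitrary certificate file; a short note in the ENVIRONMENT VARIABLES block saying which format the installed verifier expects would save users a failure that looks exactly like a bad signature (exit 1). Unrelated to the rename but visible in the same examples/curl context: URL is fetched over https:// while SIGURL is over http://; verification covers the signature's integrity, but the mismatch reads like a typo and is worth aligning to https://.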
From 06ef4f03e5e898faa2e56cca67880960b44b61d8 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@hadrons.org> Date: Mon, 30 Sep 2024 02:00:58 +0200 Subject: [PATCH 2/4] Current gpgv requires the datafile for detached signatures Otherwise we get the following error: gpgv: no signed data gpgv: can't hash datafile: No data --- plugins/curl | 2 +- plugins/rsync | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/curl b/plugins/curl index 989891a..b9dd2cb 100755 --- a/plugins/curl +++ b/plugins/curl @@ -14,7 +14,7 @@ set -e if [ "${SIGURL}" ]; then curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}" [ -e new ] || exit 0 - gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1 + gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 # return 1 because it's not clear what other codes may used else curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}" diff --git a/plugins/rsync b/plugins/rsync index 2ff5c1a..1c2cae2 100755 --- a/plugins/rsync +++ b/plugins/rsync @@ -15,7 +15,7 @@ rsync -vt --timeout=300 "${URL}" new if [ "${SIGURL}" ]; then rsync -vt --timeout=300 "${SIGURL}" new.sig - gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1 + gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 # return 1 because it's not clear what other codes may used fi -- 2.45.2
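Review bot: in the curl hunk, gpgv now needs both new.sig and new, but -z "./current" on that command line applies to both transfers, so when only the data file is newer than ./current, new.sig is never written and gpgv fails because the signature file is missing; that surfaces as exit 1 and is indistinguishable from a bad signature. Consider adding an explicit `[ -e new.sig ]` check after the `[ -e new ] || exit 0` guard and printing a distinct message before exiting, so a stale signature upload on the server side can be told apart from tampering in the logs. The rsync hunk does not have this problem since both transfers are unconditional, but it would benefit from the same distinct message on failure.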
From c08de46759be8ef329c5497fbde66d4326187f40 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@hadrons.org> Date: Wed, 2 Oct 2024 03:32:13 +0200 Subject: [PATCH 3/4] Clarify comment on exit code override to workaround overlapping codes The framework expects to be able to ignore specific exit codes from the plugins, but if we are possibly returning exit codes from different tools, then it's hard to untangle what tool generated which exit code. In the plugins at hand the exit code 1 seems like a safe one, given both curl and rsync usage, so we currently turn any OpenPGP verification error into that. --- plugins/curl | 3 ++- plugins/rsync | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/plugins/curl b/plugins/curl index b9dd2cb..29c0ace 100755 --- a/plugins/curl +++ b/plugins/curl @@ -15,7 +15,8 @@ if [ "${SIGURL}" ]; then curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}" [ -e new ] || exit 0 gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 - # return 1 because it's not clear what other codes may used + # return 1 because it's not clear what other codes may be safe to + # use that do not overlap with codes from curl. else curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}" fi diff --git a/plugins/rsync b/plugins/rsync index 1c2cae2..6aec09c 100755 --- a/plugins/rsync +++ b/plugins/rsync @@ -16,7 +16,8 @@ rsync -vt --timeout=300 "${URL}" new if [ "${SIGURL}" ]; then rsync -vt --timeout=300 "${SIGURL}" new.sig gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 - # return 1 because it's not clear what other codes may used + # return 1 because it's not clear what other codes may be safe to + # use that do not overlap with codes from rsync. fi # vim:set ft=sh: -- 2.45.2
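Review bot: the rewritten comment still presents 1 as a code that does not overlap with curl/rsync, but curl documents exit status 1 as "Unsupported protocol" and rsync documents 1 as "Syntax or usage error", so 1 is taken by both tools. The actual rationale is that those particular failures cannot occur with a fixed, working URL and option set, and that an EXIT_IGNORE configuration is expected never to ignore 1; state that instead of "not clear what other codes may be safe", e.g. "# always exit 1 on OpenPGP verification failure; curl only returns 1 for an unsupported protocol, which a working configuration never hits", and print an "OpenPGP verification failed" line to stderr before the exit so the two cases are distinguishable in logs.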
From a810318436233fa91d7ca4b79daac7ff22250954 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@hadrons.org> Date: Mon, 30 Sep 2024 01:39:13 +0200 Subject: [PATCH 4/4] Add sopv support This is a subset of the Stateless OpenPGP CLI <https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/>, that can easily replace the GnuPG usage. There are multiple implementations providing this interface. --- plugins/curl | 6 +++++- plugins/rsync | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/plugins/curl b/plugins/curl index 29c0ace..3ae028c 100755 --- a/plugins/curl +++ b/plugins/curl @@ -14,7 +14,11 @@ set -e if [ "${SIGURL}" ]; then curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}" [ -e new ] || exit 0 - gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 + if command -v sopv >/dev/null; then + sopv verify new.sig "${KEYRING}" <new || exit 1 + else + gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 + fi # return 1 because it's not clear what other codes may be safe to # use that do not overlap with codes from curl. else diff --git a/plugins/rsync b/plugins/rsync index 6aec09c..1ee6831 100755 --- a/plugins/rsync +++ b/plugins/rsync @@ -15,7 +15,11 @@ rsync -vt --timeout=300 "${URL}" new if [ "${SIGURL}" ]; then rsync -vt --timeout=300 "${SIGURL}" new.sig - gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 + if command -v sopv >/dev/null; then + sopv verify new.sig "${KEYRING}" <new || exit 1 + else + gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 + fi # return 1 because it's not clear what other codes may be safe to # use that do not overlap with codes from rsync. fi -- 2.45.2
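Review bot: the sopv branch is selected purely by `command -v sopv`, so installing sopv on a host silently switches the verifier and changes what KEYRING must contain (CERTS argument to `sopv verify` versus a gpgv --keyring file), yet the plugin header comments updated in patch 1/4 do not mention sopv at all. Document the precedence in the ENVIRONMENT VARIABLES block, and consider an explicit variable to pin the verifier so an unexpected PATH change cannot alter which tool makes the trust decision. Also note that `sopv verify` writes its verification result lines to stdout; if the framework consumes plugin stdout for anything, redirect them to stderr as the gpgv branch already does with --status-fd 2.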
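The exit-code discussion above (the framework ignores selected plugin exit codes via EXIT_IGNORE, curl/rsync and the OpenPGP verifier share one exit-code space, so verification failure is forced to 1, at the cost of sopv's well-specified failure codes) can be kept honest with a small wrapper. The following is an added example, not code from the plugins or from the patch series: it preserves the "verification failure is always 1" contract but writes the verifier's own exit status to stderr first, so the richer sopv codes survive in logs. The two native invocations match the patched plugins; the OPENPGP_VERIFIER override is a hypothetical addition so the wrapper can be exercised with stub commands when neither sopv nor gpgv is installed.

```shell
#!/bin/sh
# Added example, not part of the plugins or the patches above.
# Keeps the plugin contract (OpenPGP verification failure is always
# exit 1) while reporting the verifier's real exit status on stderr.
#
# Assumption (hypothetical, not in the plugins): OPENPGP_VERIFIER may
# name a command to use instead of auto-detecting sopv/gpgv. Anything
# other than "sopv" or "gpgv" is called as: TOOL SIG DATA KEYRING.
set -e

# Print the verifier to use; return 1 if none is available.
select_verifier() {
    if [ -n "${OPENPGP_VERIFIER}" ]; then
        printf '%s\n' "${OPENPGP_VERIFIER}"
    elif command -v sopv >/dev/null 2>&1; then
        echo sopv
    elif command -v gpgv >/dev/null 2>&1; then
        echo gpgv
    else
        return 1
    fi
}

# run_verifier TOOL SIG DATA KEYRING
# Invoke the tool in its native argument shape; the sopv and gpgv
# forms are the ones used by the patched plugins.
run_verifier() {
    tool=$1; sig=$2; data=$3; keyring=$4
    case "$tool" in
        sopv) sopv verify "$sig" "$keyring" <"$data" ;;
        gpgv) gpgv --keyring "$keyring" --status-fd 2 "$sig" "$data" ;;
        *)    "$tool" "$sig" "$data" "$keyring" ;;
    esac
}

# verify_openpgp SIG DATA KEYRING
# Returns 0 only for a good signature. Every other outcome (no verifier
# installed, bad signature, unreadable keyring, ...) returns 1, so the
# caller's "|| exit 1" never leaks a code that could collide with
# curl's or rsync's, but the real status is logged to stderr first.
verify_openpgp() {
    sig=$1; data=$2; keyring=$3
    status=0
    tool=$(select_verifier) || status=$?
    if [ "$status" -ne 0 ]; then
        echo "OpenPGP verification failed: no sopv or gpgv available" >&2
        return 1
    fi
    run_verifier "$tool" "$sig" "$data" "$keyring" || status=$?
    if [ "$status" -ne 0 ]; then
        echo "OpenPGP verification failed: $tool exited $status" >&2
        return 1
    fi
    return 0
}

# Plugin-style usage, as the patched plugins would call it
# (KEYRING is set by the framework):
#   verify_openpgp new.sig new "${KEYRING}" || exit 1
```

Because the plugins run under `set -e`, the `|| exit 1` at the call site is still what turns the wrapper's return value into the plugin's exit code; the wrapper only guarantees that the value is 1 and that the sopv or gpgv status that caused it is visible on stderr.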