summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKonstantin Ryabitsev <konstantin@linuxfoundation.org>2020-11-20 16:54:49 -0500
committerKonstantin Ryabitsev <konstantin@linuxfoundation.org>2020-11-20 16:54:49 -0500
commit379d1d8a7c64f89282eb80edd3da1ba09d50c3f5 (patch)
tree1d20ec2ba1e692ed11ef1da243530d82ebad0e34
parentdd711f894fed036d1e1ffbc52c89a68530cde988 (diff)
downloadb4-379d1d8a7c64f89282eb80edd3da1ba09d50c3f5.tar.gz
Add attestation-check-dkim config option
Make it possible to turn off dkim verification entirely, but leave other attestation modes enabled. Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
-rw-r--r--b4/__init__.py14
-rw-r--r--man/b4.525
-rw-r--r--man/b4.5.rst28
3 files changed, 36 insertions, 31 deletions
diff --git a/b4/__init__.py b/b4/__init__.py
index ac0e85c..e916feb 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -104,9 +104,8 @@ DEFAULT_CONFIG = {
'attestation-uid-match': 'loose',
# How many days before we consider attestation too old?
'attestation-staleness-days': '30',
- # NB! This whole behaviour will change once public-inbox
- # gains support for cross-list searches
- 'attestation-query-url': LOREADDR + '/signatures/',
+ # Should we check DKIM signatures if we don't find any other attestation?
+ 'attestation-check-dkim': 'yes',
# We'll use the default gnupg homedir, unless you set it here
'attestation-gnupghome': None,
# Do you like simple or fancy checkmarks?
@@ -573,9 +572,9 @@ class LoreSeries:
for trailer, attmode in set(attdata):
logger.info(' %s %s', attmode, trailer)
return mbx
- elif not can_dkim_verify:
+ elif not can_dkim_verify and config.get('attestation-check-dkim') == 'yes':
logger.info(' ---')
- logger.info(' NOTE: install dkimpy for DKIM signature attestation.')
+ logger.info(' NOTE: install dkimpy for DKIM signature verification')
errors = set(atterrors)
for attdoc in ATTESTATIONS:
@@ -1806,8 +1805,9 @@ class LoreAttestation:
hhdr = msg.get(HDR_PATCH_HASHES)
if hhdr is None:
# Do we have a dkim signature header?
- if msg.get('DKIM-Signature'):
- if can_dkim_verify:
+ if can_dkim_verify and msg.get('DKIM-Signature'):
+ config = get_main_config()
+ if config.get('attestation-check-dkim') == 'yes':
self.lsig = LoreAttestationSignatureDKIM(msg)
if self.lsig.passing:
self.passing = True
diff --git a/man/b4.5 b/man/b4.5
index cc8bddf..8da4ef4 100644
--- a/man/b4.5
+++ b/man/b4.5
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH B4 5 "2020-05-25" "0.5.0" ""
+.TH B4 5 "2020-11-20" "0.6.0" ""
.SH NAME
B4 \- Work with code submissions in a public-inbox archive
.
@@ -49,13 +49,13 @@ precursor to Lore and Data in the Star Trek universe.
.IP \(bu 2
\fIb4 am\fP: Create an mbox file that is ready to git\-am
.IP \(bu 2
-\fIb4 attest\fP: (EXPERIMENTAL) Submit cryptographic attestation for patches
+\fIb4 pr\fP: Work with pull requests
.IP \(bu 2
-\fIb4 pr\fP: (EXPERIMENTAL) Work with pull requests
+\fIb4 diff\fP: Show range\-diff style diffs between patch versions
.IP \(bu 2
\fIb4 ty\fP: (EXPERIMENTAL) Create templated replies for processed patches and pull requests
.IP \(bu 2
-\fIb4 diff\fP: (EXPERIMENTAL) Show range\-diff style diffs between patch versions
+\fIb4 attest\fP: (EXPERIMENTAL) Add cryptographic attestation to patches
.UNINDENT
.SH OPTIONS
.INDENT 0.0
@@ -176,11 +176,10 @@ Do not save the cover letter (on by default when using \-o \-)
.sp
\fIExample\fP: b4 am \fI\%20200313231252.64999\-1\-keescook@chromium.org\fP
.SS b4 attest
+.sp
+usage: b4 attest [\-h] [\-f SENDER] [\-n] [\-o OUTPUT] patchfile [patchfile ...]
.INDENT 0.0
.TP
-.B usage:
-b4 attest [\-h] [\-f SENDER] [\-n] [\-o OUTPUT] patchfile [patchfile ...]
-.TP
.B positional arguments:
patchfile Patches to attest
.TP
@@ -191,17 +190,17 @@ patchfile Patches to attest
show this help message and exit
.TP
.BI \-f \ SENDER\fP,\fB \ \-\-from \ SENDER
-Use a custom From field
+OBSOLETE: this option does nothing and will be removed
.TP
.B \-n\fP,\fB \-\-no\-submit
-Do not submit attestation, just save the message ready to send
+OBSOLETE: this option does nothing and will be removed
.TP
.BI \-o \ OUTPUT\fP,\fB \ \-\-output \ OUTPUT
-Save attestation message in this file if not submitting it
+OBSOLETE: this option does nothing and will be removed
.UNINDENT
.UNINDENT
.sp
-\fIExample\fP: b4 attest \-n \-o output/xxxx\-attestation.patch output/*.patch
+\fIExample\fP: b4 attest output/*.patch
.SS b4 pr
.INDENT 0.0
.TP
@@ -358,6 +357,10 @@ Default configuration, with explanations:
# hardfail: exit with an error when no attestation found
attestation\-policy = check
#
+ # Fall back to checking DKIM header if we don\(aqt find any other
+ # attestations present?
+ attestation\-check\-dkim = yes
+ #
# "gpg" (whatever gpg is configured to do) or "tofu" to force TOFU mode
# If you don\(aqt already have a carefully maintained web of trust setup, it is
# strongly recommended to set this to "tofu"
diff --git a/man/b4.5.rst b/man/b4.5.rst
index 2e1f5b0..b8f8f8b 100644
--- a/man/b4.5.rst
+++ b/man/b4.5.rst
@@ -5,10 +5,10 @@ Work with code submissions in a public-inbox archive
----------------------------------------------------
:Author: mricon@kernel.org
-:Date: 2020-05-25
+:Date: 2020-11-20
:Copyright: The Linux Foundation and contributors
:License: GPLv2+
-:Version: 0.5.0
+:Version: 0.6.0
:Manual section: 5
SYNOPSIS
@@ -29,10 +29,10 @@ SUBCOMMANDS
-----------
* *b4 mbox*: Download a thread as an mbox file
* *b4 am*: Create an mbox file that is ready to git-am
-* *b4 attest*: (EXPERIMENTAL) Submit cryptographic attestation for patches
-* *b4 pr*: (EXPERIMENTAL) Work with pull requests
+* *b4 pr*: Work with pull requests
+* *b4 diff*: Show range-diff style diffs between patch versions
* *b4 ty*: (EXPERIMENTAL) Create templated replies for processed patches and pull requests
-* *b4 diff*: (EXPERIMENTAL) Show range-diff style diffs between patch versions
+* *b4 attest*: (EXPERIMENTAL) Add cryptographic attestation to patches
OPTIONS
-------
@@ -112,8 +112,7 @@ optional arguments:
b4 attest
~~~~~~~~~
-usage:
- b4 attest [-h] [-f SENDER] [-n] [-o OUTPUT] patchfile [patchfile ...]
+usage: b4 attest [-h] [-f SENDER] [-n] [-o OUTPUT] patchfile [patchfile ...]
positional arguments:
patchfile Patches to attest
@@ -121,13 +120,12 @@ positional arguments:
optional arguments:
-h, --help show this help message and exit
-f SENDER, --from SENDER
- Use a custom From field
- -n, --no-submit
- Do not submit attestation, just save the message ready to send
+ OBSOLETE: this option does nothing and will be removed
+ -n, --no-submit OBSOLETE: this option does nothing and will be removed
-o OUTPUT, --output OUTPUT
- Save attestation message in this file if not submitting it
-
-*Example*: b4 attest -n -o output/xxxx-attestation.patch output/\*.patch
+ OBSOLETE: this option does nothing and will be removed
+*Example*: b4 attest output/\*.patch
b4 pr
~~~~~
@@ -233,6 +231,10 @@ Default configuration, with explanations::
# hardfail: exit with an error when no attestation found
attestation-policy = check
#
+ # Fall back to checking DKIM header if we don't find any other
+ # attestations present?
+ attestation-check-dkim = yes
+ #
# "gpg" (whatever gpg is configured to do) or "tofu" to force TOFU mode
# If you don't already have a carefully maintained web of trust setup, it is
# strongly recommended to set this to "tofu"