author | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-05-11 14:56:05 -0400 |
---|---|---|
committer | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-05-11 14:56:05 -0400 |
commit | f1a2700e70018349d5c63f2053ba4b0e7ebe351a (patch) | |
tree | d3bea7c91ff7d679cbe9d4614b02f40e09cac94c /b4/pr.py | |
parent | 31348a14afdb1d39e7faf9576eaddea1ced76e19 (diff) | |
Reimplement attestation code one more time
Move end-to-end attestation code into its own library: patatt. See
https://git.kernel.org/pub/scm/utils/patatt/patatt.git/about/
It is included in b4 as a submodule, but you will need to initialize it
first:
git submodule update --init
This change significantly simplifies our attestation code, dropping
thousands of lines of rather hairy code. Notably, patatt-style
attestation is incompatible with previous attestation implementations
done directly in b4, but that's just as well -- we've always marked it
as "experimental" and the lack of adoption was proving that we weren't
on the right path.
Next to come is keyring management and documentation.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Diffstat (limited to 'b4/pr.py')
-rw-r--r-- | b4/pr.py | 29 |
1 files changed, 21 insertions, 8 deletions
@@ -122,11 +122,11 @@ def attest_fetch_head(gitdir, lmsg): config = b4.get_main_config() attpolicy = config['attestation-policy'] if config['attestation-checkmarks'] == 'fancy': - attpass = b4.PASS_FANCY - attfail = b4.FAIL_FANCY + attpass = b4.ATT_PASS_FANCY + attfail = b4.ATT_FAIL_FANCY else: - attpass = b4.PASS_SIMPLE - attfail = b4.FAIL_SIMPLE + attpass = b4.ATT_PASS_SIMPLE + attfail = b4.ATT_FAIL_SIMPLE # Is FETCH_HEAD a tag or a commit? htype = b4.git_get_command_lines(gitdir, ['cat-file', '-t', 'FETCH_HEAD']) passing = False @@ -139,17 +139,30 @@ def attest_fetch_head(gitdir, lmsg): elif otype == 'commit': ecode, out = b4.git_run_command(gitdir, ['verify-commit', '--raw', 'FETCH_HEAD'], logstderr=True) - good, valid, trusted, attestor, sigdate, errors = b4.validate_gpg_signature(out, 'pgp') - - if good and valid and trusted: + good, valid, trusted, keyid, sigtime = b4.check_gpg_status(out) + try: + uids = b4.get_gpg_uids(keyid) + signer = None + for uid in uids: + if uid.find(f'<{lmsg.fromemail}') >= 0: + signer = uid + break + if not signer: + signer = uids[0] + + except KeyError: + signer = f'{lmsg.fromname} <{lmsg.fromemail}' + + if good and valid: passing = True out = out.strip() + errors = set() if not len(out) and attpolicy != 'check': errors.add('Remote %s is not signed!' % otype) if passing: - trailer = attestor.get_trailer(lmsg.fromemail) + trailer = 'Signed: %s' % signer logger.info(' ---') logger.info(' %s %s', attpass, trailer) return |
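Review bot: The new condition `if good and valid:` in the `elif otype == 'commit'` branch drops the `trusted` check that the removed line `if good and valid and trusted:` carried, so a commit signed by a key the local keyring holds but does not trust now sets `passing` and prints the pass checkmark with a `Signed:` trailer; `trusted` is still unpacked from `b4.check_gpg_status(out)` but never read, so unless trust is already folded into `valid` (not visible here) the line should stay `if good and valid and trusted:`, or an untrusted signature should at least add an entry to `errors`. The uid lookup `uid.find(f'<{lmsg.fromemail}')` lacks the closing `>`, making it a prefix match, and the `except KeyError` fallback `f'{lmsg.fromname} <{lmsg.fromemail}'` emits a trailer with an unbalanced bracket; these should read `f'<{lmsg.fromemail}>'` and `f'{lmsg.fromname} <{lmsg.fromemail}>'`. When no uid matches the From address the code silently falls back to `uids[0]`, so the trailer names an identity that does not match the sender with no warning; adding to `errors` in that case would be safer than choosing a uid quietly. attest_fetch_head starts before this hunk.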