Support for --passphrase & --passphrase-file arguments on publishing. #94

2026-04-19 19:28:22 +00:00 · 2014-09-01 15:13:07 +04:00
parent f01ac06d97
commit 97158ef37b
11 changed files with 65 additions and 2 deletions
--- a/cmd/publish.go
+++ b/cmd/publish.go
@@ -15,6 +15,7 @@ func getSigner(flags *flag.FlagSet) (utils.Signer, error) {
 	signer := &utils.GpgSigner{}
 	signer.SetKey(flags.Lookup("gpg-key").Value.String())
 	signer.SetKeyRing(flags.Lookup("keyring").Value.String(), flags.Lookup("secret-keyring").Value.String())
+	signer.SetPassphrase(flags.Lookup("passphrase").Value.String(), flags.Lookup("passphrase-file").Value.String())

 	err := signer.Init()
 	if err != nil {
--- a/cmd/publish_repo.go
+++ b/cmd/publish_repo.go
@@ -37,6 +37,8 @@ Example:
 	cmd.Flag.String("gpg-key", "", "GPG key ID to use when signing the release")
 	cmd.Flag.Var(&keyRingsFlag{}, "keyring", "GPG keyring to use (instead of default)")
 	cmd.Flag.String("secret-keyring", "", "GPG secret keyring to use (instead of default)")
+	cmd.Flag.String("passphrase", "", "GPG passhprase for the key (warning: could be insecure)")
+	cmd.Flag.String("passphrase-file", "", "GPG passhprase-file for the key (warning: could be insecure)")
 	cmd.Flag.Bool("skip-signing", false, "don't sign Release files with GPG")
 	cmd.Flag.String("origin", "", "origin name to publish")
 	cmd.Flag.String("label", "", "label to publish")
--- a/cmd/publish_snapshot.go
+++ b/cmd/publish_snapshot.go
@@ -199,6 +199,8 @@ Example:
 	cmd.Flag.String("gpg-key", "", "GPG key ID to use when signing the release")
 	cmd.Flag.Var(&keyRingsFlag{}, "keyring", "GPG keyring to use (instead of default)")
 	cmd.Flag.String("secret-keyring", "", "GPG secret keyring to use (instead of default)")
+	cmd.Flag.String("passphrase", "", "GPG passhprase for the key (warning: could be insecure)")
+	cmd.Flag.String("passphrase-file", "", "GPG passhprase-file for the key (warning: could be insecure)")
 	cmd.Flag.Bool("skip-signing", false, "don't sign Release files with GPG")
 	cmd.Flag.String("origin", "", "origin name to publish")
 	cmd.Flag.String("label", "", "label to publish")
--- a/cmd/publish_switch.go
+++ b/cmd/publish_switch.go
@@ -131,6 +131,8 @@ Example:
 	cmd.Flag.String("gpg-key", "", "GPG key ID to use when signing the release")
 	cmd.Flag.Var(&keyRingsFlag{}, "keyring", "GPG keyring to use (instead of default)")
 	cmd.Flag.String("secret-keyring", "", "GPG secret keyring to use (instead of default)")
+	cmd.Flag.String("passphrase", "", "GPG passhprase for the key (warning: could be insecure)")
+	cmd.Flag.String("passphrase-file", "", "GPG passhprase-file for the key (warning: could be insecure)")
 	cmd.Flag.Bool("skip-signing", false, "don't sign Release files with GPG")
 	cmd.Flag.String("component", "", "component names to update (for multi-component publishing, separate components with commas)")
 	cmd.Flag.Bool("force-overwrite", false, "overwrite files in package pool in case of mismatch")
--- a/cmd/publish_update.go
+++ b/cmd/publish_update.go
@@ -98,6 +98,8 @@ Example:
 	cmd.Flag.String("gpg-key", "", "GPG key ID to use when signing the release")
 	cmd.Flag.Var(&keyRingsFlag{}, "keyring", "GPG keyring to use (instead of default)")
 	cmd.Flag.String("secret-keyring", "", "GPG secret keyring to use (instead of default)")
+	cmd.Flag.String("passphrase", "", "GPG passhprase for the key (warning: could be insecure)")
+	cmd.Flag.String("passphrase-file", "", "GPG passhprase-file for the key (warning: could be insecure)")
 	cmd.Flag.Bool("skip-signing", false, "don't sign Release files with GPG")
 	cmd.Flag.Bool("force-overwrite", false, "overwrite files in package pool in case of mismatch")

--- a/deb/publish_test.go
+++ b/deb/publish_test.go
@@ -39,6 +39,9 @@ func (n *NullSigner) SetKey(keyRef string) {
 func (n *NullSigner) SetKeyRing(keyring, secretKeyring string) {
 }

+func (n *NullSigner) SetPassphrase(passphrase, passphraseFile string) {
+}
+
 func (n *NullSigner) DetachedSign(source string, destination string) error {
 	return ioutil.WriteFile(destination, []byte{}, 0644)
 }
--- a/system/files/aptly_passphrase.pub
+++ b/system/files/aptly_passphrase.pub
--- a/system/files/aptly_passphrase.sec
+++ b/system/files/aptly_passphrase.sec
--- a/system/t06_publish/PublishRepo26Test_gold
+++ b/system/t06_publish/PublishRepo26Test_gold
@@ -0,0 +1,13 @@
+Loading packages...
+Generating metadata files and linking package files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+
+Local repo local-repo has been successfully published.
+Please setup your webserver to serve directory '${HOME}/.aptly/public' with autoindexing.
+Now you can add following line to apt sources:
+  deb http://your-server/ maverick main
+  deb-src http://your-server/ maverick main
+Don't forget to add your GPG key to apt with apt-key.
+
+You can also use `aptly serve` to publish your repositories over HTTP quickly.
--- a/system/t06_publish/repo.py
+++ b/system/t06_publish/repo.py
@@ -584,3 +584,26 @@ class PublishRepo25Test(BaseTest):
        super(PublishRepo25Test, self).check()

        self.check_file_contents("public/pool/main/p/pyspi/pyspi_0.6.1.orig.tar.gz", "file")
+
+
+class PublishRepo26Test(BaseTest):
+    """
+    publish repo: sign with passphrase
+    """
+    fixtureCmds = [
+        "aptly repo create local-repo",
+        "aptly repo add local-repo ${files}",
+    ]
+    runCmd = "aptly publish repo -keyring=${files}/aptly_passphrase.pub -secret-keyring=${files}/aptly_passphrase.sec -passphrase=verysecret -distribution=maverick local-repo"
+    gold_processor = BaseTest.expand_environ
+
+    def check(self):
+        super(PublishRepo26Test, self).check()
+
+        # verify signatures
+        self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+                      "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
+        self.run_cmd(["gpg", "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+                      "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
+                      os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
+
--- a/utils/gpg.go
+++ b/utils/gpg.go
@@ -17,6 +17,7 @@ type Signer interface {
 	Init() error
 	SetKey(keyRef string)
 	SetKeyRing(keyring, secretKeyring string)
+	SetPassphrase(passphrase, passphraseFile string)
 	DetachedSign(source string, destination string) error
 	ClearSign(source string, destination string) error
 }
@@ -38,8 +39,9 @@ var (

 // GpgSigner is implementation of Signer interface using gpg
 type GpgSigner struct {
-	keyRef                 string
-	keyring, secretKeyring string
+	keyRef                     string
+	keyring, secretKeyring     string
+	passphrase, passphraseFile string
 }

 // SetKey sets key ID to use when signing files
@@ -52,6 +54,11 @@ func (g *GpgSigner) SetKeyRing(keyring, secretKeyring string) {
 	g.keyring, g.secretKeyring = keyring, secretKeyring
 }

+// SetPassphrase sets passhprase params
+func (g *GpgSigner) SetPassphrase(passphrase, passphraseFile string) {
+	g.passphrase, g.passphraseFile = passphrase, passphraseFile
+}
+
 func (g *GpgSigner) gpgArgs() []string {
 	args := []string{}
 	if g.keyring != "" {
@@ -65,6 +72,14 @@ func (g *GpgSigner) gpgArgs() []string {
 		args = append(args, "-u", g.keyRef)
 	}

+	if g.passphrase != "" {
+		args = append(args, "--passphrase", g.passphrase)
+	}
+
+	if g.passphraseFile != "" {
+		args = append(args, "--passphrase-file", g.passphraseFile)
+	}
+
 	return args
 }