mirror of
https://github.com/aptly-dev/aptly.git
synced 2026-06-08 05:50:47 +00:00
Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 André Roth
|
594883f1e5 | ||
|
André Roth
|
55a4872891 |
@@ -0,0 +1,21 @@
|
||||
name: test aptly upload-lint
|
||||
on:
|
||||
push:
|
||||
pull_request:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
aptly-upload:
|
||||
name: upload
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Publish to aptly server
|
||||
uses: neolynx/aptly-github-action/publish@v0.0.15
|
||||
with:
|
||||
directory: buildout
|
||||
aptly_server: https://aptly.info
|
||||
aptly_user: ${{ secrets.APTLY_USER }}
|
||||
aptly_password: ${{ secrets.APTLY_PASSWORD }}
|
||||
|
||||
@@ -68,4 +68,3 @@ List of contributors, in chronological order:
|
||||
* Blake Kostner (https://github.com/btkostner)
|
||||
* Leigh London (https://github.com/leighlondon)
|
||||
* Gordian Schoenherr (https://github.com/schoenherrg)
|
||||
* Charles Duffy (https://github.com/charles-dyfis-net)
|
||||
|
||||
+1
-1
@@ -1622,7 +1622,7 @@ GPG passphrase\-file for the key (warning: could be insecure)
|
||||
.
|
||||
.TP
|
||||
\-\fBsecret\-keyring\fR=
|
||||
GPG secret keyring to use (instead of default); may be of the form \fBtpm://HANDLE?dev=DEVICE\fR to use a TPM-backed key if the selected \fBgpgProvider\fR is \fBinternal\fR, where \fBHANDLE\fR is of the form \fB0x81000003\fR, and \fBdev\fR is a (URL-escaped) value similar to \fB/dev/tpmrm0\fR (which happens to be the default if not given).
|
||||
GPG secret keyring to use (instead of default)
|
||||
.
|
||||
.TP
|
||||
\-\fBskip\-bz2\fR
|
||||
|
||||
+28
-91
@@ -4,22 +4,17 @@ import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/url"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/folbricht/tpmk"
|
||||
"github.com/google/go-tpm/tpmutil"
|
||||
"github.com/pkg/errors"
|
||||
|
||||
"github.com/ProtonMail/go-crypto/openpgp"
|
||||
"github.com/ProtonMail/go-crypto/openpgp/clearsign"
|
||||
"github.com/ProtonMail/go-crypto/openpgp/armor"
|
||||
openpgp_errors "github.com/ProtonMail/go-crypto/openpgp/errors"
|
||||
"github.com/ProtonMail/go-crypto/openpgp/packet"
|
||||
"golang.org/x/term"
|
||||
@@ -43,33 +38,12 @@ type GoSigner struct {
|
||||
passphrase, passphraseFile string
|
||||
batch bool
|
||||
|
||||
tpmPrivateKey *tpmk.RSAPrivateKey
|
||||
publicKeyring openpgp.EntityList
|
||||
secretKeyring openpgp.EntityList
|
||||
signer *openpgp.Entity
|
||||
signerConfig *packet.Config
|
||||
}
|
||||
|
||||
func findKey(keyRef string, keyring openpgp.EntityList) *openpgp.Entity {
|
||||
for _, signer := range keyring {
|
||||
key := KeyFromUint64(signer.PrimaryKey.KeyId)
|
||||
if key.Matches(Key(keyRef)) {
|
||||
return signer
|
||||
}
|
||||
|
||||
if !validEntity(signer) {
|
||||
continue
|
||||
}
|
||||
|
||||
for name := range signer.Identities {
|
||||
if strings.Contains(name, keyRef) {
|
||||
return signer
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// SetBatch controls whether we allowed to interact with user, for example
|
||||
// for getting the passphrase from stdin.
|
||||
func (g *GoSigner) SetBatch(batch bool) {
|
||||
@@ -130,56 +104,12 @@ func (g *GoSigner) Init() error {
|
||||
return errors.Wrap(err, "error loading public keyring")
|
||||
}
|
||||
|
||||
if strings.HasPrefix(g.secretKeyringFile, "tpm://") {
|
||||
// Expected form of tpm://0x81000002 -- optionally with query parameters holding extra values
|
||||
// f/e, ?dev=%2Fdev%2Ftpmrm1 to specify the device as /dev/tpmrm1; or ?dev=sim for simulator
|
||||
tpmSecretURL, err := url.Parse(g.secretKeyringFile)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "parsing TPM URI")
|
||||
}
|
||||
tpmQueryArgs := tpmSecretURL.Query()
|
||||
devStrings, hasDev := tpmQueryArgs["dev"]
|
||||
tpmDevFilename := "/dev/tpmrm0"
|
||||
if hasDev && len(devStrings) != 0 {
|
||||
if len(devStrings) > 1 {
|
||||
return errors.Errorf("Parsing TPM address, more than one device name found")
|
||||
}
|
||||
tpmDevFilename = devStrings[0]
|
||||
}
|
||||
tpmDev, err := tpmk.OpenDevice(tpmDevFilename)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "opening TPM device")
|
||||
}
|
||||
tpmHandleInt, err := strconv.ParseUint(tpmSecretURL.Host, 0, 32)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "parsing TPM URI host as integer handle")
|
||||
}
|
||||
tpmHandle := tpmutil.Handle(tpmHandleInt)
|
||||
privKey, err := tpmk.NewRSAPrivateKey(tpmDev, tpmHandle, g.passphrase)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "opening TPM key handle")
|
||||
}
|
||||
g.tpmPrivateKey = &privKey
|
||||
} else {
|
||||
g.secretKeyring, err = loadKeyRing(g.secretKeyringFile, false)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error load secret keyring")
|
||||
}
|
||||
g.secretKeyring, err = loadKeyRing(g.secretKeyringFile, false)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error load secret keyring")
|
||||
}
|
||||
|
||||
if g.secretKeyring == nil {
|
||||
// Happens if our private key is TPM-backed; means we only have a public key
|
||||
if g.keyRef == "" && len(g.publicKeyring) == 1 {
|
||||
g.signer = g.publicKeyring[0]
|
||||
} else if g.keyRef != "" {
|
||||
g.signer = findKey(g.keyRef, g.publicKeyring)
|
||||
if g.signer == nil {
|
||||
return errors.Errorf("couldn't find key for key reference %+v in public keyring", g.keyRef)
|
||||
}
|
||||
} else {
|
||||
return errors.Errorf("must either only have our signing key in the public keyring, or provide the identity of the signing key when in tpm mode")
|
||||
}
|
||||
} else if g.keyRef == "" {
|
||||
if g.keyRef == "" {
|
||||
// no key reference, pick the first key
|
||||
for _, signer := range g.secretKeyring {
|
||||
if !validEntity(signer) {
|
||||
@@ -194,9 +124,28 @@ func (g *GoSigner) Init() error {
|
||||
return fmt.Errorf("looks like there are no keys in gpg, please create one (official manual: http://www.gnupg.org/gph/en/manual.html)")
|
||||
}
|
||||
} else {
|
||||
g.signer = findKey(g.keyRef, g.secretKeyring)
|
||||
pickKeyLoop:
|
||||
for _, signer := range g.secretKeyring {
|
||||
key := KeyFromUint64(signer.PrimaryKey.KeyId)
|
||||
if key.Matches(Key(g.keyRef)) {
|
||||
g.signer = signer
|
||||
break
|
||||
}
|
||||
|
||||
if !validEntity(signer) {
|
||||
continue
|
||||
}
|
||||
|
||||
for name := range signer.Identities {
|
||||
if strings.Contains(name, g.keyRef) {
|
||||
g.signer = signer
|
||||
break pickKeyLoop
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if g.signer == nil {
|
||||
return errors.Errorf("couldn't find key for key reference %v in private keyring", g.keyRef)
|
||||
return errors.Errorf("couldn't find key for key reference %v", g.keyRef)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -283,21 +232,9 @@ func (g *GoSigner) DetachedSign(source string, destination string) error {
|
||||
}
|
||||
defer signature.Close()
|
||||
|
||||
if g.tpmPrivateKey != nil {
|
||||
encoder, err := armor.Encode(signature, openpgp.SignatureType, nil)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error creating armoring encoder")
|
||||
}
|
||||
defer encoder.Close()
|
||||
err = tpmk.OpenPGPDetachSign(encoder, g.signer, message, nil, g.tpmPrivateKey)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error creating detached signature with TPM-backed key")
|
||||
}
|
||||
} else {
|
||||
err = openpgp.ArmoredDetachSign(signature, g.signer, message, g.signerConfig)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error creating detached signature")
|
||||
}
|
||||
err = openpgp.ArmoredDetachSign(signature, g.signer, message, g.signerConfig)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error creating detached signature")
|
||||
}
|
||||
|
||||
return nil
|
||||
|
||||
Reference in New Issue
Block a user