-
Notifications
You must be signed in to change notification settings - Fork 512
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support passing in root keys on repo initialization #801
Conversation
Can one of the admins verify this patch? |
540cdd4
to
cea9e8d
Compare
jenkins, test this please |
thank you @ecordell for this awesome work! I had some design concerns about how this might work with a Maybe we could only allow for up to 1 key on init: And if we wanted to add more keys: What do you think? |
cea9e8d
to
d2e7af3
Compare
Thanks for taking a look @riyazdf ! To limit the scope, I've simply rebased on master and changed Looks like circle is failing because of temporary connection issue; I don't have the ability to restart it afaict. |
jenkins, test this please |
I'll review this fully next week but in the meantime, thank you! This is a feature we've had quite a few people asking for. I largely agree with @riyazdf's suggestions, though it might be nice to find a way to cleanly combine the key and cert so that if we do decide to allow multiple keys/certs to be added on init in the future there's a nice way to do it. Also worth noting there might be a use case to add multiple certs but fewer keys (i.e. you want other keys to be able to sign root but you personally only hold one of them. This is a specific use case we discussed with one user at DockerCon). |
@@ -285,7 +320,7 @@ func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error { | |||
cmd.Printf("Root key found, using: %s\n", rootKeyID) | |||
} | |||
|
|||
if err = nRepo.Initialize(rootKeyID); err != nil { | |||
if err = nRepo.Initialize([]string{rootKeyID}); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If other root keys already exist on this host, this rootKeyID
may not necessarily correspond to the --rootkey
we pass in. We should change the conditional logic above such that it prioritizes keys from the --rootkey
flag if we passed any in
Edit: this is resolved now in above logic
18d2ad4
to
8f3dec0
Compare
@riyazdf Fixed the issues you noted and rebased. |
jenkins, test this please |
rootPubKey2, err := repo.CryptoService.Create("root", repo.gun, data.ECDSAKey) | ||
require.NoError(t, err, "error generating second root key: %s", err) | ||
|
||
err = repo.Initialize([]string{rootPubKeyID, rootPubKey2.ID()}, data.CanonicalTimestampRole) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we verify that both keys were included in the root metadata?
Something like:
require.Len(t, repo.tufRepo.Root.Signed.Roles[data.CanonicalRootRole].KeyIDs, 2)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Definitely, will update
thank you @ecordell for working on this! I have a couple of small nits and test case additions, but I really like how this looks, cc @cyli @endophage for additional review. I'll also link #813 for tracking, since it is somewhat coupled with the discussion above Also, if you could update the initial PR description to reflect the updated behavior (just single root key) that would be awesome :) |
@riyazdf @endophage maybe |
@ecordell This is awesome - thanks so much for adding this! Being able to import existing root keys and certs will become really important for our use cases in the future. It looks fantastic aside from the test nitpicks above! |
@cyli: @endophage and I just discussed that it might be useful to allow for multiple The use case would be to add other admins to be root-signers, but without having to share private key material directly. Ex: |
That makes sense - and I guess certs and keys don't really need to be On Thursday, July 7, 2016, Riyaz Faizullabhoy notifications@github.com
|
Thanks @riyazdf and @cyli for taking the time to review! I agree that passing multiple certs and root keys (and not needing to correlate them) makes sense. I'm happy to work on the implementation but I think it makes more sense to do that in a separate PR. Just updated with the last couple of points w.r.t. the tests; just let me know if it's important that cert loading be in this PR as well or if it can wait for a separate one. |
3b1316c
to
62ade6b
Compare
62ade6b
to
a2426a7
Compare
jenkins, test this please |
Hi everyone! Sorry to make things more complicated, but I have created new pull request at #821 based on top of a (probably slightly out-of-date) version of this commit. It adds the --rootcert flag to allow a root cert and root key to be imported together. I'm very willing to work with everyone here to get all the functionality approved asap -- please let me know the best way to co-ordinate things. Cheers. |
err = ioutil.WriteFile(badKeyFilename, nonPEMKey, 0644) | ||
require.NoError(t, err) | ||
|
||
_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2", "--rootKey", badKeyFilename) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the flag for these next few test cases should have --rootkey
as opposed to --rootKey
?
Thanks so much for all your work and your responsiveness on this @ecordell! Aside from one last nitpick about the |
return err | ||
} | ||
|
||
privKey, _, err := trustmanager.GetPasswdDecryptBytes(t.retriever, pemBytes, "", "imported root") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
something I just noticed from #821 - it might make sense to just change the last arg here to data.CanonicalRootRole
, so that NOTARY_ROOT_PASSPHRASE
can be used to automate this
Signed-off-by: Evan Cordell <cordell.evan@gmail.com>
a2426a7
to
96daed2
Compare
Updated and rebased! |
jenkins, test this please |
LGTM after changes, thank you again @ecordell for contributing this! |
if err != nil { | ||
return err | ||
func (r *NotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...string) error { | ||
privKeys := []data.PrivateKey{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In all likelihood privKeys
will have the same length as rootKeyIDs
so we should initialize appropriately: privKeys := make([]data.PrivateKey, 0, len(rootKeyIDs))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not so sure - I think you should be able to initialize with one private key and multiple public keys, so that these two don't match up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's not implemented in this PR though. Although @dnwake's PR for --rootcert
may make my comment moot.
Left some comments on minor stuff but overall good to merge this now. LGTM and thank you! |
This addresses #731 by adding a
--rootkey
flag toinit
.Example:
resulting root.json:
Additionally, the underlying TUF apis are updated to allow multiple root keys and certs, but that is not currently exposed to the CLI.