One-time migration of sources' public keys and fingerprints from gpg to database-backed storage #6800
Assignees
Milestone
Comments
14 tasks
legoktm
added a commit
that referenced
this issue
Sep 21, 2023
Add an alembic migration that iterates over the GPG keyring, identifies
source keys, exports them from GPG and saves them into the database.
TODO:
* needs more hardening, if it fails then the DB seems screwed ("sources"
will be missing, it gets renamed to "sources_tmp")
** would be nice if we could avoid alembic even doing the rename?
* tests
* after this point should EncryptionManager throw if the public key is
missing? I think so
Fixes #6800.
legoktm
added a commit
that referenced
this issue
Sep 21, 2023
Add an alembic migration that iterates over the GPG keyring, identifies
source keys, exports them from GPG and saves them into the database.
TODO:
* needs more hardening, if it fails then the DB seems screwed ("sources"
will be missing, it gets renamed to "sources_tmp")
** would be nice if we could avoid alembic even doing the rename?
* tests
* after this point should EncryptionManager throw if the public key is
missing? I think so
Fixes #6800.
9 tasks
legoktm
added a commit
that referenced
this issue
Sep 21, 2023
Add an alembic migration that iterates over the GPG keyring, identifies
source keys, exports them from GPG and saves them into the database.
TODO:
* needs more hardening, if it fails then the DB seems screwed ("sources"
will be missing, it gets renamed to "sources_tmp")
** would be nice if we could avoid alembic even doing the rename?
* tests
* after this point should EncryptionManager throw if the public key is
missing? I think so
Fixes #6800.
legoktm
added a commit
that referenced
this issue
Sep 21, 2023
Add an alembic migration that iterates over the GPG keyring, identifies
source keys, exports them from GPG and saves them into the database.
TODO:
* needs more hardening, if it fails then the DB seems screwed ("sources"
will be missing, it gets renamed to "sources_tmp")
** would be nice if we could avoid alembic even doing the rename?
* after this point should EncryptionManager throw if the public key is
missing? I think so
Fixes #6800.
legoktm
added a commit
that referenced
this issue
Sep 28, 2023
Add an alembic migration that iterates over the GPG keyring, identifies source keys, exports them from GPG and saves them into the database. The main failure risks are the interactions with GPG. We already run `gpg.list_keys()` on startup, so it's unlikely that's broken (and if it is, we have bigger problems). So the main concern is exporting the key might fail. The export operation is wrapped in a try/except and we validate the exported key we get from GPG. Fixes #6800.
legoktm
added a commit
that referenced
this issue
Sep 28, 2023
Add an alembic migration that iterates over the GPG keyring, identifies source keys, exports them from GPG and saves them into the database. The main failure risks are the interactions with GPG. We already run `gpg.list_keys()` on startup, so it's unlikely that's broken (and if it is, we have bigger problems). So the main concern is exporting the key might fail. The export operation is wrapped in a try/except and we validate the exported key we get from GPG. In theory we could remove the GPG fallbacks from `Source.fingerprint` and `Source.public_key` but since that will require reworking a number of tests it would be better to do it after the secret key migration is in place too. Fixes #6800.
legoktm
added a commit
that referenced
this issue
Oct 3, 2023
Add an alembic migration that iterates over the GPG keyring, identifies source keys, exports them from GPG and saves them into the database. The main failure risks are the interactions with GPG. We already run `gpg.list_keys()` on startup, so it's unlikely that's broken (and if it is, we have bigger problems). So the main concern is exporting the key might fail. The export operation is wrapped in a try/except and we validate the exported key we get from GPG. In theory we could remove the GPG fallbacks from `Source.fingerprint` and `Source.public_key` but since that will require reworking a number of tests it would be better to do it after the secret key migration is in place too. Fixes #6800.
legoktm
added a commit
that referenced
this issue
Oct 3, 2023
Add an alembic migration that iterates over the GPG keyring, identifies source keys, exports them from GPG and saves them into the database. The main failure risks are the interactions with GPG. We already run `gpg.list_keys()` on startup, so it's unlikely that's broken (and if it is, we have bigger problems). So the main concern is exporting the key might fail. The export operation is wrapped in a try/except and we validate the exported key we get from GPG. In theory we could remove the GPG fallbacks from `Source.fingerprint` and `Source.public_key` but since that will require reworking a number of tests it would be better to do it after the secret key migration is in place too. Fixes #6800.
legoktm
added a commit
that referenced
this issue
Oct 4, 2023
Add an alembic migration that iterates over the GPG keyring, identifies source keys, exports them from GPG and saves them into the database. The main failure risks are the interactions with GPG. We already run `gpg.list_keys()` on startup, so it's unlikely that's broken (and if it is, we have bigger problems). So the main concern is exporting the key might fail. The export operation is wrapped in a try/except and we validate the exported key we get from GPG. Notably, this does not increase our footprint of pretty_bad_protcol usage as the two functions being used are already in use elsewhere in SecureDrop. Some higher-level design information is at <#6946 (comment)>. Fixes #6800.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As part of our work to migrate to Sequoia, we will perform a one-time, alembic migration of sources' public keys and fingerprints from the gpg keyring and into the new database backed storage (added in #6799).
This will iterate over each source, fetch the armored public key out of the gpg keyring, get the fingerprint, and store both in the database.
The text was updated successfully, but these errors were encountered: