-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rework of signature verification #1
base: main
Are you sure you want to change the base?
Conversation
@@ -664,12 +664,10 @@ def _print_warning(timeout): | |||
|
|||
def read(self, size=-1): | |||
""" | |||
Read the data from the file or URL and and uncompress it on-the-fly if | |||
Read the data from the file or URL and uncompress it on-the-fly if |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, thanks for working on this.
Could you please split this typo fix into its own commit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, should it go in its own PR, or can I add the commit here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whichever is easier for you. Thanks!
Sorry, I wrote something here, but I was confused that this is still the old github URL, apologies, ignore my message (I also deleted it). |
Also, please add SoB lines to your commits, thanks! |
bmaptool doesn't have a lot of tests, but what little tests it does have does seem to test the signing feature. These signing tests seem to succeed both with and without this patch. Could you provide me with a clearer example of what is not working; or, better yet, provide a test that demonstrates the problem before your patch, and how your patch fixes it? i.e. see tests/test_CLI.py |
Isn't the test test_clearsign required to fail? The return code should be
Here is what I tried:
The first problem is the comparison of string |
Please also see intel#116 for a case where signature checking tests currently fail. |
Thanks for the pointer @bnavigator |
@jo-so-nx |
It will break after 2024-06-12 with or without the PR. The embedded key expires.
|
Extending the test key is enough for intel#116. It's unrelated to this PR. Sorry for the noise. Althought I would not know where else to discuss. There is no issue tracker in the new repo, yet. # extend signing key expiration for reproducible builds
export GNUPGHOME=$PWD/tests/test-data/gnupg
echo 'expire
50y
key 1
expire
50y
save' | gpg --command-fd=0 --batch --edit-key 927FF9746434704C5774BE648D49DFB1163BDFB4 |
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Passing 0xFFFFFFFFFFFFFFFF to read causes python to complain about: OverflowError: cannot fit 'int' into an index-sized integer Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
The current tests do not take into account whether the `gpg` package has been installed or not. If it is missing, the tests should be skipped. Furthermore, the output of the tests must be checked in order to decide whether tests fail due to an exception or whether the desired error message is displayed. Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
The verification of PGP signatures had some flaws and didn't work, because the Python API and the GPG interface have changed. Inline signatures were not detected, because of a comparison of string and byte array. And even after this the code failed, because `sig.status` is no longer available. Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
The gpg expires on 2024-06-12 (see [1]) which makes all tests fail using the key. Therefore extend the expiration to 50 year as suggested in [2]. [1]: intel#116 [2]: yoctoproject#1 (comment) Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
@twoerner another question is if this should be added: diff --git i/.github/workflows/ci.yml w/.github/workflows/ci.yml
index 7b61782..d2c3a20 100644
--- i/.github/workflows/ci.yml
+++ w/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ jobs:
strategy:
fail-fast: false
matrix:
- python-version: ["3.8", "3.9", "3.10"]
+ python-version: ["3.8", "3.9", "3.10", "3.11"]
steps:
- uses: actions/checkout@v3 And is the description in README.md about tests (bmaptool/README.md) still valid? I get the error |
Hint: There's also python3.12 |
Patches and pull requests are welcome. |
@bnavigator I fixed that unrelated thing in #31 by always re-creating $GNUPGHOME. This also allows this git repo to have fewer binary blobs stored in it. |
Currently, the signature verification doesn't work, esp. the detection of inline signatures what causes the whole file can't be processed, because it's invalid. This rework joins both cases of inline and detached signatures, because the GPG API allows the passing and receive of buffers.