Re: [gentoo-dev] [PATCH v2 1/2] sec-keys.eclass: new eclass

[Florian Schmaus <flow@gentoo.org>]

[-- Attachment #1.1.1: Type: text/plain, Size: 8906 bytes --]

On 28/11/2024 05.32, Eli Schwartz wrote:
> The current state of verify-sig support is a bit awkward. We rely on
> validating distfiles against a known trusted keyring, but creating the
> known trusted keyring is basically all manual verification. We somehow
> decide an ascii armored key is good enough without any portage
> assistance, then arrange to download it and trust it by Manifest hash.
> How do we know when updating a key is actually safe?
> 
> This eclass handles the problem in a manner inspired in part by pacman.
> We require an eclass variable that lists all permitted PGP fingerprints,
> and the eclass is responsible checking that list against the keys we
> will install. It comes with a mechanism for computing SRC_URI for a
> couple of well known locations, or you can append your own in the
> ebuild.
> 
> Key rotations, both expected and malicious, are easily detected by
> checking the git log for changes to declared fingerprints in a bump. The
> former can be rationalized in the commit message. So can the latter, but
> in most cases those will be rejected during peer review.
> 
> Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>
> ---
>   eclass/sec-keys.eclass | 197 +++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 197 insertions(+)
>   create mode 100644 eclass/sec-keys.eclass
> 
> diff --git a/eclass/sec-keys.eclass b/eclass/sec-keys.eclass
> new file mode 100644
> index 000000000000..7ea4d34a8c1c
> --- /dev/null
> +++ b/eclass/sec-keys.eclass
> @@ -0,0 +1,197 @@
> +# Copyright 2024 Gentoo Authors
> +# Distributed under the terms of the GNU General Public License v2
> +
> +# @ECLASS: sec-keys.eclass
> +# @MAINTAINER:
> +# Eli Schwartz <eschwartz@gentoo.org>
> +# @AUTHOR:
> +# Eli Schwartz <eschwartz@gentoo.org>
> +# @SUPPORTED_EAPIS: 8
> +# @BLURB: Provides a uniform way of handling ebuilds which package PGP key material
> +# @DESCRIPTION:
> +# This eclass provides a streamlined approach to finding suitable source material
> +# for OpenPGP keys used by the verify-sig eclass. Its primary purpose is to permit
> +# developers to easily and securely package new sec-keys/* packages. The eclass
> +# removes the risk of developers accidentally packaging malformed key material, or
> +# neglecting to notice when PGP identities have changed.
> +#
> +# To use the eclass, define SEC_KEYS_VALIDPGPKEYS to contain the fingerprint of
> +# the key and the short name of the key's owner.
> +#
> +# @EXAMPLE:
> +# Example use:
> +#
> +# @CODE
> +# SEC_KEYS_VALIDPGPKEYS=(
> +#	# implicit Ubuntu
> +#	'3DB7F3CA6C1D90B99FE25B38D4B476A4D175C54F:bjones:'
> +#	'4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github,openpgp'
> +#	# key only available on personal website, use manual SRC_URI
> +#	'5FD9B5EC8E3F12D11BA47D50F6D698C6F397D76B:awhite:none'
> +# )
> +#
> +# inherit sec-keys
> +#
> +# SRC_URI+="https://awhite.com/awhite.gpg -> awhite-${PV}.gpg"
> +# @CODE
> +
> +case ${EAPI} in
> +	8) ;;
> +	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
> +esac
> +
> +if [[ ! ${_SEC_KEYS_ECLASS} ]]; then
> +_SEC_KEYS_ECLASS=1
> +
> +inherit edo
> +
> +# @ECLASS_VARIABLE: SEC_KEYS_VALIDPGPKEYS
> +# @PRE_INHERIT
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# Mapping of fingerprints, name, and optional location of PGP keys to include,
> +# separated by colons. The allowed values for a location are:
> +#
> +#  - gentoo -- fetch key by fingerprint from https://keys.gentoo.org
> +#
> +#  - github -- fetch key from github.com/${name}.pgp
> +#
> +#  - openpgp -- fetch key by fingerprint from https://keys.openpgp.org
> +#
> +#  - ubuntu -- fetch key by fingerprint from http://keyserver.ubuntu.com (the default)
> +#
> +#  - none -- do not add to SRC_URI, the ebuild will provide a custom download location
> +_sec_keys_set_globals() {
> +	if [[ ${SEC_KEYS_VALIDPGPKEYS[*]} ]]; then

The function's body is already pretty wide, therefore maybe consider 
using an early return here.


> +		local key fingerprint name loc locations=() remote
> +		for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
> +			fingerprint=${key%%:*}
> +			name=${key#${fingerprint}:}; name=${name%%:*}
> +			IFS=, read -r -a locations <<<"${key##*:}"
> +			[[ ${locations[@]} ]] || locations=(ubuntu)
> +			for loc in "${locations[@]}"; do
> +				case ${loc} in
> +					gentoo) remote="https://keys.gentoo.org/pks/lookup?op=get&search=0x${fingerprint}";;
> +					github) remote="https://github.com/${name}.gpg";;
> +					openpgp) remote="https://keys.openpgp.org/vks/v1/by-fingerprint/${fingerprint}";;
> +					ubuntu) remote="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${fingerprint}";;
> +					# provided via manual SRC_URI
> +					none) continue;;
> +					*) die "${ECLASS}: unknown PGP key remote: ${loc}";;
> +
> +				esac
> +				SRC_URI+="
> +					${remote} -> openpgp-keys-${name}-${loc}-${PV}.asc
> +				"
> +			done
> +		done
> +	fi
> +}
> +_sec_keys_set_globals
> +unset -f _sec_keys_set_globals
> +
> +IUSE="test"
> +PROPERTIES="test_network"
> +RESTRICT="test"
> +
> +BDEPEND="
> +	app-crypt/gnupg
> +	test? ( app-crypt/pgpdump )
> +"
> +S=${WORKDIR}
> +
> +LICENSE="public-domain"
> +SLOT="0"
> +
> +
> +# @FUNCTION: sec-keys_src_compile
> +# @DESCRIPTION:
> +# Default src_compile override that imports all public keys into a keyring,
> +# and validates that they are listed in SEC_KEYS_VALIDPGPKEYS.
> +sec-keys_src_compile() {
> +	local -x GNUPGHOME=${WORKDIR}/gnupg
> +	mkdir -m700 -p "${GNUPGHOME}" || die
> +
> +	pushd "${DISTDIR}" >/dev/null || die
> +	gpg --import ${A} || die
> +	popd >/dev/null || die
> +
> +	local line imported_keys=() found=0
> +	while IFS=: read -r -a line; do
> +		if [[ ${line[0]} = pub ]]; then
> +			# new key
> +			found=0
> +		elif [[ ${found} = 0 && ${line[0]} = fpr ]]; then
> +			# primary fingerprint
> +			imported_keys+=("${line[9]}")
> +			found=1
> +		fi
> +	done < <(gpg --batch --list-keys --keyid-format=long --with-colons || die)
> +
> +	printf '%s\n' "${imported_keys[@]}" | sort > imported_keys.list || die
> +	printf '%s\n' "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}" | sort > allowed_keys.list || die
> +
> +	local extra_keys=($(comm -23 imported_keys.list allowed_keys.list || die))
> +	local missing_keys=($(comm -13 imported_keys.list allowed_keys.list || die))
> +
> +	if [[ ${#extra_keys[@]} != 0 ]]; then
> +		die "too many keys found. Suspicious keys: ${extra_keys[@]}"
> +	fi
> +	if [[ ${#missing_keys[@]} != 0 ]]; then
> +		die "too few keys found. Unavailable keys: ${missing_keys[@]}"
> +	fi
> +}
> +
> +
> +sec-keys_src_test() {
> +	local -x GNUPGHOME=${WORKDIR}/gnupg
> +	local key fingerprint name server
> +	local gpg_command=(gpg --export-options export-minimal)
> +
> +	for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
> +		"${gpg_command[@]}" --export "${fingerprint}" | pgpdump > "${fingerprint}.pgpdump" || die
> +	done
> +
> +	# Best-effort attempt to check for updates. keyservers can and usually do
> +	# fail for weird reasons, (such as being unable to import a key without a
> +	# uid) as well as normal reasons, like the key being exclusive to a
> +	# different keyserver. this isn't a reason to fail src_test.
> +	for server in keys.gentoo.org keys.openpgp.org keyserver.ubuntu.com; do
> +		gpg --refresh-keys --keyserver "hkps://${server}"
> +	done
> +	for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
> +		if [[ ${key##*:} = *github* ]]; then
> +			name=${key#*:}; name=${name%%:*}
> +			wget -qO- https://github.com/${name}.gpg | gpg --import || die
> +		fi
> +	done
> +
> +	for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
> +		"${gpg_command[@]}" --export "${fingerprint}" | pgpdump > "${fingerprint}.pgpdump.new" || die
> +		diff -u "${fingerprint}.pgpdump" "${fingerprint}.pgpdump.new" || die "updates available for PGP key: ${fingerprint}"
> +	done
> +
> +}
> +
> +# @FUNCTION: sec-keys_src_install
> +# @DESCRIPTION:
> +# Default src_install override that minifies and exports all PGP public keys
> +# into an ascii-armored keyfile installed to the standard /usr/share/openpgp-keys.
> +sec-keys_src_install() {
> +	local -x GNUPGHOME=${WORKDIR}/gnupg
> +	local fingerprint
> +	local gpg_command=(gpg --no-permission-warning --export-options export-minimal)
> +
> +	for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
> +		local uids=()
> +		mapfile -t uids < <("${gpg_command[@]}" --list-key --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
> +		edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc
> +	done
> +
> +	insinto /usr/share/openpgp-keys
> +	doins ${PN#openpgp-keys-}.asc
> +}
> +
> +fi
> +
> +EXPORT_FUNCTIONS src_compile src_test src_install


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 21567 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 618 bytes --]