From b8edb19b23d019881219e8f951b5b57e61068138 Mon Sep 17 00:00:00 2001 From: Debian Go Packaging Team Date: Sun, 20 Aug 2023 19:54:04 -0400 Subject: avoid-boulder commit 548f37171bb96d28553f37dc2e03c4975db697f3 (HEAD -> release-1.6) Author: Reinhard Tartler Date: Thu Apr 6 20:24:46 2023 -0400 Drop dependency on boulder, disable RSA checks Gbp-Pq: Name avoid-boulder.patch --- pkg/cryptoutils/publickey.go | 19 ++----------------- pkg/cryptoutils/publickey_test.go | 2 ++ 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/pkg/cryptoutils/publickey.go b/pkg/cryptoutils/publickey.go index e9f48de..7b5ce48 100644 --- a/pkg/cryptoutils/publickey.go +++ b/pkg/cryptoutils/publickey.go @@ -16,7 +16,6 @@ package cryptoutils import ( - "context" "crypto" "crypto/ecdsa" "crypto/ed25519" @@ -30,8 +29,6 @@ import ( "encoding/pem" "errors" "fmt" - - "github.com/letsencrypt/boulder/goodkey" ) const ( @@ -135,20 +132,8 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string { func ValidatePubKey(pub crypto.PublicKey) error { switch pk := pub.(type) { case *rsa.PublicKey: - // goodkey policy enforces: - // * Size of key: 2048 <= size <= 4096, size % 8 = 0 - // * Exponent E = 65537 (Default exponent for OpenSSL and Golang) - // * Small primes check for modulus - // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17) - // * Key is easily factored with Fermat's factorization method - p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil) - if err != nil { - // Should not occur, only chances to return errors are if fermat rounds - // are <0 or when loading blocked/weak keys from disk (not used here) - return errors.New("unable to initialize key policy") - } - // ctx is unused - return p.GoodKey(context.Background(), pub) + // Avoid dependency on Goodkey for debian + return nil; case *ecdsa.PublicKey: // Unable to use goodkey policy because P-521 curve is not supported return validateEcdsaKey(pk) 
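Review bot: The RSA case now returns nil unconditionally, so ValidatePubKey accepts any *rsa.PublicKey — a 512-bit modulus or a public exponent of 3 passes where upstream rejected it, and every Debian consumer of this package loses the size/exponent/weak-key policy that goodkey enforced. Dropping the dependency does not require dropping the whole policy: the modulus-size and exponent rules need only the standard library and `fmt`/`errors`, which this file already imports, and with them in place the `t.Skip` added to TestValidatePubKeyRsa in the same commit could be removed for the sizes it covers. The Fermat, small-prime and ROCA (Infineon) checks have no stdlib equivalent, so that remaining gap should be stated in a comment rather than hidden behind `return nil`. The stray `;` after `return nil` is also not gofmt-clean. ValidatePubKey's remaining cases continue past the end of the hunk.

```go
	case *rsa.PublicKey:
		// Stand-in for the goodkey policy using only the standard library:
		// modulus size and public exponent are checked; the Fermat,
		// small-prime and ROCA (Infineon) checks are NOT reimplemented.
		if pk.N == nil {
			return errors.New("rsa public key has no modulus")
		}
		bits := pk.N.BitLen()
		if bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("rsa key size %d bits is not in [2048, 4096] or not a multiple of 8", bits)
		}
		if pk.E != 65537 {
			return fmt.Errorf("rsa public exponent %d is not 65537", pk.E)
		}
		return nil
```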
diff --git a/pkg/cryptoutils/publickey_test.go b/pkg/cryptoutils/publickey_test.go index a399999..044c659 100644 --- a/pkg/cryptoutils/publickey_test.go +++ b/pkg/cryptoutils/publickey_test.go @@ -181,6 +181,8 @@ func TestValidatePubKeyUnsupported(t *testing.T) { } func TestValidatePubKeyRsa(t *testing.T) { + t.Skip("Validations disabled for Debian") + // Validate common RSA key sizes for _, bits := range []int{2048, 3072, 4096} { priv, err := rsa.GenerateKey(rand.Reader, bits) -- cgit v1.2.3 From 4708aaffd529d038c20916c96c98292ab01a1ce6 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 20 Aug 2023 19:54:04 -0400 Subject: build against ttlcache v3 Origin: https://github.com/sigstore/sigstore/pull/1099 Gbp-Pq: Name ttlcache-v3.patch --- pkg/signature/kms/aws/client.go | 66 ++++++++++++++-------------------- pkg/signature/kms/aws/signer.go | 3 +- pkg/signature/kms/azure/client.go | 49 ++++++++++++------------- pkg/signature/kms/azure/signer.go | 2 +- pkg/signature/kms/gcp/client.go | 65 +++++++++++++++++---------------- pkg/signature/kms/hashivault/client.go | 40 +++++++++++---------- 6 files changed, 110 insertions(+), 115 deletions(-) diff --git a/pkg/signature/kms/aws/client.go b/pkg/signature/kms/aws/client.go index ac8a576..3acf041 100644 --- a/pkg/signature/kms/aws/client.go +++ b/pkg/signature/kms/aws/client.go @@ -34,7 +34,7 @@ import ( "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms/types" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" "github.com/sigstore/sigstore/pkg/signature" sigkms "github.com/sigstore/sigstore/pkg/signature/kms" ) @@ -56,7 +56,7 @@ type awsClient struct { endpoint string keyID string alias string - keyCache *ttlcache.Cache + keyCache *ttlcache.Cache[string, cmk] } var ( 
@@ -124,9 +124,10 @@ func newAWSClient(ctx context.Context, keyResourceID string, opts ...func(*confi return nil, err } - a.keyCache = ttlcache.NewCache() - a.keyCache.SetLoaderFunction(a.keyCacheLoaderFunction) - a.keyCache.SkipTTLExtensionOnHit(true) + a.keyCache = ttlcache.New[string, cmk]( + ttlcache.WithDisableTouchOnHit[string, cmk](), + ) + return a, nil } @@ -200,18 +201,6 @@ func (c *cmk) Verifier() (signature.Verifier, error) { } } -func (a *awsClient) keyCacheLoaderFunction(key string) (cmk interface{}, ttl time.Duration, err error) { - return a.keyCacheLoaderFunctionWithContext(context.Background())(key) -} - -func (a *awsClient) keyCacheLoaderFunctionWithContext(ctx context.Context) ttlcache.LoaderFunction { - return func(key string) (cmk interface{}, ttl time.Duration, err error) { - cmk, err = a.fetchCMK(ctx) - ttl = time.Second * 300 - return - } -} - func (a *awsClient) fetchCMK(ctx context.Context) (*cmk, error) { var err error cmk := &cmk{} @@ -235,15 +224,24 @@ func (a *awsClient) getHashFunc(ctx context.Context) (crypto.Hash, error) { } func (a *awsClient) getCMK(ctx context.Context) (*cmk, error) { - c, err := a.keyCache.GetByLoader(cacheKey, a.keyCacheLoaderFunctionWithContext(ctx)) - if err != nil { - return nil, err - } - cmk, ok := c.(*cmk) - if !ok { - return nil, fmt.Errorf("could not parse cache value as cmk") + var lerr error + loader := ttlcache.LoaderFunc[string, cmk]( + func(c *ttlcache.Cache[string, cmk], key string) *ttlcache.Item[string, cmk] { + var k *cmk + k, lerr = a.fetchCMK(ctx) + if lerr == nil { + return c.Set(cacheKey, *k, time.Second*300) + } + return nil + }, + ) + + item := a.keyCache.Get(cacheKey, ttlcache.WithLoader[string, cmk](loader)) + if lerr == nil { + cmk := item.Value() + return &cmk, nil } - return cmk, nil + return nil, lerr } func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.PublicKey, error) { 
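Review bot: The loader closure in getCMK ignores its `key` argument and stores under the package constant (`return c.Set(cacheKey, *k, time.Second*300)`); the GCP and Vault loaders in this same series use `c.Set(key, ...)`, and getCMK should do the same so the stored entry is always the one that was requested. The error-via-captured-`lerr` pattern only works because a plain `ttlcache.LoaderFunc` runs in the calling goroutine; if someone later wraps it in a suppressed/shared loader, `lerr` can stay nil while `item` is nil and `item.Value()` would panic, so a one-line comment above `var lerr error` noting that assumption is worth having. For consistency with the Azure `public` in this commit I would also invert the tail to an early guard: `if lerr != nil { return nil, lerr }` then `v := item.Value(); return &v, nil`. The hunk covers getCMK completely.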
@@ -252,8 +250,9 @@ func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.Pub } // look for existing key first - out, err := a.public(ctx) + cmk, err := a.getCMK(ctx) if err == nil { + out := cmk.PublicKey return out, nil } @@ -282,7 +281,8 @@ func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.Pub return nil, fmt.Errorf("creating alias %q: %w", a.alias, err) } - return a.public(ctx) + cmk, err = a.getCMK(ctx) + return cmk.PublicKey, err } func (a *awsClient) verify(ctx context.Context, sig, message io.Reader, opts ...signature.VerifyOption) error { @@ -316,18 +316,6 @@ func (a *awsClient) verifyRemotely(ctx context.Context, sig, digest []byte) erro return nil } -func (a *awsClient) public(ctx context.Context) (crypto.PublicKey, error) { - key, err := a.keyCache.GetByLoader(cacheKey, a.keyCacheLoaderFunctionWithContext(ctx)) - if err != nil { - return nil, err - } - cmk, ok := key.(*cmk) - if !ok { - return nil, fmt.Errorf("could not parse key as cmk") - } - return cmk.PublicKey, nil -} - func (a *awsClient) sign(ctx context.Context, digest []byte, _ crypto.Hash) ([]byte, error) { cmk, err := a.getCMK(ctx) if err != nil { diff --git a/pkg/signature/kms/aws/signer.go b/pkg/signature/kms/aws/signer.go index abab7e6..d904eb6 100644 --- a/pkg/signature/kms/aws/signer.go +++ b/pkg/signature/kms/aws/signer.go @@ -117,7 +117,8 @@ func (a *SignerVerifier) PublicKey(opts ...signature.PublicKeyOption) (crypto.Pu opt.ApplyContext(&ctx) } - return a.client.public(ctx) + cmk, err := a.client.getCMK(ctx) + return cmk, err } // VerifySignature verifies the signature for the given message. Unless provided diff --git a/pkg/signature/kms/azure/client.go b/pkg/signature/kms/azure/client.go index a6b7780..9fe7b1a 100644 --- a/pkg/signature/kms/azure/client.go +++ b/pkg/signature/kms/azure/client.go 
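Review bot: `return cmk.PublicKey, err` at the end of createKey dereferences `cmk` even when getCMK failed; getCMK in this same commit returns `nil, lerr` on a loader error, so a transient KMS failure right after the alias is created becomes a nil-pointer panic instead of an error. Check first: `if err != nil { return nil, err }` and then `return cmk.PublicKey, nil`. createKey begins before this hunk.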
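Review bot: PublicKey now returns the `*cmk` struct itself (`cmk, err := a.client.getCMK(ctx); return cmk, err`) rather than its `PublicKey` field, which is what the deleted `public()` helper returned, so callers that type-assert, marshal or validate the result as a crypto.PublicKey get the wrong type. On failure the nil `*cmk` is additionally boxed into the crypto.PublicKey interface, so the returned key is non-nil while err is set. Write `if err != nil { return nil, err }` followed by `return cmk.PublicKey, nil`. PublicKey's opening lines are outside the hunk.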
@@ -28,7 +28,7 @@ import ( "strings" "time" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" jose "gopkg.in/square/go-jose.v2" kvauth "github.com/Azure/azure-sdk-for-go/services/keyvault/auth" @@ -47,7 +47,7 @@ func init() { type azureVaultClient struct { client *keyvault.BaseClient - keyCache *ttlcache.Cache + keyCache *ttlcache.Cache[string, crypto.PublicKey] vaultURL string vaultName string keyName string @@ -104,12 +104,11 @@ func newAzureKMS(_ context.Context, keyResourceID string) (*azureVaultClient, er vaultURL: vaultURL, vaultName: vaultName, keyName: keyName, - keyCache: ttlcache.NewCache(), + keyCache: ttlcache.New[string, crypto.PublicKey]( + ttlcache.WithDisableTouchOnHit[string, crypto.PublicKey](), + ), } - azClient.keyCache.SetLoaderFunction(azClient.keyCacheLoaderFunction) - azClient.keyCache.SkipTTLExtensionOnHit(true) - return azClient, nil } @@ -194,20 +193,6 @@ func getKeysClient() (keyvault.BaseClient, error) { return keyClient, nil } -func (a *azureVaultClient) keyCacheLoaderFunction(key string) (data interface{}, ttl time.Duration, err error) { - ttl = time.Second * 300 - var pubKey crypto.PublicKey - - pubKey, err = a.fetchPublicKey(context.Background()) - if err != nil { - data = nil - return - } - - data = pubKey - return data, ttl, err -} - func (a *azureVaultClient) fetchPublicKey(ctx context.Context) (crypto.PublicKey, error) { key, err := a.getKey(ctx) if err != nil { 
@@ -244,14 +229,30 @@ func (a *azureVaultClient) getKey(ctx context.Context) (keyvault.KeyBundle, erro return key, err } -func (a *azureVaultClient) public() (crypto.PublicKey, error) { - return a.keyCache.Get(cacheKey) +func (a *azureVaultClient) public(ctx context.Context) (crypto.PublicKey, error) { + var lerr error + loader := ttlcache.LoaderFunc[string, crypto.PublicKey]( + func(c *ttlcache.Cache[string, crypto.PublicKey], key string) *ttlcache.Item[string, crypto.PublicKey] { + ttl := 300 * time.Second + var pubKey crypto.PublicKey + pubKey, lerr = a.fetchPublicKey(ctx) + if lerr == nil { + return c.Set(cacheKey, pubKey, ttl) + } + return nil + }, + ) + item := a.keyCache.Get(cacheKey, ttlcache.WithLoader[string, crypto.PublicKey](loader)) + if lerr != nil { + return nil, lerr + } + return item.Value(), nil } func (a *azureVaultClient) createKey(ctx context.Context) (crypto.PublicKey, error) { _, err := a.getKey(ctx) if err == nil { - return a.public() + return a.public(ctx) } _, err = a.client.CreateKey( @@ -276,7 +277,7 @@ func (a *azureVaultClient) createKey(ctx context.Context) (crypto.PublicKey, err return nil, err } - return a.public() + return a.public(ctx) } func (a *azureVaultClient) sign(ctx context.Context, hash []byte) ([]byte, error) { diff --git a/pkg/signature/kms/azure/signer.go b/pkg/signature/kms/azure/signer.go index 841fc79..83de8bd 100644 --- a/pkg/signature/kms/azure/signer.go +++ b/pkg/signature/kms/azure/signer.go @@ -176,7 +176,7 @@ func (a *SignerVerifier) VerifySignature(sig, message io.Reader, opts ...signatu // PublicKey returns the public key that can be used to verify signatures created by // this signer. All options provided in arguments to this method are ignored. func (a *SignerVerifier) PublicKey(_ ...signature.PublicKeyOption) (crypto.PublicKey, error) { - return a.client.public() + return a.client.public(context.Background()) } // CreateKey attempts to create a new key in Vault with the specified algorithm. 
diff --git a/pkg/signature/kms/gcp/client.go b/pkg/signature/kms/gcp/client.go index 05a1c7e..66506b9 100644 --- a/pkg/signature/kms/gcp/client.go +++ b/pkg/signature/kms/gcp/client.go @@ -33,7 +33,7 @@ import ( kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" "google.golang.org/protobuf/types/known/wrapperspb" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" sigkms "github.com/sigstore/sigstore/pkg/signature/kms" @@ -81,7 +81,7 @@ type gcpClient struct { keyRing string keyName string version string - kvCache *ttlcache.Cache + kvCache *ttlcache.Cache[string, cryptoKeyVersion] kmsClient *gcpkms.KeyManagementClient } @@ -97,7 +97,7 @@ func newGCPClient(ctx context.Context, refStr string, opts ...option.ClientOptio g := &gcpClient{ defaultCtx: ctx, refString: refStr, - kvCache: ttlcache.NewCache(), + kvCache: nil, } var err error g.projectID, g.locationID, g.keyRing, g.keyName, g.version, err = parseReference(refStr) 
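Review bot: `kvCache: nil,` in the gcpClient literal is the zero value and only exists because the real initialisation moved further down in newGCPClient; dropping the field from the literal says the same thing with less to read, and a short comment at the later assignment (`// kvCache is built after the KMS client exists because its loader calls it`) explains why it is not set here. newGCPClient continues past the end of the hunk.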
@@ -110,13 +110,32 @@ func newGCPClient(ctx context.Context, refStr string, opts ...option.ClientOptio return nil, fmt.Errorf("new gcp kms client: %w", err) } - g.kvCache.SetLoaderFunction(g.kvCacheLoaderFunction) - g.kvCache.SkipTTLExtensionOnHit(true) + loader := ttlcache.LoaderFunc[string, cryptoKeyVersion]( + func(c *ttlcache.Cache[string, cryptoKeyVersion], key string) *ttlcache.Item[string, cryptoKeyVersion] { + var ttl time.Duration + + // if we're given an explicit version, cache this value forever + if g.version != "" { + ttl = time.Second * 0 + } else { + ttl = time.Second * 300 + } + data, err := g.keyVersionName(context.Background()) + if err == nil { + item := c.Set(key, *data, ttl) + return item + } + return nil + }, + ) + + g.kvCache = ttlcache.New[string, cryptoKeyVersion]( + ttlcache.WithLoader[string, cryptoKeyVersion](loader), + ttlcache.WithDisableTouchOnHit[string, cryptoKeyVersion](), + ) + // prime the cache - _, err = g.kvCache.Get(cacheKey) - if err != nil { - return nil, fmt.Errorf("initializing key version from GCP KMS: %w", err) - } + g.kvCache.Get(cacheKey) return g, nil } @@ -156,18 +175,6 @@ type cryptoKeyVersion struct { // use a consistent key for cache lookups const cacheKey = "crypto_key_version" -func (g *gcpClient) kvCacheLoaderFunction(key string) (data interface{}, ttl time.Duration, err error) { - // if we're given an explicit version, cache this value forever - if g.version != "" { - ttl = time.Second * 0 - } else { - ttl = time.Second * 300 - } - data, err = g.keyVersionName(context.Background()) - - return -} - // keyVersionName returns the first key version found for a key in KMS func (g *gcpClient) keyVersionName(ctx context.Context) (*cryptoKeyVersion, error) { parent := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", g.projectID, g.locationID, g.keyRing, g.keyName) 
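Review bot: The priming call `g.kvCache.Get(cacheKey)` discards its result, and the loader above it drops the error from `g.keyVersionName`, so a wrong key reference or a missing IAM permission is no longer reported from newGCPClient as it was before (`initializing key version from GCP KMS: %w`); it surfaces later as a bare "could not retrieve CryptoKeyVersion" with the cause gone. I would prime explicitly so the error keeps its context, and hoist the TTL choice so the loader and the priming path agree. Separately, `ttl = time.Second * 0` relies on 0 meaning "never expire"; if I read the v3 API right, 0 is `ttlcache.DefaultTTL` and only behaves that way because no cache-level TTL is configured, so `ttlcache.NoTTL` states the intent. The loader also uses `context.Background()` although the constructor's `ctx` is in scope. newGCPClient begins before this hunk.

```go
	// if we're given an explicit version, cache this value forever
	ttl := 300 * time.Second
	if g.version != "" {
		ttl = ttlcache.NoTTL
	}
	loader := ttlcache.LoaderFunc[string, cryptoKeyVersion](
		func(c *ttlcache.Cache[string, cryptoKeyVersion], key string) *ttlcache.Item[string, cryptoKeyVersion] {
			data, err := g.keyVersionName(context.Background())
			if err != nil {
				return nil
			}
			return c.Set(key, *data, ttl)
		},
	)
	// … unchanged: g.kvCache = ttlcache.New(...) …
	// prime the cache, reporting a bad reference or missing permission now
	kv, err := g.keyVersionName(ctx)
	if err != nil {
		return nil, fmt.Errorf("initializing key version from GCP KMS: %w", err)
	}
	g.kvCache.Set(cacheKey, *kv, ttl)
```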
@@ -274,17 +281,13 @@ func (g *gcpClient) getHashFunc() (crypto.Hash, error) { // call to GCP if the existing entry in the cache has expired. func (g *gcpClient) getCKV() (*cryptoKeyVersion, error) { // we get once and use consistently to ensure the cache value doesn't change underneath us - kmsVersionInt, err := g.kvCache.Get(cacheKey) - if err != nil { - return nil, err - } - kv, ok := kmsVersionInt.(*cryptoKeyVersion) - if !ok { - return nil, fmt.Errorf("could not parse kms version cache value as CryptoKeyVersion") + item := g.kvCache.Get(cacheKey) + if item != nil { + v := item.Value() + return &v, nil } - - return kv, nil + return nil, fmt.Errorf("could not retrieve CryptoKeyVersion from gcp") } func (g *gcpClient) sign(ctx context.Context, digest []byte, alg crypto.Hash, crc uint32) ([]byte, error) { @@ -353,7 +356,7 @@ func (g *gcpClient) verify(sig, message io.Reader, opts ...signature.VerifyOptio if err := crv.Verifier.VerifySignature(sig, message, opts...); err != nil { // key could have been rotated, clear cache and try again if we're not pinned to a version if g.version == "" { - _ = g.kvCache.Remove(cacheKey) + g.kvCache.Delete(cacheKey) crv, err = g.getCKV() if err != nil { return fmt.Errorf("transient error getting info from KMS: %w", err) diff --git a/pkg/signature/kms/hashivault/client.go b/pkg/signature/kms/hashivault/client.go index 7a82425..591e22f 100644 --- a/pkg/signature/kms/hashivault/client.go +++ b/pkg/signature/kms/hashivault/client.go @@ -30,7 +30,7 @@ import ( "time" vault "github.com/hashicorp/vault/api" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" "github.com/mitchellh/go-homedir" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" @@ -47,7 +47,7 @@ type hashivaultClient struct { client *vault.Client keyPath string transitSecretEnginePath string - keyCache *ttlcache.Cache + keyCache *ttlcache.Cache[string, crypto.PublicKey] keyVersion uint64 } 
@@ -140,11 +140,11 @@ func newHashivaultClient(address, token, transitSecretEnginePath, keyResourceID client: client, keyPath: keyPath, transitSecretEnginePath: transitSecretEnginePath, - keyCache: ttlcache.NewCache(), - keyVersion: keyVersion, + keyCache: ttlcache.New[string, crypto.PublicKey]( + ttlcache.WithDisableTouchOnHit[string, crypto.PublicKey](), + ), + keyVersion: keyVersion, } - hvClient.keyCache.SetLoaderFunction(hvClient.keyCacheLoaderFunction) - hvClient.keyCache.SkipTTLExtensionOnHit(true) return hvClient, nil } @@ -179,18 +179,6 @@ func oidcLogin(_ context.Context, address, path, role, token string) (string, er return resp.TokenID() } -func (h *hashivaultClient) keyCacheLoaderFunction(key string) (data interface{}, ttl time.Duration, err error) { - ttl = time.Second * 300 - var pubKey crypto.PublicKey - pubKey, err = h.fetchPublicKey(context.Background()) - if err != nil { - data = nil - return - } - data = pubKey - return data, ttl, err -} - func (h *hashivaultClient) fetchPublicKey(_ context.Context) (crypto.PublicKey, error) { client := h.client.Logical() @@ -245,7 +233,21 @@ func (h *hashivaultClient) fetchPublicKey(_ context.Context) (crypto.PublicKey, } func (h *hashivaultClient) public() (crypto.PublicKey, error) { - return h.keyCache.Get(cacheKey) + var lerr error + loader := ttlcache.LoaderFunc[string, crypto.PublicKey]( + func(c *ttlcache.Cache[string, crypto.PublicKey], key string) *ttlcache.Item[string, crypto.PublicKey] { + var pubkey crypto.PublicKey + pubkey, lerr = h.fetchPublicKey(context.Background()) + if lerr == nil { + item := c.Set(key, pubkey, 300*time.Second) + return item + } + return nil + }, + ) + + item := h.keyCache.Get(cacheKey, ttlcache.WithLoader[string, crypto.PublicKey](loader)) + return item.Value(), lerr } func (h hashivaultClient) sign(digest []byte, alg crypto.Hash, opts ...signature.SignOption) ([]byte, error) { -- cgit v1.2.3 From ec5e52561b832d904d1b9f8aafaae19c6c487f6d Mon Sep 17 00:00:00 2001 
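Review bot: `return item.Value(), lerr` in public dereferences `item` even when the loader failed; the loader returns nil after setting `lerr`, and as far as I can tell ttlcache's Get hands that nil straight back, so a Vault outage or a bad token panics instead of returning the error. Guard first: `if lerr != nil { return nil, lerr }` then `return item.Value(), nil`, which is also the shape the Azure `public` in this same commit uses. The loader calls fetchPublicKey with `context.Background()`; that is harmless today because fetchPublicKey ignores its ctx (`_ context.Context`), but a comment saying so would stop someone relying on cancellation here. The hunk covers public completely.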
From: Reinhard Tartler Date: Sun, 20 Aug 2023 19:54:04 -0400 Subject: Fix build against debian tuf Gbp-Pq: Name tuf-0.4.patch --- pkg/tuf/client.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 476f74a..2f86268 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -275,7 +275,7 @@ func initializeTUF(mirror string, root []byte, embedded fs.FS, forceUpdate bool) } } - if err := t.client.InitLocal(root); err != nil { + if err := t.client.Init(root); err != nil { singletonTUFErr = fmt.Errorf("unable to initialize client, local cache may be corrupt: %w", err) return } -- cgit v1.2.3 From 59170ae4029a952dbd40add286fb3dae830910e1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 20 Aug 2023 19:54:04 -0400 Subject: avoid hashivault dependency Gbp-Pq: Name avoid-hashivault.patch --- pkg/signature/kms/kms_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/signature/kms/kms_test.go b/pkg/signature/kms/kms_test.go index 2400fe7..bf20f96 100644 --- a/pkg/signature/kms/kms_test.go +++ b/pkg/signature/kms/kms_test.go @@ -21,7 +21,7 @@ import ( "github.com/sigstore/sigstore/pkg/signature/kms" "github.com/sigstore/sigstore/pkg/signature/kms/aws" "github.com/sigstore/sigstore/pkg/signature/kms/azure" - "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" + // "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" // Debian-local "github.com/stretchr/testify/require" ) -- cgit v1.2.3 From 8a2cd579c0e42ee27ae85e017731098e3759e520 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 20 Aug 2023 19:54:04 -0400 Subject: Commit patch to update .gitignore [dgit (11.1) update-gitignore-quilt-fixup] --- debian/patches/auto-gitignore | 19 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 20 insertions(+) create mode 100644 debian/patches/auto-gitignore 
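Review bot: Swapping `InitLocal(root)` for `Init(root)` changes which go-tuf entry point establishes the trust root, and the commit only says it fixes the build; whether the Debian go-tuf `Init` performs the same verification of the supplied root (signature threshold against the embedded root) that `InitLocal` did is not shown here and should be confirmed, since this call is the trust anchor for everything the TUF client later fetches. Once verified I would record it next to the call, e.g. `// Debian: go-tuf 0.4 has no InitLocal; Init(rootJSON) is the equivalent trusted-root initializer`. initializeTUF begins before the hunk.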
diff --git a/debian/patches/auto-gitignore b/debian/patches/auto-gitignore new file mode 100644 index 0000000..1e7d930 --- /dev/null +++ b/debian/patches/auto-gitignore @@ -0,0 +1,19 @@ +Subject: Update .gitignore from Debian packaging branch + +The Debian packaging git branch contains these updates to the upstream +.gitignore file(s). This patch is autogenerated, to provide these +updates to users of the official Debian archive view of the package. + +[dgit (11.1) update-gitignore] +--- +diff --git a/.gitignore b/.gitignore +index eefc503..156ff2f 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -4,3 +4,6 @@ sigstore + *fuzz.zip + bin* + .vscode/* ++ ++/.pc/ ++/_build/ diff --git a/debian/patches/series b/debian/patches/series index f9df8ff..3988771 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ avoid-boulder.patch ttlcache-v3.patch tuf-0.4.patch avoid-hashivault.patch +auto-gitignore -- cgit v1.2.3 From 6b72fbbe657760941eb914d867c13310a1a31654 Mon Sep 17 00:00:00 2001 From: Debian Go Packaging Team Date: Fri, 27 Oct 2023 11:51:14 -0400 Subject: avoid-boulder commit 548f37171bb96d28553f37dc2e03c4975db697f3 (HEAD -> release-1.6) Author: Reinhard Tartler Date: Thu Apr 6 20:24:46 2023 -0400 Drop dependency on boulder, disable RSA checks Gbp-Pq: Name avoid-boulder.patch --- pkg/cryptoutils/publickey.go | 19 ++----------------- pkg/cryptoutils/publickey_test.go | 2 ++ 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/pkg/cryptoutils/publickey.go b/pkg/cryptoutils/publickey.go index e9f48de..7b5ce48 100644 --- a/pkg/cryptoutils/publickey.go +++ b/pkg/cryptoutils/publickey.go @@ -16,7 +16,6 @@ package cryptoutils import ( - "context" "crypto" "crypto/ecdsa" "crypto/ed25519" @@ -30,8 +29,6 @@ import ( "encoding/pem" "errors" "fmt" - - "github.com/letsencrypt/boulder/goodkey" ) const ( 
@@ -135,20 +132,8 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string { func ValidatePubKey(pub crypto.PublicKey) error { switch pk := pub.(type) { case *rsa.PublicKey: - // goodkey policy enforces: - // * Size of key: 2048 <= size <= 4096, size % 8 = 0 - // * Exponent E = 65537 (Default exponent for OpenSSL and Golang) - // * Small primes check for modulus - // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17) - // * Key is easily factored with Fermat's factorization method - p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil) - if err != nil { - // Should not occur, only chances to return errors are if fermat rounds - // are <0 or when loading blocked/weak keys from disk (not used here) - return errors.New("unable to initialize key policy") - } - // ctx is unused - return p.GoodKey(context.Background(), pub) + // Avoid dependency on Goodkey for debian + return nil; case *ecdsa.PublicKey: // Unable to use goodkey policy because P-521 curve is not supported return validateEcdsaKey(pk) diff --git a/pkg/cryptoutils/publickey_test.go b/pkg/cryptoutils/publickey_test.go index a399999..044c659 100644 --- a/pkg/cryptoutils/publickey_test.go +++ b/pkg/cryptoutils/publickey_test.go @@ -181,6 +181,8 @@ func TestValidatePubKeyUnsupported(t *testing.T) { } func TestValidatePubKeyRsa(t *testing.T) { + t.Skip("Validations disabled for Debian") + // Validate common RSA key sizes for _, bits := range []int{2048, 3072, 4096} { priv, err := rsa.GenerateKey(rand.Reader, bits) -- cgit v1.2.3 From dff75f0add298f900a14e1f823983929e6f688c5 Mon Sep 17 00:00:00 2001 
From: Reinhard Tartler Date: Fri, 27 Oct 2023 11:51:14 -0400 Subject: build against ttlcache v3 Origin: https://github.com/sigstore/sigstore/pull/1099 Gbp-Pq: Name ttlcache-v3.patch --- pkg/signature/kms/aws/client.go | 66 ++++++++++++++-------------------- pkg/signature/kms/aws/signer.go | 3 +- pkg/signature/kms/azure/client.go | 49 ++++++++++++------------- pkg/signature/kms/azure/signer.go | 2 +- pkg/signature/kms/gcp/client.go | 65 +++++++++++++++++---------------- pkg/signature/kms/hashivault/client.go | 40 +++++++++++---------- 6 files changed, 110 insertions(+), 115 deletions(-) diff --git a/pkg/signature/kms/aws/client.go b/pkg/signature/kms/aws/client.go index ac8a576..3acf041 100644 --- a/pkg/signature/kms/aws/client.go +++ b/pkg/signature/kms/aws/client.go @@ -34,7 +34,7 @@ import ( "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms/types" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" "github.com/sigstore/sigstore/pkg/signature" sigkms "github.com/sigstore/sigstore/pkg/signature/kms" ) @@ -56,7 +56,7 @@ type awsClient struct { endpoint string keyID string alias string - keyCache *ttlcache.Cache + keyCache *ttlcache.Cache[string, cmk] } var ( @@ -124,9 +124,10 @@ func newAWSClient(ctx context.Context, keyResourceID string, opts ...func(*confi return nil, err } - a.keyCache = ttlcache.NewCache() - a.keyCache.SetLoaderFunction(a.keyCacheLoaderFunction) - a.keyCache.SkipTTLExtensionOnHit(true) + a.keyCache = ttlcache.New[string, cmk]( + ttlcache.WithDisableTouchOnHit[string, cmk](), + ) + return a, nil } 
@@ -200,18 +201,6 @@ func (c *cmk) Verifier() (signature.Verifier, error) { } } -func (a *awsClient) keyCacheLoaderFunction(key string) (cmk interface{}, ttl time.Duration, err error) { - return a.keyCacheLoaderFunctionWithContext(context.Background())(key) -} - -func (a *awsClient) keyCacheLoaderFunctionWithContext(ctx context.Context) ttlcache.LoaderFunction { - return func(key string) (cmk interface{}, ttl time.Duration, err error) { - cmk, err = a.fetchCMK(ctx) - ttl = time.Second * 300 - return - } -} - func (a *awsClient) fetchCMK(ctx context.Context) (*cmk, error) { var err error cmk := &cmk{} @@ -235,15 +224,24 @@ func (a *awsClient) getHashFunc(ctx context.Context) (crypto.Hash, error) { } func (a *awsClient) getCMK(ctx context.Context) (*cmk, error) { - c, err := a.keyCache.GetByLoader(cacheKey, a.keyCacheLoaderFunctionWithContext(ctx)) - if err != nil { - return nil, err - } - cmk, ok := c.(*cmk) - if !ok { - return nil, fmt.Errorf("could not parse cache value as cmk") + var lerr error + loader := ttlcache.LoaderFunc[string, cmk]( + func(c *ttlcache.Cache[string, cmk], key string) *ttlcache.Item[string, cmk] { + var k *cmk + k, lerr = a.fetchCMK(ctx) + if lerr == nil { + return c.Set(cacheKey, *k, time.Second*300) + } + return nil + }, + ) + + item := a.keyCache.Get(cacheKey, ttlcache.WithLoader[string, cmk](loader)) + if lerr == nil { + cmk := item.Value() + return &cmk, nil } - return cmk, nil + return nil, lerr } func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.PublicKey, error) { @@ -252,8 +250,9 @@ func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.Pub } // look for existing key first - out, err := a.public(ctx) + cmk, err := a.getCMK(ctx) if err == nil { + out := cmk.PublicKey return out, nil } 
@@ -282,7 +281,8 @@ func (a *awsClient) createKey(ctx context.Context, algorithm string) (crypto.Pub return nil, fmt.Errorf("creating alias %q: %w", a.alias, err) } - return a.public(ctx) + cmk, err = a.getCMK(ctx) + return cmk.PublicKey, err } func (a *awsClient) verify(ctx context.Context, sig, message io.Reader, opts ...signature.VerifyOption) error { @@ -316,18 +316,6 @@ func (a *awsClient) verifyRemotely(ctx context.Context, sig, digest []byte) erro return nil } -func (a *awsClient) public(ctx context.Context) (crypto.PublicKey, error) { - key, err := a.keyCache.GetByLoader(cacheKey, a.keyCacheLoaderFunctionWithContext(ctx)) - if err != nil { - return nil, err - } - cmk, ok := key.(*cmk) - if !ok { - return nil, fmt.Errorf("could not parse key as cmk") - } - return cmk.PublicKey, nil -} - func (a *awsClient) sign(ctx context.Context, digest []byte, _ crypto.Hash) ([]byte, error) { cmk, err := a.getCMK(ctx) if err != nil { diff --git a/pkg/signature/kms/aws/signer.go b/pkg/signature/kms/aws/signer.go index abab7e6..d904eb6 100644 --- a/pkg/signature/kms/aws/signer.go +++ b/pkg/signature/kms/aws/signer.go @@ -117,7 +117,8 @@ func (a *SignerVerifier) PublicKey(opts ...signature.PublicKeyOption) (crypto.Pu opt.ApplyContext(&ctx) } - return a.client.public(ctx) + cmk, err := a.client.getCMK(ctx) + return cmk, err } // VerifySignature verifies the signature for the given message. Unless provided diff --git a/pkg/signature/kms/azure/client.go b/pkg/signature/kms/azure/client.go index a6b7780..9fe7b1a 100644 --- a/pkg/signature/kms/azure/client.go +++ b/pkg/signature/kms/azure/client.go @@ -28,7 +28,7 @@ import ( "strings" "time" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" jose "gopkg.in/square/go-jose.v2" kvauth "github.com/Azure/azure-sdk-for-go/services/keyvault/auth" 
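Review bot: `return cmk.PublicKey, err` at the end of createKey dereferences `cmk` even when getCMK failed; getCMK in this same commit returns `nil, lerr` on a loader error, so a transient KMS failure right after the alias is created becomes a nil-pointer panic instead of an error. Check first: `if err != nil { return nil, err }` and then `return cmk.PublicKey, nil`. createKey begins before this hunk.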
@@ -47,7 +47,7 @@ func init() { type azureVaultClient struct { client *keyvault.BaseClient - keyCache *ttlcache.Cache + keyCache *ttlcache.Cache[string, crypto.PublicKey] vaultURL string vaultName string keyName string @@ -104,12 +104,11 @@ func newAzureKMS(_ context.Context, keyResourceID string) (*azureVaultClient, er vaultURL: vaultURL, vaultName: vaultName, keyName: keyName, - keyCache: ttlcache.NewCache(), + keyCache: ttlcache.New[string, crypto.PublicKey]( + ttlcache.WithDisableTouchOnHit[string, crypto.PublicKey](), + ), } - azClient.keyCache.SetLoaderFunction(azClient.keyCacheLoaderFunction) - azClient.keyCache.SkipTTLExtensionOnHit(true) - return azClient, nil } @@ -194,20 +193,6 @@ func getKeysClient() (keyvault.BaseClient, error) { return keyClient, nil } -func (a *azureVaultClient) keyCacheLoaderFunction(key string) (data interface{}, ttl time.Duration, err error) { - ttl = time.Second * 300 - var pubKey crypto.PublicKey - - pubKey, err = a.fetchPublicKey(context.Background()) - if err != nil { - data = nil - return - } - - data = pubKey - return data, ttl, err -} - func (a *azureVaultClient) fetchPublicKey(ctx context.Context) (crypto.PublicKey, error) { key, err := a.getKey(ctx) if err != nil { 
@@ -244,14 +229,30 @@ func (a *azureVaultClient) getKey(ctx context.Context) (keyvault.KeyBundle, erro return key, err } -func (a *azureVaultClient) public() (crypto.PublicKey, error) { - return a.keyCache.Get(cacheKey) +func (a *azureVaultClient) public(ctx context.Context) (crypto.PublicKey, error) { + var lerr error + loader := ttlcache.LoaderFunc[string, crypto.PublicKey]( + func(c *ttlcache.Cache[string, crypto.PublicKey], key string) *ttlcache.Item[string, crypto.PublicKey] { + ttl := 300 * time.Second + var pubKey crypto.PublicKey + pubKey, lerr = a.fetchPublicKey(ctx) + if lerr == nil { + return c.Set(cacheKey, pubKey, ttl) + } + return nil + }, + ) + item := a.keyCache.Get(cacheKey, ttlcache.WithLoader[string, crypto.PublicKey](loader)) + if lerr != nil { + return nil, lerr + } + return item.Value(), nil } func (a *azureVaultClient) createKey(ctx context.Context) (crypto.PublicKey, error) { _, err := a.getKey(ctx) if err == nil { - return a.public() + return a.public(ctx) } _, err = a.client.CreateKey( @@ -276,7 +277,7 @@ func (a *azureVaultClient) createKey(ctx context.Context) (crypto.PublicKey, err return nil, err } - return a.public() + return a.public(ctx) } func (a *azureVaultClient) sign(ctx context.Context, hash []byte) ([]byte, error) { diff --git a/pkg/signature/kms/azure/signer.go b/pkg/signature/kms/azure/signer.go index 841fc79..83de8bd 100644 --- a/pkg/signature/kms/azure/signer.go +++ b/pkg/signature/kms/azure/signer.go @@ -176,7 +176,7 @@ func (a *SignerVerifier) VerifySignature(sig, message io.Reader, opts ...signatu // PublicKey returns the public key that can be used to verify signatures created by // this signer. All options provided in arguments to this method are ignored. func (a *SignerVerifier) PublicKey(_ ...signature.PublicKeyOption) (crypto.PublicKey, error) { - return a.client.public() + return a.client.public(context.Background()) } // CreateKey attempts to create a new key in Vault with the specified algorithm. 
diff --git a/pkg/signature/kms/gcp/client.go b/pkg/signature/kms/gcp/client.go index 05a1c7e..66506b9 100644 --- a/pkg/signature/kms/gcp/client.go +++ b/pkg/signature/kms/gcp/client.go @@ -33,7 +33,7 @@ import ( kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" "google.golang.org/protobuf/types/known/wrapperspb" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" sigkms "github.com/sigstore/sigstore/pkg/signature/kms" @@ -81,7 +81,7 @@ type gcpClient struct { keyRing string keyName string version string - kvCache *ttlcache.Cache + kvCache *ttlcache.Cache[string, cryptoKeyVersion] kmsClient *gcpkms.KeyManagementClient } @@ -97,7 +97,7 @@ func newGCPClient(ctx context.Context, refStr string, opts ...option.ClientOptio g := &gcpClient{ defaultCtx: ctx, refString: refStr, - kvCache: ttlcache.NewCache(), + kvCache: nil, } var err error g.projectID, g.locationID, g.keyRing, g.keyName, g.version, err = parseReference(refStr) 
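Review bot: `kvCache: nil,` in the gcpClient literal is the zero value and only exists because the real initialisation moved further down in newGCPClient; dropping the field from the literal says the same thing with less to read, and a short comment at the later assignment (`// kvCache is built after the KMS client exists because its loader calls it`) explains why it is not set here. newGCPClient continues past the end of the hunk.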
@@ -110,13 +110,32 @@ func newGCPClient(ctx context.Context, refStr string, opts ...option.ClientOptio return nil, fmt.Errorf("new gcp kms client: %w", err) } - g.kvCache.SetLoaderFunction(g.kvCacheLoaderFunction) - g.kvCache.SkipTTLExtensionOnHit(true) + loader := ttlcache.LoaderFunc[string, cryptoKeyVersion]( + func(c *ttlcache.Cache[string, cryptoKeyVersion], key string) *ttlcache.Item[string, cryptoKeyVersion] { + var ttl time.Duration + + // if we're given an explicit version, cache this value forever + if g.version != "" { + ttl = time.Second * 0 + } else { + ttl = time.Second * 300 + } + data, err := g.keyVersionName(context.Background()) + if err == nil { + item := c.Set(key, *data, ttl) + return item + } + return nil + }, + ) + + g.kvCache = ttlcache.New[string, cryptoKeyVersion]( + ttlcache.WithLoader[string, cryptoKeyVersion](loader), + ttlcache.WithDisableTouchOnHit[string, cryptoKeyVersion](), + ) + // prime the cache - _, err = g.kvCache.Get(cacheKey) - if err != nil { - return nil, fmt.Errorf("initializing key version from GCP KMS: %w", err) - } + g.kvCache.Get(cacheKey) return g, nil } @@ -156,18 +175,6 @@ type cryptoKeyVersion struct { // use a consistent key for cache lookups const cacheKey = "crypto_key_version" -func (g *gcpClient) kvCacheLoaderFunction(key string) (data interface{}, ttl time.Duration, err error) { - // if we're given an explicit version, cache this value forever - if g.version != "" { - ttl = time.Second * 0 - } else { - ttl = time.Second * 300 - } - data, err = g.keyVersionName(context.Background()) - - return -} - // keyVersionName returns the first key version found for a key in KMS func (g *gcpClient) keyVersionName(ctx context.Context) (*cryptoKeyVersion, error) { parent := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", g.projectID, g.locationID, g.keyRing, g.keyName) 
@@ -274,17 +281,13 @@ func (g *gcpClient) getHashFunc() (crypto.Hash, error) { // call to GCP if the existing entry in the cache has expired. func (g *gcpClient) getCKV() (*cryptoKeyVersion, error) { // we get once and use consistently to ensure the cache value doesn't change underneath us - kmsVersionInt, err := g.kvCache.Get(cacheKey) - if err != nil { - return nil, err - } - kv, ok := kmsVersionInt.(*cryptoKeyVersion) - if !ok { - return nil, fmt.Errorf("could not parse kms version cache value as CryptoKeyVersion") + item := g.kvCache.Get(cacheKey) + if item != nil { + v := item.Value() + return &v, nil } - - return kv, nil + return nil, fmt.Errorf("could not retrieve CryptoKeyVersion from gcp") } func (g *gcpClient) sign(ctx context.Context, digest []byte, alg crypto.Hash, crc uint32) ([]byte, error) { @@ -353,7 +356,7 @@ func (g *gcpClient) verify(sig, message io.Reader, opts ...signature.VerifyOptio if err := crv.Verifier.VerifySignature(sig, message, opts...); err != nil { // key could have been rotated, clear cache and try again if we're not pinned to a version if g.version == "" { - _ = g.kvCache.Remove(cacheKey) + g.kvCache.Delete(cacheKey) crv, err = g.getCKV() if err != nil { return fmt.Errorf("transient error getting info from KMS: %w", err) diff --git a/pkg/signature/kms/hashivault/client.go b/pkg/signature/kms/hashivault/client.go index 7a82425..591e22f 100644 --- a/pkg/signature/kms/hashivault/client.go +++ b/pkg/signature/kms/hashivault/client.go @@ -30,7 +30,7 @@ import ( "time" vault "github.com/hashicorp/vault/api" - "github.com/jellydator/ttlcache/v2" + "github.com/jellydator/ttlcache/v3" "github.com/mitchellh/go-homedir" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" @@ -47,7 +47,7 @@ type hashivaultClient struct { client *vault.Client keyPath string transitSecretEnginePath string - keyCache *ttlcache.Cache + keyCache *ttlcache.Cache[string, crypto.PublicKey] keyVersion uint64 } 
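Review bot: The new failure branch in `getCKV` returns the fixed string `"could not retrieve CryptoKeyVersion from gcp"`, which hides the underlying KMS error (permission denied, key not found, version disabled) that the v2 loader used to propagate through `Get`; because the v3 loader has no way to report its error, the cheapest self-contained fix is to repeat the lookup outside the cache on a miss so the caller gets the real `%w`-wrapped cause. This matters in `verify`, where the same hunk clears the cache on a signature mismatch and the next `getCKV` failure is reported as a "transient error"; with the opaque message an operator cannot tell rotation from a revoked binding. `g.defaultCtx` is the context stored in the struct at construction.

```go
func (g *gcpClient) getCKV() (*cryptoKeyVersion, error) {
	// we get once and use consistently to ensure the cache value doesn't change underneath us
	item := g.kvCache.Get(cacheKey)
	if item == nil {
		// the cache loader cannot report why it failed; repeat the lookup
		// outside the cache so the caller sees the real KMS error
		kv, err := g.keyVersionName(g.defaultCtx)
		if err != nil {
			return nil, fmt.Errorf("retrieving CryptoKeyVersion from GCP KMS: %w", err)
		}
		return kv, nil
	}
	v := item.Value()
	return &v, nil
}
```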
@@ -140,11 +140,11 @@ func newHashivaultClient(address, token, transitSecretEnginePath, keyResourceID client: client, keyPath: keyPath, transitSecretEnginePath: transitSecretEnginePath, - keyCache: ttlcache.NewCache(), - keyVersion: keyVersion, + keyCache: ttlcache.New[string, crypto.PublicKey]( + ttlcache.WithDisableTouchOnHit[string, crypto.PublicKey](), + ), + keyVersion: keyVersion, } - hvClient.keyCache.SetLoaderFunction(hvClient.keyCacheLoaderFunction) - hvClient.keyCache.SkipTTLExtensionOnHit(true) return hvClient, nil } @@ -179,18 +179,6 @@ func oidcLogin(_ context.Context, address, path, role, token string) (string, er return resp.TokenID() } -func (h *hashivaultClient) keyCacheLoaderFunction(key string) (data interface{}, ttl time.Duration, err error) { - ttl = time.Second * 300 - var pubKey crypto.PublicKey - pubKey, err = h.fetchPublicKey(context.Background()) - if err != nil { - data = nil - return - } - data = pubKey - return data, ttl, err -} - func (h *hashivaultClient) fetchPublicKey(_ context.Context) (crypto.PublicKey, error) { client := h.client.Logical() @@ -245,7 +233,21 @@ func (h *hashivaultClient) fetchPublicKey(_ context.Context) (crypto.PublicKey, } func (h *hashivaultClient) public() (crypto.PublicKey, error) { - return h.keyCache.Get(cacheKey) + var lerr error + loader := ttlcache.LoaderFunc[string, crypto.PublicKey]( + func(c *ttlcache.Cache[string, crypto.PublicKey], key string) *ttlcache.Item[string, crypto.PublicKey] { + var pubkey crypto.PublicKey + pubkey, lerr = h.fetchPublicKey(context.Background()) + if lerr == nil { + item := c.Set(key, pubkey, 300*time.Second) + return item + } + return nil + }, + ) + + item := h.keyCache.Get(cacheKey, ttlcache.WithLoader[string, crypto.PublicKey](loader)) + return item.Value(), lerr } func (h hashivaultClient) sign(digest []byte, alg crypto.Hash, opts ...signature.SignOption) ([]byte, error) { -- cgit v1.2.3 From 90925bc38ae09b334f7cffdba5d9a29c8d3a86f0 Mon Sep 17 00:00:00 2001 
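Review bot: `return item.Value(), lerr` in the new hashivault `public` dereferences `item` unconditionally, but when `fetchPublicKey` fails the loader returns nil and ttlcache v3's `Get` then returns a nil `*Item`, so a Vault outage, an expired token or a wrong `keyPath` becomes a nil-pointer panic in the signer instead of an error; the azure client in this same series checks `lerr` before touching the item, and this one should do the same, plus a nil-item guard. The constructor hunk above now builds the cache with only `WithDisableTouchOnHit`, so the loader is supplied per call — that is fine, but it means every `public()` call allocates a fresh closure, which a short comment could justify. `errors` is presumably imported in this file — verify.

```go
	item := h.keyCache.Get(cacheKey, ttlcache.WithLoader[string, crypto.PublicKey](loader))
	if lerr != nil {
		return nil, lerr
	}
	if item == nil {
		// loader returned nil without an error; do not dereference it
		return nil, errors.New("vault transit: public key not available in cache")
	}
	return item.Value(), nil
```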
From: Reinhard Tartler Date: Fri, 27 Oct 2023 11:51:14 -0400 Subject: Fix build against debian tuf Gbp-Pq: Name tuf-0.4.patch --- pkg/tuf/client.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 476f74a..2f86268 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -275,7 +275,7 @@ func initializeTUF(mirror string, root []byte, embedded fs.FS, forceUpdate bool) } } - if err := t.client.InitLocal(root); err != nil { + if err := t.client.Init(root); err != nil { singletonTUFErr = fmt.Errorf("unable to initialize client, local cache may be corrupt: %w", err) return } -- cgit v1.2.3 From 85ffb7b0db500faf16c4729e4a990ff593caddfa Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 27 Oct 2023 11:51:14 -0400 Subject: avoid hashivault dependency Gbp-Pq: Name avoid-hashivault.patch --- pkg/signature/kms/kms_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/signature/kms/kms_test.go b/pkg/signature/kms/kms_test.go index 2400fe7..bf20f96 100644 --- a/pkg/signature/kms/kms_test.go +++ b/pkg/signature/kms/kms_test.go @@ -21,7 +21,7 @@ import ( "github.com/sigstore/sigstore/pkg/signature/kms" "github.com/sigstore/sigstore/pkg/signature/kms/aws" "github.com/sigstore/sigstore/pkg/signature/kms/azure" - "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" + // "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" // Debian-local "github.com/stretchr/testify/require" ) -- cgit v1.2.3 From dbb290d37295179a5fbfbb20a5b53e5755fd9dd3 Mon Sep 17 00:00:00 2001 
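Review bot: Swapping `t.client.InitLocal(root)` for `t.client.Init(root)` changes which go-tuf entry point establishes the trust root, and the two have not necessarily had identical semantics across go-tuf releases; confirm against the go-tuf version Debian pins that `Init(root)` verifies the embedded root metadata's signatures against its own keys and threshold before trusting it, since every later sigstore verification chains from this root. If `Init` does only that, the adjacent error text `"unable to initialize client, local cache may be corrupt"` is still accurate; if it also contacts the mirror, reword it so a network failure is not reported as cache corruption. A one-line comment at the call site, e.g. `// go-tuf >= 0.4: Init takes the trusted root metadata directly`, would save the next rebase. `initializeTUF` starts and ends outside the hunk.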
From: Debian Go Packaging Team Date: Fri, 27 Oct 2023 11:51:14 -0400 Subject: securesystemslib-0.7 commit b365116178d775727fc2dfc818d3ef67948d5002 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri Feb 24 09:57:59 2023 -0800 build(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.4.0 to 0.5.0 (#973) * build(deps): bump github.com/secure-systems-lab/go-securesystemslib Bumps [github.com/secure-systems-lab/go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases) - [Commits](https://github.com/secure-systems-lab/go-securesystemslib/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: github.com/secure-systems-lab/go-securesystemslib dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * update fucntions Signed-off-by: cpanato --------- Signed-off-by: dependabot[bot] Signed-off-by: cpanato Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpanato Gbp-Pq: Name securesystemslib-0.7.patch --- pkg/signature/dsse/adapters.go | 7 ++++--- pkg/signature/dsse/dsse.go | 4 +++- pkg/signature/dsse/multidsse.go | 5 +++-- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/pkg/signature/dsse/adapters.go b/pkg/signature/dsse/adapters.go index dc18ea3..a18fdd4 100644 --- a/pkg/signature/dsse/adapters.go +++ b/pkg/signature/dsse/adapters.go @@ -17,6 +17,7 @@ package dsse import ( "bytes" + "context" "crypto" "errors" 
@@ -32,12 +33,12 @@ type SignerAdapter struct { } // Sign implements `go-securesystemslib/dsse.Signer` -func (a *SignerAdapter) Sign(data []byte) ([]byte, error) { +func (a *SignerAdapter) Sign(ctx context.Context, data []byte) ([]byte, error) { return a.SignatureSigner.SignMessage(bytes.NewReader(data), a.Opts...) } // Verify disabled `go-securesystemslib/dsse.Verifier` -func (a *SignerAdapter) Verify(data, sig []byte) error { +func (a *SignerAdapter) Verify(ctx context.Context, data, sig []byte) error { return errors.New("Verify disabled") } @@ -59,7 +60,7 @@ type VerifierAdapter struct { } // Verify implements `go-securesystemslib/dsse.Verifier` -func (a *VerifierAdapter) Verify(data, sig []byte) error { +func (a *VerifierAdapter) Verify(ctx context.Context, data, sig []byte) error { return a.SignatureVerifier.VerifySignature(bytes.NewReader(sig), bytes.NewReader(data)) } diff --git a/pkg/signature/dsse/dsse.go b/pkg/signature/dsse/dsse.go index cc1ebf0..c0004d2 100644 --- a/pkg/signature/dsse/dsse.go +++ b/pkg/signature/dsse/dsse.go @@ -17,6 +17,7 @@ package dsse import ( "bytes" + "context" "crypto" "encoding/base64" "encoding/json" @@ -110,7 +111,8 @@ func (w *wrappedVerifier) VerifySignature(s, _ io.Reader, opts ...signature.Veri if err != nil { return err } - _, err = verifier.Verify(&env) + + _, err = verifier.Verify(context.Background(), &env) return err } diff --git a/pkg/signature/dsse/multidsse.go b/pkg/signature/dsse/multidsse.go index 73252d9..2e456e8 100644 --- a/pkg/signature/dsse/multidsse.go +++ b/pkg/signature/dsse/multidsse.go @@ -16,6 +16,7 @@ package dsse import ( + "context" "crypto" "encoding/json" "errors" @@ -78,7 +79,7 @@ func (wL *wrappedMultiSigner) SignMessage(r io.Reader, opts ...signature.SignOpt return nil, err } - env, err := envSigner.SignPayload(wL.payloadType, p) + env, err := envSigner.SignPayload(context.Background(), wL.payloadType, p) if err != nil { return nil, err } 
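Review bot: The `ctx` parameter added to `SignerAdapter.Sign`, `SignerAdapter.Verify` and `VerifierAdapter.Verify` is never read, so Go convention and this repository's own style (`func oidcLogin(_ context.Context, …)` in the hashivault client) would name it `_ context.Context` to make the intent explicit and keep linters quiet, e.g. `func (a *SignerAdapter) Sign(_ context.Context, data []byte) ([]byte, error) {`. The `wrappedVerifier` and `wrappedMultiSigner` hunks pass `context.Background()` into securesystemslib, which is reasonable because the `signature.Signer`/`Verifier` interfaces they wrap carry no context, but a short comment such as `// signature.Verifier carries no context; nothing to propagate` would stop a reader from treating it as an oversight. Each adapter body is complete within its hunk.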
@@ -144,7 +145,7 @@ func (wL *wrappedMultiVerifier) VerifySignature(s, _ io.Reader, opts ...signatur return err } - _, err = envVerifier.Verify(&env) + _, err = envVerifier.Verify(context.Background(), &env) return err } -- cgit v1.2.3 From 1832c091c9db32d1705c816e65ad59d5398eba99 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 27 Oct 2023 11:51:14 -0400 Subject: Commit patch to update .gitignore [dgit (11.3) update-gitignore-quilt-fixup] --- debian/patches/auto-gitignore | 19 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 20 insertions(+) create mode 100644 debian/patches/auto-gitignore diff --git a/debian/patches/auto-gitignore b/debian/patches/auto-gitignore new file mode 100644 index 0000000..9f1e082 --- /dev/null +++ b/debian/patches/auto-gitignore @@ -0,0 +1,19 @@ +Subject: Update .gitignore from Debian packaging branch + +The Debian packaging git branch contains these updates to the upstream +.gitignore file(s). This patch is autogenerated, to provide these +updates to users of the official Debian archive view of the package. + +[dgit (11.3) update-gitignore] +--- +diff --git a/.gitignore b/.gitignore +index eefc503..156ff2f 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -4,3 +4,6 @@ sigstore + *fuzz.zip + bin* + .vscode/* ++ ++/.pc/ ++/_build/ diff --git a/debian/patches/series b/debian/patches/series index d5929c6..e45904f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ ttlcache-v3.patch tuf-0.4.patch avoid-hashivault.patch securesystemslib-0.7.patch +auto-gitignore -- cgit v1.2.3