Merge lp:~cjwatson/launchpad/inline-release into lp:launchpad

Proposed by Colin Watson
Status: Merged
Merged at revision: 17758
Proposed branch: lp:~cjwatson/launchpad/inline-release
Merge into: lp:launchpad
Diff against target: 133 lines (+52/-7)
3 files modified
lib/lp/archivepublisher/archivesigningkey.py (+9/-0)
lib/lp/archivepublisher/tests/archive-signing.txt (+23/-4)
lib/lp/archivepublisher/tests/test_publisher.py (+20/-3)
To merge this branch: bzr merge lp:~cjwatson/launchpad/inline-release
Reviewer Review Type Date Requested Status
William Grant code Approve
Review via email: mp+272132@code.launchpad.net

Commit message

Add clearsigned InRelease files for archives.

Description of the change

Add clearsigned InRelease files for archives.

This only applies to PPAs. The primary archive will be handled by a separate change to ubuntu-archive-publishing once one remaining bit of Canonical's infrastructure has been upgraded to cope with that.

To post a comment you must log in.
Revision history for this message
William Grant (wgrant) wrote :

This will also affect partner, and I don't think we've checked its mirror scripts.

review: Approve (code)
Revision history for this message
Colin Watson (cjwatson) wrote :

The partner mirror scripts were part of the puppet work I landed a little while back. I've just rechecked puppet with specific attention to archive.canonical.com and it looks fine to me.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/archivepublisher/archivesigningkey.py'
2--- lib/lp/archivepublisher/archivesigningkey.py 2015-07-08 16:05:11 +0000
3+++ lib/lp/archivepublisher/archivesigningkey.py 2015-09-25 11:13:31 +0000
4@@ -135,3 +135,12 @@
5 os.path.join(suite_path, 'Release.gpg'), 'w')
6 release_signature_file.write(signature)
7 release_signature_file.close()
8+
9+ inline_release = gpghandler.signContent(
10+ release_file_content, secret_key.fingerprint,
11+ mode=gpgme.SIG_MODE_CLEAR)
12+
13+ inline_release_file = open(
14+ os.path.join(suite_path, 'InRelease'), 'w')
15+ inline_release_file.write(inline_release)
16+ inline_release_file.close()
17
18=== modified file 'lib/lp/archivepublisher/tests/archive-signing.txt'
19--- lib/lp/archivepublisher/tests/archive-signing.txt 2012-09-20 12:00:22 +0000
20+++ lib/lp/archivepublisher/tests/archive-signing.txt 2015-09-25 11:13:31 +0000
21@@ -15,9 +15,11 @@
22 Once the signing key is available, the subsequent publications will
23 result in a signed repository.
24
25-The signed repository will contained a detached signature of the
26-top-level 'Release' file, named 'Release.gpg' and a ASCII-armoded
27-export of the public GPG key (name 'key.gpg')
28+The signed repository will contain a detached signature of the
29+top-level 'Release' file, named 'Release.gpg' and a ASCII-armored
30+export of the public GPG key (name 'key.gpg'). A clearsigned
31+'InRelease' file is also created, reducing the risk of clients
32+acquiring skewed copies of the content and its signature.
33
34 We will set up and use the test-keyserver.
35
36@@ -377,7 +379,7 @@
37 /var/tmp/ppa.test/cprov/ppa/ubuntutest/dists/hoary/Release
38
39 It produces a detached signature for the repository Release current
40-file contents.
41+file contents, and a clearsigned InRelease file.
42
43 >>> from lp.archivepublisher.config import getPubConfig
44 >>> archive_root = getPubConfig(cprov.archive).archiveroot
45@@ -398,6 +400,15 @@
46 -----END PGP SIGNATURE-----
47 <BLANKLINE>
48
49+ >>> inline_release_path = os.path.join(suite_path, 'InRelease')
50+ >>> print open(inline_release_path).read()
51+ -----BEGIN PGP SIGNED MESSAGE-----
52+ ...
53+ -----BEGIN PGP SIGNATURE-----
54+ ...
55+ -----END PGP SIGNATURE-----
56+ <BLANKLINE>
57+
58 The signature can be verified by retrieving the public key from the
59 keyserver.
60
61@@ -415,6 +426,14 @@
62 >>> signature.fingerprint == expected_fingerprint
63 True
64
65+ >>> inline_signature = gpghandler.getVerifiedSignature(
66+ ... content=open(inline_release_path).read())
67+ >>> inline_signature.fingerprint == expected_fingerprint
68+ True
69+ >>> print inline_signature.plain_data
70+ This is a fake release file.
71+ <BLANKLINE>
72+
73 Finally, if we try to sign a repository for which the archive doesn't
74 have a 'signing_key' set, it raises an error.
75
76
77=== modified file 'lib/lp/archivepublisher/tests/test_publisher.py'
78--- lib/lp/archivepublisher/tests/test_publisher.py 2015-04-09 05:16:37 +0000
79+++ lib/lp/archivepublisher/tests/test_publisher.py 2015-09-25 11:13:31 +0000
80@@ -2183,6 +2183,10 @@
81 return os.path.join(self.suite_path, 'Release.gpg')
82
83 @property
84+ def inline_release_file_path(self):
85+ return os.path.join(self.suite_path, 'InRelease')
86+
87+ @property
88 def public_key_path(self):
89 return os.path.join(
90 self.archive_publisher._config.distsroot, 'key.gpg')
91@@ -2206,7 +2210,8 @@
92 """Check publisher behaviour when signing repositories.
93
94 When the 'signing_key' is available every modified suite Release
95- file gets signed with a detached signature name 'Release.gpg'.
96+ file gets signed with a detached signature name 'Release.gpg' and
97+ a clearsigned file name 'InRelease'.
98 """
99 cprov = getUtility(IPersonSet).getByName('cprov')
100 self.assertTrue(cprov.archive.signing_key is None)
101@@ -2222,19 +2227,31 @@
102
103 self._publishArchive(cprov.archive)
104
105- # Both, Release and Release.gpg exist.
106+ # All of Release, Release.gpg, and InRelease exist.
107 self.assertTrue(os.path.exists(self.release_file_path))
108 self.assertTrue(os.path.exists(self.release_file_signature_path))
109+ self.assertTrue(os.path.exists(self.inline_release_file_path))
110
111 # Release file signature is correct and was done by Celso's PPA
112 # signing_key.
113 with open(self.release_file_path) as release_file:
114+ release_content = release_file.read()
115 with open(self.release_file_signature_path) as release_file_sig:
116 signature = getUtility(IGPGHandler).getVerifiedSignature(
117- release_file.read(), release_file_sig.read())
118+ release_content, release_file_sig.read())
119 self.assertEqual(
120 cprov.archive.signing_key.fingerprint, signature.fingerprint)
121
122+ # InRelease file signature and content are correct, and the
123+ # signature was done by Celso's PPA signing_key.
124+ with open(self.inline_release_file_path) as inline_release_file:
125+ inline_signature = getUtility(IGPGHandler).getVerifiedSignature(
126+ inline_release_file.read())
127+ self.assertEqual(
128+ inline_signature.fingerprint,
129+ cprov.archive.signing_key.fingerprint)
130+ self.assertEqual(release_content, inline_signature.plain_data)
131+
132 # All done, turn test-keyserver off.
133 tac.tearDown()
134