Merge ~lgp171188/launchpad:ppa-generate-keys-propagate-only-the-4096-bit-rsa-signing-keys-from-the-default-ppa into launchpad:master

Proposed by Guruprasad
Status: Merged
Approved by: Guruprasad
Approved revision: c70e1107006a50e7b7c9a21699312eb7769c4368
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~lgp171188/launchpad:ppa-generate-keys-propagate-only-the-4096-bit-rsa-signing-keys-from-the-default-ppa
Merge into: launchpad:master
Diff against target: 91 lines (+70/-2)
2 files modified
lib/lp/archivepublisher/archivegpgsigningkey.py (+10/-2)
lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py (+60/-0)
Reviewer Review Type Date Requested Status
Simone Pelosi Approve
Review via email: mp+465868@code.launchpad.net

Commit message

Propagate only the 4096R key from the default PPA with a 1024R and a 4096R signing key

New, non-default PPAs need not have the legacy 1024-bit RSA signing key.

Simone Pelosi (pelpsi) wrote :

LGTM!

review: Approve

Preview Diff

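--- a/lib/lp/archivepublisher/archivegpgsigningkey.py
+++ b/lib/lp/archivepublisher/archivegpgsigningkey.py
@@ -289,8 +289,16 @@ class ArchiveGPGSigningKey(SignableArchive):
 
 def propagate_key(_):
 self.archive.signing_key_owner = default_ppa.signing_key_owner
- self.archive.signing_key_fingerprint = (
- default_ppa.signing_key_fingerprint
+ default_ppa_new_signing_key = getUtility(
+ IArchiveSigningKeySet
+ ).get4096BitRSASigningKey(default_ppa)
+ if default_ppa_new_signing_key:
+ fingerprint = default_ppa_new_signing_key.fingerprint
+ else:
+ fingerprint = default_ppa.signing_key_fingerprint
+ self.archive.signing_key_fingerprint = fingerprint
+ getUtility(IArchiveSigningKeySet).create(
+ self.archive, None, default_ppa_new_signing_key
 )
 del get_property_cache(self.archive).signing_key
 del get_property_cache(self.archive).signing_key_display_name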
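Review bot: The `create(self.archive, None, default_ppa_new_signing_key)` call at the end of the added lines appears to run on both branches, so when the default PPA has no 4096-bit key it is handed `None` as the signing key while the archive still inherits the legacy fingerprint. Indentation is lost in this rendering, so the nesting should be confirmed, but the call follows the shared `self.archive.signing_key_fingerprint = fingerprint` assignment and so cannot sit inside the `if`. Guard it with `if default_ppa_new_signing_key is not None:` so a row is recorded only when there is a key to record, and use the same `is not None` test in the branch above instead of truthiness. The `else` branch also propagates the 1024-bit fingerprint silently; if a logger is reachable here, a log line would keep legacy-only default PPAs visible during the migration. propagate_key is nested in a method whose start and end lie outside the hunk.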
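--- a/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
+++ b/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
@@ -624,3 +624,63 @@ class TestArchiveGPGSigningKey(TestCaseWithFactory):
 ),
 ),
 )
+
+ def test_generateSigningKey_ppa_default_ppa_has_1024R_and_4096R_keys(self):
+ default_ppa = self.factory.makeArchive()
+ owner = default_ppa.owner
+ another_ppa = self.factory.makeArchive(owner=owner)
+ self.assertIsNone(default_ppa.signing_key_fingerprint)
+ self.assertIsNone(another_ppa.signing_key_fingerprint)
+ # The follow steps simulate the steps taken by the PPA key
+ # updater script when it encounters a default PPA with a
+ # 1024-bit RSA signing key. We are doing them manually to
+ # avoid a dependency on that function which will go away
+ # after the key migration is completed. But this logic
+ # of propagating the appropriate key from the default PPA
+ # has to be present forever.
+ fingerprint_1024R = self.factory.getUniqueHexString(digits=40).upper()
+ signing_key_1024R = self.factory.makeSigningKey(
+ key_type=SigningKeyType.OPENPGP,
+ fingerprint=fingerprint_1024R,
+ )
+ gpg_key_1024R = self.factory.makeGPGKey(
+ owner=owner,
+ keyid=fingerprint_1024R[-8:],
+ fingerprint=fingerprint_1024R,
+ keysize=1024,
+ )
+ default_ppa.signing_key_fingerprint = fingerprint_1024R
+ fingerprint_4096R = self.factory.getUniqueHexString(digits=40).upper()
+ signing_key_4096R = self.factory.makeSigningKey(
+ key_type=SigningKeyType.OPENPGP, fingerprint=fingerprint_4096R
+ )
+ gpg_key_4096R = self.factory.makeGPGKey(
+ owner=owner,
+ keyid=fingerprint_4096R[-8:],
+ fingerprint=fingerprint_4096R,
+ keysize=4096,
+ )
+ getUtility(IArchiveSigningKeySet).create(
+ default_ppa,
+ None,
+ signing_key_1024R,
+ )
+ getUtility(IArchiveSigningKeySet).create(
+ default_ppa,
+ None,
+ signing_key_4096R,
+ )
+ logger = BufferLogger()
+ IArchiveGPGSigningKey(another_ppa).generateSigningKey(log=logger)
+ # The 'another_ppa' PPA should now have the fingerprint of the
+ # default PPA's 4096-bit RSA signing key as its signing key fingerprint
+ self.assertEqual(
+ fingerprint_4096R, another_ppa.signing_key_fingerprint
+ )
+ # `another_ppa` should also have a row in the `archivesigningkey` table
+ # with its new signing key propagated from the default PPA.
+ self.assertIsNotNone(
+ getUtility(IArchiveSigningKeySet).get4096BitRSASigningKey(
+ another_ppa
+ )
+ )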
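Review bot: The closing `assertIsNotNone(...)` only proves that some 4096-bit key row exists for `another_ppa`, not that it is the one propagated from the default PPA. Compare the fingerprint instead, e.g. `self.assertEqual(fingerprint_4096R, getUtility(IArchiveSigningKeySet).get4096BitRSASigningKey(another_ppa).fingerprint)`. No assertion checks that `another_ppa` received no row for `signing_key_1024R`, which is the security-relevant half of this change. The locals `gpg_key_1024R` and `gpg_key_4096R` are assigned but never read, so `makeGPGKey` can be called without binding its result. The fallback case, a default PPA holding only the legacy key, is not exercised by this test; an existing test outside the hunk may or may not cover it.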
