Merge ~lgp171188/launchpad:ppa-generate-keys-propagate-only-the-4096-bit-rsa-signing-keys-from-the-default-ppa into launchpad:master

Proposed by Guruprasad
Status: Merged
Approved by: Guruprasad
Approved revision: c70e1107006a50e7b7c9a21699312eb7769c4368
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~lgp171188/launchpad:ppa-generate-keys-propagate-only-the-4096-bit-rsa-signing-keys-from-the-default-ppa
Merge into: launchpad:master
Diff against target: 91 lines (+70/-2)
2 files modified
lib/lp/archivepublisher/archivegpgsigningkey.py (+10/-2)
lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py (+60/-0)
Reviewer Review Type Date Requested Status
Simone Pelosi Approve
Review via email: mp+465868@code.launchpad.net

Commit message

Propagate only the 4096R key from the default PPA with a 1024R and a 4096R signing key

New, non-default PPAs need not have the legacy 1024-bit RSA signing key.

Simone Pelosi (pelpsi) wrote :

LGTM!

review: Approve

Preview Diff

diff --git a/lib/lp/archivepublisher/archivegpgsigningkey.py b/lib/lp/archivepublisher/archivegpgsigningkey.py
index b4278c5..7d7db67 100644
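--- a/lib/lp/archivepublisher/archivegpgsigningkey.py
+++ b/lib/lp/archivepublisher/archivegpgsigningkey.py
@@ -289,8 +289,16 @@ class ArchiveGPGSigningKey(SignableArchive):
 
 def propagate_key(_):
 self.archive.signing_key_owner = default_ppa.signing_key_owner
-self.archive.signing_key_fingerprint = (
-default_ppa.signing_key_fingerprint
+default_ppa_new_signing_key = getUtility(
+IArchiveSigningKeySet
+).get4096BitRSASigningKey(default_ppa)
+if default_ppa_new_signing_key:
+fingerprint = default_ppa_new_signing_key.fingerprint
+else:
+fingerprint = default_ppa.signing_key_fingerprint
+self.archive.signing_key_fingerprint = fingerprint
+getUtility(IArchiveSigningKeySet).create(
+self.archive, None, default_ppa_new_signing_key
 )
 del get_property_cache(self.archive).signing_key
 del get_property_cache(self.archive).signing_key_display_name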
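Review bot: The `create()` call at the end of `propagate_key` runs on both branches, so when the default PPA has no 4096-bit key it is passed `default_ppa_new_signing_key` as `None`. Whether `IArchiveSigningKeySet.create` tolerates a `None` key is not visible here, so I would guard the call with `if default_ppa_new_signing_key is not None:`. That fallback branch also silently hands the legacy 1024-bit fingerprint to a new PPA, which deserves a log line so weak-key propagation stays visible during the migration. The method enclosing `propagate_key` starts and ends outside the hunk, and the rendered page has lost the indentation, so this reading assumes `create()` sits at function level after the `if`/`else`.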
diff --git a/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py b/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
index ff2ce27..15b0f1b 100644
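--- a/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
+++ b/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
@@ -624,3 +624,63 @@ class TestArchiveGPGSigningKey(TestCaseWithFactory):
 ),
 ),
 )
+
+def test_generateSigningKey_ppa_default_ppa_has_1024R_and_4096R_keys(self):
+default_ppa = self.factory.makeArchive()
+owner = default_ppa.owner
+another_ppa = self.factory.makeArchive(owner=owner)
+self.assertIsNone(default_ppa.signing_key_fingerprint)
+self.assertIsNone(another_ppa.signing_key_fingerprint)
+# The follow steps simulate the steps taken by the PPA key
+# updater script when it encounters a default PPA with a
+# 1024-bit RSA signing key. We are doing them manually to
+# avoid a dependency on that function which will go away
+# after the key migration is completed. But this logic
+# of propagating the appropriate key from the default PPA
+# has to be present forever.
+fingerprint_1024R = self.factory.getUniqueHexString(digits=40).upper()
+signing_key_1024R = self.factory.makeSigningKey(
+key_type=SigningKeyType.OPENPGP,
+fingerprint=fingerprint_1024R,
+)
+gpg_key_1024R = self.factory.makeGPGKey(
+owner=owner,
+keyid=fingerprint_1024R[-8:],
+fingerprint=fingerprint_1024R,
+keysize=1024,
+)
+default_ppa.signing_key_fingerprint = fingerprint_1024R
+fingerprint_4096R = self.factory.getUniqueHexString(digits=40).upper()
+signing_key_4096R = self.factory.makeSigningKey(
+key_type=SigningKeyType.OPENPGP, fingerprint=fingerprint_4096R
+)
+gpg_key_4096R = self.factory.makeGPGKey(
+owner=owner,
+keyid=fingerprint_4096R[-8:],
+fingerprint=fingerprint_4096R,
+keysize=4096,
+)
+getUtility(IArchiveSigningKeySet).create(
+default_ppa,
+None,
+signing_key_1024R,
+)
+getUtility(IArchiveSigningKeySet).create(
+default_ppa,
+None,
+signing_key_4096R,
+)
+logger = BufferLogger()
+IArchiveGPGSigningKey(another_ppa).generateSigningKey(log=logger)
+# The 'another_ppa' PPA should now have the fingerprint of the
+# default PPA's 4096-bit RSA signing key as its signing key fingerprint
+self.assertEqual(
+fingerprint_4096R, another_ppa.signing_key_fingerprint
+)
+# `another_ppa` should also have a row in the `archivesigningkey` table
+# with its new signing key propagated from the default PPA.
+self.assertIsNotNone(
+getUtility(IArchiveSigningKeySet).get4096BitRSASigningKey(
+another_ppa
+)
+)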
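Review bot: The new test covers only a default PPA that has both keys, so the `else` fallback in `propagate_key` (a default PPA with only the legacy key) has no coverage, and that is the path where `create()` receives `None`. The final assertion also only checks that some 4096-bit row exists for `another_ppa`. Comparing it with the key created in the test would pin what was propagated, e.g. `self.assertEqual(signing_key_4096R, getUtility(IArchiveSigningKeySet).get4096BitRSASigningKey(another_ppa))`, assuming the getter returns the signing key object as its use in `propagate_key` suggests. A second test that sets up only the 1024R key on the default PPA would document the intended fallback behaviour.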
