[elbe-devel] [PATCH v2] gpg: gpg2 requires passphrases for private keys
Torben Hohn
torben.hohn at linutronix.de
Thu Apr 4 12:58:01 CEST 2019
On Thu, Apr 04, 2019 at 09:26:57AM +0200, Manuel Traut wrote:
> The keys inside the initvm are for temperory repo signing.
> To do this automatically it's best to have no passphrase at
> all. However having no passphrase for private keys is not
> allowed in gpg2.
>
> Therefore set a pseudo passphrase and unlock the keys in the
> gpg-agent before usage.
>
> Signed-off-by: Manuel Traut <manut at linutronix.de>
Reviewed-by: Torben Hohn <torben.hohn at linutronix.de>
lets see, that the other GNUPGHOME stuff gets also merged.
then this is fine.
> ---
>
> changes since v1: use shellhelper
>
> elbepack/egpg.py | 15 ++++++++++++++-
> elbepack/finetuning.py | 2 ++
> elbepack/repomanager.py | 22 +++++++++++++++-------
> 3 files changed, 31 insertions(+), 8 deletions(-)
>
> diff --git a/elbepack/egpg.py b/elbepack/egpg.py
> index 6d9072e2..7c3827cf 100644
> --- a/elbepack/egpg.py
> +++ b/elbepack/egpg.py
> @@ -13,6 +13,7 @@ from gpg import core
> from gpg.constants import sigsum, sig
>
> from elbepack.filesystem import hostfs
> +from elbepack.shellhelper import system
>
> elbe_internal_key_param = """
> <GnupgKeyParms format="internal">
> @@ -23,6 +24,7 @@ elbe_internal_key_param = """
> Name-Comment: Automatically generated
> Name-Email: root at elbe-daemon.de
> Expire-Date: 0
> + Passphrase: requiredToAvoidUserInput
> </GnupgKeyParms>
> """
>
> @@ -146,6 +148,14 @@ def unsign_file(fname):
>
> return None
>
> +def unlock_key(fingerprint):
> + os.environ['GNUPGHOME'] = "/var/cache/elbe/gnupg"
> + ctx = core.Context()
> + key = ctx.get_key(fingerprint, secret=True)
> + keygrip = key.subkeys[0].keygrip
> + system("/usr/lib/gnupg2/gpg-preset-passphrase "
> + "--preset -P requiredToAvoidUserInput %s" % str(keygrip),
> + env_add={"GNUPGHOME": "/var/cache/elbe/gnupg"})
>
> def sign(infile, outfile, fingerprint):
>
> @@ -158,6 +168,7 @@ def sign(infile, outfile, fingerprint):
> except Exception as ex:
> print("no key with fingerprint %s: %s" % (fingerprint, ex.message))
>
> + unlock_key(key.fpr)
> ctx.signers_add(key)
> ctx.set_armor(False)
>
> @@ -194,6 +205,8 @@ def get_fingerprints():
>
> def generate_elbe_internal_key():
> hostfs.mkdir_p("/var/cache/elbe/gnupg")
> + hostfs.write_file("/var/cache/elbe/gnupg/gpg-agent.conf", 0o600,
> + "allow-preset-passphrase")
> os.environ['GNUPGHOME'] = "/var/cache/elbe/gnupg"
> ctx = core.Context()
> ctx.op_genkey(elbe_internal_key_param, None, None)
> @@ -216,4 +229,4 @@ def export_key(fingerprint, outfile):
> except Exception:
> print("Error exporting key %s" % (fingerprint))
>
> - return '/var/cache/elbe/gnupg/pubring.gpg'
> + return '/var/cache/elbe/gnupg/pubring.kbx'
> diff --git a/elbepack/finetuning.py b/elbepack/finetuning.py
> index 5f2b0010..8e2fc4a0 100644
> --- a/elbepack/finetuning.py
> +++ b/elbepack/finetuning.py
> @@ -19,6 +19,7 @@ from elbepack.rpcaptcache import get_rpcaptcache
> from elbepack.shellhelper import CommandError
> from elbepack.filesystem import ImgMountFilesystem
> from elbepack.packers import default_packer, packers
> +from elbepack.egpg import unlock_key
>
>
> class FinetuningException(Exception):
> @@ -421,6 +422,7 @@ class UpdatedAction(FinetuningAction):
> gpgdata = core.Data()
> ctx = core.Context()
> ctx.set_armor(True)
> + unlock_key(fp)
> ctx.op_export(fp, 0, gpgdata)
> gpgdata.seek(0, os.SEEK_SET)
> key = gpgdata.read()
> diff --git a/elbepack/repomanager.py b/elbepack/repomanager.py
> index 9719a1ea..19a481ab 100644
> --- a/elbepack/repomanager.py
> +++ b/elbepack/repomanager.py
> @@ -15,7 +15,7 @@ from debian.deb822 import Deb822
> from elbepack.debianreleases import codename2suite
> from elbepack.filesystem import Filesystem
> from elbepack.pkgutils import get_dsc_size
> -from elbepack.egpg import generate_elbe_internal_key, export_key
> +from elbepack.egpg import generate_elbe_internal_key, export_key, unlock_key
> from elbepack.shellhelper import CommandError
>
>
> @@ -84,11 +84,17 @@ class RepoBase(object):
> self.maxsize = maxsize
> self.fs = self.get_volume_fs(self.volume_count)
>
> - # check whether the repository already exists
> - # if this is the case, we dont generate a new
> - # key, and dont touch den repository config
> - if not self.fs.isdir("/"):
> + # if repo exists retrive the keyid otherwise
> + # generate a new key and generate repository config
> + if self.fs.isdir("/"):
> + repo_conf = self.fs.read_file("conf/distributions")
> + for l in repo_conf:
> + if l.startswith("SignWith"):
> + self.keyid = l.split(" ")[1]
> + unlock_key(self.keyid)
> + else:
> self.keyid = generate_elbe_internal_key()
> + unlock_key(self.keyid)
> self.gen_repo_conf()
>
> def get_volume_fs(self, volume):
> @@ -163,14 +169,16 @@ class RepoBase(object):
> self.log.do(
> 'reprepro --export=force --basedir "' +
> self.fs.path +
> - '" update')
> + '" update',
> + env_add={'GNUPGHOME': "/var/cache/elbe/gnupg"})
> else:
> for att in self.attrs:
> self.log.do(
> 'reprepro --basedir "' +
> self.fs.path +
> '" export ' +
> - att.codename)
> + att.codename,
> + env_add={'GNUPGHOME': "/var/cache/elbe/gnupg"})
>
> def finalize(self):
> os.environ['GNUPGHOME'] = "/var/cache/elbe/gnupg"
> --
> 2.20.1
>
--
Torben Hohn
Linutronix GmbH | Bahnhofstrasse 3 | D-88690 Uhldingen-Mühlhofen
Phone: +49 7556 25 999 18; Fax.: +49 7556 25 999 99
Hinweise zum Datenschutz finden Sie hier (Informations on data privacy
can be found here): https://linutronix.de/kontakt/Datenschutz.php
Linutronix GmbH | Firmensitz (Registered Office): Uhldingen-Mühlhofen |
Registergericht (Registration Court): Amtsgericht Freiburg i.Br., HRB700
806 | Geschäftsführer (Managing Directors): Heinz Egger, Thomas Gleixner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.linutronix.de/pipermail/elbe-devel/attachments/20190404/e5022154/attachment.sig>
More information about the elbe-devel
mailing list