[pbs-devel] [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings

Shannon Sterz s.sterz at proxmox.com
Thu Aug 8 16:25:18 CEST 2024


some vendors don't just provide a single certificate but an entire
keyring for their repositories. apt can handle those gracefully, so
should we. this commit adds the ability to verify a repository's
signatures with a keyring.

we use `PacketParserEOF` to check if a stream of packets is likely a
single certificate or a keyring. if it is a keyring, we try to verify a
message with all certificates in the ring and only fail if no
certificate can verify the message.

Reported-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
---

this came up in the enterprise support, so i can't link the exact ticket
here, but it was about mirroring this mellanox repository:

https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/

mellanox says to install the corresponding keyring with this command:

```
wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
    gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
```

i tested the below code with this mellanox repo, our no-subscription
repo and the debian security updates repo.

 src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
 1 file changed, 51 insertions(+), 20 deletions(-)

diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
index ed986af..0930bd7 100644
--- a/src/helpers/verifier.rs
+++ b/src/helpers/verifier.rs
@@ -1,12 +1,13 @@
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};

 use sequoia_openpgp::{
+    cert::CertParser,
     parse::{
         stream::{
             DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
             VerificationHelper, VerifierBuilder,
         },
-        Parse,
+        PacketParser, PacketParserResult, Parse,
     },
     policy::StandardPolicy,
     types::HashAlgorithm,
@@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
     detached_sig: Option<&[u8]>,
     weak_crypto: &WeakCryptoConfig,
 ) -> Result<Vec<u8>, Error> {
-    let cert = Cert::from_bytes(key)?;
-
     let mut policy = StandardPolicy::new();
     if weak_crypto.allow_sha1 {
         policy.accept_hash(HashAlgorithm::SHA1);
@@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
         }
     }

-    let helper = Helper { cert: &cert };
-
-    let verified = if let Some(sig) = detached_sig {
-        let mut verifier =
-            DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
-        verifier.verify_bytes(msg)?;
-        msg.to_vec()
-    } else {
-        let mut verified = Vec::new();
-        let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
-        let bytes = io::copy(&mut verifier, &mut verified)?;
-        println!("{bytes} bytes verified");
-        if !verifier.message_processed() {
-            bail!("Failed to verify message!");
+    let verifier = |cert| {
+        let helper = Helper { cert: &cert };
+
+        if let Some(sig) = detached_sig {
+            let mut verifier =
+                DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
+            verifier.verify_bytes(msg)?;
+            Ok(msg.to_vec())
+        } else {
+            let mut verified = Vec::new();
+            let mut verifier =
+                VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
+            let bytes = io::copy(&mut verifier, &mut verified)?;
+            println!("{bytes} bytes verified");
+            if !verifier.message_processed() {
+                bail!("Failed to verify message!");
+            }
+            Ok(verified)
         }
-        verified
     };

-    Ok(verified)
+    let mut packed_parser = PacketParser::from_bytes(key)?;
+
+    // parse all packets to see whether this is a simple certificate or a keyring
+    while let PacketParserResult::Some(pp) = packed_parser {
+        packed_parser = pp.recurse()?.1;
+    }
+
+    if let PacketParserResult::EOF(eof) = packed_parser {
+        // verify against a single certificate
+        if eof.is_cert().is_ok() {
+            let cert = Cert::from_bytes(key)?;
+            return verifier(cert);
+        // verify against a keyring
+        } else if eof.is_keyring().is_ok() {
+            let packed_parser = PacketParser::from_bytes(key)?;
+
+            return CertParser::from(packed_parser)
+                // flatten here as we ignore packets that aren't a certificate
+                .flatten()
+                // keep trying to verify the message until the first certificate that succeeds
+                .find_map(|c| verifier(c).ok())
+                // if no certificate verified the message, abort
+                .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
+        }
+    }
+
+    // neither a keyring nor a certificate was detect, so we abort here
+    Err(format_err!(
+        "'key-path' contains neither a keyring nor a certificate, aborting!"
+    ))
 }
--
2.39.2





More information about the pbs-devel mailing list