[pbs-devel] applied: [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Aug 30 11:21:48 CEST 2024 

applied with a minor style followup, thanks

On Thu, Aug 08, 2024 at 04:25:18PM GMT, Shannon Sterz wrote:
> some vendors don't just provide a single certificate but an entire
> keyring for their repositories. apt can handle those gracefully, so
> should we. this commit adds the ability to verify a repository's
> signatures with a keyring.
> 
> we use `PacketParserEOF` to check if a stream of packets is likely a
> single certificate or a keyring. if it is a keyring, we try to verify a
> message with all certificates in the ring and only fail if no
> certificate can verify the message.
> 
> Reported-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
> ---
> 
> this came up in the enterprise support, so i can't link the exact ticket
> here, but it was about mirroring this mellanox repository:
> 
> https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/
> 
> mellanox says to install the corresponding keyring with this command:
> 
> ```
> wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
>     gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
> ```
> 
> i tested the below code with this mellanox repo, our no-subscription
> repo and the debian security updates repo.
> 
>  src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
>  1 file changed, 51 insertions(+), 20 deletions(-)
> 
> diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
> index ed986af..0930bd7 100644
> --- a/src/helpers/verifier.rs
> +++ b/src/helpers/verifier.rs
> @@ -1,12 +1,13 @@
> -use anyhow::{bail, Error};
> +use anyhow::{bail, format_err, Error};
> 
>  use sequoia_openpgp::{
> +    cert::CertParser,
>      parse::{
>          stream::{
>              DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
>              VerificationHelper, VerifierBuilder,
>          },
> -        Parse,
> +        PacketParser, PacketParserResult, Parse,
>      },
>      policy::StandardPolicy,
>      types::HashAlgorithm,
> @@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
>      detached_sig: Option<&[u8]>,
>      weak_crypto: &WeakCryptoConfig,
>  ) -> Result<Vec<u8>, Error> {
> -    let cert = Cert::from_bytes(key)?;
> -
>      let mut policy = StandardPolicy::new();
>      if weak_crypto.allow_sha1 {
>          policy.accept_hash(HashAlgorithm::SHA1);
> @@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
>          }
>      }
> 
> -    let helper = Helper { cert: &cert };
> -
> -    let verified = if let Some(sig) = detached_sig {
> -        let mut verifier =
> -            DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> -        verifier.verify_bytes(msg)?;
> -        msg.to_vec()
> -    } else {
> -        let mut verified = Vec::new();
> -        let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> -        let bytes = io::copy(&mut verifier, &mut verified)?;
> -        println!("{bytes} bytes verified");
> -        if !verifier.message_processed() {
> -            bail!("Failed to verify message!");
> +    let verifier = |cert| {
> +        let helper = Helper { cert: &cert };
> +
> +        if let Some(sig) = detached_sig {
> +            let mut verifier =
> +                DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> +            verifier.verify_bytes(msg)?;
> +            Ok(msg.to_vec())
> +        } else {
> +            let mut verified = Vec::new();
> +            let mut verifier =
> +                VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> +            let bytes = io::copy(&mut verifier, &mut verified)?;
> +            println!("{bytes} bytes verified");
> +            if !verifier.message_processed() {
> +                bail!("Failed to verify message!");
> +            }
> +            Ok(verified)
>          }
> -        verified
>      };
> 
> -    Ok(verified)
> +    let mut packed_parser = PacketParser::from_bytes(key)?;
> +
> +    // parse all packets to see whether this is a simple certificate or a keyring
> +    while let PacketParserResult::Some(pp) = packed_parser {
> +        packed_parser = pp.recurse()?.1;
> +    }
> +
> +    if let PacketParserResult::EOF(eof) = packed_parser {
> +        // verify against a single certificate
> +        if eof.is_cert().is_ok() {
> +            let cert = Cert::from_bytes(key)?;
> +            return verifier(cert);
> +        // verify against a keyring
> +        } else if eof.is_keyring().is_ok() {
> +            let packed_parser = PacketParser::from_bytes(key)?;
> +
> +            return CertParser::from(packed_parser)
> +                // flatten here as we ignore packets that aren't a certificate
> +                .flatten()
> +                // keep trying to verify the message until the first certificate that succeeds
> +                .find_map(|c| verifier(c).ok())
> +                // if no certificate verified the message, abort
> +                .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
> +        }
> +    }
> +
> +    // neither a keyring nor a certificate was detect, so we abort here
> +    Err(format_err!(
> +        "'key-path' contains neither a keyring nor a certificate, aborting!"
> +    ))

^ condensed the 3 final lines to a single `bail!()` line.

More information about the pbs-devel mailing list