Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace gnupg with sequoia #104

Open
jschlatow opened this issue Oct 2, 2024 · 0 comments
Open

Replace gnupg with sequoia #104

jschlatow opened this issue Oct 2, 2024 · 0 comments
Labels
feature

Comments

@jschlatow
Copy link
Member

We'd like to switch to using sequoia pgp for creating and verifying archive signatures at some point in the future (i.e. once the CLI of sq is settled). In the scope of the #99 overhaul, I experimented with replacing using sq in the depot tool.

Basically, replacing gpg with sq is pretty straightforward. I particularly like the clarity of the CLI. Nevertheless, I had a bit of trouble with signing. Apparently, sq requires write access to the user's key store. In a sandboxed execution environment, however, I don't want to make the entire key store available with write access. Moreover, there seems to be no general caching mechanism for passwords (yet), so that a user would need to unlock the secret key for every to-be-signed archive. I found a workaround that consists in exporting the secret keys known from the used depot directory from sequoia's keystore and making it available in unencrypted form in the sandbox. Bubblewrap has the nifty feature of being able to bind mount a file that is initialised by copying from a file descriptor. The downside is that, using this feature, bubblewrap cannot be executed directly from tcl anymore because we need input redirection to arbitrary file descriptors as provided by bash.
jschlatow added a commit to jschlatow/goa that referenced this issue Oct 2, 2024
@jschlatow
use sequoia instead of gpg
ccd9f42 
genodelabs#104
jschlatow added a commit to jschlatow/goa that referenced this issue Oct 2, 2024
@jschlatow
depot: parallelize xz
440bf46 
genodelabs#104
jschlatow added a commit to jschlatow/goa that referenced this issue Oct 2, 2024
@jschlatow
gaol: replace --user-sq by --with-secret-key <id>
f19cece 
Instead of trying to export all secret keys referenced by the depot
directory, the to-be-exported secret keys must be mentioned explicitly.

genodelabs#99
genodelabs#104
jschlatow added a commit to jschlatow/goa that referenced this issue Oct 2, 2024
@jschlatow
fixup! use sequoia instead of gpg
1035edd 
Add DRY_RUN option to depot/publish to extract the secret keys required
for signing. This prevents decryption of unneeded secret keys, e.g. when
there is no archive to be signed.

genodelabs#104
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jschlatow