Harden get-latest-pulsecore.sh #166

Open
wants to merge 1 commit into
base: master

DemiMarie
Contributor

This uses stricter input validation and key handling. It also uses
Sequoia instead of GnuPG for key fetching.

Comment on lines +47 to +57
for key in "${trusted_signers[@]}"; do
echo "$key:6:" | gpg --import-ownertrust
for i in keyserver.ubuntu.com keys.openpgp.org pgp.mit.edu keyserver.pgp.com; do
sq keyserver --server "$i" get --binary -- "0x$key" && break
done
done | gpg --homedir=../gnupg-tmp --import --no-armor
gpg --homedir=../gnupg-tmp --export -- "${trusted_signers[@]}" | gpg --import --no-armor

for key in "${trusted_signers[@]}"; do
echo "$key:6:"
done | gpg --import-ownertrust
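
Review bot: The inner keyserver loop (`sq keyserver --server "$i" get --binary -- "0x$key" && break`) has no failure path. If none of the four servers returns the key, the loop simply ends, the pipeline still imports whatever was fetched for the other signers, and the final loop still writes `$key:6:` ownertrust for a fingerprint that is not in the keyring. Record whether any server succeeded and exit non-zero when none did, and after the `gpg --homedir=../gnupg-tmp --export -- "${trusted_signers[@]}" | gpg --import --no-armor` step check that every fingerprint in `trusted_signers` is actually present, so a fetch failure stops the script here rather than letting it continue with an incomplete keyring.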

Member

Why two keyrings and all this dance?
But also, I don't like using both sequoia and gnupg. If sequoia can handle all the tasks (including git tag verification), then switch completely, otherwise stick with gnupg (and perhaps commit pubkeys into the repo to avoid keyservers interaction).

Contributor Author

Because I don’t want to rely on GnuPG’s networking code, but Git does not support Sequoia. Committing the public keys to the repo is a simpler solution.

Member

Besides the thing above (which is still relevant), why two temporary gpg homedirs? Does `sq keyserver get` potentially fetch a different key than it was asked for?

Contributor Author

I think I can use the chameleon version of Sequoia.

DemiMarie force-pushed the harden-pulsecore-get branch from c403c1e to 77a8b02 on June 2, 2023 20:29