feat: GPG commit signature verification (#2492) #3242

Merged
merged 132 commits into from
Jun 22, 2020
44f9263
Add initial primitives and tests for GPG related operations
jannfis Mar 6, 2020
9d8341f
More tests and test documentation
jannfis Mar 6, 2020
d61b3ec
Move gpg primitives to own module
jannfis Mar 7, 2020
75351be
Add initial primitives for running git verify-commit and tests
jannfis Mar 7, 2020
6182269
Improve and better comment test
jannfis Mar 7, 2020
1eac401
Implement VerifyCommitSignature() primitive for metrics wrapper
jannfis Mar 7, 2020
99af2b2
More commentary
jannfis Mar 7, 2020
f95079e
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 7, 2020
51bb819
Make reposerver verify gpg signatures when generating manifests
jannfis Mar 7, 2020
5f61603
Make signature validation optional
jannfis Mar 7, 2020
ae2ed9c
Forbid use of local manifests when signature verification is enabled
jannfis Mar 8, 2020
18b2a62
Introduce new signatureKeys field in project CRD
jannfis Mar 8, 2020
99ed2da
Initial support for only syncing against signed revisions
jannfis Mar 8, 2020
47ffd95
Updates to GnuPG primitives and more test cases
jannfis Mar 9, 2020
a900dd3
Move signature verification to correct place and add tests
jannfis Mar 9, 2020
f5f53f9
Add signature verification result to revision metadata and display it…
jannfis Mar 9, 2020
bc430b0
Add more primitives and move out some stuff to common module
jannfis Mar 11, 2020
3713b6d
Add more testdata
jannfis Mar 11, 2020
b340e54
Add key management primitives to ArgoDB
jannfis Mar 11, 2020
023fc24
Move type GnuPGPublicKey to appsv1 package
jannfis Mar 11, 2020
73a44c2
Add const ArgoCDGPGKeysConfigMapName
jannfis Mar 12, 2020
75a12c1
Handle key operations with appsv1.GnuPGPublicKey
jannfis Mar 12, 2020
941c588
Add initial API for managing GPG keys
jannfis Mar 12, 2020
54fcd82
Remove deprecated code
jannfis Mar 12, 2020
33bf9b9
Add primitives for adding public keys to configuration
jannfis Mar 12, 2020
a35f685
Change semantics of ValidateGPGKeys to return more key information
jannfis Mar 13, 2020
8516f24
Add key import functionality to public key API
jannfis Mar 13, 2020
be3c019
Fix code quirks reported by linter
jannfis Mar 13, 2020
2ef9fa6
More code quirks fixes
jannfis Mar 13, 2020
394b490
Fix test
jannfis Mar 13, 2020
5840e2d
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 13, 2020
be0635a
Add primitives for deleting keys from configuration
jannfis Mar 13, 2020
0011ce1
Add delete key operation to API and CLI
jannfis Mar 13, 2020
6c65b33
Cosmetics
jannfis Mar 13, 2020
d64c268
Implement logic to sync configuration to keyring in repo-server
jannfis Mar 14, 2020
b92461a
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 14, 2020
289df52
Add IsGPGEnabled() primitive and also update trustdb on ownertrust ch…
jannfis Mar 14, 2020
b1f0256
Use gpg.IsGPGEnabled() instead of custom test
jannfis Mar 14, 2020
4306a44
Remove all keyring manipulating methods from DB
jannfis Mar 14, 2020
d9b37a1
Cosmetics/comments
jannfis Mar 14, 2020
e0b274b
Require grpc methods from argoproj pkg
jannfis Mar 14, 2020
1087494
Enable setting config path via ARGOCD_GPG_DATA_PATH
jannfis Mar 14, 2020
145c6f5
Allow "no" and any cases in ARGOCD_GPG_ENABLED
jannfis Mar 14, 2020
ef761dc
Enable GPG feature on start and start-e2e and set required environment
jannfis Mar 14, 2020
5917879
Cosmetics/comments
jannfis Mar 14, 2020
badbdff
Cosmetics and commentary
jannfis Mar 14, 2020
3cc5191
Update API documentation
jannfis Mar 14, 2020
a63cfa3
Fix comment
jannfis Mar 14, 2020
a14673e
Only run GPG related operations if GPG is enabled
jannfis Mar 14, 2020
f378edc
Allow setting ARGOCD_GPG_ENABLE from the environment
jannfis Mar 14, 2020
3ec960d
Create GPG ConfigMap resource during installation
jannfis Mar 16, 2020
1af7f72
Use function instead of constant to get the watcher path
jannfis Mar 16, 2020
94f490c
Re-watch source path in case it gets recreated. Also, error on finish
jannfis Mar 16, 2020
6538cb1
Add End-to-End tests for GPG commit verification
jannfis Mar 16, 2020
bf5352b
Introduce SignatureKey type for AppProject CRD
jannfis Mar 16, 2020
182e2a0
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 16, 2020
144c54b
Fix merge error from previous commit
jannfis Mar 16, 2020
c1e321e
Adapt test for additional manifest (argocd-gpg-keys-cm.yaml)
jannfis Mar 16, 2020
593a072
Fix linter issues
jannfis Mar 16, 2020
1aa646f
Adapt CircleCI configuration to enable running tests
jannfis Mar 16, 2020
706eaab
Add wrapper scripts for git and gpg
jannfis Mar 16, 2020
c4f4ecd
Sigh.
jannfis Mar 16, 2020
707831a
Display gpg version in CircleCI
jannfis Mar 16, 2020
1f3245c
Install gnupg2 and link it to gpg in CI
jannfis Mar 16, 2020
f7b7848
Try to install gnupg2 in CircleCI image
jannfis Mar 17, 2020
db60c76
More CircleCI tweaks
jannfis Mar 17, 2020
b131fb2
# This is a combination of 10 commits.
jannfis Mar 17, 2020
34bdab6
Dockerize toolchain
jannfis Mar 22, 2020
c911a0d
Add new targets to Makefile
jannfis Mar 23, 2020
8e723d7
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 23, 2020
9403035
Codegen
jannfis Mar 23, 2020
2a89afd
Merge branch 'chore/dockerize-tests' into feat/2492-gpg-verification
jannfis Mar 23, 2020
7932c70
Properly handle permissions for E2E tests
jannfis Mar 24, 2020
375de7d
Remove gnupg2 installation from CircleCI configuration
jannfis Mar 24, 2020
e51a4a9
Limit parallelism of build
jannfis Mar 24, 2020
51988e2
Fix Yarn lint
jannfis Mar 24, 2020
8370549
Retrigger CI for possible flaky test
jannfis Mar 24, 2020
b55f45b
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 24, 2020
3dca8cd
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 27, 2020
d6d1ead
Codegen
jannfis Mar 27, 2020
86c505a
Remove duplicate target in Makefile
jannfis Mar 27, 2020
d35fac0
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 28, 2020
94f757c
Pull in pager from dep ensure -v
jannfis Mar 28, 2020
1c3e200
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Mar 29, 2020
8626b4b
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Jun 8, 2020
c3bf911
Adapt to gitops-engine changes and codegen
jannfis Jun 8, 2020
876546b
Use new health package for health status constants
jannfis Jun 8, 2020
3043743
Add GPG methods to ArgoDB mock module
jannfis Jun 8, 2020
873a22e
Fix possible nil pointer dereference
jannfis Jun 8, 2020
1ebda34
Fix linter issue in imports
jannfis Jun 8, 2020
e6137b9
Introduce RBAC resource type 'gpgkeys' and adapt policies
jannfis Jun 8, 2020
907aa9f
Use ARGOCD_GNUPGHOME instead of GNUPGHOME for subsystem configuration
jannfis Jun 8, 2020
5649a56
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Jun 10, 2020
26ab9fc
Also register GPG keys API with gRPC-GW
jannfis Jun 11, 2020
b9165e5
Update from codegen
jannfis Jun 11, 2020
fa31449
Update GPG key API
jannfis Jun 11, 2020
e95f5a2
Add web UI to manage GPG keys
jannfis Jun 11, 2020
74bb65e
Lint updates
jannfis Jun 11, 2020
6845b65
Change wording
jannfis Jun 11, 2020
c92d4cb
Add some plausibility checks for supplied data on key creation
jannfis Jun 12, 2020
71bd095
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Jun 12, 2020
804da86
Update from codegen
jannfis Jun 12, 2020
4c212ed
Re-allow binary keys and move check for ASCII armoured to UI
jannfis Jun 12, 2020
8c0bdee
Make yarn lint happy
jannfis Jun 12, 2020
fe107ee
Add editing signature keys for projects in UI
jannfis Jun 14, 2020
fa75a5a
Add ability to configure signature keys for project in CLI
jannfis Jun 14, 2020
5e564bb
Change default value to use for GNUPGHOME
jannfis Jun 14, 2020
021ea14
Do not include data section in default gpg keys CM
jannfis Jun 14, 2020
3f25438
Adapt Docker image for GnuPG feature
jannfis Jun 15, 2020
bfebf0e
Add required configuration to installation manifests
jannfis Jun 15, 2020
f22730e
Add add-signature-key and remove-signature-key commands to project CLI
jannfis Jun 15, 2020
6f97a76
Fix typo
jannfis Jun 15, 2020
27ca0f8
Add initial user documentation for GnuPG verification
jannfis Jun 15, 2020
61fdfb0
Fix role name - oops
jannfis Jun 15, 2020
e8c7fac
Mention required RBAC roles in docs
jannfis Jun 15, 2020
60957a8
Support GPG verification of git annotated tags as well
jannfis Jun 15, 2020
d24a302
Ensure CLI can build successfully
jannfis Jun 15, 2020
4970db4
Better support verification on tags
jannfis Jun 15, 2020
d754da2
Print key type in upper case
jannfis Jun 16, 2020
5acc119
Update user documentation
jannfis Jun 16, 2020
8c856d9
Correctly disable GnuPG verification if ARGOCD_GPG_ENABLE=false
jannfis Jun 16, 2020
8285fae
Clarify that this feature is only available with Git repositories
jannfis Jun 16, 2020
c5db493
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Jun 16, 2020
7233325
codegen
jannfis Jun 16, 2020
cad98dc
Move verification code to own function
jannfis Jun 19, 2020
b9bad16
Remove deprecated check
jannfis Jun 19, 2020
8fc0183
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Jun 19, 2020
9c870c3
Make things more developer friendly when running locally
jannfis Jun 20, 2020
3f2ddd5
Enable GPG feature by default, and don't require ARGOCD_GNUPGHOME to …
jannfis Jun 21, 2020
98b2ebe
Revert changes to manifests to reflect default enable state
jannfis Jun 21, 2020
43f34c0
Merge branch 'master' of https://github.com/argoproj/argo-cd into fea…
jannfis Jun 21, 2020
d16418f
Codegen
jannfis Jun 21, 2020
More commentary
jannfis committed Mar 7, 2020

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit 99af2b2a1bae63923a82b6626d420f71c1b05113
2 changes: 2 additions & 0 deletions util/gpg/gpg.go
@@ -94,6 +94,7 @@ const DefaultGnuPgHomePath = "/app/config/gpg"
// Maximum number of lines to parse for a gpg verify-commit output
const MaxVerificationLinesToParse = 40

// GetGnuPGHomePath retrieves the path to use for GnuPG home directory, which is either taken from GNUPGHOME environment or a default value
func GetGnuPGHomePath() string {
if gnuPgHome := os.Getenv("GNUPGHOME"); gnuPgHome == "" {
return DefaultGnuPgHomePath
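Review bot: The new doc comment on GetGnuPGHomePath does not say that an empty GNUPGHOME is handled the same as an unset one (the check is `gnuPgHome == ""`), and it does not name the default. Suggest something like "returns the value of GNUPGHOME if it is set and non-empty, otherwise DefaultGnuPgHomePath", since this directory holds the keyring that signatures are verified against and readers need to know which one is in effect. In the same hunk, the context comment above MaxVerificationLinesToParse says "gpg verify-commit"; verify-commit is a git subcommand, so "git verify-commit" would be accurate.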
@@ -102,6 +103,7 @@ func GetGnuPGHomePath() string {
}
}

// Helper function to append GNUPGHOME for a command execution environment
func getGPGEnviron() []string {
if h := os.Getenv("GNUPGHOME"); h != "" {
return append(os.Environ(), GetGnuPGHomePath())
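Review bot: In getGPGEnviron, `append(os.Environ(), GetGnuPGHomePath())` adds the bare directory path to the environment slice, but entries in a command environment must have the form KEY=value, so the appended element should be `"GNUPGHOME=" + GetGnuPGHomePath()`. As written, the child process does not receive GNUPGHOME from this entry. The visible branch also only runs when GNUPGHOME is already set, in which case os.Environ() carries it anyway; the case that needs an explicit entry is the empty one, where the default path applies, so please confirm the branch not shown in this hunk injects a well-formed entry there. The new comment would also match Go convention if it began with the function name, for example "getGPGEnviron returns ...".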