Skip to content

Commit

Permalink
flatcar-install: Use --assert-signer rather than --trusted-key with gpg
Browse files Browse the repository at this point in the history 
Using a custom key was recently broken by a GnuPG update. The Flatcar
key is not imported when a custom key is given, but we still reference
the Flatcar key with --trusted-key regardless, causing gpg to attempt to
download the key from a keyserver. This fails because we no longer ship
the necessary dirmngr binary, which is now only built when GnuPG has
GnuTLS support enabled.

Enabling GnuTLS support works around the problem, but it is not the
proper fix. --trusted-key causes gpg to trust the given key, even though
there is no secret key present. This is unnecessary, as the key would be
trusted anyway, albeit with a warning. --assert-signer makes more sense,
as this ensures the file was signed specifically by the given key rather
than some other key you happen to have in your keyring.

--assert-signer only accepts the long key ID, not the key file. There is
no way to discover the key ID of a key that has just been imported, but
you can get it from the original key file in a stable manner.

Closes: flatcar/Flatcar#1471
Signed-off-by: James Le Cuirot <[email protected]>
  • Loading branch information
@chewi
chewi committed Jun 21, 2024
1 parent 05e3d8b commit 24cdd55
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions bin/flatcar-install
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ Flatcar Container Linux on a machine then use this tool to make a permanent inst
# sub rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
# sub rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
# sub rsa4096/267EC954 2022-08-11 [S] [expires: 2023-08-11]
GPG_LONG_ID="E25D9AED0593B34A"
GPG_LONG_ID="F88CFEDEFF29A5B4D9523864E25D9AED0593B34A"
GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
Expand Down Expand Up @@ -668,6 +668,11 @@ function prep_url(){
mkdir -p "${GNUPGHOME}"
if [ -n "${KEYFILE}" ]; then
gpg --batch --quiet --import < "${KEYFILE}"
# --assert-signer needs the long key ID. We have no way of looking up
# the key we just imported, but we can get the ID from the original
# file. --with-colons provides a stable interface for parsing.
GPG_LONG_ID=$(gpg --show-key --with-colons "${KEYFILE}" | grep -m1 "^fpr:" | cut -d: -f10)
else
gpg --batch --quiet --import <<< "${GPG_KEY}"
fi
Expand All @@ -686,7 +691,7 @@ function download_from_url(){
exit 1
fi
if ! gpg --batch --trusted-key "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
if ! gpg --batch --assert-signer "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
echo "Could not verify ${IMAGE_NAME}." >&2
exit 1
fi
Expand All @@ -697,7 +702,7 @@ function install_from_url() {
echo "Downloading, writing and verifying ${IMAGE_NAME}..."
if ! wget ${WGET_ARGS} --no-verbose -O - "${IMAGE_URL}" \
| tee >(${BZIP_UTIL} -cd >&3) \
| gpg --batch --trusted-key "${GPG_LONG_ID}" \
| gpg --batch --assert-signer "${GPG_LONG_ID}" \
--verify "${WORKDIR}/${SIG_NAME}" -
then
local EEND=( "${PIPESTATUS[@]}" )
Expand Down

0 comments on commit 24cdd55

Please sign in to comment.