Fix file signing verification error and bucket upload #2785

Merged
merged 5 commits into from
Nov 30, 2022
47 changes: 28 additions & 19 deletions cmd/krel/cmd/sign_blobs.go
Expand Up @@ -36,6 +36,8 @@ const (
outputPathFlag = "output-path"
privateKeyPathFlag = "private-key-path"
publicKeyPathFlag = "public-key-path"
sigExt = ".sig"
certExt = ".cert"
)

type signBlobOptions struct {
Expand Down Expand Up @@ -92,19 +94,25 @@ func init() {
signCmd.AddCommand(signBlobCmd)
}

func runSignBlobs(signOpts *signOptions, signBlobOpts *signBlobOptions, args []string) error {
err := validateSignBlobsArgs(args)
if err != nil {
func runSignBlobs(signOpts *signOptions, signBlobOpts *signBlobOptions, args []string) (err error) {
if err := validateSignBlobsArgs(args); err != nil {
return fmt.Errorf("blobs to be signed does not exist: %w", err)
}

var tempDir string
defer func() {
if tempDir != "" {
os.RemoveAll(tempDir)
}
}()

var bundle []signingBundle
isGCSBucket := false
if strings.HasPrefix(args[0], object.GcsPrefix) {
// GCS Bucket remote location
isGCSBucket = true

tempDir, err := os.MkdirTemp("", "release-sign-blobs-")
tempDir, err = os.MkdirTemp("", "release-sign-blobs-")
if err != nil {
return fmt.Errorf("creating a temporary directory to save the files to be signed: %w", err)
}
Expand All @@ -120,13 +128,14 @@ func runSignBlobs(signOpts *signOptions, signBlobOpts *signBlobOptions, args []s
if strings.HasSuffix(file, ".sha256") || strings.HasSuffix(file, ".sha512") ||
strings.HasSuffix(file, ":") || strings.HasSuffix(file, ".docker_tag") ||
strings.Contains(file, "SHA256SUMS") || strings.Contains(file, "SHA512SUMS") ||
strings.Contains(file, "README") || strings.Contains(file, "Makefile") {
strings.Contains(file, "README") || strings.Contains(file, "Makefile") ||
strings.HasSuffix(file, certExt) || strings.HasSuffix(file, sigExt) || strings.HasSuffix(file, ".pem") {
nit: we decided not to use ".pem" at all, but it should not hurt to keep it in the skip list.

continue
}

destinationPath := strings.TrimPrefix(file, object.GcsPrefix)
localPath := filepath.Join(tempDir, filepath.Dir(destinationPath), filepath.Base(destinationPath))
err = gcsClient.CopyToLocal(file, localPath)
if err != nil {
if err := gcsClient.CopyToLocal(file, localPath); err != nil {
return fmt.Errorf("copying file to sign: %w", err)
}

Expand Down Expand Up @@ -156,16 +165,15 @@ func runSignBlobs(signOpts *signOptions, signBlobOpts *signBlobOptions, args []s
signerOpts.PrivateKeyPath = signBlobOpts.privateKeyPath
signerOpts.PublicKeyPath = signBlobOpts.publicKeyPath

signerOpts.OutputCertificatePath = fmt.Sprintf("%s/%s.cert", signBlobOpts.outputPath, fileBundle.fileToSign)
signerOpts.OutputSignaturePath = fmt.Sprintf("%s/%s.sig", signBlobOpts.outputPath, fileBundle.fileToSign)
signerOpts.OutputCertificatePath = fmt.Sprintf("%s/%s%s", signBlobOpts.outputPath, fileBundle.fileToSign, certExt)
signerOpts.OutputSignaturePath = fmt.Sprintf("%s/%s%s", signBlobOpts.outputPath, fileBundle.fileToSign, sigExt)
if signBlobOpts.outputPath == "" {
signerOpts.OutputCertificatePath = fmt.Sprintf("%s.cert", fileBundle.fileLocalLocation)
signerOpts.OutputSignaturePath = fmt.Sprintf("%s.sig", fileBundle.fileLocalLocation)
signerOpts.OutputCertificatePath = fmt.Sprintf("%s%s", fileBundle.fileLocalLocation, certExt)
signerOpts.OutputSignaturePath = fmt.Sprintf("%s%s", fileBundle.fileLocalLocation, sigExt)
}

signer := sign.New(signerOpts)
_, err := signer.SignFile(fileBundle.fileLocalLocation)
if err != nil {
if _, err := signer.SignFile(fileBundle.fileLocalLocation); err != nil {
t.Done(fmt.Errorf("signing the file %s: %w", fileBundle.fileLocalLocation, err))
return
}
Expand All @@ -183,16 +191,17 @@ func runSignBlobs(signOpts *signOptions, signBlobOpts *signBlobOptions, args []s
if isGCSBucket {
logrus.Info("Copying Certificates and Signatures back to the bucket...")
for _, fileBundle := range bundle {
certFiles := fmt.Sprintf("%s/%s.cert", signBlobOpts.outputPath, fileBundle.fileToSign)
signFiles := fmt.Sprintf("%s/%s.sig", signBlobOpts.outputPath, fileBundle.fileToSign)
certFiles := fmt.Sprintf("%s/%s%s", signBlobOpts.outputPath, fileBundle.fileToSign, certExt)
signFiles := fmt.Sprintf("%s/%s%s", signBlobOpts.outputPath, fileBundle.fileToSign, sigExt)
if signBlobOpts.outputPath == "" {
certFiles = fmt.Sprintf("%s.cert", fileBundle.fileLocalLocation)
signFiles = fmt.Sprintf("%s.sig", fileBundle.fileLocalLocation)
certFiles = fmt.Sprintf("%s%s", fileBundle.fileLocalLocation, certExt)
signFiles = fmt.Sprintf("%s%s", fileBundle.fileLocalLocation, sigExt)
}

logrus.Infof("Copying %s and %s...", certFiles, signFiles)
_, err = gcli.GSUtilOutput("cp", "-n", certFiles, signFiles, fmt.Sprintf("%s%s", object.GcsPrefix, fileBundle.destinationPathToCopy))
if err != nil {
if _, err := gcli.GSUtilOutput(
"cp", certFiles, signFiles, fmt.Sprintf("%s%s", object.GcsPrefix, fileBundle.destinationPathToCopy),
ok, that sounds good

); err != nil {
return fmt.Errorf("copying certificates and signatures to the bucket: %w", err)
}
}
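Review bot: Dropping `-n` from the `gcli.GSUtilOutput("cp", ...)` call at the end of the section means an existing `.sig`/`.cert` object in the bucket is now silently replaced on every run, so re-running the command over an already-signed release overwrites the published signatures instead of refusing; the inline thread suggests this is deliberate, but nothing in the code records that. A one-line comment above the call, `// Overwrite any existing .sig/.cert objects: re-signing intentionally replaces the published signatures.`, together with an explicit log line saying the same, would make that intent visible to the next maintainer. Separately, the new deferred `os.RemoveAll(tempDir)` discards its error, so a leftover temp directory holding copies of the blobs (and, when the output path is empty, presumably their freshly written signatures, since those go next to `fileLocalLocation`) goes unnoticed; `if err := os.RemoveAll(tempDir); err != nil { logrus.Warnf("removing temporary directory %s: %v", tempDir, err) }` keeps the cleanup best-effort while surfacing the failure. runSignBlobs starts in this section but its body continues past the last hunk shown.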