Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow verifying signatures without gpg #214

Closed
wants to merge 2 commits into from
Closed

Allow verifying signatures without gpg #214

wants to merge 2 commits into from

Conversation

FlorianVeaux
Copy link
Contributor

Please fill in the fields below to submit a pull request. The more information
that is provided, the better.

Issue:
A regression was introduced with #206
Before that it was possible to verify keys even if gpg was missing in the used environment.

gpg is not required for verifying but a safe-guard was added in the verify_signature method which now prevents that possibility.

Description of the changes being introduced by the pull request:

Removes the safe-guard introduced in #206

Please verify and check that the pull request fulfils the following
requirements:

  • The code follows the Code Style Guidelines
  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

@coveralls
Copy link

Coverage Status

Coverage remained the same at 98.712% when pulling e035da8 on FlorianVeaux:florian/allow_missing_gpg_for_verifying into b6c160b on secure-systems-lab:master.

1 similar comment
@coveralls
Copy link

Coverage Status

Coverage remained the same at 98.712% when pulling e035da8 on FlorianVeaux:florian/allow_missing_gpg_for_verifying into b6c160b on secure-systems-lab:master.

trishankatdatadog
trishankatdatadog reviewed Feb 25, 2020
View reviewed changes
tests/check_public_interfaces.py
@@ -203,9 +203,6 @@ def test_gpg_cmds(self):
with self.assertRaises(securesystemslib.exceptions.UnsupportedLibraryError):
securesystemslib.gpg.functions.create_signature('bar')

with self.assertRaises(securesystemslib.exceptions.UnsupportedLibraryError):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to say that we do not raise this exception (regression test)?

Copy link
Contributor Author

@FlorianVeaux FlorianVeaux Feb 25, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAICT this would require running the securesystemslib.gpg.functions.verify_signature(None, 'f00', 'bar') function with correctly formatted arguments. I'm not really sure how that could be added but this is a great idea.

@FlorianVeaux FlorianVeaux mentioned this pull request Feb 25, 2020
Merged
@lukpueh lukpueh mentioned this pull request Feb 26, 2020
Merged
3 tasks
@lukpueh
Copy link
Member

lukpueh commented Feb 26, 2020

A comprehensive fix including regression testing is available in #215.

@lukpueh
Copy link
Member

lukpueh commented Feb 26, 2020

Fixed in #215.

@lukpueh lukpueh closed this Feb 26, 2020
@FlorianVeaux FlorianVeaux deleted the florian/allow_missing_gpg_for_verifying branch February 26, 2020 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trishankatdatadog trishankatdatadog trishankatdatadog left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@FlorianVeaux @coveralls @lukpueh @trishankatdatadog