Charm Helpers

Merge lp:~stub/charm-helpers/fix-gpg into lp:charm-helpers

  1. fix-gpg
  2. Merge into devel
Proposed by Stuart Bishop
Status: Merged
Merged at revision: 783
Proposed branch: lp:~stub/charm-helpers/fix-gpg
Merge into: lp:charm-helpers
Diff against target: 83 lines (+38/-24)
1 file modified
charmhelpers/fetch/ubuntu.py (+38/-24)
To merge this branch: bzr merge lp:~stub/charm-helpers/fix-gpg
Reviewer Review Type Date Requested Status
Alex Kavanagh Approve
Review via email: mp+329024@code.launchpad.net

Description of the change

A feature of the PostgreSQL charm had stopped working, as charm-helpers was attempting to do more validation of GPG key formats and the PG charm happens to add comments to its keys so they don't get mixed up.

While fixing this, noticed that insecure usage still seems to be promoted. Clearly flag this cases in the docstring and add WARNING messages to logs when people open themselves up to attack (the key retrieval protocol is unencrypted for historical reasons and the same man-in-the-middle attack that poisons an archive can also make people trust keys retrieved this way).

To post a comment you must log in.
Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Looks good and passes tests.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'charmhelpers/fetch/ubuntu.py'
--- charmhelpers/fetch/ubuntu.py 2017-07-20 08:17:20 +0000
+++ charmhelpers/fetch/ubuntu.py 2017-08-15 07:09:24 +0000
@@ -27,6 +27,7 @@
27from charmhelpers.core.hookenv import (27from charmhelpers.core.hookenv import (
28 log,28 log,
29 DEBUG,29 DEBUG,
30 WARNING,
30)31)
31from charmhelpers.fetch import SourceConfigError, GPGKeyError32from charmhelpers.fetch import SourceConfigError, GPGKeyError
3233
@@ -261,34 +262,47 @@
261 return apt_mark(packages, 'unhold', fatal=fatal)262 return apt_mark(packages, 'unhold', fatal=fatal)
262263
263264
264def import_key(keyid):265def import_key(key):
265 """Import a key in either ASCII Armor or Radix64 format.266 """Import an ASCII Armor key.
266267
267 `keyid` is either the keyid to fetch from a PGP server, or268 /!\ A Radix64 format keyid is also supported for backwards
268 the key in ASCII armor foramt.269 compatibility, but should never be used; the key retrieval
269270 mechanism is insecure and subject to man-in-the-middle attacks
270 :param keyid: String of key (or key id).271 voiding all signature checks using that key.
272
273 :param keyid: The key in ASCII armor format,
274 including BEGIN and END markers.
271 :raises: GPGKeyError if the key could not be imported275 :raises: GPGKeyError if the key could not be imported
272 """276 """
273 key = keyid.strip()277 key = key.strip()
274 if (key.startswith('-----BEGIN PGP PUBLIC KEY BLOCK-----') and278 if '-' in key or '\n' in key:
275 key.endswith('-----END PGP PUBLIC KEY BLOCK-----')):279 # Send everything not obviously a keyid to GPG to import, as
280 # we trust its validation better than our own. eg. handling
281 # comments before the key.
276 log("PGP key found (looks like ASCII Armor format)", level=DEBUG)282 log("PGP key found (looks like ASCII Armor format)", level=DEBUG)
277 log("Importing ASCII Armor PGP key", level=DEBUG)283 if ('-----BEGIN PGP PUBLIC KEY BLOCK-----' in key and
278 with NamedTemporaryFile() as keyfile:284 '-----END PGP PUBLIC KEY BLOCK-----' in key):
279 with open(keyfile.name, 'w') as fd:285 log("Importing ASCII Armor PGP key", level=DEBUG)
280 fd.write(key)286 with NamedTemporaryFile() as keyfile:
281 fd.write("\n")287 with open(keyfile.name, 'w') as fd:
282 cmd = ['apt-key', 'add', keyfile.name]288 fd.write(key)
283 try:289 fd.write("\n")
284 subprocess.check_call(cmd)290 cmd = ['apt-key', 'add', keyfile.name]
285 except subprocess.CalledProcessError:291 try:
286 error = "Error importing PGP key '{}'".format(key)292 subprocess.check_call(cmd)
287 log(error)293 except subprocess.CalledProcessError:
288 raise GPGKeyError(error)294 error = "Error importing PGP key '{}'".format(key)
295 log(error)
296 raise GPGKeyError(error)
297 else:
298 raise GPGKeyError("ASCII armor markers missing from GPG key")
289 else:299 else:
290 log("PGP key found (looks like Radix64 format)", level=DEBUG)300 # We should only send things obviously not a keyid offsite
291 log("Importing PGP key from keyserver", level=DEBUG)301 # via this unsecured protocol, as it may be a secret or part
302 # of one.
303 log("PGP key found (looks like Radix64 format)", level=WARNING)
304 log("INSECURLY importing PGP key from keyserver; "
305 "full key not provided.", level=WARNING)
292 cmd = ['apt-key', 'adv', '--keyserver',306 cmd = ['apt-key', 'adv', '--keyserver',
293 'hkp://keyserver.ubuntu.com:80', '--recv-keys', key]307 'hkp://keyserver.ubuntu.com:80', '--recv-keys', key]
294 try:308 try:

Subscribers

People subscribed via source and target branches