feat(pgp): Use crypto.py during Egg and Collection verification #4131

Open: m-horky wants to merge 3 commits into base: master

@m-horky (Contributor) commented Jun 25, 2024

All Pull Requests:

Check all that apply:

  • Have you followed the guidelines in our Contributing document, including the instructions about commit messages?
  • Is this PR to correct an issue?
  • Is this PR an enhancement?

Complete Description of Additions/Changes:

  • Card ID: CCT-131
  • Card ID: CCT-405
  • Card ID: RHEL-2480
  • Card ID: RHEL-2482

This patch adds a self-contained and isolated GPG verification
environment. It runs GPG in an isolated environment where only selected
PGP keys are allowed to check the file signature matches its file.

GPG creates a directory $HOME/.gnupg/ every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which pollutes user directories and/or causes SELinux
denials.

This patch utilizes the --homedir argument GPG supports in order to
move the GPG home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.


This PR is an improvement over previously reverted #3930

@m-horky m-horky force-pushed the cct-131-gpg branch 2 times, most recently from b73b1e7 to 7f35d55 Compare June 25, 2024 09:55

* Card ID: CCT-131
* Card ID: CCT-405
* Card ID: RHEL-2480
* Card ID: RHEL-2482

This patch adds a self-contained and isolated GPG verification
environment. It runs GPG in an isolated environment where only selected
PGP keys are allowed to check the file signature matches its file.

GPG creates a directory `$HOME/.gnupg/` every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which pollutes user directories and/or causes SELinux
denials.

This patch utilizes the `--homedir` argument GPG supports in order to
move the GPG home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.

Signed-off-by: mhorky <[email protected]>

This configuration file ensures the dummy PGP public/private key pair
is not flagged by security tools as a false positive.

Signed-off-by: mhorky <[email protected]>

* Card ID: CCT-131
* Card ID: RHEL-2480
* Card ID: RHEL-2482

Signed-off-by: mhorky <[email protected]>

@zpetrace

From a QA perspective the pre-verification for this PR passed

@m-horky m-horky marked this pull request as ready for review June 26, 2024 15:46
@xiangce xiangce added the client These issues represent work to be done by the "client" team. label Jun 27, 2024
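
The approach described in the PR description and first commit message above (a throwaway `--homedir`, only the selected key imported, cleanup afterwards), shown as an added Python example that is not the PR's own crypto.py code. The function names, the `gpg-verify-` directory prefix and the `gpgconf --kill all` cleanup step are assumptions of this example.

```python
import contextlib
import shutil
import subprocess
import tempfile


@contextlib.contextmanager
def isolated_gpg_home():
    """Yield a fresh, private GPG home; remove it when the block exits."""
    # mkdtemp creates the directory with mode 0700, which gpg expects.
    home = tempfile.mkdtemp(prefix="gpg-verify-")  # prefix is hypothetical
    try:
        yield home
    finally:
        # Stop any gpg-agent/dirmngr bound to this homedir, then delete it,
        # so nothing is left behind (and $HOME/.gnupg/ is never touched).
        with contextlib.suppress(OSError):
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "all"],
                           capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


def gpg(home, *args):
    """Run gpg non-interactively against the given home directory only."""
    cmd = ["gpg", "--homedir", home, "--batch", "--no-tty", *args]
    return subprocess.run(cmd, capture_output=True)


def verify_detached(file_path, signature_path, key_path):
    """Return True only if gpg accepts signature_path for file_path
    using nothing but the key(s) stored in key_path."""
    with isolated_gpg_home() as home:
        # The keyring starts empty, so only the imported key can match.
        if gpg(home, "--import", key_path).returncode != 0:
            return False  # fail closed: no key, no verification
        result = gpg(home, "--verify", signature_path, file_path)
        return result.returncode == 0
```

Because the keyring lives only inside the temporary home, keys already present in the invoking user's `$HOME/.gnupg/` cannot satisfy the check.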