Implement blocklist for signing key IDs

Implement a blocklist, keyid_blocklist. If a keyid (without leading 0x) in this file matches the signing key for a release, terminate autospec with an error. This is intended as a mechanism to block building releases signed with a known compromised key.
clearlinux · Mar 29, 2024 · 1ad1ed1 · 1ad1ed1
1 parent c02b2fe
commit 1ad1ed1
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 0 deletions.
diff --git a/autospec/config.py b/autospec/config.py
@@ -121,6 +121,7 @@ def __init__(self, download_path):
         self.failed_commands = {}
         self.ignored_commands = {}
         self.gems = {}
+        self.keyid_blocklist = {}
         self.license_hashes = {}
         self.license_translations = {}
         self.license_blacklist = {}
@@ -603,6 +604,7 @@ def setup_patterns(self, path=None):
         read_pattern_conf("license_blacklist", self.license_blacklist, list_format=True, path=path)
         read_pattern_conf("qt_modules", self.qt_modules, path=path)
         read_pattern_conf("cmake_modules", self.cmake_modules, path=path)
+        read_pattern_conf("keyid_blocklist", self.keyid_blocklist, list_format=True, path=path)
 
     def parse_existing_spec(self, name):
         """Determine the old version, old patch list, old keyid, and cves from old spec file."""

diff --git a/autospec/keyid_blocklist b/autospec/keyid_blocklist
@@ -0,0 +1 @@
+59FCF207FEA7F445
diff --git a/autospec/pkg_integrity.py b/autospec/pkg_integrity.py
@@ -483,6 +483,10 @@ def verify(self, recursion=False):
             return None
         # valid signature exists at package_sign_path, operate on it now
         keyid = get_keyid(self.package_sign_path)
+        if keyid in self.config.keyid_blocklist:
+            self.print_result(False, err_msg='KEYID IN BLOCKLIST: {}'.format(keyid))
+            self.quit()
+
         # default location first
         pubkey_loc = self.pubkey_path.format(keyid)
         cache_key = os.path.join(KEY_CACHE_DIR, pubkey_loc)