func (gkms *gpgKeypairMgrSuite) SetUpTest(c *C) {
gkms.homedir = c.MkDir()
os.Setenv("SNAP_GNUPG_HOME", gkms.homedir)
gkms.keypairMgr = asserts.NewGPGKeypairManager()
// import test key
gkms.importKey(assertstest.DevKey)
}
func (s *SnapKeysSuite) TestExportKeyAccount(c *C) {
rootPrivKey, _ := assertstest.GenerateKey(1024)
storePrivKey, _ := assertstest.GenerateKey(752)
storeSigning := assertstest.NewStoreStack("canonical", rootPrivKey, storePrivKey)
manager := asserts.NewGPGKeypairManager()
assertstest.NewAccount(storeSigning, "developer1", nil, "")
rest, err := snap.Parser().ParseArgs([]string{"export-key", "another", "--account=developer1"})
c.Assert(err, IsNil)
c.Assert(rest, DeepEquals, []string{})
assertion, err := asserts.Decode(s.stdout.Bytes())
c.Assert(err, IsNil)
c.Check(assertion.Type(), Equals, asserts.AccountKeyRequestType)
c.Check(assertion.Revision(), Equals, 0)
c.Check(assertion.HeaderString("account-id"), Equals, "developer1")
c.Check(assertion.HeaderString("name"), Equals, "another")
c.Check(assertion.HeaderString("public-key-sha3-384"), Equals, "DVQf1U4mIsuzlQqAebjjTPYtYJ-GEhJy0REuj3zvpQYTZ7EJj7adBxIXLJ7Vmk3L")
since, err := time.Parse(time.RFC3339, assertion.HeaderString("since"))
c.Assert(err, IsNil)
zone, offset := since.Zone()
c.Check(zone, Equals, "UTC")
c.Check(offset, Equals, 0)
c.Check(s.Stderr(), Equals, "")
privKey, err := manager.Get(assertion.HeaderString("public-key-sha3-384"))
c.Assert(err, IsNil)
err = asserts.SignatureCheck(assertion, privKey.PublicKey())
c.Assert(err, IsNil)
}
func (x *cmdSign) Execute(args []string) error {
if len(args) > 0 {
return ErrExtraArgs
}
statement, err := ioutil.ReadAll(Stdin)
if err != nil {
return fmt.Errorf(i18n.G("cannot read assertion input: %v"), err)
}
keypairMgr := asserts.NewGPGKeypairManager()
privKey, err := keypairMgr.GetByName(x.KeyName)
if err != nil {
return err
}
signOpts := signtool.Options{
KeyID: privKey.PublicKey().ID(),
Statement: statement,
}
encodedAssert, err := signtool.Sign(&signOpts, keypairMgr)
if err != nil {
return err
}
_, err = Stdout.Write(encodedAssert)
if err != nil {
return err
}
return nil
}
func (x *cmdCreateKey) Execute(args []string) error {
if len(args) > 0 {
return ErrExtraArgs
}
keyName := x.Positional.KeyName
if keyName == "" {
keyName = "default"
}
if !asserts.IsValidAccountKeyName(keyName) {
return fmt.Errorf(i18n.G("key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"), keyName)
}
fmt.Fprint(Stdout, i18n.G("Passphrase: "))
passphrase, err := terminal.ReadPassword(0)
fmt.Fprint(Stdout, "\n")
if err != nil {
return err
}
fmt.Fprint(Stdout, i18n.G("Confirm passphrase: "))
confirmPassphrase, err := terminal.ReadPassword(0)
fmt.Fprint(Stdout, "\n")
if err != nil {
return err
}
if string(passphrase) != string(confirmPassphrase) {
return errors.New("passphrases do not match")
}
if err != nil {
return err
}
manager := asserts.NewGPGKeypairManager()
return manager.Generate(string(passphrase), keyName)
}
func (x *cmdDeleteKey) Execute(args []string) error {
if len(args) > 0 {
return ErrExtraArgs
}
manager := asserts.NewGPGKeypairManager()
return manager.Delete(x.Positional.KeyName)
}
func (s keyName) Complete(match string) []flags.Completion {
var res []flags.Completion
asserts.NewGPGKeypairManager().Walk(func(_ asserts.PrivateKey, _ string, uid string) error {
if strings.HasPrefix(uid, match) {
res = append(res, flags.Completion{Item: uid})
}
return nil
})
return res
}
func (x *cmdSignBuild) Execute(args []string) error {
if len(args) > 0 {
return ErrExtraArgs
}
snapDigest, snapSize, err := asserts.SnapFileSHA3_384(x.Positional.Filename)
if err != nil {
return err
}
gkm := asserts.NewGPGKeypairManager()
privKey, err := gkm.GetByName(x.KeyName)
if err != nil {
// TRANSLATORS: %q is the key name, %v the error message
return fmt.Errorf(i18n.G("cannot use %q key: %v"), x.KeyName, err)
}
pubKey := privKey.PublicKey()
timestamp := time.Now().Format(time.RFC3339)
headers := map[string]interface{}{
"developer-id": x.DeveloperID,
"authority-id": x.DeveloperID,
"snap-sha3-384": snapDigest,
"snap-id": x.SnapID,
"snap-size": fmt.Sprintf("%d", snapSize),
"grade": x.Grade,
"timestamp": timestamp,
}
adb, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
KeypairManager: gkm,
})
if err != nil {
return fmt.Errorf(i18n.G("cannot open the assertions database: %v"), err)
}
a, err := adb.Sign(asserts.SnapBuildType, headers, nil, pubKey.ID())
if err != nil {
return fmt.Errorf(i18n.G("cannot sign assertion: %v"), err)
}
_, err = Stdout.Write(asserts.Encode(a))
if err != nil {
return err
}
return nil
}
func (x *cmdExportKey) Execute(args []string) error {
if len(args) > 0 {
return ErrExtraArgs
}
keyName := string(x.Positional.KeyName)
if keyName == "" {
keyName = "default"
}
manager := asserts.NewGPGKeypairManager()
if x.Account != "" {
privKey, err := manager.GetByName(keyName)
if err != nil {
return err
}
pubKey := privKey.PublicKey()
headers := map[string]interface{}{
"account-id": x.Account,
"name": keyName,
"public-key-sha3-384": pubKey.ID(),
"since": time.Now().UTC().Format(time.RFC3339),
// XXX: To support revocation, we need to check for matching known assertions and set a suitable revision if we find one.
}
body, err := asserts.EncodePublicKey(pubKey)
if err != nil {
return err
}
assertion, err := asserts.SignWithoutAuthority(asserts.AccountKeyRequestType, headers, body, privKey)
if err != nil {
return err
}
fmt.Fprint(Stdout, string(asserts.Encode(assertion)))
} else {
encoded, err := manager.Export(keyName)
if err != nil {
return err
}
fmt.Fprintf(Stdout, "%s\n", encoded)
}
return nil
}
func (x *cmdKeys) Execute(args []string) error {
if len(args) > 0 {
return ErrExtraArgs
}
w := tabWriter()
if !x.JSON {
fmt.Fprintln(w, i18n.G("Name\tSHA3-384"))
defer w.Flush()
}
keys := []Key{}
manager := asserts.NewGPGKeypairManager()
display := func(privk asserts.PrivateKey, fpr string, uid string) error {
key := Key{
Name: uid,
Sha3_384: privk.PublicKey().ID(),
}
if x.JSON {
keys = append(keys, key)
} else {
fmt.Fprintf(w, "%s\t%s\n", key.Name, key.Sha3_384)
}
return nil
}
err := manager.Walk(display)
if err != nil {
return err
}
if x.JSON {
obj, err := json.Marshal(keys)
if err != nil {
return err
}
fmt.Fprintf(Stdout, "%s\n", obj)
}
return nil
}
