func verifyUnitAction(c *cli.Context) {
r := getRegistry()
if len(c.Args()) != 1 {
fmt.Println("One unit file must be provided.")
syscall.Exit(1)
}
name := path.Base(c.Args()[0])
payload := r.GetPayload(name)
if payload == nil {
fmt.Println("Job not found.")
syscall.Exit(1)
}
sv, err := sign.NewSignatureVerifierFromSSHAgent()
if err != nil {
fmt.Println("Fail to create SignatureVerifier:", err)
return
}
s := r.GetSignatureSetOfPayload(name)
ok, err := sv.VerifyPayload(payload, s)
if !ok || err != nil {
fmt.Printf("Check of payload %s failed: %v\n", payload.Name, err)
return
}
fmt.Printf("Succeed to verify job(%s).\n", payload.Name)
}
// verifyJob attempts to verify the signature of the provided Job's unit using
// the public keys in the local SSH agent
func verifyJob(j *job.Job) error {
sv, err := sign.NewSignatureVerifierFromSSHAgent()
if err != nil {
return fmt.Errorf("Failed creating SignatureVerifier: %v", err)
}
ss := registryCtl.GetSignatureSetOfJob(j.Name)
verified, err := sv.VerifyJob(j, ss)
if err != nil {
return fmt.Errorf("Failed attempting to verify Job(%s): %v", j.Name, err)
} else if !verified {
return fmt.Errorf("Unable to verify Job(%s)", j.Name)
}
log.V(1).Infof("Verified signature of Job(%s)", j.Name)
return nil
}
// verifyJob attempts to verify the signature of the provided Job's unit using
// the public keys in the local SSH agent
func verifyJob(j *job.Job) error {
sv, err := sign.NewSignatureVerifierFromSSHAgent()
if err != nil {
return fmt.Errorf("failed creating SignatureVerifier: %v", err)
}
ss, err := cAPI.JobSignatureSet(j.Name)
if err != nil {
return fmt.Errorf("failed attempting to retrieve SignatureSet of Job(%s): %v", j.Name, err)
}
verified, err := sv.VerifyJob(j, ss)
if err != nil {
return fmt.Errorf("failed attempting to verify Job(%s): %v", j.Name, err)
} else if !verified {
return fmt.Errorf("unable to verify Job(%s)", j.Name)
}
log.V(1).Infof("Verified signature of Job(%s)", j.Name)
return nil
}
func startUnitAction(c *cli.Context) {
var err error
// If signing is explicitly set to on, verification will be done also.
toSign := c.Bool("sign")
var sc *sign.SignatureCreator
var sv *sign.SignatureVerifier
if toSign {
var err error
sc, err = sign.NewSignatureCreatorFromSSHAgent()
if err != nil {
fmt.Println("Fail to create SignatureCreator:", err)
return
}
sv, err = sign.NewSignatureVerifierFromSSHAgent()
if err != nil {
fmt.Println("Fail to create SignatureVerifier:", err)
return
}
}
payloads := make([]job.JobPayload, len(c.Args()))
for i, v := range c.Args() {
name := path.Base(v)
payload := registryCtl.GetPayload(name)
if payload == nil {
payload, err = getJobPayloadFromFile(v)
if err != nil {
fmt.Println(err.Error())
return
}
err = registryCtl.CreatePayload(payload)
if err != nil {
fmt.Printf("Creation of payload %s failed: %v\n", payload.Name, err)
return
}
if toSign {
s, err := sc.SignPayload(payload)
if err != nil {
fmt.Printf("Creation of sign for payload %s failed: %v\n", payload.Name, err)
return
}
registryCtl.CreateSignatureSet(s)
}
}
if toSign {
s := registryCtl.GetSignatureSetOfPayload(name)
ok, err := sv.VerifyPayload(payload, s)
if !ok || err != nil {
fmt.Printf("Check of payload %s failed: %v\n", payload.Name, err)
return
}
}
payloads[i] = *payload
}
requirements := parseRequirements(c.String("require"))
// TODO: This must be done in a transaction!
for _, jp := range payloads {
j := job.NewJob(jp.Name, requirements, &jp, nil)
err := registryCtl.CreateJob(j)
if err != nil {
fmt.Printf("Creation of job %s failed: %v\n", j.Name, err)
}
}
}
