diff options
author | Igor Drozdov <idrozdov@gitlab.com> | 2023-08-01 13:50:25 +0300 |
---|---|---|
committer | Igor Drozdov <idrozdov@gitlab.com> | 2023-08-18 09:01:28 +0300 |
commit | b87326c283c89bf407a85b5d0b4364eb124a448a (patch) | |
tree | f7f6017e5f4dc09195854a50861bda5104ebe3ce /cmd | |
parent | f20c5a226494b5e4235d7ec3e8592e2532ffaa42 (diff) |
Support key rotation for signing keys
This commit allows specifying rotated signing keys in a separate
`git.rotated_signing_keys` config field.
It is added to prevent the following race condition:
1. An old signing key is used to create a signature
2. GetCommitSignatures is not yet called to store the values in Rails DB
3. An admin configures a new signing key
4. GetCommitSignatures is called, tries to verify the signatures using
the new signing key, fails and returns SIGNER_USER instead of SIGNER_SYSTEM.
Now:
3. An admin configures a new signing key and the old signing key(s)
in the list (newest first)
4. GetCommitSignatures is called, and iterates over all configured
signing keys, tries to verify the signature using each of them,
returns SIGNER_SYSTEM if any of the verifications are successful
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/gitaly-git2go/git2goutil/sign.go | 4 | ||||
-rw-r--r-- | cmd/gitaly-gpg/main.go | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/cmd/gitaly-git2go/git2goutil/sign.go b/cmd/gitaly-git2go/git2goutil/sign.go index 596542706..efa8d1b1d 100644 --- a/cmd/gitaly-git2go/git2goutil/sign.go +++ b/cmd/gitaly-git2go/git2goutil/sign.go @@ -13,10 +13,10 @@ func CreateCommitSignature(signingKeyPath string, contentToSign []byte) ([]byte, return nil, nil } - signingKey, err := signature.ParseSigningKey(signingKeyPath) + signingKeys, err := signature.ParseSigningKeys(signingKeyPath) if err != nil { return nil, fmt.Errorf("failed to parse signing key: %w", err) } - return signingKey.CreateSignature(contentToSign) + return signingKeys.CreateSignature(contentToSign) } diff --git a/cmd/gitaly-gpg/main.go b/cmd/gitaly-gpg/main.go index 1c1b5b550..ca41ed1d2 100644 --- a/cmd/gitaly-gpg/main.go +++ b/cmd/gitaly-gpg/main.go @@ -24,7 +24,7 @@ func gpgApp() *cli.App { return errors.New("expected --status-fd=2") } - signingKey, err := signature.ParseSigningKey(cCtx.Args().First()) + signingKeys, err := signature.ParseSigningKeys(cCtx.Args().First()) if err != nil { return fmt.Errorf("reading signed key file %s : %w", cCtx.Args().First(), err) } @@ -34,7 +34,7 @@ func gpgApp() *cli.App { return fmt.Errorf("reading contents from stdin: %w", err) } - sig, err := signingKey.CreateSignature(contents) + sig, err := signingKeys.CreateSignature(contents) if err != nil { return fmt.Errorf("creating signature: %w", err) } |