
authorIgor Drozdov <idrozdov@gitlab.com>2023-08-01 13:50:25 +0300
committerIgor Drozdov <idrozdov@gitlab.com>2023-08-18 09:01:28 +0300
commitb87326c283c89bf407a85b5d0b4364eb124a448a (patch)
treef7f6017e5f4dc09195854a50861bda5104ebe3ce /cmd
parentf20c5a226494b5e4235d7ec3e8592e2532ffaa42 (diff)
Support key rotation for signing keys
This commit allows specifying rotated signing keys in a separate `git.rotated_signing_keys` config field. It is added to prevent the following race condition: 1. An old signing key is used to create a signature; 2. GetCommitSignatures is not yet called to store the values in Rails DB; 3. An admin configures a new signing key; 4. GetCommitSignatures is called, tries to verify the signatures using the new signing key, fails and returns SIGNER_USER instead of SIGNER_SYSTEM. Now: 3. An admin configures a new signing key and the old signing key(s) in the list (newest first); 4. GetCommitSignatures is called, iterates over all configured signing keys, tries to verify the signature using each of them, and returns SIGNER_SYSTEM if any of the verifications is successful.
Diffstat (limited to 'cmd')
-rw-r--r--cmd/gitaly-git2go/git2goutil/sign.go4
-rw-r--r--cmd/gitaly-gpg/main.go4
2 files changed, 4 insertions, 4 deletions
diff --git a/cmd/gitaly-git2go/git2goutil/sign.go b/cmd/gitaly-git2go/git2goutil/sign.go
index 596542706..efa8d1b1d 100644
--- a/cmd/gitaly-git2go/git2goutil/sign.go
+++ b/cmd/gitaly-git2go/git2goutil/sign.go
@@ -13,10 +13,10 @@ func CreateCommitSignature(signingKeyPath string, contentToSign []byte) ([]byte,
return nil, nil
}
- signingKey, err := signature.ParseSigningKey(signingKeyPath)
+ signingKeys, err := signature.ParseSigningKeys(signingKeyPath)
if err != nil {
return nil, fmt.Errorf("failed to parse signing key: %w", err)
}
- return signingKey.CreateSignature(contentToSign)
+ return signingKeys.CreateSignature(contentToSign)
}
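Review bot: Once `signature.ParseSigningKeys` can yield several keys, this call site no longer says which of them actually produces the signature; the commit message implies the newest-first ordering, but `CreateCommitSignature` still takes a single `signingKeyPath` and its doc comment (the function starts before this hunk) should state that the path may resolve to more than one key and that only the primary one is used for signing, with the others kept for verification — assuming that is the contract of `signingKeys.CreateSignature`, which is not visible here. The error text on the following line is now inconsistent with the plural call: `return nil, fmt.Errorf("failed to parse signing keys: %w", err)`. The same naming and wording point applies to the two hunks in cmd/gitaly-gpg/main.go.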
diff --git a/cmd/gitaly-gpg/main.go b/cmd/gitaly-gpg/main.go
index 1c1b5b550..ca41ed1d2 100644
--- a/cmd/gitaly-gpg/main.go
+++ b/cmd/gitaly-gpg/main.go
@@ -24,7 +24,7 @@ func gpgApp() *cli.App {
return errors.New("expected --status-fd=2")
}
- signingKey, err := signature.ParseSigningKey(cCtx.Args().First())
+ signingKeys, err := signature.ParseSigningKeys(cCtx.Args().First())
if err != nil {
return fmt.Errorf("reading signed key file %s : %w", cCtx.Args().First(), err)
}
@@ -34,7 +34,7 @@ func gpgApp() *cli.App {
return fmt.Errorf("reading contents from stdin: %w", err)
}
- sig, err := signingKey.CreateSignature(contents)
+ sig, err := signingKeys.CreateSignature(contents)
if err != nil {
return fmt.Errorf("creating signature: %w", err)
}