image: add oc adm verify-image-signature command

Author: mfojtik

pkg/cmd/admin/admin.go

@@ -12,6 +12,7 @@ import (
 	"github.com/openshift/origin/pkg/cmd/admin/cert"
 	diagnostics "github.com/openshift/origin/pkg/cmd/admin/diagnostics"
 	"github.com/openshift/origin/pkg/cmd/admin/groups"
+	"github.com/openshift/origin/pkg/cmd/admin/image"
 	"github.com/openshift/origin/pkg/cmd/admin/migrate"
 	migrateimages "github.com/openshift/origin/pkg/cmd/admin/migrate/images"
 	migratestorage "github.com/openshift/origin/pkg/cmd/admin/migrate/storage"
@@ -93,6 +94,7 @@ func NewCommandAdmin(name, fullName string, in io.Reader, out io.Writer, errout
 					migratestorage.NewCmdMigrateAPIStorage("storage", fullName+" "+migrate.MigrateRecommendedName+" storage", f, in, out, errout),
 				),
 				top.NewCommandTop(top.TopRecommendedName, fullName+" "+top.TopRecommendedName, f, out, errout),
+				image.NewCmdVerifyImageSignature("verify-image-signature", fullName, f, out, errout),
 			},
 		},
 		{

pkg/cmd/admin/image/openpgp.go

@@ -0,0 +1,162 @@
+package image
+
+// TODO: Remove this wrapper when the 'containers/image' is suitable to pull as godep.
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"golang.org/x/crypto/openpgp"
+)
+
+type SigningMechanism interface {
+	Close() error
+	// SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError.
+	SupportsSigning() error
+	// Sign creates a (non-detached) signature of input using keyIdentity.
+	// Fails with a SigningNotSupportedError if the mechanism does not support signing.
+	Sign(input []byte, keyIdentity string) ([]byte, error)
+	// Verify parses unverifiedSignature and returns the content and the signer's identity
+	Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error)
+}
+
+// A GPG/OpenPGP signing mechanism, implemented using x/crypto/openpgp.
+type openpgpSigningMechanism struct {
+	keyring openpgp.EntityList
+}
+
+// SigningNotSupportedError is returned when trying to sign using a mechanism which does not support that.
+type SigningNotSupportedError string
+
+func (err SigningNotSupportedError) Error() string {
+	return string(err)
+}
+
+// InvalidSignatureError is returned when parsing an invalid signature.
+type InvalidSignatureError struct {
+	msg string
+}
+
+func (err InvalidSignatureError) Error() string {
+	return err.msg
+}
+
+// newGPGSigningMechanismInDirectory returns a new GPG/OpenPGP signing mechanism, using optionalDir if not empty.
+// The caller must call .Close() on the returned SigningMechanism.
+func newGPGSigningMechanismInDirectory(optionalDir string) (SigningMechanism, error) {
+	m := &openpgpSigningMechanism{
+		keyring: openpgp.EntityList{},
+	}
+
+	homeDir := os.Getenv("HOME")
+	gpgHome := optionalDir
+	if gpgHome == "" {
+		gpgHome = os.Getenv("GNUPGHOME")
+		if gpgHome == "" {
+			gpgHome = path.Join(homeDir, ".gnupg")
+		}
+	}
+
+	pubring, err := ioutil.ReadFile(path.Join(gpgHome, "pubring.gpg"))
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return nil, err
+		}
+	} else {
+		_, err := m.importKeysFromBytes(pubring)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return m, nil
+}
+
+// newEphemeralGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism which
+// recognizes _only_ public keys from the supplied blob, and returns the identities
+// of these keys.
+// The caller must call .Close() on the returned SigningMechanism.
+func newEphemeralGPGSigningMechanism(blob []byte) (SigningMechanism, []string, error) {
+	m := &openpgpSigningMechanism{
+		keyring: openpgp.EntityList{},
+	}
+	keyIdentities, err := m.importKeysFromBytes(blob)
+	if err != nil {
+		return nil, nil, err
+	}
+	return m, keyIdentities, nil
+}
+
+func (m *openpgpSigningMechanism) Close() error {
+	return nil
+}
+
+// importKeysFromBytes imports public keys from the supplied blob and returns their identities.
+// The blob is assumed to have an appropriate format (the caller is expected to know which one).
+func (m *openpgpSigningMechanism) importKeysFromBytes(blob []byte) ([]string, error) {
+	keyring, err := openpgp.ReadKeyRing(bytes.NewReader(blob))
+	if err != nil {
+		k, e2 := openpgp.ReadArmoredKeyRing(bytes.NewReader(blob))
+		if e2 != nil {
+			return nil, err // The original error  -- FIXME: is this better?
+		}
+		keyring = k
+	}
+
+	keyIdentities := []string{}
+	for _, entity := range keyring {
+		if entity.PrimaryKey == nil {
+			continue
+		}
+		// Uppercase the fingerprint to be compatible with gpgme
+		keyIdentities = append(keyIdentities, strings.ToUpper(fmt.Sprintf("%x", entity.PrimaryKey.Fingerprint)))
+		m.keyring = append(m.keyring, entity)
+	}
+	return keyIdentities, nil
+}
+
+// SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError.
+func (m *openpgpSigningMechanism) SupportsSigning() error {
+	return SigningNotSupportedError("signing is not supported in github.com/containers/image built with the containers_image_openpgp build tag")
+}
+
+// Sign creates a (non-detached) signature of input using keyIdentity.
+// Fails with a SigningNotSupportedError if the mechanism does not support signing.
+func (m *openpgpSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte, error) {
+	return nil, SigningNotSupportedError("signing is not supported in github.com/containers/image built with the containers_image_openpgp build tag")
+}
+
+// Verify parses unverifiedSignature and returns the content and the signer's identity
+func (m *openpgpSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
+	md, err := openpgp.ReadMessage(bytes.NewReader(unverifiedSignature), m.keyring, nil, nil)
+	if err != nil {
+		return nil, "", err
+	}
+	if !md.IsSigned {
+		return nil, "", errors.New("not signed")
+	}
+	content, err := ioutil.ReadAll(md.UnverifiedBody)
+	if err != nil {
+		return nil, "", err
+	}
+	if md.SignatureError != nil {
+		return nil, "", fmt.Errorf("signature error: %v", md.SignatureError)
+	}
+	if md.SignedBy == nil {
+		return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Invalid GPG signature: %#v", md.Signature)}
+	}
+	if md.Signature.SigLifetimeSecs != nil {
+		expiry := md.Signature.CreationTime.Add(time.Duration(*md.Signature.SigLifetimeSecs) * time.Second)
+		if time.Now().After(expiry) {
+			return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Signature expired on %s", expiry)}
+		}
+	}
+
+	// Uppercase the fingerprint to be compatible with gpgme
+	return content, strings.ToUpper(fmt.Sprintf("%x", md.SignedBy.PublicKey.Fingerprint)), nil
+}

pkg/cmd/admin/image/verify-signature.go

@@ -0,0 +1,220 @@
+package image
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/openshift/origin/pkg/client"
+	"github.com/openshift/origin/pkg/cmd/templates"
+	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
+	imageapi "github.com/openshift/origin/pkg/image/api"
+	"github.com/spf13/cobra"
+	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+)
+
+var (
+	verifyImageSignatureLongDesc = templates.LongDesc(`
+	Verifies the imported image signature using the local public key.
+
+	This command verifies if the signature attached to an image is trusted by
+	using the provided public GPG key.
+	By default this command will not record the signature condition back to the Image object but only
+	print the verification status to the console.
+
+	To record a new condition, you have to pass the "--confirm" flag.
+	`)
+
+	verifyImageSignatureExample = templates.Examples(`
+	# Verify the image signature using the public key and record the status as a condition to image
+	%[1]s sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --public-key=production.gpg --confirm
+	`)
+)
+
+type VerifyImageSignatureOptions struct {
+	InputImage        string
+	PublicKeyFilename string
+	PublicKey         []byte
+	Confirm           bool
+	Remove            bool
+	CurrentUser       string
+
+	Client client.Interface
+	Out    io.Writer
+	ErrOut io.Writer
+}
+
+func NewCmdVerifyImageSignature(name, fullName string, f *clientcmd.Factory, out, errOut io.Writer) *cobra.Command {
+	opts := &VerifyImageSignatureOptions{ErrOut: errOut, Out: out}
+	cmd := &cobra.Command{
+		Use:     fmt.Sprintf("%s IMAGE [--confirm]", name),
+		Short:   "Verifies the given IMAGE signature with local public key",
+		Long:    verifyImageSignatureLongDesc,
+		Example: fmt.Sprintf(verifyImageSignatureExample, name),
+		Run: func(cmd *cobra.Command, args []string) {
+			kcmdutil.CheckErr(opts.Complete(f, cmd, args, out))
+			if opts.Remove {
+				kcmdutil.CheckErr(opts.removeImageSignature())
+			} else {
+				kcmdutil.CheckErr(opts.Run())
+			}
+		},
+	}
+
+	cmd.Flags().BoolVar(&opts.Confirm, "confirm", opts.Confirm, "If true, the result of the verification will be recorded to an image object.")
+	cmd.Flags().BoolVar(&opts.Remove, "remove", opts.Remove, "If set, the current signature verification will be removed from the image.")
+	cmd.Flags().StringVar(&opts.PublicKeyFilename, "public-key", opts.PublicKeyFilename, "A path to a public GPG key to be used for verification.")
+	return cmd
+}
+
+func (o *VerifyImageSignatureOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, args []string, out io.Writer) error {
+	if len(args) != 1 {
+		return kcmdutil.UsageError(cmd, "exactly one image must be specified")
+	}
+	o.InputImage = args[0]
+	var err error
+
+	// If --public-key is provided only this key will be used for verification and the
+	// .gnupg/pubring.gpg will be ignored.
+	if len(o.PublicKeyFilename) > 0 {
+		o.PublicKey, err = ioutil.ReadFile(o.PublicKeyFilename)
+		if err != nil {
+			return err
+		}
+	}
+	if o.Client, _, err = f.Clients(); err != nil {
+		return err
+	}
+	if o.Confirm && !o.Remove {
+		if me, err := o.Client.Users().Get("~"); err != nil {
+			return err
+		} else {
+			o.CurrentUser = me.Name
+		}
+	}
+
+	return nil
+}
+
+// verifySignature verifies the image signature and return the identity when the signature
+// is valid.
+// TODO: This should be calling the 'containers/image' library in future.
+func (o *VerifyImageSignatureOptions) verifySignature(signature []byte) (string, error) {
+	var (
+		mechanism SigningMechanism
+		err       error
+	)
+	// If public key is specified, use JUST that key for verification. Otherwise use all
+	// keys in local GPG public keyring.
+	if len(o.PublicKeyFilename) == 0 {
+		mechanism, err = newGPGSigningMechanismInDirectory("")
+	} else {
+		mechanism, _, err = newEphemeralGPGSigningMechanism(o.PublicKey)
+	}
+	if err != nil {
+		return "", err
+	}
+	defer mechanism.Close()
+	_, identity, err := mechanism.Verify(signature)
+	if err != nil {
+		return "", err
+	}
+	return string(identity), nil
+}
+
+// removeImageSignature removes the current image signature from the Image object by
+// erasing all signature fields that were previously set (when image signature was
+// previously verified).
+func (o *VerifyImageSignatureOptions) removeImageSignature() error {
+	img, err := o.Client.Images().Get(o.InputImage)
+	if err != nil {
+		return err
+	}
+	if len(img.Signatures) == 0 {
+		return fmt.Errorf("%s does not have signature", img.Name)
+	}
+	if !o.Confirm {
+		fmt.Fprintf(o.Out, "(add --confirm to record signature verification status to server\n")
+		return nil
+	}
+	for i := range img.Signatures {
+		newConditions := []imageapi.SignatureCondition{}
+		img.Signatures[i].Conditions = newConditions
+		img.Signatures[i].IssuedBy = nil
+	}
+	_, err = o.Client.Images().Update(img)
+	return err
+}
+
+func (o *VerifyImageSignatureOptions) Run() error {
+	img, err := o.Client.Images().Get(o.InputImage)
+	if err != nil {
+		return err
+	}
+	if len(img.Signatures) == 0 {
+		return fmt.Errorf("%s does not have signature", img.Name)
+	}
+
+	for i, s := range img.Signatures {
+		// Do the actual verification of the image signature
+		signedBy, signatureErr := o.verifySignature(s.Content)
+
+		if signatureErr != nil {
+			if o.Confirm {
+				fmt.Fprintf(o.ErrOut, "%s: %v\n", o.InputImage, signatureErr)
+			} else {
+				return fmt.Errorf("%s: %v", o.InputImage, signatureErr)
+			}
+		} else {
+			fmt.Fprintf(o.Out, "%s signature is verified (signed by key: %q)\n", o.InputImage, signedBy)
+		}
+
+		if signatureErr != nil {
+			// If an error occured during signature verification, remove the verified fields
+			// (if present).
+			fmt.Fprintf(o.ErrOut, "%s signature cannot be verified: %v\n", o.InputImage, signatureErr)
+			if err := o.removeImageSignature(); err == nil {
+				os.Exit(1)
+			} else {
+				return err
+			}
+		}
+
+		if o.Confirm {
+			now := unversioned.Now()
+			newConditions := []imageapi.SignatureCondition{
+				{
+					Type:               imageapi.SignatureTrusted,
+					Status:             kapi.ConditionTrue,
+					LastProbeTime:      now,
+					LastTransitionTime: now,
+					Reason:             "verified manually",
+					Message:            fmt.Sprintf("verified by user %s", o.CurrentUser),
+				},
+				// FIXME: This condition is required to be set for validation.
+				{
+					Type:               imageapi.SignatureForImage,
+					Status:             kapi.ConditionTrue,
+					LastProbeTime:      now,
+					LastTransitionTime: now,
+				},
+			}
+			img.Signatures[i].Conditions = newConditions
+			img.Signatures[i].IssuedBy = &imageapi.SignatureIssuer{}
+			// TODO: This should not be just a key id but a human-readable identity.
+			img.Signatures[i].IssuedBy.CommonName = signedBy
+			// Record updated information back to the server
+			if _, err := o.Client.Images().Update(img); err != nil {
+				return err
+			}
+		} else {
+			fmt.Fprintf(o.Out, "(add --confirm to record signature verification status to server\n")
+			return nil
+		}
+
+	}
+	return nil
+}