Allow the gpg keyring to be configured #3852
Comments
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 2, 2023
GPG creates a directory $HOME/.gnupg/ every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 2, 2023
GPG creates a directory $HOME/.gnupg/ every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
3 tasks
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 2, 2023
GPG creates a directory `$HOME/.gnupg/` every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
Signed-off-by: mhorky <mhorky@redhat.com>
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 2, 2023
* Jira ID: RHEL-2480
* RHBZ ID: 2077777
GPG creates a directory `$HOME/.gnupg/` every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
Signed-off-by: mhorky <mhorky@redhat.com>
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 9, 2023
* Jira ID: RHEL-2480
* RHBZ ID: 2077777
GPG creates a directory `$HOME/.gnupg/` every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
Signed-off-by: mhorky <mhorky@redhat.com>
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 10, 2023
* Jira ID: RHEL-2480
* RHBZ ID: 2077777
GPG creates a directory `$HOME/.gnupg/` every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
Signed-off-by: mhorky <mhorky@redhat.com>
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 10, 2023
* Jira ID: RHEL-2480
* RHBZ ID: 2077777
GPG creates a directory `$HOME/.gnupg/` every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
Signed-off-by: mhorky <mhorky@redhat.com>
m-horky
added a commit
to m-horky/insights-core
that referenced
this issue
Oct 10, 2023
* Jira ID: RHEL-2480
* RHBZ ID: 2077777
GPG creates a directory `$HOME/.gnupg/` every time it performs some
operation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which causes SELinux denials.
This patch utilizes the `--homedir` argument GPG supports in order to
move the home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
You can verify this patch by performing the following actions:
1/ Create your own GPG key pair
~ $ gpg --full-generate-key
~ $ gpg --list-secret-keys --keyid-format long
~ $ (key identifier is on line `sec`, after the slash)
~ $ KEYID=9F2B2565A7CC100E # (for example)
~ $ gpg --armor --export $KEYID > $HOME/.gnupg/my-key.pub.gpg
~ $ gpg --armor --export-secret-keys $KEYID > $HOME/.gnupg/my-key.gpg
2/ Ensure you have created the egg zip file
~/insights-core $ bash build_client_egg.sh
3/ Sign the egg
~/insights-core $ gpg --detach-sign -u $KEYID --armor insights.zip
4/ Use it in the client
~/insights-client $ sudo PYTHONPATH=./src \
EGG=../insights-core/insights.zip \
EXTRA_GPG_KEY=$HOME/.gnupg/my-key.pub.gpg \
./builddir/src/insights-client --verbose
Please note that this change is also required in insights-client; until
then, you have to pass in `BYPASS_GPG=True` to skip GPG verification
on the client side.
By introducing the EXTRA_GPG_KEY environment variable, this patch also
resolves RedHatInsights#3852.
Signed-off-by: mhorky <mhorky@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The gpg keyring used to verify that a playbook to be executed by a worker is currently hardcoded to a keyring file that we install as part of insights-core. This is good for security in production but it would be nice if there was a way to change this value for development and testing of the workers. In that use case, a developer wants to be able to write a script, sign it, have their worker process it as if it came from rhcd, and then verify that the script returned the expected output. If the only valid key is what we ship, then they would have to have their test scripts signed by the production keyring (which has other, negative security implications as well...) to execute that test.
The text was updated successfully, but these errors were encountered: