Add docker-based in-toto apt transport demo #25
base: develop
Add a dummy Debian package based on the "hello-world" package tutorial http://wiki.opf-labs.org/display/SP/The+Hello+World+Debian+Package. Also add two builds created with dpkg-buildpackage (see tutorial). One of the builds is used as an "ok" version and the other as a "bad", i.e. compromised, version of the package.

Add gpg keyring (copy of tests/data/gpg_keyring) with keys for Alice, Bobby and Carly. Alice's key is used to sign both the demo root layout and the demo archives. This is purely done for convenience; in real life different keys should be used. Bobby and Carly are each used to sign rebuilder link metadata. Other demo data includes the link metadata served by the demo rebuilder, the root layout and the apt in-toto config file.
All components used for the demo are defined as docker compose services:

- *mirror.ok* and *mirror.bad* each set up a basic Debian archive that serves a single `demo-package`. *mirror.ok* serves a package whose hash corresponds to the rebuilder results. *mirror.bad* does not.
- *rebuilder.a* and *rebuilder.b* each statically serve in-toto link metadata, to provide the signed rebuild evidence for `demo-package`.
- *client* is a pre-configured Debian host, which is set up to demonstrate the installation.
Add demo command snippets and background information.
- Make all log messages bold to better distinguish them from apt notifications.
- Colorize failure and success messages.
- Shorten the error message sent to apt, because we have to escape newlines, which aren't un-escaped when apt prints them.
- Add newlines where appropriate.

Note that tests that expect the transport to emit certain messages fail due to output updates in 660f622. Before merging we need to either revert the output updates or update the test cases.
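As an added example (not code from this PR or from the apt-transport-in-toto project), the two output concerns raised in the commit message above: terminal colors only when the logger actually writes to a TTY, and a single-line, escape-free message for apt, since apt does not un-escape newlines. The `401 General Failure` / `Message:` shape of the apt method message and all function names are assumptions.

```python
import re
import sys

# ANSI sequences as used in the PR hunks: blue for success, red for failure.
ANSI_BLUE = "\033[34m"
ANSI_RED = "\033[31m"
ANSI_RESET = "\033[0m"
# Matches any SGR (color/style) escape sequence so it can be stripped.
ANSI_ESCAPE_RE = re.compile("\x1b\\[[0-9;]*m")


def colorize(text, color, is_tty=None):
    """Wrap text in an ANSI color only when the output is a terminal.

    is_tty is a hypothetical override for tests; by default stderr is
    checked, since escape bytes in a log file or journal are just noise.
    """
    if is_tty is None:
        is_tty = sys.stderr.isatty()
    if not is_tty:
        return text
    return "{}{}{}".format(color, text, ANSI_RESET)


def apt_message_field(text):
    """Fold a free-form message into one apt method 'Message:' value.

    The apt method protocol is line-oriented (Key: Value lines ended by a
    blank line), so a raw newline inside a value would start a new field,
    and apt does not un-escape '\\n'. Terminal escapes are removed as well.
    """
    plain = ANSI_ESCAPE_RE.sub("", text)
    return " ".join(l.strip() for l in plain.splitlines() if l.strip())


def verification_failed_message(filename, reason, is_tty=False):
    """Return (log_line, apt_message) for a failed in-toto verification.

    log_line is what the transport's logger prints (multi-line, optionally
    colored); apt_message is the assumed 401 message handed to apt.
    """
    header = "In-toto verification for '{}' failed:".format(filename)
    log_line = "{}\n{}".format(colorize(header, ANSI_RED, is_tty), reason)
    apt_message = "401 General Failure\nMessage: {}\n\n".format(
        apt_message_field(log_line))
    return log_line, apt_message
```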
build: | ||
context: .. | ||
dockerfile: demo/Dockerfile-client | ||
tty: true |
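Review bot: `context: ..` makes the whole repository the build context for `demo/Dockerfile-client`, so everything under the project root (including the demo keyring data added in this PR) is sent to the Docker daemon and can be copied into the image; a `.dockerignore` or a narrower context such as `demo/` would keep unrelated files out of the client image.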
GitHub is showing this "no newline at EOF" error. I'm not sure if that's a concern.
Maybe minor comments would be helpful here so someone doesn't have to go back to the README to tell what's going on.
logger.info("In-toto verification for '{}' passed! :)".format(filename)) | ||
# Colorize (blue) success message | ||
logger.info("\033[34mIn-toto verification for '{}' passed! :)\033[0m" | ||
.format(filename)) |
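Review bot: The `\033[34m` ... `\033[0m` escape sequences are emitted unconditionally, so they will land as raw bytes in any non-terminal sink of the logger (a log file, journald, or test output); consider gating the color codes on `sys.stderr.isatty()` or a config flag, and keeping the plain text as the message apt and the tests see.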
The SSL guidelines seem to favor string concatenation over string formatting. Not sure if this is a big deal.
in-toto projects favor format over string concatenation pretty much everywhere. :)
Is this one waiting for something in particular?
RUN echo 'autocmd BufRead,BufNewFile metadata* set filetype=json' >> ~/.vimrc | ||
|
||
|
||
# NOTE: Below setup will be replaced by `apt-get install apt-transport-intoto` |
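Review bot: The NOTE names the package `apt-transport-intoto`, while the Debian package referred to elsewhere in this thread is `apt-transport-in-toto`; align the name in the comment so the intended replacement `apt-get install` line is correct when the manual setup is removed.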
Can we use https://packages.debian.org/sid/apt-transport-in-toto now?
```bash | ||
# In project root | ||
docker-compose -f demo/docker-compose.yml up | ||
|
@@ -650,7 +651,8 @@ def _intoto_verify(message_data): | |||
in_toto.verifylib.in_toto_verify(layout, layout_keys) | |||
|
|||
except Exception as e: | |||
error_msg = ("In-toto verification for '{}' failed, reason was: {}" | |||
# Colorize (red) error message | |||
error_msg = ("\033[31mIn-toto verification for '{}' failed:\033[0m\n{}" |
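Review bot: The new `error_msg` embeds a literal `\n` after the reset sequence, but the commit message in this PR states that newlines in messages sent to apt must be escaped and are not un-escaped when apt prints them; if this string is passed to apt as well as to the logger, either keep the apt copy on one line or escape it at the point where it is sent, and note that `{}` formatted with the exception text can itself contain newlines and color codes are meaningless to apt.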
nit: should in-toto be capitalized here?
Fixes issue #: None

Description of the changes being introduced by the pull request: See commit messages and demo/README.md for details.

Files to consider for review: demo/README.md (most importantly), demo/docker-compose.yml and the demo/Dockerfile-* files.

Please verify and check that the pull request fulfills the following requirements: