diff --git a/demo/Dockerfile-client b/demo/Dockerfile-client
new file mode 100644
index 0000000..57ef507
--- /dev/null
+++ b/demo/Dockerfile-client
@@ -0,0 +1,33 @@
+FROM debian:unstable-slim
+
+# Install Python required for in-toto and some tools handy for demoing
+RUN apt-get update \
+ && apt-get install -y python3-pip vim wget gpg iputils-ping apt-utils apt-transport-in-toto
+
+# Add custom archive release key to apt keyring (see Dockerfile-mirror)
+COPY demo/alice.asc /tmp/release.key
+RUN apt-key add /tmp/release.key
+
+# Add bash niceness for demoing, i.e. colored ls, json synax highlighting for
+# in-toto/rebuilder metadata in vim, custom demo prompt
+RUN echo 'alias ls="ls --color=auto"' >> ~/.bashrc
+RUN echo 'PS1="demo:\w # "' >> ~/.bashrc
+RUN echo 'colo delek' >> ~/.vimrc
+RUN echo 'syntax on' >> ~/.vimrc
+RUN echo 'autocmd BufRead,BufNewFile *.layout set filetype=json' >> ~/.vimrc
+RUN echo 'autocmd BufRead,BufNewFile metadata* set filetype=json' >> ~/.vimrc
+
+
+# NOTE: Below setup will be replaced by `apt-get install apt-transport-intoto`
+# (see in-toto/apt-transport-in-toto#11)
+
+# Manually copy apt config file, root layout and root layout key
+COPY demo/intoto.conf /etc/apt/apt.conf.d/intoto
+COPY demo/root.layout /etc/intoto/root.layout
+COPY demo/alice.asc /etc/intoto/root.asc
+
+# Import root layout key to default keychain
+RUN gpg --import /etc/intoto/root.asc
+
+# Patch sources.list to retrieve packages from mock mirror
+RUN echo deb http://mirror.ok/debian/ unstable main > /etc/apt/sources.list
diff --git a/demo/Dockerfile-mirror b/demo/Dockerfile-mirror
new file mode 100644
index 0000000..465fb36
--- /dev/null
+++ b/demo/Dockerfile-mirror
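Review bot: `RUN apt-key add /tmp/release.key` puts the demo archive key into apt's global trusted keyring, where it can sign any source the client is later pointed at rather than only the mock mirror, and `apt-key` is deprecated on current Debian; copying the key to `/etc/apt/keyrings/demo.asc` and writing `deb [signed-by=/etc/apt/keyrings/demo.asc] http://mirror.ok/debian/ unstable main` in the last `RUN` line scopes the trust to that archive. The `apt-get update \ && apt-get install` layer keeps `/var/lib/apt/lists` in the image; appending `&& rm -rf /var/lib/apt/lists/*` trims it, and `FROM debian:unstable-slim` is a floating tag, so two builds of the client image are not guaranteed to match. The NOTE comment refers to `apt-get install apt-transport-intoto` while the install line above uses `apt-transport-in-toto`; one of the two package names looks wrong.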
@@ -0,0 +1,22 @@
+FROM debian:sid-slim
+
+# The passed mirror name is used to decide which package to serve
+# (see service definition in docker-compose.yml)
+ARG name
+
+RUN apt-get update && apt-get install -y nginx apt-utils gpg
+
+# Copy deb package to be served for the passed name
+COPY demo-package_1.0.0_all.deb.${name} \
+ /var/www/html/debian/pool/main/demo-package_1.0.0_all.deb
+
+# Copy gpg keyring used to sign the release (see archive.sh)
+COPY keyring /tmp/keyring
+
+# Copy and run archive creation script
+COPY archive.sh /tmp/archive.sh
+RUN chmod +x /tmp/archive.sh
+RUN /tmp/archive.sh
+
+# Start nginx server to serve archive
+CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/demo/Dockerfile-rebuilder b/demo/Dockerfile-rebuilder
new file mode 100644
index 0000000..ed744b7
--- /dev/null
+++ b/demo/Dockerfile-rebuilder
@@ -0,0 +1,3 @@
+FROM nginx
+ARG keyid
+COPY rebuild.${keyid}.link /usr/share/nginx/html/sources/demo-package/1.0.0/metadata
\ No newline at end of file
diff --git a/demo/README.md b/demo/README.md
new file mode 100644
index 0000000..bd4a6a1
--- /dev/null
+++ b/demo/README.md
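Review bot: `COPY keyring /tmp/keyring` bakes the archive signing keyring, including the `keyring/secring.gpg` added by this commit, into an image layer, where it remains extractable from the served mirror image even if a later step deleted it. For a throwaway demo key that is acceptable, but a comment such as `# Demo-only throwaway key; a real signing key must never be COPY'd into a layer (use --mount=type=secret)` above the line would stop the pattern from being copied elsewhere. `FROM debian:sid-slim` is a floating tag and the `apt-get update && apt-get install` line leaves the package lists in the layer; `&& rm -rf /var/lib/apt/lists/*` would trim it. `RUN chmod +x /tmp/archive.sh` followed by `RUN /tmp/archive.sh` can be a single `RUN sh /tmp/archive.sh`.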
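Review bot: `FROM nginx` in Dockerfile-rebuilder pins nothing, so each build pulls whatever `nginx:latest` is at the time and the two rebuilder images can diverge between builds; an explicit version tag (e.g. `FROM nginx:1.17`) or a digest fixes that. The served path `/usr/share/nginx/html/sources/demo-package/1.0.0/metadata` is a contract with the `Rebuilders` URLs in `intoto.conf` and the README's `wget` lines; a one-line comment, `# Served as http://rebuilder.<x>/sources/demo-package/1.0.0/metadata (see intoto.conf)`, would make that visible here.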
@@ -0,0 +1,80 @@
+# in-toto apt transport demo
+
+The commands in this document may be used to demonstrate two scenarios of
+installing a Debian package with the in-toto apt transport, using a generic
+[*rebuild layout*](root.layout), which requires a treshold of two trusted
+rebuilders to agree on the package to be installed.
+
+In the first scenario the rebuilder results and the served package align and
+the installation succeeds. In the second scenario, the mirror servers a package
+with a hash that does not correspond to the rebuild results and thus in-toto
+aborts installation.
+
+All components used for this demo are defined as docker compose services in
+[`docker-compose.yml`](docker-compose.yml):
+
+- *mirror.ok* and *mirror.bad* each set up a basic Debian archive that serves
+ a single `demo-package`. *mirror.ok* serves a package, whose hash
+ corresponds to the rebuilder results. *mirror.bad* does not.
+- *rebuilder.a* and *rebuilder.b* each statically serve in-toto link metadata,
+ to provide the signed rebuild evidence for `demo-package`.
+- *client* is a pre-configured Debian host, which is set up to demonstrate the
+ installation.
+
+
+## Create and run services
+Use the following command to start all services in the same virtual network
+
+```bash
+# In project root
+docker-compose -f demo/docker-compose.yml up
+
+```
+
+## Attach to client
+Use the following command to connect to client service started above
+```bash
+# In a new terminal
+docker exec -it $(docker ps -qf "name=client") bash
+```
+
+## Scenario 1: Successfully install verified package
+```bash
+# In client bash
+
+# Optional: Browse config file, root layout and root key
+vi /etc/apt/apt.conf.d/intoto
+vi /etc/intoto/root.layout
+gpg --list-keys
+
+# Enable in-toto transport in sources.list
+vi -c :s/http/intoto/g /etc/apt/sources.list
+
+# Update apt and install demo package
+apt-get update && apt-get install demo-package
+
+# Check apt output...
+
+# Optional: Take a look at the used rebuilder link metadata
+wget -q -O - rebuilder.a/sources/demo-package/1.0.0/metadata | vi -
+wget -q -O - rebuilder.b/sources/demo-package/1.0.0/metadata | vi -
+
+```
+
+## Scenario 2: Abort installation of package served from malicious mirror
+
+```bash
+# In client bash
+
+# Remove demo package if installed above
+apt-get remove demo-package
+
+# Change mirror in sources.list
+vi -c :s/ok/bad/g /etc/apt/sources.list
+
+# Update apt and install demo package (will fail)
+apt-get update && apt-get install demo-package
+
+# Check apt output...
+
+```
\ No newline at end of file
diff --git a/demo/alice.asc b/demo/alice.asc
new file mode 100644
index 0000000..dbc60ae
--- /dev/null
+++ b/demo/alice.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFwJRhkBCACqoenU2d9ds+0WwIjF0Q2+tYIO8pKC1Wxfjjlo7EvjofFLejV5
+gg0brd2KsioCOjVbzOgIaDzqTf5Z64VH51qhMLQpkHuYamChUNWCImlq9LNzTX3/
+Hr9Mva2K6IWa382Vy0R8gdcE1L9ICwc20Y3SnuNjDTDYu73Mqzl+J+/s2vol+zqj
+XEv5WQzeo+yttGdKtaqAON/kWryCyTenk++JjRb2fyTrsxW5HkYeTEdNbelcKKXp
+BFS2QJuJRwVMnThkueIxCtLVcIyHD4DtXvTcEmfTHZDlSEPzBVwroCR3qjBxJQj1
++GaYlTsWQ+af7N/dVtgcTpa73YxLxl4XLtd9ABEBAAG0F0FsaWNlIDxhbGljZUBh
+bGljZS5jb20+iQE4BBMBAgAiBQJcCUYZAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRBy4zyj4OBORsNNB/4u0MS3iXJPKR+0ps/xn8G5aKcccUo+1JLNaZ8H
+4WqAzLLQPRk0UgoNHXzr7anvHDKZlrgpSEuu6zJi/ysVLxqgvHMXoaVrBHndCC7g
+lKarOVQmFgiO9S5t3x/f+tdS+i5FDBauS3jQ0mKVkV3CPKQOq9qb5s1GPMtWIRkT
+Bq6T45vy5MdcgFreuvr0/SkRXdOn808InRaKZlHOOnG4Gp1jPxBFCRTbpz48jGeE
+UhXXP+/eygSvdpoo4Aybx9wWrKQz7GPusU8660FAN5SmmFdj+cr1H0Rp3yVPmvxe
+W5w5H88MEPNeiF0Ui57hPQinv9xDORgHMkp2rtWPAv6MZuwTuQENBFwJRhkBCADW
+Rfv/Z6hEjicX53QjMFZisiuMSjRxngWIHvMKMZDxx1sSvAkglUMv5QVBgLtBfam0
+SIfnSxPIwaZ0Ljd32aadnsof7S8sLERpqS2ZutD4COC5cLp3SuoGZ096kxAL7U1J
+5pOjBR6SUZeiewNZ5DT47Z3TB8rfQ67e0jkg59xE6J8LOIfPIgcXg+7Kr9Ab/EXz
+gHA2vwKaopb+kHH6QzUJGorX/9x+KA1NMk1TJt7zuBZ+XbFqvwNo3A7qEW42c6QM
+//obR4cce0QIqBlKxT9SHYQ1lvTMRmpPx7UdWr2Pf6awU1lWad9VNq0HtGO+EEXy
+BCZXcE52pgyuScSL0R49ABEBAAGJAR8EGAECAAkFAlwJRhkCGwwACgkQcuM8o+Dg
+TkYGBAf+MTvsUYRcN5tfMDsXkbmAvO1dYLvAXyhEFX6X8R1ZiS6AYlZnwVaRXyTC
+Qf6G3MVsjLNIRQCTdtt/wjhAO3m67zDR8I+77GVRqSzdjz+iYudjgdnDYwRXCpCe
+co+87M9mwkjTDEOkAW1R8s04TLPksfTrl5Cfl4ncYRBIASeklVEyYKC06OLJ1gT7
+cCbEJHPe6wKto7JLXlNSEDKqCXNjJmMh4SFu68SQ15w3gc8eDqHG+ZFEjbghGx+X
+Z7kC5X1UmcQA+Z/ArweCi0pi+XGhYhIXab2/NareGsB9MBRhk9t31IcguKv1EUMq
+DeKCPetzGh3XTubL7vSl84xQ9MV1xQ==
+=qRqp
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/demo/archive.sh b/demo/archive.sh
new file mode 100644
index 0000000..58541b1
--- /dev/null
+++ b/demo/archive.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+# Create a small public archive
+# https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_small_public_package_archive
+cd /var/www/html/debian
+mkdir -p dists/unstable/main/binary-amd64
+mkdir -p dists/unstable/main/source
+cat > dists/unstable/main/binary-amd64/Release << EOF
+Archive: unstable
+Version: 4.0
+Component: main
+Origin: Foo
+Label: Foo
+Architecture: amd64
+EOF
+
+cat > dists/unstable/main/source/Release << EOF
+Archive: unstable
+Version: 4.0
+Component: main
+Origin: Foo
+Label: Foo
+Architecture: source
+EOF
+
+cat >aptftp.conf <aptgenerate.conf < dists/unstable/Release
+
+gpg --homedir /tmp/keyring -u 88876A89E3D4698F83D3DB0E72E33CA3E0E04E46 \
+ -bao dists/unstable/Release.gpg dists/unstable/Release
diff --git a/demo/demo-package/demo-package_1.0.0/debian/changelog b/demo/demo-package/demo-package_1.0.0/debian/changelog
new file mode 100644
index 0000000..93c9179
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/changelog
@@ -0,0 +1,5 @@
+demo-package (1.0.0) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Lukas P Mon, 03 Jun 2019 12:00:00 +0000
diff --git a/demo/demo-package/demo-package_1.0.0/debian/compat b/demo/demo-package/demo-package_1.0.0/debian/compat
new file mode 100644
index 0000000..9a03714
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/compat
@@ -0,0 +1 @@
+10
\ No newline at end of file
diff --git a/demo/demo-package/demo-package_1.0.0/debian/control b/demo/demo-package/demo-package_1.0.0/debian/control
new file mode 100644
index 0000000..1deddf3
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/control
@@ -0,0 +1,12 @@
+Source: demo-package
+Section: misc
+Priority: extra
+Maintainer: Lukas P
+Build-Depends: debhelper
+Standards-Version: 4.0.0
+Homepage: in-toto.io
+
+Package: demo-package
+Architecture: all
+Depends: ${misc:Depends}
+Description: A package for in-toto apt transport demo
\ No newline at end of file
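Review bot: The script has no `set -e`, so if `cd /var/www/html/debian` fails the following `mkdir -p dists/...` and `cat > dists/...` lines run relative to whatever the working directory happens to be and the `RUN /tmp/archive.sh` step in Dockerfile-mirror still reports success; `set -eu` right after the shebang (or `cd /var/www/html/debian || exit 1`) makes the image build fail instead. The `gpg --homedir /tmp/keyring -u 88876A89…` line signs the Release file with a keyring that ships in the repository, which is fine for the demo but deserves a comment, e.g. `# Demo-only key from demo/keyring; never reuse this pattern with a real signing key`. Between the second `EOF` and the `gpg` call the hunk as rendered here collapses to `cat >aptftp.conf <aptgenerate.conf < dists/unstable/Release`, which looks like the apt-ftparchive configuration heredocs and the `apt-ftparchive` invocations were lost in extraction, so that part of the 64-line hunk could not be reviewed.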
diff --git a/demo/demo-package/demo-package_1.0.0/debian/copyright b/demo/demo-package/demo-package_1.0.0/debian/copyright
new file mode 100644
index 0000000..5ad050c
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/copyright
@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: apt-transport-in-toto
+Source: https://github.com/in-toto/apt-transport-in-toto
+
+Files: *
+Copyright: 2018 New York University
+License: Apache-2.0
+.
+Copyright 2018 New York University
+.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+.
+ http://www.apache.org/licenses/LICENSE-2.0
+.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/demo/demo-package/demo-package_1.0.0/debian/install b/demo/demo-package/demo-package_1.0.0/debian/install
new file mode 100644
index 0000000..601c815
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/install
@@ -0,0 +1 @@
+demo-package usr/bin/
diff --git a/demo/demo-package/demo-package_1.0.0/debian/rules b/demo/demo-package/demo-package_1.0.0/debian/rules
new file mode 100755
index 0000000..718640c
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/rules
@@ -0,0 +1,16 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#DH_VERBOSE = 1
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
+# package maintainers to append LDFLAGS
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+%:
+ dh $@
\ No newline at end of file
diff --git a/demo/demo-package/demo-package_1.0.0/debian/source/format b/demo/demo-package/demo-package_1.0.0/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/demo/demo-package/demo-package_1.0.0/demo-package b/demo/demo-package/demo-package_1.0.0/demo-package
new file mode 100755
index 0000000..18d0b96
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/demo-package
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Hello, reproducible builds + in-toto + apt demo!"
diff --git a/demo/demo-package/demo-package_1.0.0_all.deb.good b/demo/demo-package/demo-package_1.0.0_all.deb.good
new file mode 100644
index 0000000..c5ca173
Binary files /dev/null and b/demo/demo-package/demo-package_1.0.0_all.deb.good differ
diff --git a/demo/demo-package_1.0.0_all.deb.mirror.bad b/demo/demo-package_1.0.0_all.deb.mirror.bad
new file mode 100644
index 0000000..0ef8294
Binary files /dev/null and b/demo/demo-package_1.0.0_all.deb.mirror.bad differ
diff --git a/demo/demo-package_1.0.0_all.deb.mirror.ok b/demo/demo-package_1.0.0_all.deb.mirror.ok
new file mode 100644
index 0000000..c5ca173
Binary files /dev/null and b/demo/demo-package_1.0.0_all.deb.mirror.ok differ
diff --git a/demo/docker-compose.yml b/demo/docker-compose.yml
new file mode 100644
index 0000000..0fd8252
--- /dev/null
+++ b/demo/docker-compose.yml
@@ -0,0 +1,43 @@
+version: "3.7"
+services:
+ mirror.ok:
+ build:
+ context: .
+ dockerfile: Dockerfile-mirror
+ args:
+ name: mirror.ok
+ expose:
+ - "80"
+
+ mirror.bad:
+ build:
+ context: .
+ dockerfile: Dockerfile-mirror
+ args:
+ name: mirror.bad
+ expose:
+ - "80"
+
+ rebuilder.a:
+ build:
+ context: .
+ dockerfile: Dockerfile-rebuilder
+ args:
+ keyid: 5863835e
+ expose:
+ - "80"
+
+ rebuilder.b:
+ build:
+ context: .
+ dockerfile: Dockerfile-rebuilder
+ args:
+ keyid: e946fc60
+ expose:
+ - "80"
+
+ client:
+ build:
+ context: ..
+ dockerfile: demo/Dockerfile-client
+ tty: true
\ No newline at end of file
diff --git a/demo/intoto.conf b/demo/intoto.conf
new file mode 100644
index 0000000..f58127f
--- /dev/null
+++ b/demo/intoto.conf
@@ -0,0 +1,11 @@
+APT::Intoto {
+ LogLevel {"20"};
+ Rebuilders {
+ "http://rebuilder.a";
+ "http://rebuilder.b";
+ };
+ Layout {"/etc/intoto/root.layout"};
+ Keyids {
+ "88876A89E3D4698F83D3DB0E72E33CA3E0E04E46"
+ };
+};
diff --git a/demo/keyring/pubring.gpg b/demo/keyring/pubring.gpg
new file mode 100644
index 0000000..390af60
Binary files /dev/null and b/demo/keyring/pubring.gpg differ
diff --git a/demo/keyring/random_seed b/demo/keyring/random_seed
new file mode 100644
index 0000000..1e4f231
Binary files /dev/null and b/demo/keyring/random_seed differ
diff --git a/demo/keyring/secring.gpg b/demo/keyring/secring.gpg
new file mode 100644
index 0000000..35a9343
Binary files /dev/null and b/demo/keyring/secring.gpg differ
diff --git a/demo/keyring/trustdb.gpg b/demo/keyring/trustdb.gpg
new file mode 100644
index 0000000..a0453fb
Binary files /dev/null and b/demo/keyring/trustdb.gpg differ
diff --git a/demo/rebuild.5863835e.link b/demo/rebuild.5863835e.link
new file mode 100644
index 0000000..fd08a9c
--- /dev/null
+++ b/demo/rebuild.5863835e.link
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+ {
+ "keyid": "5863835e5ec8e640fa24410f069edc1d59b58507",
+ "other_headers": "04000108001d1621045863835e5ec8e640fa24410f069edc1d59b5850705025cf69068",
+ "signature": "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"
+ }
+ ],
+ "signed": {
+ "_type": "link",
+ "byproducts": {},
+ "command": [],
+ "environment": {},
+ "materials": {},
+ "name": "rebuild",
+ "products": {
+ "demo-package_1.0.0_all.deb": {
+ "sha256": "6c2147cc1a69c549a7cc5cbc493597df783d65e1b3b62256c1d08305ef9c3d94"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/demo/rebuild.e946fc60.link b/demo/rebuild.e946fc60.link
new file mode 100644
index 0000000..956a1c7
--- /dev/null
+++ b/demo/rebuild.e946fc60.link
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+ {
+ "keyid": "e946fc6076d683584e6803dbd35bad6a79a3c6b3",
+ "other_headers": "04000108001d162104e946fc6076d683584e6803dbd35bad6a79a3c6b305025cf6906f",
+ "signature": "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"
+ }
+ ],
+ "signed": {
+ "_type": "link",
+ "byproducts": {},
+ "command": [],
+ "environment": {},
+ "materials": {},
+ "name": "rebuild",
+ "products": {
+ "demo-package_1.0.0_all.deb": {
+ "sha256": "6c2147cc1a69c549a7cc5cbc493597df783d65e1b3b62256c1d08305ef9c3d94"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/demo/root.layout b/demo/root.layout
new file mode 100644
index 0000000..0fe2e12
--- /dev/null
+++ b/demo/root.layout
@@ -0,0 +1,127 @@
+{
+ "signatures": [
+ {
+ "keyid": "88876a89e3d4698f83d3db0e72e33ca3e0e04e46",
+ "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e46050260d49da1",
+ "signature": "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"
+ }
+ ],
+ "signed": {
+ "_type": "layout",
+ "expires": "2022-01-06T18:30:57Z",
+ "inspect": [
+ {
+ "_type": "inspection",
+ "expected_materials": [
+ [
+ "MATCH",
+ "*.deb",
+ "WITH",
+ "PRODUCTS",
+ "FROM",
+ "rebuild"
+ ],
+ [
+ "DISALLOW",
+ "*.deb"
+ ]
+ ],
+ "expected_products": [],
+ "name": "verify-reprobuilds",
+ "run": [
+ "true"
+ ]
+ }
+ ],
+ "keys": {
+ "5863835e5ec8e640fa24410f069edc1d59b58507": {
+ "hashes": [
+ "pgp+SHA2"
+ ],
+ "keyid": "5863835e5ec8e640fa24410f069edc1d59b58507",
+ "keyval": {
+ "private": "",
+ "public": {
+ "e": "010001",
+ "n": "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"
+ }
+ },
+ "method": "pgp+rsa-pkcsv1.5",
+ "subkeys": {
+ "8357b173d137d2482eb2707bf12a7ffdbd73613c": {
+ "hashes": [
+ "pgp+SHA2"
+ ],
+ "keyid": "8357b173d137d2482eb2707bf12a7ffdbd73613c",
+ "keyval": {
+ "private": "",
+ "public": {
+ "e": "010001",
+ "n": "bd5567260f20dc7faf67dd5ee4d34b87a6eedea861d01776619cb841f6f338350bc6596d9abc694c6cc0eb844a1f67774d3fbc0f7fd9e4314fdfe0dc21b96c8cb81b087fb80206eec3f938403560e228439549420b7a02d46cee494ef1f37c1aa37142f7f41cfc0e35342e7b95d4e995d3db06eb320f327b5a0d090506cfa52d88cfe88f2d961a86e94c5343836e8d0cd628adff0d30746651b8e974bd492ec7cdac102bfe4ba2476947c3f41eabf7e955a8120293314b15fdfc9ae4abd743064bbcad7c335bbff091c3970a17859dcf5e6544e339eebaaed4f49acccba9431bfdad97a23fe695526bdb756d1c092014b739bf24adc4a8b8d876b126168d62c9"
+ }
+ },
+ "method": "pgp+rsa-pkcsv1.5",
+ "type": "rsa"
+ }
+ },
+ "type": "rsa"
+ },
+ "e946fc6076d683584e6803dbd35bad6a79a3c6b3": {
+ "hashes": [
+ "pgp+SHA2"
+ ],
+ "keyid": "e946fc6076d683584e6803dbd35bad6a79a3c6b3",
+ "keyval": {
+ "private": "",
+ "public": {
+ "e": "010001",
+ "n": 
"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"
+ }
+ },
+ "method": "pgp+rsa-pkcsv1.5",
+ "subkeys": {
+ "0dc0740edcd16f3c930b5d585cfdcc6b17f3ff27": {
+ "hashes": [
+ "pgp+SHA2"
+ ],
+ "keyid": "0dc0740edcd16f3c930b5d585cfdcc6b17f3ff27",
+ "keyval": {
+ "private": "",
+ "public": {
+ "e": "010001",
+ "n": "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"
+ }
+ },
+ "method": "pgp+rsa-pkcsv1.5",
+ "type": "rsa"
+ }
+ },
+ "type": "rsa"
+ }
+ },
+ "readme": "",
+ "steps": [
+ {
+ "_type": "step",
+ "expected_command": [],
+ "expected_materials": [],
+ "expected_products": [
+ [
+ "CREATE",
+ "*.deb"
+ ],
+ [
+ "DISALLOW",
+ "*.deb"
+ ]
+ ],
+ "name": "rebuild",
+ "pubkeys": [
+ "5863835e5ec8e640fa24410f069edc1d59b58507",
+ "e946fc6076d683584e6803dbd35bad6a79a3c6b3"
+ ],
+ "threshold": 2
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/intoto.py b/intoto.py
index 30f9408..507f09d 100755
--- a/intoto.py
+++ b/intoto.py
@@ -127,7 +127,6 @@ # finetune the actual log levels on handlers logger = logging.getLogger(__name__) logger.setLevel(logging.DEBUG) - # A file handler for debugging purposes # NOTE: bandit security linter flags the use of /tmp because an attacker might # hijack that file. This should not be a problem for logging since we don't
@@ -144,6 +143,8 @@ # CONFIGURATION` message which may set the SteamHandler's loglevel LOG_HANDLER_STDERR = logging.StreamHandler() LOG_HANDLER_STDERR.setLevel(logging.INFO) +# Make all log messages bold to better distinguish them from apt output +LOG_HANDLER_STDERR.setFormatter(logging.Formatter("\033[1m%(message)s\033[0m")) logger.addHandler(LOG_HANDLER_STDERR) APT_METHOD_HTTP = os.path.join(os.path.dirname(sys.argv[0]), "http")
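Review bot: The layout carries `"expires": "2022-01-06T18:30:57Z"`, and in-toto refuses an expired layout, so after that date verification on the client fails for both scenarios regardless of which mirror serves the package. A signed JSON document cannot carry a comment itself, so the README (or the demo setup notes) should say that `root.layout` has to be re-signed with the `88876a89…` root key before it expires, otherwise the "successful install" scenario silently turns into the abort scenario.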
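Review bot: `LOG_HANDLER_STDERR.setFormatter(logging.Formatter("\033[1m%(message)s\033[0m"))` in the `@@ -144` hunk emits ANSI escape sequences unconditionally, so whenever the method's stderr is not a terminal (apt driven from a CI job, output redirected to a file, journald) the raw `\033[` bytes end up in the captured log; the `\033[31m…\033[0m` and `\033[34m…\033[0m` sequences written into the message strings in the `@@ -650` and `@@ -660` hunks of this file have the same problem. Selecting the format from the stream keeps coloring for interactive use only, e.g. `fmt = "\033[1m%(message)s\033[0m" if sys.stderr.isatty() else "%(message)s"` followed by `LOG_HANDLER_STDERR.setFormatter(logging.Formatter(fmt))`; `sys` is already in scope, as the `APT_METHOD_HTTP` line shows. For the per-message colors the same `isatty()` switch belongs in one small helper rather than in each literal.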
@@ -559,10 +560,10 @@ def _intoto_verify(message_data): pkg_version_release = pkg_name_parts[1] if not (pkg_name and pkg_version_release): - logger.info("Skipping in-toto verification for '{}'".format(filename)) + logger.info("\nSkipping in-toto verification for '{}'".format(filename)) return True - logger.info("Prepare in-toto verification for '{}'".format(filename)) + logger.info("\nPrepare in-toto verification for '{}'".format(filename)) # Create temp dir verification_dir = tempfile.mkdtemp()
@@ -650,7 +651,8 @@ def _intoto_verify(message_data): in_toto.verifylib.in_toto_verify(layout, layout_keys) except Exception as e: - error_msg = ("In-toto verification for '{}' failed, reason was: {}" + # Colorize (red) error message + error_msg = ("\033[31mIn-toto verification for '{}' failed:\033[0m\n{}" .format(filename, str(e))) logger.error(error_msg)
@@ -660,13 +662,17 @@ def _intoto_verify(message_data): " installation continues.") else: - # Notify apt about the failure ... + # Notify apt about the failure using a short error message + error_msg = ("In-toto verification failed with '{}'.".format( + type(e).__name__)) notify_apt(URI_FAILURE, error_msg, uri) # ... and do not relay http's URI Done (so that apt does not install it) return False else: - logger.info("In-toto verification for '{}' passed! :)".format(filename)) + # Colorize (blue) success message + logger.info("\033[34mIn-toto verification for '{}' passed! :)\033[0m" .format(filename)) finally: os.chdir(cached_cwd)
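Review bot: The two changed `logger.info` calls in the `@@ -559` hunk prepend `\n` to the message text to get a blank line before each verification block, which ties terminal layout to individual messages and is easy to forget in the next call; it also means the bold escape installed on the stderr handler wraps the newline as well. A dedicated `logger.info("")` before each block, or handling the separator in the handler's formatter, keeps the message strings themselves clean. `_intoto_verify` starts and ends outside this hunk.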
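Review bot: `error_msg = ("\033[31mIn-toto verification for '{}' failed:\033[0m\n{}".format(filename, str(e)))` in the `@@ -650` hunk interpolates `filename` and the exception text into a string that is now meant to be interpreted by a terminal; `filename` derives from the URI apt hands the method and `str(e)` may carry content from the fetched layout or link metadata, so any control characters in either reach the terminal unescaped once coloring is in play. If the colors stay, passing both values through `repr()` or stripping non-printable characters before `.format()` limits the escape sequences to the ones the method itself writes. The `except Exception as e` block this sits in opens outside the hunk.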