From 15683d7b0c4107fce39fc294454c5f151049dd95 Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Wed, 5 Jun 2019 16:52:25 +0200
Subject: [PATCH 1/6] Add demo debian package sources and build Add dummy debian package based on "hello-world" package tutorial http://wiki.opf-labs.org/display/SP/The+Hello+World+Debian+Package Also add two builds created with dpkg-buildpackage (see tutorial). One of the builds is used as an "ok" version and as a "bad", i.e. compromised version of the package.
---
.../demo-package_1.0.0/debian/changelog | 5 +++++
.../demo-package_1.0.0/debian/compat | 1 +
.../demo-package_1.0.0/debian/control | 12 ++++++++++
.../demo-package_1.0.0/debian/copyright | 21 ++++++++++++++++++
.../demo-package_1.0.0/debian/install | 1 +
.../demo-package_1.0.0/debian/rules | 16 +++++++++++++
.../demo-package_1.0.0/debian/source/format | 1 +
.../demo-package_1.0.0/demo-package | 3 +++
.../demo-package_1.0.0_all.deb.good | Bin 0 -> 1688 bytes
demo/demo-package_1.0.0_all.deb.mirror.bad | Bin 0 -> 1680 bytes
demo/demo-package_1.0.0_all.deb.mirror.ok | Bin 0 -> 1688 bytes
11 files changed, 60 insertions(+)
create mode 100644 demo/demo-package/demo-package_1.0.0/debian/changelog
create mode 100644 demo/demo-package/demo-package_1.0.0/debian/compat
create mode 100644 demo/demo-package/demo-package_1.0.0/debian/control
create mode 100644 demo/demo-package/demo-package_1.0.0/debian/copyright
create mode 100644 demo/demo-package/demo-package_1.0.0/debian/install
create mode 100755 demo/demo-package/demo-package_1.0.0/debian/rules
create mode 100644 demo/demo-package/demo-package_1.0.0/debian/source/format
create mode 100755 demo/demo-package/demo-package_1.0.0/demo-package
create mode 100644 demo/demo-package/demo-package_1.0.0_all.deb.good
create mode 100644 demo/demo-package_1.0.0_all.deb.mirror.bad
create mode 100644 demo/demo-package_1.0.0_all.deb.mirror.ok
diff --git a/demo/demo-package/demo-package_1.0.0/debian/changelog b/demo/demo-package/demo-package_1.0.0/debian/changelog
new file mode 100644
index 0000000..93c9179
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/changelog
@@ -0,0 +1,5 @@
+demo-package (1.0.0) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Lukas P Mon, 03 Jun 2019 12:00:00 +0000
diff --git a/demo/demo-package/demo-package_1.0.0/debian/compat b/demo/demo-package/demo-package_1.0.0/debian/compat
new file mode 100644
index 0000000..9a03714
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/compat
@@ -0,0 +1 @@
+10
\ No newline at end of file
diff --git a/demo/demo-package/demo-package_1.0.0/debian/control b/demo/demo-package/demo-package_1.0.0/debian/control
new file mode 100644
index 0000000..1deddf3
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/control
@@ -0,0 +1,12 @@
+Source: demo-package
+Section: misc
+Priority: extra
+Maintainer: Lukas P
+Build-Depends: debhelper
+Standards-Version: 4.0.0
+Homepage: in-toto.io
+
+Package: demo-package
+Architecture: all
+Depends: ${misc:Depends}
+Description: A package for in-toto apt transport demo
\ No newline at end of file
diff --git a/demo/demo-package/demo-package_1.0.0/debian/copyright b/demo/demo-package/demo-package_1.0.0/debian/copyright
new file mode 100644
index 0000000..5ad050c
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/copyright
@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: apt-transport-in-toto
+Source: https://github.com/in-toto/apt-transport-in-toto
+
+Files: *
+Copyright: 2018 New York University
+License: Apache-2.0
+.
+Copyright 2018 New York University
+.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+.
+ http://www.apache.org/licenses/LICENSE-2.0
+.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/demo/demo-package/demo-package_1.0.0/debian/install b/demo/demo-package/demo-package_1.0.0/debian/install
new file mode 100644
index 0000000..601c815
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/install
@@ -0,0 +1 @@
+demo-package usr/bin/
diff --git a/demo/demo-package/demo-package_1.0.0/debian/rules b/demo/demo-package/demo-package_1.0.0/debian/rules
new file mode 100755
index 0000000..718640c
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/rules
@@ -0,0 +1,16 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#DH_VERBOSE = 1
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
+# package maintainers to append LDFLAGS
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+%:
+ dh $@
\ No newline at end of file
diff --git a/demo/demo-package/demo-package_1.0.0/debian/source/format b/demo/demo-package/demo-package_1.0.0/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/demo/demo-package/demo-package_1.0.0/demo-package b/demo/demo-package/demo-package_1.0.0/demo-package
new file mode 100755
index 0000000..18d0b96
--- /dev/null
+++ b/demo/demo-package/demo-package_1.0.0/demo-package
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Hello, reproducible builds + in-toto + apt demo!"
diff --git a/demo/demo-package/demo-package_1.0.0_all.deb.good b/demo/demo-package/demo-package_1.0.0_all.deb.good new file mode 100644 index 0000000000000000000000000000000000000000..c5ca173b5099758101eaed58bb7ac1a2d03c91dd GIT binary patch literal 1688 zcma)+Ycv}O7RM89&k#br6_rrhC?ZUfCWH*Or`r;&F;hWB2uZvr^(I{%^;YSjq~lSu z2{LrIsybBFq^3qtbebY`G@_bj3DTNK;}O=(KEBTW&i~wV?z!jQPrq|*ab!j;%^O6C zi=mTKTw>@cWJV4Y3Ux!Fuqcch27`q{5eNN$s~ZA=Mk1lmgZzhRkUJa!icL*PXQU>< z)5#1tHTRGAQHXzEg+il2kP2%yi zFWT!E+bDhCuW)w02aodbwWI!n-y@FDh+^<*r0R7fY34OU;ALYJY4%f`nDoO-9QOrr zue;LC#xPglH4vz2mO(z#2G&RAheTX6Llus$ItzTVOCzPn87m~^bAFf<~=tg*u<(5td1Xj^7cUhR9k1VtRoAeM6A zD^<&PjU6U1kK14AsmuwW(`T&GeJ>X1VXhXCX=o+ic@sWy_Oe zl6Fnaq~rOZJm_Da+X;yu-OESjYL4Pvx-<6F4eu%0vWBZY~kbV26s{j}P zKq04-f0rfuK$Zjk$Tut&{XgF{XL7^B0RSM~PK?$9*aFQC+(~zpawVts54BwanCm{a zW&&%U9KYb5WBTLxNiGowtOK>IDWCHR0xkWtv|&=)YD;_Ja>}i*?Rm96Cdb{p@8ro{ zvwxh}{Ie!FaaL&6ehG~cOa9i2anPTi+whrfEoZkJ-B2i|VlbzvKUw8(df##sfWFQ& zD^h()A6gQH?RteO7aW~l{{^Jo#g)f)!rjrctztegUdDM7K65Nec2o3jYp^09JjC=Y zt{42WiH367Eu|(+)*!0Lt^iu6FwCiSBwV2jnpZB*SHe?q$|gvb zIQGJ5qep>;z12>A|AjQy%i2*ZB(&}@Y8vS|oEmO^b=!f1%GS@iYEv_wZC!G$c*=^@ z2$RI-&*A;)DW9#49jpERgtDJdwb5dPOgHFw-0t9I$jn5=^i?=Q~V7fZVD4v z$)hY@8Gx!TQ!+#Dh~L;tyYTkuH|l~RE-ht4jYs}j@|qKrIpXMSw9h;Q+BnbRH%gw& zEI?AMZVaywu-Y-E>R4FLvhh+Q=0#w@G1wjN3m-*Fhp(2og}!$QrOdMHrb!W3I-=v) zLZ7)C0(u1X#(Dm!rEt-M>Dk`Xdpehq3tt}Qbmkj!fFHin>!{r14%BY1>kTgfR*wFf zf$JMVsQS=oLeY0!f715NV$S&sds)N}s*4X|nli_)oxcfrQ0$CaIG)JRsO{Bu0pNSf z-&U?#d$Yw!@0T6qNoKxr(%l`Cu*@F((UWU(d>knoo>SYCj#@if zk9vwRXzue(JerpqGvIhm)T+v1Qn&GzQ?%cFk@*-n@cwOjRC}BO z<6ICqWmn;Oc4@inS3pECD}o@(`MXVFr`|}^Ca-@TsCXz={{HVp)|&+Y;18b^1Ootm SZ-RgJMu01{ewzS^;r{}|XZoZ7 literal 0 HcmV?d00001 
diff --git a/demo/demo-package_1.0.0_all.deb.mirror.bad b/demo/demo-package_1.0.0_all.deb.mirror.bad new file mode 100644 index 0000000000000000000000000000000000000000..0ef8294d7d4dfb7fca43901fb5a2dfb81307a3fa GIT binary patch literal 1680 zcma)-eLNEg7{@n4o4lN}g;{&K(8OMtY-iyPSt@gkyyT>9u@AOxS$S!$v-6Udg|0$p z5=teJPSRoIrNr`bQH0c_GMk~u4ySwj_wM`oeV)(f`Qv&1`aYirMG5CIBAvlZ)**H{ z$Mz7L6V8iAB9R0K2eJc+KqlKGk@)rgpGv^vcMyq4wSROYT8yn8U zMkM_AyaWEPtw`iSFd}m!;1e4(XP!)CUcegzj<~4z%McYEk;E<&r>ALpJGPn26ZeYE zq-Li+8&pr9ue&Gw;C6b8F-NYIF(|WmtNhr%HCr(j83~!{n=l)me7|J#C^N%e3KplV zUON=zzBGCq3Ju(hgQIe52g5>?H&&x+5cRm-#|v@OoV%~K7=W;uFYT1LakjYcjm=t6 z#~cN{AWBRqT6THta?((PxS4;&oEguiT@D=;zC1Ngw$=wWI1>t$Sxf@)!P`U=mZj@R(q1kwP(uN*x|zp)wjO zoG#z<{)zbNh``cGS@c#1(fs;zF2{)K%d%3+pe6o>|JWP+7joJ#P2mEi&QkWCBpfI*&IWVr~53A_G-eiV86-FAT34H zUbO?TF-g=+n+Q8*{uOsi&(ZwkCn`q1qP|UPV?FjIqe!Jrm2j2J-+L4X^>y~Sb>CJE zj#EqJtX9D?&aJgVB?TXz{$1rb@o-k^sCnN9p!GkqYVm^$3-V1P zU>g9y437=}QJiD01AX&I80aYD+K6`zk#hkQqF^|VIk7||{Ypl5f(>B%Np7Mke~!L+S@J0a+` zPFa5%3JL-GqnDrK)5_2I&EDNvK=V86D-wZx^wX-9UhSPY-zY4aHxu>4xK={EZ0jj` zE^M{M(YMWu(XvS4Ar2P_sEKM;QIn-th|;m0|7s=&^)Pi*TMsPm{hP6aK zxT5&ZUm8BLCtpN%9i)CSf4?t1^9aB#B$gw=9wXO$S5?1qukjMD?zL})JLz0?Vx)M( z#z4nZ8hfz`!x%(JK?XwC#P`-6t#9fvurGQVM5MHPdCc6e2I}M~-`B-F*(Vi(O12fh z81m@zkssbA3((gX>Nf8hp~sDPT^7tSDX5_vrsdq63n_=zR4n=dZz}0g)ZcrQ3Qr$2 z|0eruU7P+2?Nb%UD($mImmoWmb_+a=a&Ixq%<&3S1DuY-ax7vE#ek2#ZyQ61;lHqE zJO#(68h>rQJ|7s6zUu)t!q8zUVh?)LmDLuyGC%pa(+N@cWJV4Y3Ux!Fuqcch27`q{5eNN$s~ZA=Mk1lmgZzhRkUJa!icL*PXQU>< z)5#1tHTRGAQHXzEg+il2kP2%yi zFWT!E+bDhCuW)w02aodbwWI!n-y@FDh+^<*r0R7fY34OU;ALYJY4%f`nDoO-9QOrr zue;LC#xPglH4vz2mO(z#2G&RAheTX6Llus$ItzTVOCzPn87m~^bAFf<~=tg*u<(5td1Xj^7cUhR9k1VtRoAeM6A zD^<&PjU6U1kK14AsmuwW(`T&GeJ>X1VXhXCX=o+ic@sWy_Oe zl6Fnaq~rOZJm_Da+X;yu-OESjYL4Pvx-<6F4eu%0vWBZY~kbV26s{j}P zKq04-f0rfuK$Zjk$Tut&{XgF{XL7^B0RSM~PK?$9*aFQC+(~zpawVts54BwanCm{a zW&&%U9KYb5WBTLxNiGowtOK>IDWCHR0xkWtv|&=)YD;_Ja>}i*?Rm96Cdb{p@8ro{ zvwxh}{Ie!FaaL&6ehG~cOa9i2anPTi+whrfEoZkJ-B2i|VlbzvKUw8(df##sfWFQ& 
zD^h()A6gQH?RteO7aW~l{{^Jo#g)f)!rjrctztegUdDM7K65Nec2o3jYp^09JjC=Y zt{42WiH367Eu|(+)*!0Lt^iu6FwCiSBwV2jnpZB*SHe?q$|gvb zIQGJ5qep>;z12>A|AjQy%i2*ZB(&}@Y8vS|oEmO^b=!f1%GS@iYEv_wZC!G$c*=^@ z2$RI-&*A;)DW9#49jpERgtDJdwb5dPOgHFw-0t9I$jn5=^i?=Q~V7fZVD4v z$)hY@8Gx!TQ!+#Dh~L;tyYTkuH|l~RE-ht4jYs}j@|qKrIpXMSw9h;Q+BnbRH%gw& zEI?AMZVaywu-Y-E>R4FLvhh+Q=0#w@G1wjN3m-*Fhp(2og}!$QrOdMHrb!W3I-=v) zLZ7)C0(u1X#(Dm!rEt-M>Dk`Xdpehq3tt}Qbmkj!fFHin>!{r14%BY1>kTgfR*wFf zf$JMVsQS=oLeY0!f715NV$S&sds)N}s*4X|nli_)oxcfrQ0$CaIG)JRsO{Bu0pNSf z-&U?#d$Yw!@0T6qNoKxr(%l`Cu*@F((UWU(d>knoo>SYCj#@if zk9vwRXzue(JerpqGvIhm)T+v1Qn&GzQ?%cFk@*-n@cwOjRC}BO z<6ICqWmn;Oc4@inS3pECD}o@(`MXVFr`|}^Ca-@TsCXz={{HVp)|&+Y;18b^1Ootm SZ-RgJMu01{ewzS^;r{}|XZoZ7 literal 0 HcmV?d00001 From 2685599fe2ee4ff3ef790e7fa889e0706b1974e7 Mon Sep 17 00:00:00 2001 
From: Lukas Puehringer
Date: Wed, 5 Jun 2019 16:59:16 +0200
Subject: [PATCH 2/6] Add demo data Add gpg keyring (copy of tests/data/gpg_keyring) keys for Alice, Bobby and Carly. Alice's key is used to sign both the demo root layout and the demo archives. This is purely done for convenience, in real live different keys should be used. Bobby and Carly are each used to sign rebuilder link metadata. Other demo data includes the link metadata served by the demo rebuilder, the root layout and the apt in-toto config file.
---
demo/alice.asc | 29 +++++++++
demo/intoto.conf | 11 ++++
demo/keyring/pubring.gpg | Bin 0 -> 3543 bytes
demo/keyring/random_seed | Bin 0 -> 600 bytes
demo/keyring/secring.gpg | Bin 0 -> 7449 bytes
demo/keyring/trustdb.gpg | Bin 0 -> 1520 bytes
demo/rebuild.5863835e.link | 22 +++++++
demo/rebuild.e946fc60.link | 22 +++++++
demo/root.layout | 127 +++++++++++++++++++++++++++++++++++++
9 files changed, 211 insertions(+)
create mode 100644 demo/alice.asc
create mode 100644 demo/intoto.conf
create mode 100644 demo/keyring/pubring.gpg
create mode 100644 demo/keyring/random_seed
create mode 100644 demo/keyring/secring.gpg
create mode 100644 demo/keyring/trustdb.gpg
create mode 100644 demo/rebuild.5863835e.link
create mode 100644 demo/rebuild.e946fc60.link
create mode 100644 demo/root.layout
diff --git a/demo/alice.asc b/demo/alice.asc
new file mode 100644
index 0000000..dbc60ae
--- /dev/null
+++ b/demo/alice.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFwJRhkBCACqoenU2d9ds+0WwIjF0Q2+tYIO8pKC1Wxfjjlo7EvjofFLejV5
+gg0brd2KsioCOjVbzOgIaDzqTf5Z64VH51qhMLQpkHuYamChUNWCImlq9LNzTX3/
+Hr9Mva2K6IWa382Vy0R8gdcE1L9ICwc20Y3SnuNjDTDYu73Mqzl+J+/s2vol+zqj
+XEv5WQzeo+yttGdKtaqAON/kWryCyTenk++JjRb2fyTrsxW5HkYeTEdNbelcKKXp
+BFS2QJuJRwVMnThkueIxCtLVcIyHD4DtXvTcEmfTHZDlSEPzBVwroCR3qjBxJQj1
++GaYlTsWQ+af7N/dVtgcTpa73YxLxl4XLtd9ABEBAAG0F0FsaWNlIDxhbGljZUBh
+bGljZS5jb20+iQE4BBMBAgAiBQJcCUYZAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRBy4zyj4OBORsNNB/4u0MS3iXJPKR+0ps/xn8G5aKcccUo+1JLNaZ8H
+4WqAzLLQPRk0UgoNHXzr7anvHDKZlrgpSEuu6zJi/ysVLxqgvHMXoaVrBHndCC7g
+lKarOVQmFgiO9S5t3x/f+tdS+i5FDBauS3jQ0mKVkV3CPKQOq9qb5s1GPMtWIRkT
+Bq6T45vy5MdcgFreuvr0/SkRXdOn808InRaKZlHOOnG4Gp1jPxBFCRTbpz48jGeE
+UhXXP+/eygSvdpoo4Aybx9wWrKQz7GPusU8660FAN5SmmFdj+cr1H0Rp3yVPmvxe
+W5w5H88MEPNeiF0Ui57hPQinv9xDORgHMkp2rtWPAv6MZuwTuQENBFwJRhkBCADW
+Rfv/Z6hEjicX53QjMFZisiuMSjRxngWIHvMKMZDxx1sSvAkglUMv5QVBgLtBfam0
+SIfnSxPIwaZ0Ljd32aadnsof7S8sLERpqS2ZutD4COC5cLp3SuoGZ096kxAL7U1J
+5pOjBR6SUZeiewNZ5DT47Z3TB8rfQ67e0jkg59xE6J8LOIfPIgcXg+7Kr9Ab/EXz
+gHA2vwKaopb+kHH6QzUJGorX/9x+KA1NMk1TJt7zuBZ+XbFqvwNo3A7qEW42c6QM
+//obR4cce0QIqBlKxT9SHYQ1lvTMRmpPx7UdWr2Pf6awU1lWad9VNq0HtGO+EEXy
+BCZXcE52pgyuScSL0R49ABEBAAGJAR8EGAECAAkFAlwJRhkCGwwACgkQcuM8o+Dg
+TkYGBAf+MTvsUYRcN5tfMDsXkbmAvO1dYLvAXyhEFX6X8R1ZiS6AYlZnwVaRXyTC
+Qf6G3MVsjLNIRQCTdtt/wjhAO3m67zDR8I+77GVRqSzdjz+iYudjgdnDYwRXCpCe
+co+87M9mwkjTDEOkAW1R8s04TLPksfTrl5Cfl4ncYRBIASeklVEyYKC06OLJ1gT7
+cCbEJHPe6wKto7JLXlNSEDKqCXNjJmMh4SFu68SQ15w3gc8eDqHG+ZFEjbghGx+X
+Z7kC5X1UmcQA+Z/ArweCi0pi+XGhYhIXab2/NareGsB9MBRhk9t31IcguKv1EUMq
+DeKCPetzGh3XTubL7vSl84xQ9MV1xQ==
+=qRqp
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/demo/intoto.conf b/demo/intoto.conf
new file mode 100644
index 0000000..f58127f
--- /dev/null
+++ b/demo/intoto.conf
@@ -0,0 +1,11 @@
+APT::Intoto {
+ LogLevel {"20"};
+ Rebuilders {
+ "http://rebuilder.a";
+ "http://rebuilder.b";
+ };
+ Layout {"/etc/intoto/root.layout"};
+ Keyids {
+ "88876A89E3D4698F83D3DB0E72E33CA3E0E04E46"
+ };
+};
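Review bot: `Keyids` is the trust anchor for the root layout, yet the file carries no comment saying so or that this fingerprint belongs to a demo key. Per the commit message of this patch the same key (Alice) also signs the demo archives, so anyone adapting this config starts from a layout root that doubles as the archive release key. I would add a comment above the entry, e.g. `// Fingerprint of the key that must have signed Layout. Demo-only key, also used here as the archive release key.` The rebuilders are addressed over plain `http://`, which presumably leaves integrity to the link signatures checked against the layout; a one-line comment stating that assumption would help as well.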
diff --git a/demo/keyring/pubring.gpg b/demo/keyring/pubring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..390af607c4fe01923eeb531dd3c75cfc20d25e98 GIT binary patch literal 3543 zcmajfXEYlMAII^C5HyGuu{WhIMa5oe5X7imdkacYI#64SQhTdSXpNd}5T&-F)ZVK$ zv9*fww0+J!_c`ajc;5Vf@Bim}KIuf1Aain6Mj|r6o4k#Y$$5(!0)0zF#}~>EbsHODlia4(g~`@4)S79YNUcDeUz&?` z-ks49E@zjc8ZRyXOSWdsrt%l-&obuwlY5n)29JYAn$@m=CBD2I%KmCcDKgR6)K@AU zaD8`s>Xi3ProbHi!vr!{uw7n@(WrY9BsITmiVx|LEKb~wd`bT;kY}rguAWVmO%tW% zwqed+v;i`Br<56qBGJr}vaeqfr5GCZhz_R?B3K^HT*VBt#;vF!4@t}gb9o-W5%J_D zJ3ettOO~ZauI6md&l*jzXs0yJMx#3|VZ!7702(3yQ7sJN>TKu0A!qY@l>S^{J9jsQ zNFpiFH6kE@iv;-lUqEJJ(ktX-U}7LC9T||E;tGf!NK6D|BLc#L02JiV2Vdn178bNs z+qA$J!h`MaBOmApu-9S-_H#bgI~B8dYAB2(^gHK(7hQt-st4s6#q}sCS)XnZUhlGq zrKjKo)X)`MVz!rpbT^rD@m{dJqI)2pSu){;By6d)0UteC%(1ZBJp26VxZbI-3WUA_ z{bX>+HaXs+Rj!b#bSiVTUsbNxh?DUeX+`4K%!B1F^B~i?hSQ^;0yGxG#fLg%S@bU) zbwA5^;+V4R6rn2Qw9~~3a?zMDJ-Ttl-MLSow~sRT7a*BkGxTMJx3=wes&r(w5K59s z*fe9iAD@odm7V8#bu!K^&0a~f4?v)YmJt@TQQ3>~WW~)hNNEPJn8u@u(OBR`wBz=* zN+5u^{-4gqRL(9jCCV|^VQb#pB1X2=g3%h{p4lW3Y=;!0ar<3nSMlT=$;g{4B#59! 
zg#YVWweU6cweF8tZ(+&Dlh~~6Pwa%7fBmKG{8}izVeo`(q28n6vBoATM#nc1dWE2+ zzM5D-!j_<$n(s$!vMhc=$QlNJnnza54M}sX%_y(uT#*VN-~z)!cRsxxWIk6p4Dyg@ z24>`^T*P^vBH`prFUBut0{AJl#I*GJ<_>Z60Txv*&BRVKRGT#SCA99(Pn0jhEU;xqQpeuRZosJBOb zVUz#UStJoVh~ZaG<6*W`BHFCxVsz!9ZFj-g3I=6Ox zsb>sy=E2v_<2APhEH9`=Tk7jU#omy6+40$NE^^-AYL6R#B^f-xMwQq3BVPF>j+2=^ z6;lsf@i$0s2mHusc?%AS(y;yEnP+2C_;x9sLlQ{i&B%A|RdQ5}7LAewn zzvacmIHOTG!kB3VP37MeC8 z6mI&k)GkhCA$NC1(1pw)`D*-!8op)M<1fmJGcqF9Un&P5mx0{&90;qQZq2Qf#_${p zl$vc-<9X;yZlBbd6%cyM=q0)iEUCXy88T~Hzh&v}#`Iv4#Rk*$1FR{(JUt{G(GiI} z&9&j!m{gcu`b_;U-_R9rx%B+A6ELBby&?tmC~CUiaLoq(;NIvQF{e@B_p)q2gR410 z<$Q;6pIV=|jO#S0BJ*(nnGl@JGPbe3<5U6QwNVlvOmPO4S}8RGeoJPd453WC&OV#` zoqSz_?vposD9Ziu*hmMO<^Gqd1Qq>U)cfK$aA&-)GMhe8 zgvR#`?j+IBr=gvEVO)k6tP3aE*-62~@(4&)fo6BiB1FSkasboVT_7}3ON~Q+ZBrG| zK$AbqZ1gM>8cipzUB9OlVxU`oLoF)wE^8eg%C1_ThBT6W-%+lI?r##ualY5bgs^S_ zp=0l~I(5{PA@L0Nj>3%Xp@zbJi8Sv$*-b`EQVA{k^7aiKhP1*E#u(?W%3g4t)TG4nrY`_-4M9?Q#2}k7lu`3YGN4z`nAXLey5c z7T}BFKQ{fTtjQ3=N6j%4_!cv3xjc*x$L`FP*bKrR*}TFbz8y-zuXLKYW#FAPU0b%o zG}tkZwG{Exfs@OkI`a!Nob|5JIA*dy9FTOU?T3^S+MiZ5`)bw^!$|L`eO zf#>b-M=a-5aB*S3F={bCQ%Z6Y(t#qOh=KK3p%kX)8=Csa(EBeTWBlcp zlp@}ay0{JRCUxPi{xYcG1v($)jA}b#EB(Gkevsb1P>zAvixI*-Z@9mzXlhNs6k zJMo8Utwj&ZCnuPlw8ea*kkYBiq08U&>q#AplE``!NS64s{sK1zRYb#{{H$+t7^!=5 z1ae9M?n*I1V_aj?{Hg-HdXYWDt1K?V)HaMph&<}2y9z9DYq%Nj#cQzywhzz( zc12YenfpLB%T8*p_8|B5Hb0!`ho%?}a2FX}u1)srq~*|<;^k_YzJG9GzYcaTQ7XbK z&{cJoIr_ahR^@fU@dl$3;bDmJ8W^?Di>9dBG>hDhmh8~T^>9S&=8JTH9(7e(CX@IV z+w%1an>j6utsY(j*B=V)MQ7fvtnIMZZuVHT0QA=iaihw-5q8$cxWmS(0?q6>xA5`<&q+gB> zG<)eyUm`U;&Idf8Z> z`R^rYZ@Ew~$slU3Veh!y6}#QD_t~GbN*88-1G^(IHGj^enk3S-rk@?GHB|8s%yO9f zx&@29CYF_8fTzW7)FX|?UP_JpxXABYTX*sTSg6mKx)1fQJj=>ew zU4}N<*U>ySB9S|@95w-eZR*|R1IfUf<_HIQwd-94s5s}>9QjqP^W{!YrN71 zMeQB&?lfhAB>;U#6Tx;R4-z+K>G1FwopPg}bfoas#InhQsLCk>DsPHcm*u|B@XUJp zMh|r{?vyXg%)d2ar59MSVZ#&q2r^kc(@m7ZBkQ9q2zvt3bkLNv+9~mWK16h`d;W|H z^$IiYbe=M+B%Cp5X&S22oitS@5uY0Wbi$(K;Ya3a+PIa0Xu5Y34Z@m6C&5p=8LTgV M^541!|6R?005;f2cK`qY literal 0 HcmV?d00001 
diff --git a/demo/keyring/random_seed b/demo/keyring/random_seed new file mode 100644 index 0000000000000000000000000000000000000000..1e4f231a869eda31c581122e949931da92267748 GIT binary patch literal 600 zcmV-e0;m16^2tiK1>m?x3ZEx<0Rwe$UXUWkYpbtW(}IN+Wv^M7Bj(UMHK!42 z(t&4R_91eIum1Xcj)!nrnF=D&fv}>&bbA=&8a_4YQtFy#o8CUDY@?D}@n(>HKJ`ed zNdMSJLrN9=IXXNKpiTj68G%JCGOL$8HHh(yq}>bZ=84dU<%9BA3LQtuSwS~`9A4ge z97@sNGCd>dv;BUJXg7N)H7h^NfM0h)~*RgAhW1i^|(Z?a8ro?rfygaStS^>29fhxN7g zm-3hC5MaGKPMNCE1&v5836AvCj6nbjNq+N~qVJy)e_qkx4zMtC0h4E&c==>tC>WE( z$0`6Foa1(0_ys^C>z?H@-U+-4@01B~2{DX$B@1-lG)AeSoYBSiQKbMT(bfMp_=NfF z6tp76CPi+|lP@yhXZ&fNN78R~HKstuE`X^Y$a?curMKJw{A^6d-S=RF~Yp*>7u`J)`jl8$F`eQY;zoamnk zWbfY)+OJcYRaM6l<0B7*@*}B}6w75c6(BvJas%0m3%HvD?D8{5XEo(qnuim70BL}8XdRjtIuaiUO?2Y32tWV{3 z3a;dQxV%G9h-%iN8ySH7TzX@N@YaII3U4|m;gAE}0=8!QMBhwX;{xTm5K0@{+a^~9 z|98^w^4&GjhvC^9<7uN3e!&Z%+3(UwaNJXI(|J2)C~S+J-D6dJ0kjvV%TLtL{6+e5 zk2=WfMW;2*R{;x{n*j9))^R3Rac7kx~ z*`)*5?kMYY$zZ~F{p)r~mtIj5*akS#OW3oy7|->pkbJEt8!Jp2i zOD}Ip(21KF{TQcNi9d}4s_uQh`c5BK>;7fB^{Z$U=0X7<+cSz;nwTaGNfu*8-MmT} zF?q(xdCpsuq4I0#@nVLksOh75Q#M#*sX9Q0?akRD&XHT-a>a(pq^-Tdu@hTyh7>E& z0B;+?mRd<}9SOH%gBX~YARW8U@0>~@{V`Ks8i=}Tz|+EN zL=J{}!PJ+0Md9!Cfe9VA^HnZJHJrtKTuDJxY*TC|nHMMulAzMZi4=uDIy*4~d(WCU zPtm6i!UIW`yQgP&aYJnCsnC;i!S-$RIGv31VHt;sL{kmzEiAQ4#REav(t3=w&Tz5!s67NUgD&!~vUGp)+4pLYiK%#-<4& zmCC2E1*Y)?y_@hJ=^$q1Kdr?0@sM^bKk1!_T&>puEZT{MAb)j_^>LF_Tje}UB6=d? 
zwcL~=?6EKG4)V1AN>j6Ew5i&5-VNN*30{0Pfoh*v{FXxCNPCy+65Xj-b?#|}Z<_JI z_BLh~ul2Lv&i=TR;HV}A0Tyg+%1+Mp?vQ?v z?s~`5?JGTo!A#kW5_~Rhw57^#ewQ}FTr&}LNd)YbGGW13t1wlZ1(A#OU!XdVY`RV4 zoS{|R>f(>5X6Fq`{3l>hp48GzEwjg8cVrSa8`MhKFNS(w_{b)Z(QgbR4X|VKwuIoz zzORb&;lpvrdeqJ(0N-LQPqFHO06^}4$eWjZezz)@h^NInaHC?=G;L&zmF0BFgNY=) zL1a(78q&k;LLg5QXWfGV2X%t|E1IPv4&<>&zh1S{Sd^pRUf%~-~Ub{ZcM}Dv>ahQ+9 z8!hW*jEC+oIrL!M3p3rEB$s%%2sKpg+#YIA+WSwO-IvaLxZ~p zuGy>yUGf@4qvfpVQHoqE^D}0OROr9Sdxklh`TEY#__0(O>7+BpN2#b55x3%@_fk!m z&sIO~a}@GJ+EsLU zGQu|bIPN;-H&eUebkkHKSR(AZ=wld?EU%}yvkYH%Ydv{)YG!Z58)a&H}0MJvHg&|Q;Ida^5BA;R=*L`$bCoA)S5 zeo-J@a5-w{;8%7Jb>ptgAq|c88}xc%Y+M+k!9s_a9m3r?moT&_Dg>yMSpQY9Hp2)# z5QS`^Kv-vh7Tptl%bBU>*oVQcEEoDsNE2e7L3t)9ICvLo&}a6TGR4I%%5YK7b8>)& z5+mh~aY%pl1*c#_GM*;gh`CHwzZSa)BQ6bQbYWP97Jf#vkDcq0E&&sUVPW@_7Z3R` ze~3DWjDF{3K9X<;k7MVfs8dMr;CjN$o*hX9mWdy+(8rH~|?~Bsx(nL8h8k zKQxn!KJEhJVA#l*Ae{?1joPT1?uhHa9v;yD{Z-d1&oAWaZ+{ocn4e`z?|IASebwh}Gnou%BGZ&d7blt1W z5+ygkUaT_O!ds+aCiOJY?AqT=NrZuMa6@0EchcDP z0k>T2p+&FgY_uAed+6E_?GLI3k-Tvo@$j(Kh*cWLWR_ZhG0K$R4eYEETh!B66Y`@a z;kE7GXx|Do?7IxNKmWD{Cijumrb9epR@yZVOt?PT&8KHrC>`_dIUIlMZ|Z8bvRjXd8Ap z!&_qf28ZfSd|arvx6kKsRB?REtxUBy+!av`#7QSdFzeb7?@pK^Y1Pt?yl@6f8F}ez z4^F9DKPqi~E_J)RwP4RWctP^~t)!(0k(<~U=IZ{?+w1Jb;eH=(;i4~Lh&s<3%Z9BJ zTN#`q2nnI9Z9O==aL3`lILJTE9>xPbI!Z}X`uZoh5ElS$YT@zqDi%bYPzIA&&3x1^ zwRZwGn~nX?A{i)BUv3NLlfwhaTc`_>OKlL*i?tuDfgO#kuQWOSDXbb}F^AYs{LoD( zBDJh0GLIQPp2wXlU`LAkSQe2@5O4IZBxuLhfqVQF|1DLCv*-p%1WnFMN+j1D9HOt@_16g=(6FU- zYbELgvc-G|eXw6Cc1*_H42erzXotQi_8|pTkZLQmihgJbo*x=$OSKVa0p zP-z9iB#%cs=h+<&tjVGl`(6n^zfsXAf$equaIPBdr)k!m0UJmJ`$vAP?56tM^vfop?;x*G+~q)ZzP)!d3mY9&_ZD3+#>nm z_$_2v8=eWP&fy~F#b&fNxt)F~Hd#4@@SIMUYUa5t=;lK^g%EX>8V2c@P;HWyE_5=f znoMy`f!2WHfCtd)xd+9a3HBMwJ%BzO;e=-0*TC4eB^#ciG6>_nw5wl395wh;*R^F72`_ZEUVmwA;tF5y1zx0b$Sk zA9+Q&jJN5;(`3Yue1Nm|=Q4^{H-3agE@Jn$#4o5^oGiX+vqxz&E3hXVXdJ$}C4cw;1y6l*xW2t+K$}1WmtyBtI-+X9Cz3-Pv{TYaO;kgrr77{yr=N+}Px7lN(72-s%H5r8> z`)R6nEA9@&2;|tUeBVFR{48%<^k|^LjWZqj_mT=P;>*4+y2Q`lcbmM}iq|Gg>N?*H 
zqG||_!U0cPiK1tOw@2knpxKGkm^fiA{EgZBfbHvZx!}i@86PFzK^eAj?hSn+ipqQ6+gr}V04w;W9D7jXWYws9_hT~gBmuxzeCY9XY(uPl3#3+a578a^uT z&@h)cor^%h2PXUtEUe=i(w7L5ctVz>^k0O`TN+Ia?KXLopZQr~w-KGZ^cBsJ5L%a% zLX1*B+6*6N>>w#SPAy1%i2oswdhis?&S<%)6chfOhFgyypy+l98AEi#8rG(?3n6xN zFaQBAz`-Ghs?RDXsLEK~E_?ild`<=IkAYhe6z0YDDkRS~*wjx0jcg~FJzJOX)-qH6 zY|A$U&8OoeU1sYu@cHwkSr>9+e_9tJ;HD_|mDry6>P=Rb#xy$VC&A0|5*N9JkE{2r zH?j5UYxbX5+YZBY==Si0Hx;w5-!$k|k%s>|!LUt8gJWzKKlgF)WY3mN{+rVtD*JDi z3%kAhp75bP)>7$^$NKebWVMTXbmpT*5q-5AsC^HhG=CWwQ**<9)2srWfxCoi{aRk< zjF60>P{EYC2DigFQ=NWOP3x|C=umUzJ`2m}+tf5~1nYhi=vPo8_#Ou0n zRYNj1tqsOA7qhDOjR$`=5;@>(oy2u2Rzsd$B3uu+ZG9e3e77?3x;sbJInOy z2jwg`sau1o%h4j`PCsYL+OWO%Y9m~_Iuu5B2UdJ6#|}Zv%zX0C@5l3*`gJ#ahMa}L zf0^mnL}j6G%&H-Fo%Ek#Q@j1E*v7IU3xvpZ^>ul8>0gB{?zdz{ZRP}~Z-p$aW>)4Y z2D@%D`%2tvmKKSu6*+uj#Q8GPLU;eDwZmGLq{5FT!)(*#GQo8R)yCp^y|(vT%(i&l zf~=E)7rcb%@%9Osz6}Acqv9ho`^2_0XeI=j-~u$i3t?g|V=g`Fw+fDA(jN3kQ3j=3 zS80C&HsBg(zcK&vSNaZ(oP2W!9_LmeMIl_kZYEWjw>S)J$)ZR@2fva8FdKV=XU)Ry z>}$}6*ckL=MHHdH3ULBk3jS&?t!)$K#DwSV2XqvxEQhkj7;|XkY5ZWK-Xx;~gIc}9 zTt(5H!iclS%xnGM));kNJpTfQaC9`wy5|Xu?PwhvavS>XvLF|3j55x7T*{nZl88Ba8CAIivRLAGxu|1vrk0 ziVb(UD`XGxL#uCN0ui_2W*ScoPmEzlk$N_c2xSU?PO6~=u_}Ig!JYJM)Um3ym8s`> zEms8Ktf8HCeGMgKXj)W4l}7BafQdy}bi0{EwEJZA`fw~-0#0ax+j$nQob~6WUfCzP zoGy6tNWL2rsdlH-N5o}LfM~5)#9Jkxmc#bH39V+~5Xj4uemJ0f&NLQ<@m}IwT5l_( zt4JU2$+SW)EMxxYqQnJ?0|6$H)^|F}89VT)AR;N5kGuO{iv3wH0r5L zR}I8JzoB@vYWfe17Xok3d1Z1-9evO@s3C5pj)I`aKCzH*!@Cwk#uvPSLuGgi#`k}c zxsSEw?V}ifP|AUQe~7zx5Xm|-HFDtimcnH;jyXx%b3;2sh{Wi0VfD3(-x|Dk#*0L zmL$&XF_5JFb?6rKOZIgcRNtJ8{UJFnsLQVKH2|O zY-WEi(ZA>aO*XaL|1a5Q^lEIqiw2u`YT@3shhiE_^u5vLs~?&$N5rpGk9!`}Len)T zs7f^750*yGGxITYy9ApF?|W>?XyI(iMN7JbaT*4zEqyERq^ND%sDmLXTw&maCOkCn z=D5NggQylr$X(*$N9Zmea@~EwC>E8u{qlH%>(9& z-<`J%0OQTfRFG;{p(V3H<5v_t0!;ddRCEztakN}U?g0EG#XJ`H%wu9nWNCjTLc#Z0 z6V$iifDrsZ_5t;l>ITmuN7{~>Nom((+}+qfjn4)x79cJ95wv~5)Ag;vLkGOT<$XD_ zgEY5~iDA@N!zR!Yx`Ld$-)Kn6n%C+6lWhNp*Vw|rf^diGBwDhL9U1A|AEC&Q3|q7; 
zXWBmj>BuM%h>oqZ50c_?Xo9w%^I?9{a5XV}_PyRn;R)6Wi|4hrSNrqEzRIk?40MBaqyMx`g+Cv9i0&rIt1;=N$fnP zVOTnMjGKZB5iCtk4WJ)hzc8?X8X4%!TZwNgYIzUsHgCZ|hqfM0BrbItKRAbK!taIE zj4qOJB$T)#RFlH!0#9-fWLL$U6cj({{rkuUS17m$mAlpAx%YaDmHy&E{rxpMS_9KB zbMMAXGPrfBe)P23QCr3Srjbr8NPr;WVn@k#V|X!;BvK-YOL&$0ib0OISoD=ttFyh7 z_Yl==8otaHC0lFo9WmA_c*qtl(|cO+@`;`gLVPbxTej@I^5L-2_#;*WQmmYFo0To8>LG)VV+9>d=`deWfwg_FNPSBU3V&aL1!lp>{sxa>*mh@{BsQhM zaCAS$frn}bzsnY{kkGFYHw3TNnw+EY$SnYsho^V^o224zp~|TjMFOf~Hv`1%Omg$b zCiK8=g?_zShOg1&q{7v%4J0q+FG(#mAi#jda*P^hdTCvT*VRi}4;8A~)(#0ND(oo6 z3xUVWJqZKTs6=r2j4&HPJ8z}(ZuI@oS?E2@1X5weL6$N+`yECp*Q=#sr;!wj1&=y= ze%SdkK6%#fta2IB&WM`~w_o|Tcb(^;9|ufQV;i>HFHS|&vRaQb! zLv}>pa@AL&=pYvfcE3^Z#i8V_1`Ws)`aJ;OuNs3$*XIJsf_nA1nVo3m_d`zGAM%|e zYRAL`lGVlievDDduq5Nb=^IQnw&Zw>{9b=rvQU;Jx|!N=%<<2{-@Dv*r;JeG9>a&H zMC1Z5AR%ZR+L`eiVrV3}Hl z*imU_^)Tyb1g)&?i6%_Xzb|rc6j*y?@*%+kd8u)A7%KgPfVTuAo)<{oLY~Lyyxjlu zG}MdAOE@azi`9blOZu89OZKFpZm805>T)%AQbv;BqCvU)526+9#J!1FoNtRAEb^KU T!Cr3o#_z9mAF;Up2JF88!AsZ6 literal 0 HcmV?d00001 diff --git a/demo/keyring/trustdb.gpg b/demo/keyring/trustdb.gpg new file mode 100644 index 0000000000000000000000000000000000000000..a0453fbaf2b92ca809d2cc8775fa4a95ef59f536 GIT binary patch literal 1520 zcmZQfFGy!*W@Ke#Vql2j4Ee%<9WZiX7sn7CRfiEIU;(OyixR|qs+k9M?tq)80Cfls zYQWtGa+e$q#{q>0h5K+jkGk$t894v)Fsz+q!aQ-lnn&B$gISjgChHo?H*AA?Tpkes zybM`_&ClGj&+2(*)OybO6!3`epZWuYJdDM|(9xdN`S?m^fAi(rd_|9K7C(64=f(z+ zR)ncyV8Cu3R2@PY0}n$)a&uhViDwSKR2=!)=G~Ev+}g?xRi}(l$je|Pu=lJ?$K(k+ zq+DteW}afStGcOy&AgXxe-g^BHAnbmFyFo$y*8_I@v+TNb*jkbiBC8&|9s7zNg8dM Q>4|4|f17^#;Cf8+0LDXBCjbBd literal 0 HcmV?d00001 diff --git a/demo/rebuild.5863835e.link b/demo/rebuild.5863835e.link new file mode 100644 index 0000000..fd08a9c --- /dev/null +++ b/demo/rebuild.5863835e.link 
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+ {
+ "keyid": "5863835e5ec8e640fa24410f069edc1d59b58507",
+ "other_headers": "04000108001d1621045863835e5ec8e640fa24410f069edc1d59b5850705025cf69068",
+ "signature": "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"
+ }
+ ],
+ "signed": {
+ "_type": "link",
+ "byproducts": {},
+ "command": [],
+ "environment": {},
+ "materials": {},
+ "name": "rebuild",
+ "products": {
+ "demo-package_1.0.0_all.deb": {
+ "sha256": "6c2147cc1a69c549a7cc5cbc493597df783d65e1b3b62256c1d08305ef9c3d94"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/demo/rebuild.e946fc60.link b/demo/rebuild.e946fc60.link
new file mode 100644
index 0000000..956a1c7
--- /dev/null
+++ b/demo/rebuild.e946fc60.link
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+ {
+ "keyid": "e946fc6076d683584e6803dbd35bad6a79a3c6b3",
+ "other_headers": "04000108001d162104e946fc6076d683584e6803dbd35bad6a79a3c6b305025cf6906f",
+ "signature": "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"
+ }
+ ],
+ "signed": {
+ "_type": "link",
+ "byproducts": {},
+ "command": [],
+ "environment": {},
+ "materials": {},
+ "name": "rebuild",
+ "products": {
+ "demo-package_1.0.0_all.deb": {
+ "sha256": "6c2147cc1a69c549a7cc5cbc493597df783d65e1b3b62256c1d08305ef9c3d94"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/demo/root.layout b/demo/root.layout
new file mode 100644
index 0000000..b56cab5
--- /dev/null
+++ b/demo/root.layout
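Review bot: The two pre-signed links here and `demo/root.layout` (the next hunk) are frozen artifacts, and the layout carries a fixed `"expires": "2021-01-06T18:30:57Z"`; once that date passes, in-toto verification is expected to reject the layout, so the install would fail against mirror.ok just as it does against mirror.bad. Nothing in the visible part of the series says how this metadata was produced or how to re-sign it. Since JSON has no comments, I would document the regeneration steps (which keys in `demo/keyring` sign the layout and each link) in the demo README, or in the layout's currently empty `readme` field before signing. Both links also have empty `materials` and `command`, so they attest only to the product hash; fine for a demo, but worth stating next to the regeneration notes.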
@@ -0,0 +1,127 @@ +{ + "signatures": [ + { + "keyid": "88876a89e3d4698f83d3db0e72e33ca3e0e04e46", + "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e4605025c348c50", + "signature": "2a5e5f62641c19e998ef0d3d41edbce64bc6c70ec8a10c271ca282340ce5ea5f56644911e55e1234837e6a468fe54a5fac224d1bae902bb46da9552a464b95304062fa18b873fee3f536d490dc762dc46b27cfb0058378b597136350da46d1dac8488137a1a048a0c1300c72980a627267ef49570e546c7b967786f663c4ebc6ed47545e34a7d2f89013e7c4af02ef79e7a2a345cf4aa8d761b1762a45f4fda266449cad36eeee22d24c426fba3d38d5377b2d2a7d62b188ae52ebd8eb71e2ec69eab3062c71f513c2f7999f8360a3e9784fc6b8fbd9cbc367020ef6f4394b8ba8e2b49fdbb8dfc4a241d8ae53c2ba3ff1f2e638b254a0110e0bc5e52c8b6785" + } + ], + "signed": { + "_type": "layout", + "expires": "2021-01-06T18:30:57Z", + "inspect": [ + { + "_type": "inspection", + "expected_materials": [ + [ + "MATCH", + "*.deb", + "WITH", + "PRODUCTS", + "FROM", + "rebuild" + ], + [ + "DISALLOW", + "*.deb" + ] + ], + "expected_products": [], + "name": "verify-reprobuilds", + "run": [ + "true" + ] + } + ], + "keys": { + "5863835e5ec8e640fa24410f069edc1d59b58507": { + "hashes": [ + "pgp+SHA2" + ], + "keyid": "5863835e5ec8e640fa24410f069edc1d59b58507", + "keyval": { + "private": "", + "public": { + "e": "010001", + "n": "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" + } + }, + "method": "pgp+rsa-pkcsv1.5", + "subkeys": { + "8357b173d137d2482eb2707bf12a7ffdbd73613c": { + "hashes": [ + "pgp+SHA2" + ], + "keyid": "8357b173d137d2482eb2707bf12a7ffdbd73613c", + "keyval": { + "private": "", + "public": { + "e": "010001", + "n": "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" + } + }, + "method": "pgp+rsa-pkcsv1.5", + "type": "rsa" + } + }, + "type": "rsa" + }, + "e946fc6076d683584e6803dbd35bad6a79a3c6b3": { + "hashes": [ + "pgp+SHA2" + ], + "keyid": "e946fc6076d683584e6803dbd35bad6a79a3c6b3", + "keyval": { + "private": "", + "public": { + "e": "010001", + "n": 
"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" + } + }, + "method": "pgp+rsa-pkcsv1.5", + "subkeys": { + "0dc0740edcd16f3c930b5d585cfdcc6b17f3ff27": { + "hashes": [ + "pgp+SHA2" + ], + "keyid": "0dc0740edcd16f3c930b5d585cfdcc6b17f3ff27", + "keyval": { + "private": "", + "public": { + "e": "010001", + "n": "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" + } + }, + "method": "pgp+rsa-pkcsv1.5", + "type": "rsa" + } + }, + "type": "rsa" + } + }, + "readme": "", + "steps": [ + { + "_type": "step", + "expected_command": [], + "expected_materials": [], + "expected_products": [ + [ + "CREATE", + "*.deb" + ], + [ + "DISALLOW", + "*.deb" + ] + ], + "name": "rebuild", + "pubkeys": [ + "5863835e5ec8e640fa24410f069edc1d59b58507", + "e946fc6076d683584e6803dbd35bad6a79a3c6b3" + ], + "threshold": 2 + } + ] + } +} \ No newline at end of file From cd3c448b3fa1fae6edecde27738a065dbf0f5292 Mon Sep 17 00:00:00 2001 
From: Lukas Puehringer
Date: Wed, 5 Jun 2019 17:03:24 +0200
Subject: [PATCH 3/6] Add docker demo setup All components used for the demo are defined as docker compose services: - *mirror.ok* and *mirror.bad* each set up a basic Debian archive that serves a single `demo-package`. *mirror.ok* serves a package, whose hash corresponds to the rebuilder results. *mirror.bad* does not. - *rebuilder.a* and *rebuilder.b* each statically serve in-toto link metadata, to provide the signed rebuild evidence for `demo-package`. - *client* is a pre-configured Debian host, which is set up to demonstrate the installation.
---
demo/Dockerfile-client | 38 +++++++++++++++++++++++
demo/Dockerfile-mirror | 22 ++++++++++++++
demo/Dockerfile-rebuilder | 3 ++
demo/archive.sh | 64 +++++++++++++++++++++++++++++++++++++++
demo/docker-compose.yml | 43 ++++++++++++++++++++++++++
5 files changed, 170 insertions(+)
create mode 100644 demo/Dockerfile-client
create mode 100644 demo/Dockerfile-mirror
create mode 100644 demo/Dockerfile-rebuilder
create mode 100644 demo/archive.sh
create mode 100644 demo/docker-compose.yml
diff --git a/demo/Dockerfile-client b/demo/Dockerfile-client
new file mode 100644
index 0000000..8110231
--- /dev/null
+++ b/demo/Dockerfile-client
@@ -0,0 +1,38 @@
+FROM debian:sid-slim
+
+# Install Python required for in-toto and some tools handy for demoing
+RUN apt-get update \
+ && apt-get install -y python-pip vim wget gpg iputils-ping apt-utils
+
+# Add custom archive release key to apt keyring (see Dockerfile-mirror)
+COPY demo/alice.asc /tmp/release.key
+RUN apt-key add /tmp/release.key
+
+# Add bash niceness for demoing, i.e. colored ls, json synax highlighting for
+# in-toto/rebuilder metadata in vim, custom demo prompt
+RUN echo 'alias ls="ls --color=auto"' >> ~/.bashrc
+RUN echo 'PS1="demo:\w # "' >> ~/.bashrc
+RUN echo 'colo delek' >> ~/.vimrc
+RUN echo 'syntax on' >> ~/.vimrc
+RUN echo 'autocmd BufRead,BufNewFile *.layout set filetype=json' >> ~/.vimrc
+RUN echo 'autocmd BufRead,BufNewFile metadata* set filetype=json' >> ~/.vimrc
+
+
+# NOTE: Below setup will be replaced by `apt-get install apt-transport-intoto`
+# (see in-toto/apt-transport-in-toto#11)
+
+# Install in-toto and and intoto transport
+RUN pip install in-toto requests subprocess32
+COPY intoto.py /usr/lib/apt/methods/intoto
+RUN chmod +x /usr/lib/apt/methods/intoto
+
+# Manually copy apt config file, root layout and root layout key
+COPY demo/intoto.conf /etc/apt/apt.conf.d/intoto
+COPY demo/root.layout /etc/intoto/root.layout
+COPY demo/alice.asc /etc/intoto/root.asc
+
+# Import root layout key to default keychain
+RUN gpg --import /etc/intoto/root.asc
+
+# Patch sources.list to retrieve packages from mock mirror
+RUN echo deb http://mirror.ok/debian/ unstable main > /etc/apt/sources.list
diff --git a/demo/Dockerfile-mirror b/demo/Dockerfile-mirror
new file mode 100644
index 0000000..465fb36
--- /dev/null
+++ b/demo/Dockerfile-mirror
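Review bot: The client pulls the verification tooling itself from PyPI unpinned (`RUN pip install in-toto requests subprocess32`) on top of the floating `debian:sid-slim` tag, so the component meant to detect a tampered package is installed with no integrity check of its own and the demo is not reproducible. I would pin it, e.g. `RUN pip install in-toto==<pinned-version> requests==<pinned-version> subprocess32==<pinned-version>` (placeholders), or install from a requirements file with `--require-hashes`. Separately, `RUN apt-key add /tmp/release.key` trusts Alice's key for every source apt knows about; that is contained here because sources.list is overwritten with the mock mirror only, but a comment such as `# demo-only: key is trusted for all sources, do not copy into a real setup` would keep it from being reused as-is.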
@@ -0,0 +1,22 @@ +FROM debian:sid-slim + +# The passed mirror name is used to decide which package to serve +# (see service definition in docker-compose.yml) +ARG name + +RUN apt-get update && apt-get install -y nginx apt-utils gpg + +# Copy deb package to be served for the passed name +COPY demo-package_1.0.0_all.deb.${name} \ + /var/www/html/debian/pool/main/demo-package_1.0.0_all.deb + +# Copy gpg keyring used to sign the release (see archive.sh) +COPY keyring /tmp/keyring + +# Copy and run archive creation script +COPY archive.sh /tmp/archive.sh +RUN chmod +x /tmp/archive.sh +RUN /tmp/archive.sh + +# Start nginx server to serve archive +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/demo/Dockerfile-rebuilder b/demo/Dockerfile-rebuilder new file mode 100644 index 0000000..ed744b7 --- /dev/null +++ b/demo/Dockerfile-rebuilder @@ -0,0 +1,3 @@ +FROM nginx +ARG keyid +COPY rebuild.${keyid}.link /usr/share/nginx/html/sources/demo-package/1.0.0/metadata \ No newline at end of file diff --git a/demo/archive.sh b/demo/archive.sh new file mode 100644 index 0000000..58541b1 --- /dev/null +++ b/demo/archive.sh @@ -0,0 +1,64 @@ +#!/bin/sh + +# Create a small public archive +# https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_small_public_package_archive +cd /var/www/html/debian +mkdir -p dists/unstable/main/binary-amd64 +mkdir -p dists/unstable/main/source +cat > dists/unstable/main/binary-amd64/Release << EOF +Archive: unstable +Version: 4.0 +Component: main +Origin: Foo +Label: Foo +Architecture: amd64 +EOF + +cat > dists/unstable/main/source/Release << EOF +Archive: unstable +Version: 4.0 +Component: main +Origin: Foo +Label: Foo +Architecture: source +EOF + +cat >aptftp.conf <aptgenerate.conf < dists/unstable/Release + +gpg --homedir /tmp/keyring -u 88876A89E3D4698F83D3DB0E72E33CA3E0E04E46 \ + -bao dists/unstable/Release.gpg dists/unstable/Release 
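Review bot: `COPY keyring /tmp/keyring` leaves the GnuPG home used for release signing inside the final image, next to the nginx process the client talks to, although it is only needed while `archive.sh` runs. Anyone who can pull or inspect the mirror image then has whatever `archive.sh` signs `Release` with (presumably the private key, since the script signs with it). A multi-stage build keeps the signing material in a build stage and copies only the finished archive into the serving stage, as sketched below. This applies to both `mirror.ok` and `mirror.bad`, which are built from this file.

```dockerfile
FROM debian:sid-slim AS archive
ARG name
RUN apt-get update && apt-get install -y apt-utils gpg
# … unchanged: COPY of the .deb for ${name}, COPY keyring, COPY/chmod/RUN archive.sh …

# Serving stage: receives the signed archive only, never /tmp/keyring
FROM debian:sid-slim
RUN apt-get update && apt-get install -y nginx
COPY --from=archive /var/www/html/debian /var/www/html/debian
CMD ["nginx", "-g", "daemon off;"]
```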
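Review bot: `archive.sh` opens with `cd /var/www/html/debian` and, as far as its visible opening lines show, never enables `set -e`, so a failed `cd`, `mkdir` or index-generation step does not stop the build; only the exit status of the final `gpg` command reaches `RUN /tmp/archive.sh`. For a script whose output is a signed `Release` file, I would add `set -eu` directly under the `#!/bin/sh` line so the image cannot be built from a half-generated archive. The middle of the script (the two config heredocs and the index commands) is not legible in this rendering, so this is judged from the top and bottom of the file. The signing fingerprint is hard-coded in the `gpg -u` call; a one-line comment saying it is the demo key from `keyring` would help whoever rotates it.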
diff --git a/demo/docker-compose.yml b/demo/docker-compose.yml
new file mode 100644
index 0000000..0fd8252
--- /dev/null
+++ b/demo/docker-compose.yml
@@ -0,0 +1,43 @@
+version: "3.7"
+services:
+ mirror.ok:
+ build:
+ context: .
+ dockerfile: Dockerfile-mirror
+ args:
+ name: mirror.ok
+ expose:
+ - "80"
+
+ mirror.bad:
+ build:
+ context: .
+ dockerfile: Dockerfile-mirror
+ args:
+ name: mirror.bad
+ expose:
+ - "80"
+
+ rebuilder.a:
+ build:
+ context: .
+ dockerfile: Dockerfile-rebuilder
+ args:
+ keyid: 5863835e
+ expose:
+ - "80"
+
+ rebuilder.b:
+ build:
+ context: .
+ dockerfile: Dockerfile-rebuilder
+ args:
+ keyid: e946fc60
+ expose:
+ - "80"
+
+ client:
+ build:
+ context: ..
+ dockerfile: demo/Dockerfile-client
+ tty: true
\ No newline at end of file
From 6f1e6136ffca3d0b819f83658981233b17ec8dac Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Wed, 5 Jun 2019 17:05:44 +0200
Subject: [PATCH 4/6] Add demo README
Add demo command snippets and background information.
---
 demo/README.md | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 demo/README.md
diff --git a/demo/README.md b/demo/README.md
new file mode 100644
index 0000000..bd4a6a1
--- /dev/null
+++ b/demo/README.md
@@ -0,0 +1,80 @@
+# in-toto apt transport demo
+
+The commands in this document may be used to demonstrate two scenarios of
+installing a Debian package with the in-toto apt transport, using a generic
+[*rebuild layout*](root.layout), which requires a treshold of two trusted
+rebuilders to agree on the package to be installed.
+
+In the first scenario the rebuilder results and the served package align and
+the installation succeeds. In the second scenario, the mirror servers a package
+with a hash that does not correspond to the rebuild results and thus in-toto
+aborts installation.
+
+All components used for this demo are defined as docker compose services in
+[`docker-compose.yml`](docker-compose.yml):
+
+- *mirror.ok* and *mirror.bad* each set up a basic Debian archive that serves
+ a single `demo-package`. *mirror.ok* serves a package, whose hash
+ corresponds to the rebuilder results. *mirror.bad* does not.
+- *rebuilder.a* and *rebuilder.b* each statically serve in-toto link metadata,
+ to provide the signed rebuild evidence for `demo-package`.
+- *client* is a pre-configured Debian host, which is set up to demonstrate the
+ installation.
+
+
+## Create and run services
+Use the following command to start all services in the same virtual network
+
+```bash
+# In project root
+docker-compose -f demo/docker-compose.yml up
+
+```
+
+## Attach to client
+Use the following command to connect to client service started above
+```bash
+# In a new terminal
+docker exec -it $(docker ps -qf "name=client") bash
+```
+
+## Scenario 1: Successfully install verified package
+```bash
+# In client bash
+
+# Optional: Browse config file, root layout and root key
+vi /etc/apt/apt.conf.d/intoto
+vi /etc/intoto/root.layout
+gpg --list-keys
+
+# Enable in-toto transport in sources.list
+vi -c :s/http/intoto/g /etc/apt/sources.list
+
+# Update apt and install demo package
+apt-get update && apt-get install demo-package
+
+# Check apt output...
+
+# Optional: Take a look at the used rebuilder link metadata
+wget -q -O - rebuilder.a/sources/demo-package/1.0.0/metadata | vi -
+wget -q -O - rebuilder.b/sources/demo-package/1.0.0/metadata | vi -
+
+```
+
+## Scenario 2: Abort installation of package served from malicious mirror
+
+```bash
+# In client bash
+
+# Remove demo package if installed above
+apt-get remove demo-package
+
+# Change mirror in sources.list
+vi -c :s/ok/bad/g /etc/apt/sources.list
+
+# Update apt and install demo package (will fail)
+apt-get update && apt-get install demo-package
+
+# Check apt output...
+
+```
\ No newline at end of file
From 660f6227b16f7773b48003c435f9e4c2dc17ea78 Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Thu, 6 Jun 2019 21:44:43 +0200
Subject: [PATCH 5/6] Make log output nicer for demo (WIP)
- Make all log messages bold to better distinguish from apt notifications.
- Colorize failure and success message
- Shorten error message sent to apt, because we have to escape newlines, which aren't un-escaped when apt prints them.
- Add newlines where appropriate
---
 intoto.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/intoto.py b/intoto.py
index 30f9408..507f09d 100755
--- a/intoto.py
+++ b/intoto.py
@@ -127,7 +127,6 @@
 # finetune the actual log levels on handlers
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.DEBUG)
-
 # A file handler for debugging purposes
 # NOTE: bandit security linter flags the use of /tmp because an attacker might
 # hijack that file. This should not be a problem for logging since we don't
@@ -144,6 +143,8 @@ # CONFIGURATION` message which may set the SteamHandler's loglevel LOG_HANDLER_STDERR = logging.StreamHandler() LOG_HANDLER_STDERR.setLevel(logging.INFO) +# Make all log messages bold to better distinguish them from apt output +LOG_HANDLER_STDERR.setFormatter(logging.Formatter("\033[1m%(message)s\033[0m")) logger.addHandler(LOG_HANDLER_STDERR) APT_METHOD_HTTP = os.path.join(os.path.dirname(sys.argv[0]), "http") @@ -559,10 +560,10 @@ def _intoto_verify(message_data): pkg_version_release = pkg_name_parts[1] if not (pkg_name and pkg_version_release): - logger.info("Skipping in-toto verification for '{}'".format(filename)) + logger.info("\nSkipping in-toto verification for '{}'".format(filename)) return True - logger.info("Prepare in-toto verification for '{}'".format(filename)) + logger.info("\nPrepare in-toto verification for '{}'".format(filename)) # Create temp dir verification_dir = tempfile.mkdtemp() @@ -650,7 +651,8 @@ def _intoto_verify(message_data): in_toto.verifylib.in_toto_verify(layout, layout_keys) except Exception as e: - error_msg = ("In-toto verification for '{}' failed, reason was: {}" + # Colorize (red) error message + error_msg = ("\033[31mIn-toto verification for '{}' failed:\033[0m\n{}" .format(filename, str(e))) logger.error(error_msg) @@ -660,13 +662,17 @@ def _intoto_verify(message_data): " installation continues.") else: - # Notify apt about the failure ... + # Notify apt about the failure using a short error message + error_msg = ("In-toto verification failed with '{}'.".format( + type(e).__name__)) notify_apt(URI_FAILURE, error_msg, uri) # ... and do not relay http's URI Done (so that apt does not install it) return False else: - logger.info("In-toto verification for '{}' passed! :)".format(filename)) + # Colorize (blue) success message + logger.info("\033[34mIn-toto verification for '{}' passed! :)\033[0m" + .format(filename)) finally: os.chdir(cached_cwd) 
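Review bot: The red and blue escape sequences are written into the message text itself in `_intoto_verify` (`"\033[31mIn-toto verification for '{}' failed:\033[0m\n{}"` and the `passed! :)` message), so they go to every handler attached to `logger`, not only to `LOG_HANDLER_STDERR`; the file handler mentioned in the surrounding comments would presumably record raw escape bytes. The bold formatter is also applied unconditionally, which puts control codes into stderr when it is redirected or captured. I would keep all colouring in the stderr handler and guard it, e.g. `if sys.stderr.isatty(): LOG_HANDLER_STDERR.setFormatter(...)`, and leave the messages plain. `filename` and `str(e)` are interpolated unchanged into text printed to the terminal; if either can carry bytes from fetched metadata (not visible in these hunks), stripping control characters before logging is worth considering. `_intoto_verify` starts and ends outside these hunks.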
From 77e64b1c1ec5631c9cd13d76430c4d2cd284c0c1 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Wed, 27 Oct 2021 19:15:45 -0400 Subject: [PATCH 6/6] ENH: demo: refresh for 2021 usage :) --- demo/Dockerfile-client | 9 ++------- demo/root.layout | 6 +++--- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/demo/Dockerfile-client b/demo/Dockerfile-client index 8110231..57ef507 100644 --- a/demo/Dockerfile-client +++ b/demo/Dockerfile-client @@ -1,8 +1,8 @@ -FROM debian:sid-slim +FROM debian:unstable-slim # Install Python required for in-toto and some tools handy for demoing RUN apt-get update \ - && apt-get install -y python-pip vim wget gpg iputils-ping apt-utils + && apt-get install -y python3-pip vim wget gpg iputils-ping apt-utils apt-transport-in-toto # Add custom archive release key to apt keyring (see Dockerfile-mirror) COPY demo/alice.asc /tmp/release.key @@ -21,11 +21,6 @@ RUN echo 'autocmd BufRead,BufNewFile metadata* set filetype=json' >> ~/.vimrc # NOTE: Below setup will be replaced by `apt-get install apt-transport-intoto` # (see in-toto/apt-transport-in-toto#11) -# Install in-toto and and intoto transport -RUN pip install in-toto requests subprocess32 -COPY intoto.py /usr/lib/apt/methods/intoto -RUN chmod +x /usr/lib/apt/methods/intoto - # Manually copy apt config file, root layout and root layout key COPY demo/intoto.conf /etc/apt/apt.conf.d/intoto COPY demo/root.layout /etc/intoto/root.layout diff --git a/demo/root.layout b/demo/root.layout index b56cab5..0fe2e12 100644 --- a/demo/root.layout +++ b/demo/root.layout 
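Review bot: The second hunk removes the manual install but keeps the two-line `# NOTE: Below setup will be replaced by ...` comment as context, so it now announces a change this commit has already made and sits directly above unrelated `COPY` lines. I would replace it with `# in-toto and the intoto apt method come from the apt-transport-in-toto package installed above`. With the `COPY intoto.py` line gone, the client runs whatever transport version `debian:unstable-slim` ships on build day rather than the repository's own `intoto.py`, so the demo no longer exercises the working tree and a rebuild can change behaviour without any commit. Pinning the base image by digest, or stating this in `demo/README.md`, would make that explicit.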
@@ -2,13 +2,13 @@ "signatures": [ { "keyid": "88876a89e3d4698f83d3db0e72e33ca3e0e04e46", - "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e4605025c348c50", - "signature": "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" + "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e46050260d49da1", + "signature": "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" } ], "signed": { "_type": "layout", - "expires": "2021-01-06T18:30:57Z", + "expires": "2022-01-06T18:30:57Z", "inspect": [ { "_type": "inspection",
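Review bot: The new `expires` value, `2022-01-06T18:30:57Z`, is about ten weeks after this commit's date (27 Oct 2021), so the demo will presumably stop verifying again once that date passes, as it did with the `2021-01-06` value being replaced. Because the layout has to be re-signed whenever `expires` changes (the `other_headers` and `signature` fields change with it in this hunk), I would either sign with a longer validity for the demo or add a short section to `demo/README.md` describing how to re-sign `root.layout` with the demo key. The `signed` object continues past the end of the hunk.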