Add docker-based in-toto apt transport demo

demo/Dockerfile-client

@@ -0,0 +1,33 @@
+FROM debian:unstable-slim
+
+# Install Python required for in-toto and some tools handy for demoing
+RUN apt-get update \
+    && apt-get install -y python3-pip vim wget gpg iputils-ping apt-utils apt-transport-in-toto
+
+# Add custom archive release key to apt keyring (see Dockerfile-mirror)
+COPY demo/alice.asc /tmp/release.key
+RUN apt-key add /tmp/release.key
+
+# Add bash niceness for demoing, i.e. colored ls, json synax highlighting for
+# in-toto/rebuilder metadata in vim, custom demo prompt
+RUN echo 'alias ls="ls --color=auto"' >> ~/.bashrc
+RUN echo 'PS1="demo:\w # "' >> ~/.bashrc
+RUN echo 'colo delek' >> ~/.vimrc
+RUN echo 'syntax on' >> ~/.vimrc
+RUN echo 'autocmd BufRead,BufNewFile *.layout set filetype=json' >> ~/.vimrc
+RUN echo 'autocmd BufRead,BufNewFile metadata* set filetype=json' >> ~/.vimrc
+
+
+# NOTE: Below setup will be replaced by `apt-get install apt-transport-intoto`
+# (see in-toto/apt-transport-in-toto#11)
+
+# Manually copy apt config file, root layout and root layout key
+COPY demo/intoto.conf /etc/apt/apt.conf.d/intoto
+COPY demo/root.layout /etc/intoto/root.layout
+COPY demo/alice.asc /etc/intoto/root.asc
+
+# Import root layout key to default keychain
+RUN gpg --import /etc/intoto/root.asc
+
+# Patch sources.list to retrieve packages from mock mirror
+RUN echo deb http://mirror.ok/debian/ unstable main > /etc/apt/sources.list

demo/Dockerfile-mirror

@@ -0,0 +1,22 @@
+FROM debian:sid-slim
+
+# The passed mirror name is used to decide which package to serve
+# (see service definition in docker-compose.yml)
+ARG name
+
+RUN apt-get update && apt-get install -y nginx apt-utils gpg
+
+# Copy deb package to be served for the passed name
+COPY demo-package_1.0.0_all.deb.${name} \
+    /var/www/html/debian/pool/main/demo-package_1.0.0_all.deb
+
+# Copy gpg keyring used to sign the release (see archive.sh)
+COPY keyring /tmp/keyring
+
+# Copy and run archive creation script
+COPY archive.sh /tmp/archive.sh
+RUN chmod +x /tmp/archive.sh
+RUN /tmp/archive.sh
+
+# Start nginx server to serve archive
+CMD ["nginx", "-g", "daemon off;"]

demo/Dockerfile-rebuilder

@@ -0,0 +1,3 @@
+FROM nginx
+ARG keyid
+COPY rebuild.${keyid}.link /usr/share/nginx/html/sources/demo-package/1.0.0/metadata

demo/README.md

@@ -0,0 +1,80 @@
+# in-toto apt transport demo
+
+The commands in this document may be used to demonstrate two scenarios of
+installing a Debian package with the in-toto apt transport, using a generic
+[*rebuild layout*](root.layout), which requires a treshold of two trusted
+rebuilders to agree on the package to be installed.
+
+In the first scenario the rebuilder results and the served package align and
+the installation succeeds. In the second scenario, the mirror servers a package
+with a hash that does not correspond to the rebuild results and thus in-toto
+aborts installation.
+
+All components used for this demo are defined as docker compose services in
+[`docker-compose.yml`](docker-compose.yml):
+
+- *mirror.ok* and *mirror.bad* each set up a basic Debian archive that serves
+  a single `demo-package`. *mirror.ok* serves a package, whose hash
+  corresponds to the rebuilder results. *mirror.bad* does not.
+- *rebuilder.a* and *rebuilder.b* each statically serve in-toto link metadata,
+  to provide the signed rebuild evidence for `demo-package`.
+- *client* is a pre-configured Debian host, which is set up to demonstrate the
+  installation.
+
+
+## Create and run services
+Use the following command to start all services in the same virtual network
+
+```bash
+# In project root
+docker-compose -f demo/docker-compose.yml up
+
+```
+
+## Attach to client
+Use the following command to connect to client service started above
+```bash
+# In a new terminal
+docker exec -it $(docker ps -qf "name=client") bash
+```
+
+## Scenario 1: Successfully install verified package
+```bash
+# In client bash
+
+# Optional: Browse config file, root layout and root key
+vi /etc/apt/apt.conf.d/intoto
+vi /etc/intoto/root.layout
+gpg --list-keys
+
+# Enable in-toto transport in sources.list
+vi -c :s/http/intoto/g /etc/apt/sources.list
+
+# Update apt and install demo package
+apt-get update && apt-get install demo-package
+
+# Check apt output...
+
+# Optional: Take a look at the used rebuilder link metadata
+wget -q -O - rebuilder.a/sources/demo-package/1.0.0/metadata | vi -
+wget -q -O - rebuilder.b/sources/demo-package/1.0.0/metadata | vi -
+
+```
+
+## Scenario 2: Abort installation of package served from malicious mirror
+
+```bash
+# In client bash
+
+# Remove demo package if installed above
+apt-get remove demo-package
+
+# Change mirror in sources.list
+vi -c :s/ok/bad/g /etc/apt/sources.list
+
+# Update apt and install demo package (will fail)
+apt-get update && apt-get install demo-package
+
+# Check apt output...
+
+```

demo/alice.asc

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFwJRhkBCACqoenU2d9ds+0WwIjF0Q2+tYIO8pKC1Wxfjjlo7EvjofFLejV5
+gg0brd2KsioCOjVbzOgIaDzqTf5Z64VH51qhMLQpkHuYamChUNWCImlq9LNzTX3/
+Hr9Mva2K6IWa382Vy0R8gdcE1L9ICwc20Y3SnuNjDTDYu73Mqzl+J+/s2vol+zqj
+XEv5WQzeo+yttGdKtaqAON/kWryCyTenk++JjRb2fyTrsxW5HkYeTEdNbelcKKXp
+BFS2QJuJRwVMnThkueIxCtLVcIyHD4DtXvTcEmfTHZDlSEPzBVwroCR3qjBxJQj1
++GaYlTsWQ+af7N/dVtgcTpa73YxLxl4XLtd9ABEBAAG0F0FsaWNlIDxhbGljZUBh
+bGljZS5jb20+iQE4BBMBAgAiBQJcCUYZAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRBy4zyj4OBORsNNB/4u0MS3iXJPKR+0ps/xn8G5aKcccUo+1JLNaZ8H
+4WqAzLLQPRk0UgoNHXzr7anvHDKZlrgpSEuu6zJi/ysVLxqgvHMXoaVrBHndCC7g
+lKarOVQmFgiO9S5t3x/f+tdS+i5FDBauS3jQ0mKVkV3CPKQOq9qb5s1GPMtWIRkT
+Bq6T45vy5MdcgFreuvr0/SkRXdOn808InRaKZlHOOnG4Gp1jPxBFCRTbpz48jGeE
+UhXXP+/eygSvdpoo4Aybx9wWrKQz7GPusU8660FAN5SmmFdj+cr1H0Rp3yVPmvxe
+W5w5H88MEPNeiF0Ui57hPQinv9xDORgHMkp2rtWPAv6MZuwTuQENBFwJRhkBCADW
+Rfv/Z6hEjicX53QjMFZisiuMSjRxngWIHvMKMZDxx1sSvAkglUMv5QVBgLtBfam0
+SIfnSxPIwaZ0Ljd32aadnsof7S8sLERpqS2ZutD4COC5cLp3SuoGZ096kxAL7U1J
+5pOjBR6SUZeiewNZ5DT47Z3TB8rfQ67e0jkg59xE6J8LOIfPIgcXg+7Kr9Ab/EXz
+gHA2vwKaopb+kHH6QzUJGorX/9x+KA1NMk1TJt7zuBZ+XbFqvwNo3A7qEW42c6QM
+//obR4cce0QIqBlKxT9SHYQ1lvTMRmpPx7UdWr2Pf6awU1lWad9VNq0HtGO+EEXy
+BCZXcE52pgyuScSL0R49ABEBAAGJAR8EGAECAAkFAlwJRhkCGwwACgkQcuM8o+Dg
+TkYGBAf+MTvsUYRcN5tfMDsXkbmAvO1dYLvAXyhEFX6X8R1ZiS6AYlZnwVaRXyTC
+Qf6G3MVsjLNIRQCTdtt/wjhAO3m67zDR8I+77GVRqSzdjz+iYudjgdnDYwRXCpCe
+co+87M9mwkjTDEOkAW1R8s04TLPksfTrl5Cfl4ncYRBIASeklVEyYKC06OLJ1gT7
+cCbEJHPe6wKto7JLXlNSEDKqCXNjJmMh4SFu68SQ15w3gc8eDqHG+ZFEjbghGx+X
+Z7kC5X1UmcQA+Z/ArweCi0pi+XGhYhIXab2/NareGsB9MBRhk9t31IcguKv1EUMq
+DeKCPetzGh3XTubL7vSl84xQ9MV1xQ==
+=qRqp
+-----END PGP PUBLIC KEY BLOCK-----

demo/archive.sh

@@ -0,0 +1,64 @@
+#!/bin/sh
+
+# Create a small public archive
+# https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_small_public_package_archive
+cd /var/www/html/debian
+mkdir -p dists/unstable/main/binary-amd64
+mkdir -p dists/unstable/main/source
+cat > dists/unstable/main/binary-amd64/Release << EOF
+Archive: unstable
+Version: 4.0
+Component: main
+Origin: Foo
+Label: Foo
+Architecture: amd64
+EOF
+
+cat > dists/unstable/main/source/Release << EOF
+Archive: unstable
+Version: 4.0
+Component: main
+Origin: Foo
+Label: Foo
+Architecture: source
+EOF
+
+cat >aptftp.conf <<EOF
+APT::FTPArchive::Release {
+  Origin "Foo";
+  Label "Foo";
+  Suite "unstable";
+  Codename "sid";
+  Architectures "amd64";
+  Components "main";
+  Description "Public archive for Foo";
+};
+EOF
+
+cat >aptgenerate.conf <<EOF
+Dir::ArchiveDir ".";
+Dir::CacheDir ".";
+TreeDefault::Directory "pool/";
+TreeDefault::SrcDirectory "pool/";
+Default::Packages::Extensions ".deb";
+Default::Packages::Compress ". gzip bzip2";
+Default::Sources::Compress "gzip bzip2";
+Default::Contents::Compress "gzip bzip2";
+
+BinDirectory "dists/unstable/main/binary-amd64" {
+  Packages "dists/unstable/main/binary-amd64/Packages";
+  Contents "dists/unstable/Contents-amd64";
+  SrcPackages "dists/unstable/main/source/Sources";
+};
+
+Tree "dists/unstable" {
+  Sections "main";
+  Architectures "amd64 source";
+};
+EOF
+
+apt-ftparchive generate -c=aptftp.conf aptgenerate.conf
+apt-ftparchive release -c=aptftp.conf dists/unstable > dists/unstable/Release
+
+gpg --homedir /tmp/keyring -u 88876A89E3D4698F83D3DB0E72E33CA3E0E04E46 \
+    -bao dists/unstable/Release.gpg dists/unstable/Release

demo/demo-package/demo-package_1.0.0/debian/changelog

@@ -0,0 +1,5 @@
+demo-package (1.0.0) unstable; urgency=low
+
+  * Initial Release.
+
+ -- Lukas P <[email protected]>  Mon, 03 Jun 2019 12:00:00 +0000

demo/demo-package/demo-package_1.0.0/debian/compat

@@ -0,0 +1 @@
+10

demo/demo-package/demo-package_1.0.0/debian/control

@@ -0,0 +1,12 @@
+Source: demo-package
+Section: misc
+Priority: extra
+Maintainer: Lukas P <[email protected]>
+Build-Depends: debhelper
+Standards-Version: 4.0.0
+Homepage: in-toto.io
+
+Package: demo-package
+Architecture: all
+Depends: ${misc:Depends}
+Description: A package for in-toto apt transport demo

demo/demo-package/demo-package_1.0.0/debian/copyright

@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: apt-transport-in-toto
+Source: https://github.com/in-toto/apt-transport-in-toto
+
+Files: *
+Copyright: 2018 New York University
+License: Apache-2.0
+.
+Copyright 2018 New York University
+.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+.
+    http://www.apache.org/licenses/LICENSE-2.0
+.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

demo/demo-package/demo-package_1.0.0/debian/install

@@ -0,0 +1 @@
+demo-package usr/bin/

demo/demo-package/demo-package_1.0.0/debian/rules

@@ -0,0 +1,16 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#DH_VERBOSE = 1
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+#export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
+# package maintainers to append LDFLAGS
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+%:
+	dh $@ 

demo/demo-package/demo-package_1.0.0/debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

demo/demo-package/demo-package_1.0.0/demo-package

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Hello, reproducible builds + in-toto + apt demo!"

demo/docker-compose.yml

@@ -0,0 +1,43 @@
+version: "3.7"
+services:
+  mirror.ok:
+    build:
+      context: .
+      dockerfile: Dockerfile-mirror
+      args:
+        name: mirror.ok
+    expose:
+      - "80"
+
+  mirror.bad:
+    build:
+      context: .
+      dockerfile: Dockerfile-mirror
+      args:
+        name: mirror.bad
+    expose:
+      - "80"
+
+  rebuilder.a:
+    build:
+      context: .
+      dockerfile: Dockerfile-rebuilder
+      args:
+        keyid: 5863835e
+    expose:
+      - "80"
+
+  rebuilder.b:
+    build:
+      context: .
+      dockerfile: Dockerfile-rebuilder
+      args:
+        keyid: e946fc60
+    expose:
+      - "80"
+
+  client:
+    build:
+      context: ..
+      dockerfile: demo/Dockerfile-client
+    tty: true

demo/intoto.conf

@@ -0,0 +1,11 @@
+APT::Intoto {
+  LogLevel {"20"};
+  Rebuilders {
+    "http://rebuilder.a";
+    "http://rebuilder.b";
+  };
+  Layout {"/etc/intoto/root.layout"};
+  Keyids {
+    "88876A89E3D4698F83D3DB0E72E33CA3E0E04E46"
+  };
+};

demo/rebuild.5863835e.link

@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "5863835e5ec8e640fa24410f069edc1d59b58507",
+   "other_headers": "04000108001d1621045863835e5ec8e640fa24410f069edc1d59b5850705025cf69068",
+   "signature": "340b64986fd2aabef1d1ca324d2ec980a48844dd32b6d8342cd32206816f02cffc50d58724108dbc10cc2344e1c4f020f3592ea191686453ce6cae7c60e6e39a23f2b4a95360bd1450727948229b01b6f5417b658e0d3381427d7529628556bf6ad22a9be268c3f828a98cd6bdfa32315450c91dba8f8667278e4aced16c8b4c33f1f20d7afa2b5da7e84568906920dbd686693d77417df78718409a7e15b738b6443ed3012e04f2c9622b09ea4a2609c99999928a975824f2a95bf5e7590b77678f7b02ef02042c2f6035a0aaab72ee044a3b2f85510b804eccfac3a93b6ac3cc8db3f5591e30d2c52d81a267a5613bbdc2d81eb93357420f074cd06ab72db0"
+  }
+ ],
+ "signed": {
+  "_type": "link",
+  "byproducts": {},
+  "command": [],
+  "environment": {},
+  "materials": {},
+  "name": "rebuild",
+  "products": {
+   "demo-package_1.0.0_all.deb": {
+    "sha256": "6c2147cc1a69c549a7cc5cbc493597df783d65e1b3b62256c1d08305ef9c3d94"
+   }
+  }
+ }
+}