From 66ea6cc04ea46676bf6b9d7b68f6a376bd0dfc96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Thu, 6 Mar 2025 16:54:18 +0100 Subject: [PATCH 01/10] add section for tarball signatures --- scripts/automated_ingestion/automated_ingestion.cfg.example | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/automated_ingestion/automated_ingestion.cfg.example b/scripts/automated_ingestion/automated_ingestion.cfg.example index c79274b5..68df3e4e 100644 --- a/scripts/automated_ingestion/automated_ingestion.cfg.example +++ b/scripts/automated_ingestion/automated_ingestion.cfg.example @@ -9,6 +9,12 @@ download_dir = /where/to/store/download/tarballs ingestion_script = /absolute/path/to/ingest-tarball.sh metadata_file_extension = .meta.txt +[signatures] +signatures_required = no +signature_file_extension = .sig +signature_verification_script = /absolute/path/to/sign_verify_file_ssh.sh +allowed_signers_file = /path/to/allowed_signers + [aws] staging_buckets = { "software.eessi.io-2023.06": "software.eessi.io", From 809cb00a610fd2f015fd03809c1eaf891233ab6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Thu, 6 Mar 2025 16:54:39 +0100 Subject: [PATCH 02/10] draft code for verifying signatures --- scripts/automated_ingestion/eessitarball.py | 101 ++++++++++++++++---- 1 file changed, 85 insertions(+), 16 deletions(-) diff --git a/scripts/automated_ingestion/eessitarball.py b/scripts/automated_ingestion/eessitarball.py index 9d59dbc1..1753ad4c 100644 --- a/scripts/automated_ingestion/eessitarball.py +++ b/scripts/automated_ingestion/eessitarball.py @@ -24,12 +24,16 @@ def __init__(self, object_name, config, git_staging_repo, s3, bucket, cvmfs_repo self.config = config self.git_repo = git_staging_repo self.metadata_file = object_name + config['paths']['metadata_file_extension'] + self.metadata_sig_file = self.metadata_file + config['signatures']['signature_file_extension'] self.object = object_name + self.object_sig = object_name + config['signatures']['signature_file_extension'] self.s3 = s3 self.bucket = bucket self.cvmfs_repo = cvmfs_repo self.local_path = os.path.join(config['paths']['download_dir'], os.path.basename(object_name)) + self.local_sig_path = self.local_path + config['signatures']['signature_file_extension'] self.local_metadata_path = self.local_path + config['paths']['metadata_file_extension'] + self.local_metadata_sig_path = self.local_metadata_path + config['signatures']['signature_file_extension'] self.url = f'https://{bucket}.s3.amazonaws.com/{object_name}' self.states = { @@ -48,22 +52,35 @@ def download(self, force=False): """ Download this tarball and its corresponding metadata file, if this hasn't been already done. """ - if force or not os.path.exists(self.local_path): - try: - self.s3.download_file(self.bucket, self.object, self.local_path) - except: - logging.error( - f'Failed to download tarball {self.object} from {self.bucket} to {self.local_path}.' - ) - self.local_path = None - if force or not os.path.exists(self.local_metadata_path): - try: - self.s3.download_file(self.bucket, self.metadata_file, self.local_metadata_path) - except: - logging.error( - f'Failed to download metadata file {self.metadata_file} from {self.bucket} to {self.local_metadata_path}.' - ) - self.local_metadata_path = None + files = [ + (self.object, self.local_path, self.object_sig, self.local_sig_path), + (self.metadata_file, self.local_metadata_path, self.metadata_sig_file, self.local_metadata_sig_path), + ] + for (object, local_file, sig_object, local_sig_file) in files: + if force or not os.path.exists(local_file): + try: + self.s3.download_file(self.bucket, object, local_file) + # Also try to download the corresponding signature file; they may be optional. + try: + self.s3.download_file(self.bucket, sig_object, local_sig_file) + except: + if config['signatures'].getboolean('signatures_required', True): + logging.error( + f'Failed to download signature file {sig_object} for {object} from {self.bucket} to {local_sig_file}.' + ) + else: + logging.warning( + f'Failed to download signature file {sig_object} for {object} from {self.bucket} to {local_sig_file}.' + + 'Ignoring this, because signatures are not required with the current configuration.' + ) + except: + logging.error( + f'Failed to download {object} from {self.bucket} to {local_file}.' + ) + # If either the tarball itself or its metadata cannot be downloaded, set both to None + # to make sure that this tarball is completely ignored/skipped. + self.local_path = None + self.local_metadata_path = None def find_state(self): """Find the state of this tarball by searching through the state directories in the git repository.""" @@ -156,6 +173,47 @@ def run_handler(self): handler = self.states[self.state]['handler'] handler() + def verify_signatures(self): + """Verify the signatures of the downloaded tarball and metadata file using the corresponding signature files.""" + + sig_missing_msg = 'Signature file %s is missing.' + sig_missing = False + for sig_file in [self.local_sig_path, self.local_metadata_sig_path]: + if not os.path.exists(sig_file): + logging.warning(sig_missing_msg % sig_file) + sig_missing = True + + if sig_missing: + # If signature files are missing, we return a failure, + # unless the configuration specifies that signatures are not required. + if self.config['signatures'].getboolean('signatures_required', True): + return False + else: + return True + + verify_script = self.config['signatures']['signature_verification_script'] + allowed_signers_file = self.config['signatures']['allowed_signers_file'] + if not os.path.exists(verify_script): + logging.error(f'Unable to verify signatures, the specified signature verification script does not exist!') + return False + + if not os.path.exists(allowed_signers_file): + logging.error(f'Unable to verify signatures, the specified allowed signers file does not exist!') + return False + + for (file, sig_file) in [(self.local_path, self.local_sig_path), (self.local_metadata_path, self.local_metadata_sig_path)]: + verify_cmd = subprocess.run( + [verify_script, 'verify', file, allowed_signers_file, sig_file], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + if verify_cmd.returncode == 0: + logging.debug(f'Signature for {file} successfully verified.') + else: + logging.error(f'Failed to verify signature for {file}.') + return False + + return True + def verify_checksum(self): """Verify the checksum of the downloaded tarball with the one in its metadata file.""" local_sha256 = sha256sum(self.local_path) @@ -171,6 +229,13 @@ def ingest(self): #TODO: check if there is an open issue for this tarball, and if there is, skip it. logging.info(f'Tarball {self.object} is ready to be ingested.') self.download() + logging.info('Verifying its signature...') + if not self.verify_signatures(): + logging.error('Signature of tarball (or its metadata file) could not be verified!') + # Open issue? + return + else: + logging.debug(f'Signatures of {self.object} and its metadata file successfully verified.') logging.info('Verifying its checksum...') if not self.verify_checksum(): logging.error('Checksum of downloaded tarball does not match the one in its metadata file!') @@ -222,6 +287,10 @@ def mark_new_tarball_as_staged(self): logging.warn('Skipping this tarball...') return + # Verify the signatures of the tarball and metadata file. + if not self.verify_signatures(): + logging.warn('Signature verification of the tarball or its metadata failed, skipping this tarball...') + contents = '' with open(self.local_metadata_path, 'r') as meta: contents = meta.read() From 67925a283b5b4adfb59ee3a3f0c68f4dfbf76663 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Thu, 20 Mar 2025 16:18:42 +0100 Subject: [PATCH 03/10] adapt arguments for updated verification script --- scripts/automated_ingestion/eessitarball.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/automated_ingestion/eessitarball.py b/scripts/automated_ingestion/eessitarball.py index 1753ad4c..c70f5c58 100644 --- a/scripts/automated_ingestion/eessitarball.py +++ b/scripts/automated_ingestion/eessitarball.py @@ -203,7 +203,7 @@ def verify_signatures(self): for (file, sig_file) in [(self.local_path, self.local_sig_path), (self.local_metadata_path, self.local_metadata_sig_path)]: verify_cmd = subprocess.run( - [verify_script, 'verify', file, allowed_signers_file, sig_file], + [verify_script, '--verify', '--allowed-signers-file', allowed_signers_file, '--file', file, '--signature-file', sig_file], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if verify_cmd.returncode == 0: From f0cc8fb4f6233f88c30ef03005ab0599875e629b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Thu, 20 Mar 2025 16:57:04 +0100 Subject: [PATCH 04/10] open issue if signature/checksum verification fails --- scripts/automated_ingestion/eessitarball.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/scripts/automated_ingestion/eessitarball.py b/scripts/automated_ingestion/eessitarball.py index c70f5c58..6c48bee3 100644 --- a/scripts/automated_ingestion/eessitarball.py +++ b/scripts/automated_ingestion/eessitarball.py @@ -231,18 +231,24 @@ def ingest(self): self.download() logging.info('Verifying its signature...') if not self.verify_signatures(): - logging.error('Signature of tarball (or its metadata file) could not be verified!') - # Open issue? + issue_msg = f'Failed to verify signatures for {self.object}' + logging.error(issue_msg) + if not self.issue_exists(issue_msg, state='open'): + self.git_repo.create_issue(title=issue_msg, body=issue_msg) return else: logging.debug(f'Signatures of {self.object} and its metadata file successfully verified.') + logging.info('Verifying its checksum...') if not self.verify_checksum(): - logging.error('Checksum of downloaded tarball does not match the one in its metadata file!') - # Open issue? + issue_msg = f'Failed to verify checksum for {self.object}' + logging.error(issue_msg) + if not self.issue_exists(issue_msg, state='open'): + self.git_repo.create_issue(title=issue_msg, body=issue_msg) return else: logging.debug(f'Checksum of {self.object} matches the one in its metadata file.') + script = self.config['paths']['ingestion_script'] sudo = ['sudo'] if self.config['cvmfs'].getboolean('ingest_as_root', True) else [] logging.info(f'Running the ingestion script for {self.object}...') From f10207aaa8933d0fdfe8bf064245f85cef8a39b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Thu, 20 Mar 2025 17:08:35 +0100 Subject: [PATCH 05/10] add backticks around object name in issue message/title --- scripts/automated_ingestion/eessitarball.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/automated_ingestion/eessitarball.py b/scripts/automated_ingestion/eessitarball.py index 6c48bee3..6d40d166 100644 --- a/scripts/automated_ingestion/eessitarball.py +++ b/scripts/automated_ingestion/eessitarball.py @@ -231,7 +231,7 @@ def ingest(self): self.download() logging.info('Verifying its signature...') if not self.verify_signatures(): - issue_msg = f'Failed to verify signatures for {self.object}' + issue_msg = f'Failed to verify signatures for `{self.object}`' logging.error(issue_msg) if not self.issue_exists(issue_msg, state='open'): self.git_repo.create_issue(title=issue_msg, body=issue_msg) @@ -241,7 +241,7 @@ def ingest(self): logging.info('Verifying its checksum...') if not self.verify_checksum(): - issue_msg = f'Failed to verify checksum for {self.object}' + issue_msg = f'Failed to verify checksum for `{self.object}`' logging.error(issue_msg) if not self.issue_exists(issue_msg, state='open'): self.git_repo.create_issue(title=issue_msg, body=issue_msg) From 1a3d5015a7cbb15e70c1a45fbbf33bc94c2d8fce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Fri, 21 Mar 2025 15:39:47 +0100 Subject: [PATCH 06/10] improve code for downloading files and signatures --- scripts/automated_ingestion/eessitarball.py | 41 ++++++++++++--------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/scripts/automated_ingestion/eessitarball.py b/scripts/automated_ingestion/eessitarball.py index 6d40d166..ca2bb865 100644 --- a/scripts/automated_ingestion/eessitarball.py +++ b/scripts/automated_ingestion/eessitarball.py @@ -56,31 +56,38 @@ def download(self, force=False): (self.object, self.local_path, self.object_sig, self.local_sig_path), (self.metadata_file, self.local_metadata_path, self.metadata_sig_file, self.local_metadata_sig_path), ] + skip = False for (object, local_file, sig_object, local_sig_file) in files: if force or not os.path.exists(local_file): + # First we try to download signature file, which may or may not be available + # and may be optional or required. + try: + self.s3.download_file(self.bucket, sig_object, local_sig_file) + except: + if self.config['signatures'].getboolean('signatures_required', True): + logging.error( + f'Failed to download signature file {sig_object} for {object} from {self.bucket} to {local_sig_file}.' + ) + skip = True + break + else: + logging.warning( + f'Failed to download signature file {sig_object} for {object} from {self.bucket} to {local_sig_file}. ' + + 'Ignoring this, because signatures are not required with the current configuration.' + ) + # Npw we download the file itself. try: self.s3.download_file(self.bucket, object, local_file) - # Also try to download the corresponding signature file; they may be optional. - try: - self.s3.download_file(self.bucket, sig_object, local_sig_file) - except: - if config['signatures'].getboolean('signatures_required', True): - logging.error( - f'Failed to download signature file {sig_object} for {object} from {self.bucket} to {local_sig_file}.' - ) - else: - logging.warning( - f'Failed to download signature file {sig_object} for {object} from {self.bucket} to {local_sig_file}.' + - 'Ignoring this, because signatures are not required with the current configuration.' - ) except: logging.error( f'Failed to download {object} from {self.bucket} to {local_file}.' ) - # If either the tarball itself or its metadata cannot be downloaded, set both to None - # to make sure that this tarball is completely ignored/skipped. - self.local_path = None - self.local_metadata_path = None + skip = True + break + # If any required download failed, make sure to skip this tarball completely. + if skip: + self.local_path = None + self.local_metadata_path = None def find_state(self): """Find the state of this tarball by searching through the state directories in the git repository.""" From f49510af5b1266a417921369c5eb77f8e384d572 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Fri, 21 Mar 2025 16:11:48 +0100 Subject: [PATCH 07/10] use new version of actions/upload-artifact --- .github/workflows/build-test-release-client-packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-test-release-client-packages.yml b/.github/workflows/build-test-release-client-packages.yml index c21b370f..3245ee1d 100644 --- a/.github/workflows/build-test-release-client-packages.yml +++ b/.github/workflows/build-test-release-client-packages.yml @@ -64,7 +64,7 @@ jobs: fpm_opts: "--debug -n cvmfs-config-eessi-${{ steps.get_version.outputs.version }} -t tar -a all -s dir -C ./package --description 'CVMFS configuration package for EESSI.'" - name: Upload packages as build artifacts - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: linux_packages path: cvmfs-config-eessi* From 5b8ee1cb4bde5494e3b7dce8c9d0537f394f26aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Fri, 21 Mar 2025 16:15:56 +0100 Subject: [PATCH 08/10] bump download-artifact version --- .../workflows/build-test-release-client-packages.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-test-release-client-packages.yml b/.github/workflows/build-test-release-client-packages.yml index 3245ee1d..524ae6e6 100644 --- a/.github/workflows/build-test-release-client-packages.yml +++ b/.github/workflows/build-test-release-client-packages.yml @@ -135,7 +135,7 @@ jobs: run: sudo apt-get update && sudo apt-get install cvmfs - name: Download cvmfs-config-eessi package - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: name: linux_packages @@ -174,7 +174,7 @@ jobs: dnf install -y cvmfs cvmfs-config-none - name: Download cvmfs-config-eessi package - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: name: linux_packages @@ -215,7 +215,7 @@ jobs: run: sudo apt-get update && sudo apt-get install cvmfs - name: Download cvmfs-config-eessi package - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: name: linux_packages @@ -288,7 +288,7 @@ jobs: run: | echo ::set-output name=version::${GITHUB_REF#refs/tags/} - - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: path: ./build_artifacts @@ -319,7 +319,7 @@ jobs: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 - - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: path: ./build_artifacts From 058d2f5acd342774ed2fd7ced7da4b85f91d4e65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Fri, 21 Mar 2025 20:07:55 +0100 Subject: [PATCH 09/10] Fix typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Thomas Röblitz --- scripts/automated_ingestion/eessitarball.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/automated_ingestion/eessitarball.py b/scripts/automated_ingestion/eessitarball.py index ca2bb865..95b96be4 100644 --- a/scripts/automated_ingestion/eessitarball.py +++ b/scripts/automated_ingestion/eessitarball.py @@ -75,7 +75,7 @@ def download(self, force=False): f'Failed to download signature file {sig_object} for {object} from {self.bucket} to {local_sig_file}. ' + 'Ignoring this, because signatures are not required with the current configuration.' ) - # Npw we download the file itself. + # Now we download the file itself. try: self.s3.download_file(self.bucket, object, local_file) except: From f7a60f6f05438bdd9e8c329222777b91985bf831 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Fri, 21 Mar 2025 20:36:52 +0100 Subject: [PATCH 10/10] add comment about signatures_required --- scripts/automated_ingestion/eessitarball.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/automated_ingestion/eessitarball.py b/scripts/automated_ingestion/eessitarball.py index 95b96be4..46d3fc89 100644 --- a/scripts/automated_ingestion/eessitarball.py +++ b/scripts/automated_ingestion/eessitarball.py @@ -198,6 +198,8 @@ def verify_signatures(self): else: return True + # If signatures are provided, we should always verify them, regardless of the signatures_required. + # In order to do so, we need the verification script and an allowed signers file. verify_script = self.config['signatures']['signature_verification_script'] allowed_signers_file = self.config['signatures']['allowed_signers_file'] if not os.path.exists(verify_script):