-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace gnupg with sequoia #104
Labels
Comments
jschlatow
added a commit
to jschlatow/goa
that referenced
this issue
Oct 2, 2024
jschlatow
added a commit
to jschlatow/goa
that referenced
this issue
Oct 2, 2024
jschlatow
added a commit
to jschlatow/goa
that referenced
this issue
Oct 2, 2024
Instead of trying to export all secret keys referenced by the depot directory, the to-be-exported secret keys must be mentioned explicitly. genodelabs#99 genodelabs#104
jschlatow
added a commit
to jschlatow/goa
that referenced
this issue
Oct 2, 2024
Add DRY_RUN option to depot/publish to extract the secret keys required for signing. This prevents decryption of unneeded secret keys, e.g. when there is no archive to be signed. genodelabs#104
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We'd like to switch to using sequoia pgp for creating and verifying archive signatures at some point in the future (i.e. once the CLI of
sq
is settled). In the scope of the #99 overhaul, I experimented with replacing using sq in the depot tool.Basically, replacing gpg with sq is pretty straightforward. I particularly like the clarity of the CLI. Nevertheless, I had a bit of trouble with signing. Apparently,
sq
requires write access to the user's key store. In a sandboxed execution environment, however, I don't want to make the entire key store available with write access. Moreover, there seems to be no general caching mechanism for passwords (yet), so that a user would need to unlock the secret key for every to-be-signed archive. I found a workaround that consists in exporting the secret keys known from the used depot directory from sequoia's keystore and making it available in unencrypted form in the sandbox. Bubblewrap has the nifty feature of being able to bind mount a file that is initialised by copying from a file descriptor. The downside is that, using this feature, bubblewrap cannot be executed directly from tcl anymore because we need input redirection to arbitrary file descriptors as provided by bash.The text was updated successfully, but these errors were encountered: