Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: bump chisel.yaml format version to "chisel-v2" #108

Closed
wants to merge 7 commits into from
Closed

feat: bump chisel.yaml format version to "chisel-v2" #108

wants to merge 7 commits into from

Conversation

letFunny
Copy link
Collaborator

  • Have you signed the CLA?

Because of the format changes in #106, the format version needs to be increases to provide users with a good error message that highlights this change in format instead of a the fact that a field is missing.

This PR depends on #106.

rebornplusplus and others added 5 commits December 11, 2023 12:29
@rebornplusplus @letFunny
Revert "feat: support OpenPGP keyrings in release (canonical#100)"
3e8a881 
This reverts commit 6bf6d46.
@rebornplusplus @letFunny
feat: verify archive release signatures
720ff56 
This commit adds the functionalities to add public keys to validate
archive InRelease file signatures. Instead of downloading the "Release"
files for different suites, download the signed "InRelease" file and
validate the signature with the provided key(s).

This commit extends the chisel release with public keys definitions.
They are stored in ASCII armored format in the top-level public-keys
property by name. And they are referenced by name in the public-keys
list property in archive definitions. An example of the extended chisel
release file is at the bottom.

Example chisel.yaml:

    format: chisel-v1
    archives:
      ubuntu:
	version: 22.04
	components: [main, universe]
	suites: [jammy, jammy-updates, jammy-security]
	public-keys: [ubuntu]
      ubuntu-fips:
	version: 22.04
	pro: fips
	components: [main]
	suites: [jammy]
	public-keys: [ubuntu-fips]
      ubuntu-fips-updates:
	version: 22.04
	pro: fips-updates
	components: [main]
	suites: [jammy]
	public-keys: [ubuntu-fips]

    public-keys:
      ubuntu:
	id: C2B15A6A7FCD95FD
	armor: |
	  -----BEGIN PGP PUBLIC KEY BLOCK-----

	  mQINBFzZxGABEADSWmX0+K//0cosKPyr5m1ewmwWKjRo/KBPTyR8icHhbBWfFd8T
	  DtYggvQHPU0YnKRcWits0et8JqSgZttNa28s7SaSUTBzfgzFJZgULAi/4i8u8TUj
	  +KH2zSoUX55NKC9aozba1cR66jM6O/BHXK5YoZzTpmiY1AHlIWAJ9s6cCClhnYMR
	  ...
	  E+SWDGxtgwixyPziL56UavL/eeYJWeS/WqvGzZzsAtgSujFVLKWyUaRi0NvYW3h/
	  I50Tzj0Pkm8GtgvP2UqAWvy+iRpeUQ2ji0Nc
	  =j6+P
	  -----END PGP PUBLIC KEY BLOCK-----
      ubuntu-fips:
	id: E173597E2CAB05C1
	armor: |
	  -----BEGIN PGP PUBLIC KEY BLOCK-----

	  mQINBE+tgXgBEADfiL1KNFHT4H4Dw0OR9LemR8ebsFl+b9E44IpGhgWYDufj0gaM
	  /UJ1Ti3bHfRT39VVZ6cv1P4mQy0bnAKFbYz/wo+GhzjBWtn6dThYv7n+KL8bptSC
	  Xgg1a6en8dCCIA/pwtS2Ut/g4Eu6Z467dvYNlMgCqvg+prKIrXf5ibio48j3AFvd
	  ...
	  mguPI1KLfnVnXnsT5JYMbG2DCLHI/OIvnpRq8v955glZ5L9aq8bNnOwC2BK6MVUs
	  pbJRpGLQ29hbeH8jnRPOPQ+Sbwa2C8/ZSoBa/L6JGl5RDaOLQ1w=
	  =6Bkw
	  -----END PGP PUBLIC KEY BLOCK-----
@rebornplusplus @letFunny
feat: bump chisel.yaml format version to "chisel-v2"
0995608 
This commit introduces a new chisel-release yaml format named
"chisel-v2". The major changes in this format is the introduction of the
"public-keys" field, which is used in archive definitions to verify
archive InRelease files.
@letFunny
Revert "feat: bump chisel.yaml format version to "chisel-v2""
44d6f41 
This reverts commit 0995608.
@letFunny
Merge branch 'main' into feat/gpg/verify-release
d9ffa47
@letFunny letFunny mentioned this pull request Dec 14, 2023
Merged
letFunny and others added 2 commits December 14, 2023 11:40
@letFunny
Merge branch 'feat/gpg/verify-release' into verify-release-bump-version
ff4fa92
@rebornplusplus @letFunny
feat: bump chisel.yaml format version to "chisel-v2"
eeab8d1 
This commit introduces a new chisel-release yaml format named
"chisel-v2". The major changes in this format is the introduction of the
"public-keys" field, which is used in archive definitions to verify
archive InRelease files.
@letFunny letFunny force-pushed the verify-release-bump-version branch from b7f5b28 to eeab8d1 Compare December 14, 2023 10:41
@letFunny letFunny changed the base branch from main to renovate/configure December 14, 2023 10:45
@letFunny letFunny changed the base branch from renovate/configure to main December 14, 2023 10:45
cjdcordeiro
cjdcordeiro requested changes Dec 14, 2023
View reviewed changes
internal/setup/setup.go
}

const yamlReleaseFormat = "chisel-v1"
const yamlReleaseFormat = "chisel-v2"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is that we should support both chisel-v1 and chisel-v2 for a while. This will allows for us to release v0.9.0 with support for chisel-v1, but already with GPG support, such that later, when we migrate to chisel-v2, v0.9.0 doesn't break. Then in the future we can remove chisel-v1 as it becomes redundant since it will no longer be in the chisel-releases

@cjdcordeiro cjdcordeiro added the Blocked Waiting for something external label Dec 14, 2023
@cjdcordeiro
Copy link
Collaborator

As a side note, before merging, please consider the plan described in #106 (review)

@letFunny letFunny closed this Jan 2, 2024
@letFunny letFunny deleted the verify-release-bump-version branch January 21, 2025 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cjdcordeiro cjdcordeiro cjdcordeiro requested changes

Assignees
No one assigned
Labels
Blocked Waiting for something external
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@letFunny @cjdcordeiro @rebornplusplus