Merge pull request #622 from vladimir-v-diaz/add_sign_option

Add --sign option to repo.py
2026-05-24 10:08:28 +00:00 · 2018-02-06 10:54:23 -05:00 · 2018-02-06 10:54:23 -05:00 · ef8bbfe61f
commit ef8bbfe61f
parent 3215096afc c3b05a8e05
2 changed files with 79 additions and 2 deletions
--- a/docs/CLI.md
+++ b/docs/CLI.md
@ -67,6 +67,29 @@ $ repo.py --add <foo.tar.gz> --path </path/to/my_repo>



+## Sign metadata ##
+Sign, using the specified key argument, the metadata of the role indicated by
+--role.  If no key argument or --role is given, the Targets role or its key is
+used.  The Snapshot and Timestamp role are also automatically signed, if
+possible.
+```Bash
+$ repo.py --sign
+$ repo.py --sign </path/to/key>
+$ repo.py --sign </path/to/key> [--role <rolename>]
+$ repo.py --sign </path/to/key> [--role <rolename>, --path </path/to/repo>]
+```
+
+For example, to sign a new Timestamp:
+```Bash
+$ repo.py --sign /path/to/timestamp_key --role timestamp
+```
+
+Note: In the future, the user might be given the option of disabling automatic
+signing of Snapshot and Timestamp metadata.  Also, only ECDSA keys are
+presently supported, but other key types will be added.
+
+
+
 ## Verbosity ##

 Set the verbosity of the logger (2, by default).  Logger messages are saved to
@ -75,6 +98,8 @@ Set the verbosity of the logger (2, by default).  Logger messages are saved to
 $ repo.py --verbose <0-5>
 ```

+
+
 ## Clean ##

 Remove the files created via `repo.py --init`.
--- a/tuf/scripts/repo.py
+++ b/tuf/scripts/repo.py
@ -25,6 +25,7 @@
 <Usage>
  $ repo.py --init [--consistent_snapshot, --bare, --path]
  $ repo.py --add <target> <dir> ... [--path, --recursive]
+  $ repo.py --sign </path/to/key> --role <targets>
  $ repo.py --verbose
  $ repo.py --clean [--path]
 """
@ -53,7 +54,7 @@
 import securesystemslib

 # See 'log.py' to learn how logging is handled in TUF.
-logger = logging.getLogger('tuf.script.repo')
+logger = logging.getLogger('tuf.scripts.repo')

 repo_tool.disable_console_log_messages()

@ -102,7 +103,7 @@ def process_arguments(parsed_arguments):
    logger.debug('We have a valid argparse Namespace: ' + repr(parsed_arguments))

  # TODO: Process all of the supported command-line actions.  --init, --clean,
-  # --add are currently implemented.
+  # --add, --sign are currently implemented.
  if parsed_arguments.init:
    init_repo(parsed_arguments)

@ -112,6 +113,53 @@ def process_arguments(parsed_arguments):
  if parsed_arguments.add:
    add_targets(parsed_arguments)

+  if parsed_arguments.sign:
+    sign_role(parsed_arguments)
+
+
+
+def sign_role(parsed_arguments):
+
+  repository = repo_tool.load_repository(
+      os.path.join(parsed_arguments.path, REPO_DIR))
+
+  # Was a private key path given with --sign?  If so, load the specified
+  # private key. Otherwise, load the default key path.
+  if parsed_arguments.sign != '.':
+    role_privatekey = repo_tool.import_ecdsa_privatekey_from_file(
+        parsed_arguments.sign)
+
+  else:
+    role_privatekey = repo_tool.import_ecdsa_privatekey_from_file(
+        os.path.join(parsed_arguments.path, KEYSTORE_DIR, TARGETS_KEY_NAME),
+        parsed_arguments.pw)
+
+  if parsed_arguments.role == 'targets':
+    repository.targets.load_signing_key(role_privatekey)
+
+  elif parsed_arguments.role in ['snapshot', 'timestamp']:
+    pass
+
+  else:
+    repository.targets(parsed_arguments.role).load_signing_key(role_privatekey)
+
+  # Update the required top-level roles, Snapshot and Timestamp, to make a new
+  # release.
+  snapshot_private = repo_tool.import_ecdsa_privatekey_from_file(
+      os.path.join(parsed_arguments.path, KEYSTORE_DIR, SNAPSHOT_KEY_NAME),
+      parsed_arguments.pw)
+  timestamp_private = repo_tool.import_ecdsa_privatekey_from_file(
+      os.path.join(parsed_arguments.path, KEYSTORE_DIR,
+      TIMESTAMP_KEY_NAME), parsed_arguments.pw)
+
+  repository.snapshot.load_signing_key(snapshot_private)
+  repository.timestamp.load_signing_key(timestamp_private)
+
+  repository.writeall()
+
+  # Move staged metadata directory to "live" metadata directory.
+  write_to_live_repo()
+


 def clean_repo(parsed_arguments):
@ -374,6 +422,10 @@ def parse_arguments():
      choices=[True, False], const=True, default=False,
      help='Specify whether a directory should be processed recursively.')

+  parser.add_argument('--sign', nargs='?', type=str, const='.',
+      default=None, help='Sign --role <rolename> (Targets role, if'
+      ' --role is unset) with the specified key.')
+
  parser.add_argument('--role', nargs='?', type=str, const='targets',
      default='targets', help='Specify a role.')