Module: Artifact

Defined in:
lib/bundles/inspec-artifact/cli.rb

Overview

Notes:

Generate keys

The initial implementation uses 2048 bit RSA key pairs (public + private).
Public keys must be available for a customer to install and verify an artifact.
Private keys should be stored in a secure location and NOT be distributed.
  (They're only for creating artifacts).

.IAF file format

.iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
The iaf file wraps a binary artifact with some metadata. The first implementation
looks like this:

INSPEC-PROFILE-1
name_of_signing_key
algorithm
signature
<empty line>
binary-blob
<eof>

Let's look at each line:

INSPEC-PROFILE-1

This is the artifact version descriptor. It shouldn't change unless the
format of the archive changes.

name_of_signing_key

The name of the public key that can be used to verify an artifact.

algorithm

The digest used to sign. I picked SHA512 to start with.
If we support multiple digests, we'll need to have the verify() method
support each digest.

signature

The result of signing the binary artifact with the private key, using the
digest algorithm above. The result is base64 encoded.

<empty line>

We use an empty line to separate artifact header from artifact body (binary blob).
The artifact body can be anything you like.

binary-blob

A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
stick with it as part of the "INSPEC-PROFILE-1" artifact version. If we change the block
format, the artifact version descriptor must be incremented, and the sign()
and verify() methods must be updated to support a newer version.

Key revocation

This implementation doesn't support key revocation. However, a customer
can remove the public cert file before installation, and artifacts will then
fail verification.
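
The header layout and the verification behaviour described above, including failure when the public key has been removed, as an added example (not InSpec's own code). It assumes the base64 signature is written unwrapped on a single line; `build_iaf`, `verify_iaf` and the name-to-key hash are hypothetical names.

```ruby
require 'openssl'
require 'base64'
require 'set'

VALID_VERSIONS = Set['INSPEC-PROFILE-1'].freeze
# Allowlist: never instantiate a digest that is named only by the file.
VALID_DIGESTS  = Set['SHA512'].freeze

# Writer side: four header lines, one empty line, then the raw body.
# Assumption: the base64 signature is written unwrapped, on a single line.
def build_iaf(key_name, private_key, blob)
  sig = private_key.sign(OpenSSL::Digest.new('SHA512'), blob)
  header = ['INSPEC-PROFILE-1', key_name, 'SHA512', Base64.strict_encode64(sig)]
  (header.join("\n") + "\n\n").b + blob.b
end

# Reader side: returns [status, body]; body is nil unless status is :ok.
# public_keys maps key name => RSA public key (hypothetical keyring).
def verify_iaf(data, public_keys)
  header, sep, body = data.b.partition("\n\n")
  fields = header.split("\n", -1)
  return [:malformed, nil] if sep.empty? || fields.size != 4
  version, key_name, alg, sig64 = fields
  return [:bad_version, nil] unless VALID_VERSIONS.include?(version)
  return [:bad_digest, nil]  unless VALID_DIGESTS.include?(alg)
  # The header is not covered by the signature: key_name is only a lookup
  # hint, so trust comes from which keys are present in public_keys.
  key = public_keys[key_name]
  return [:unknown_key, nil] if key.nil?
  sig = Base64.strict_decode64(sig64)
  key.verify(OpenSSL::Digest.new(alg), sig, body) ? [:ok, body] : [:bad_signature, nil]
rescue ArgumentError
  [:malformed, nil] # signature line was not valid base64
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  iaf = build_iaf('demo-key', key, "\x1f\x8b constructed body".b)
  p verify_iaf(iaf, 'demo-key' => key.public_key).first       # intact artifact
  p verify_iaf(iaf, {}).first                                 # public key removed
  p verify_iaf(iaf + 'x', 'demo-key' => key.public_key).first # body modified
end
```
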

Key locations

This implementation uses the current working directory to find public and
private keys. We should establish a common key directory (similar to /hab/cache/keys
or ~/.hab/cache/keys in Habitat).

Extracting artifacts outside of Inspec

As in Habitat, the artifact format for Inspec allows the use of common
Unix tools to read the header and body of an artifact.

To extract the header from a .iaf:

sed '/^$/q' foo.iaf

To extract the raw content from a .iaf:

sed '1,/^$/d' foo.iaf

Defined Under Namespace

Classes: CLI

Constant Summary

KEY_BITS = 2048
KEY_ALG = OpenSSL::PKey::RSA
INSPEC_PROFILE_VERSION_1 = 'INSPEC-PROFILE-1'.freeze
INSPEC_REPORT_VERSION_1 = 'INSPEC-REPORT-1'.freeze
ARTIFACT_DIGEST = OpenSSL::Digest::SHA512
ARTIFACT_DIGEST_NAME = 'SHA512'.freeze
VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1]
VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
SIGNED_PROFILE_SUFFIX = 'iaf'.freeze
SIGNED_REPORT_SUFFIX = 'iar'.freeze