Class: Reyes::PgpWrapper

Inherits:

Object

• Object
• Reyes::PgpWrapper

Includes:

Chalk::Log

Defined in:

lib/reyes/pgp_wrapper.rb

Defined Under Namespace

Classes: VerificationFailed

Constant Summary

PATTERN =

Pattern for parsing gpg –status-fd signature output

/^\[GNUPG:\] VALIDSIG ([A-F0-9]{40}) .+ ([A-F0-9]{40})$/

Instance Attribute Summary

• #key_id ⇒ Object readonly

  Returns the value of attribute key_id.

• #keyring_directory ⇒ Object readonly

  Returns the value of attribute keyring_directory.

Instance Method Summary

• #clearsign(data) ⇒ Object
• #initialize(config) ⇒ PgpWrapper constructor

  Create a PgpVerifier.

• #verify!(data, retries = 1) ⇒ String

  Verifies data against @keyid.

Constructor Details

#initialize(config) ⇒ PgpWrapper

Create a PgpVerifier

Parameters:

• key_id (String) —

  40 digit key fingerprint

# File 'lib/reyes/pgp_wrapper.rb', line 13

def initialize(config)
  @config = config
  @key_id = @config.reyes_config.fetch("signing_key").upcase
  @keyring_directory = @config.reyes_config.fetch("keyring_directory")
end

Instance Attribute Details

#key_id ⇒ Object (readonly)

Returns the value of attribute key_id.

# File 'lib/reyes/pgp_wrapper.rb', line 8

def key_id
  @key_id
end

#keyring_directory ⇒ Object (readonly)

Returns the value of attribute keyring_directory.

# File 'lib/reyes/pgp_wrapper.rb', line 8

def keyring_directory
  @keyring_directory
end

Instance Method Details

#clearsign(data) ⇒ Object

# File 'lib/reyes/pgp_wrapper.rb', line 69

def clearsign(data)
  log.info("Signing #{data.length} bytes with key #{key_id}")

  gpg_cmd = %W{gpg --batch --clearsign -u #{key_id}} + keyring_args + ['-']
  Subprocess.check_call(gpg_cmd,
                        :stdin => Subprocess::PIPE,
                        :stdout => Subprocess::PIPE) do |child|
    out, _ = child.communicate(data)
    return out
  end
end

#verify!(data, retries = 1) ⇒ String

Verifies data against @keyid

Parameters:

• data (String) —

  the data to verify

Returns:

• (String) —

  the stripped cleartext data

Raises:

• (VerificationFailed)

# File 'lib/reyes/pgp_wrapper.rb', line 30

def verify!(data, retries=1)
  log.info("Verifying #{data.length} bytes against key #{key_id}")

  gpg_cmd = %w{gpg --batch --decrypt --status-fd 2} + keyring_args + ['-']
  Subprocess.check_call(gpg_cmd,
                        :stdin => Subprocess::PIPE,
                        :stdout => Subprocess::PIPE,
                        :stderr => Subprocess::PIPE) do |child|
    out, err = child.communicate(data)

    begin
      if err =~ PATTERN
        raise VerificationFailed.new("Bad key match") unless $1 == $2
        raise VerificationFailed.new("Bad Key ID") unless $1 == key_id
      else
        # There's a weird and very rare race condition where the stderr
        # output returned by Subprocess can be truncated.
        # Retry in this case.
        if err.split("\n").length < 4 && retries > 0
          log.error("Looks like we hit hit GPG/Subprocess race condition")
          log.error("GPG stderr:")
          log.error(err.inspect)
          log.error("Retrying...")
          return verify!(data, retries - 1)
        else
          raise VerificationFailed.new("Pattern does not match")
        end
      end
    rescue VerificationFailed => exc
      log.error("GPG verification failed: #{exc.message}")
      log_error_output(out, err, data)
      raise
    end

    # Sig looks ok
   return out
  end
end