§VOA-OpenPGP
A library for using OpenPGP verifiers in VOA.
⚠️ DO NOT USE IN PRODUCTION: This VOA backend is still in an early experimental development stage.
§Documentation
- https://voa.archlinux.page/rustdoc/voa_openpgp/ for development version of the crate
- https://docs.rs/voa-openpgp/latest/voa_openpgp/ for released versions of the crate
§Examples
§Import
OpenPGP certificates can be written to their dedicated directory structures in a VOA hierarchy.
It is supported to import single binary or ASCII-armored files, as well as directory structures that contain a number of OpenPGP packet files which comprise an OpenPGP certificate when concatenated (this structured form is in use by the archlinux-keyring project).
```rust
use voa_core::VerifierWriter;
use voa_openpgp::OpenPgpImport;
use tempfile::{NamedTempFile, tempdir};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Write a generic OpenPGP certificate to a temporary file.
    // `openpgp_cert()` is a helper of the documentation test that returns a
    // certificate object; its definition is not part of this page.
    let mut temp_file = NamedTempFile::new()?;
    openpgp_cert()?.to_writer(&mut temp_file)?;
    let input_path = temp_file.path();

    // Import the OpenPGP certificate.
    let import = OpenPgpImport::from_file(input_path)?;

    // Prepare a temporary output directory.
    let temp_dir = tempdir()?;
    let output_dir = temp_dir.path();

    // Write the OpenPGP verifier to a VOA hierarchy in the temporary output directory.
    //
    // There, the verifier is written to the configured directory, e.g.
    // `os/purpose/context/openpgp/f1d2d2f924e986ac86fdf7b36c94bcdf32beec15.openpgp`
    import.write_to_hierarchy(
        output_dir,
        "os".parse()?,
        "purpose".parse()?,
        Some("context".parse()?),
    )?;

    // The verifier file is named by the import (its OpenPGP fingerprint plus suffix).
    assert!(
        output_dir
            .join("os")
            .join("purpose")
            .join("context")
            .join("openpgp")
            .join(import.file_name())
            .exists()
    );
    Ok(())
}
```
§Verification
⚠️ DO NOT USE IN PRODUCTION: The verification mechanism in this VOA backend is still in an early experimental development stage.
Simple verification of artifacts using one or more OpenPGP signatures and verifiers from VOA is straightforward:
```rust
use std::path::PathBuf;
use voa_openpgp::{OpenpgpCert, OpenpgpSignature, VoaOpenpgp, lookup::VerifierLookup, verify_from_file};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Open the OpenPGP-specific view of the VOA hierarchy and collect the
    // certificates registered for this os/purpose/context combination.
    let voa = VoaOpenpgp::new();
    let certs = voa.lookup("os".parse()?, "purpose".parse()?, "context".parse()?);
    let lookup = VerifierLookup::new(&certs);

    // Verify the signed file against its detached signature using only the
    // certificates found in the hierarchy; an error means verification failed.
    verify_from_file(
        &PathBuf::from("/path/to/a/file.tar.zst"),
        &lookup,
        &[OpenpgpSignature::from_file(&PathBuf::from("/path/to/a/file.tar.zst.sig"))?],
    )?;
    Ok(())
}
```
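Both sections above rely on the same layout convention: verifiers live under `os/purpose[/context]/openpgp/` and carry the `.openpgp` suffix. The following is an added, standard-library-only illustration (not code from the voa-openpgp crate, whose lookup API is `VoaOpenpgp::lookup`) of how a caller can inspect which verifier files such a hierarchy would offer for a given os, purpose and optional context. The helper names `openpgp_dir`, `list_verifiers` and `sample_hierarchy`, the constructed sample files, and the fingerprint-style file name reused from the page's example path are all assumptions of this example; it treats a missing technology directory as "no verifiers" and ignores files without the suffix.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// File name suffix for verifiers in the VOA "openpgp" technology (constant name as on the page).
const FILE_SUFFIX: &str = ".openpgp";

/// Builds the technology directory `os/purpose[/context]/openpgp` below `root`.
/// (Hypothetical helper, not part of the crate.)
fn openpgp_dir(root: &Path, os: &str, purpose: &str, context: Option<&str>) -> PathBuf {
    let mut dir = root.join(os).join(purpose);
    if let Some(ctx) = context {
        dir = dir.join(ctx);
    }
    dir.join("openpgp")
}

/// Lists verifier files (regular files ending in `.openpgp`) in that directory, sorted.
/// A directory that does not exist yields an empty list; other I/O errors propagate.
fn list_verifiers(root: &Path, os: &str, purpose: &str, context: Option<&str>) -> io::Result<Vec<PathBuf>> {
    let dir = openpgp_dir(root, os, purpose, context);
    let entries = match fs::read_dir(&dir) {
        Ok(entries) => entries,
        Err(err) if err.kind() == io::ErrorKind::NotFound => return Ok(Vec::new()),
        Err(err) => return Err(err),
    };
    let mut found = Vec::new();
    for entry in entries {
        let path = entry?.path();
        let has_suffix = path
            .file_name()
            .and_then(|name| name.to_str())
            .map_or(false, |name| name.ends_with(FILE_SUFFIX));
        if path.is_file() && has_suffix {
            found.push(path);
        }
    }
    found.sort();
    Ok(found)
}

/// Creates a constructed sample hierarchy in a fresh temporary directory and returns its root.
fn sample_hierarchy() -> io::Result<PathBuf> {
    let root = std::env::temp_dir().join(format!("voa-openpgp-example-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    let dir = openpgp_dir(&root, "os", "purpose", Some("context"));
    fs::create_dir_all(&dir)?;
    // Constructed placeholder content; the name mirrors the fingerprint-style path from the page.
    fs::write(
        dir.join("f1d2d2f924e986ac86fdf7b36c94bcdf32beec15.openpgp"),
        b"placeholder certificate bytes",
    )?;
    // A file with the wrong suffix must not be picked up as a verifier.
    fs::write(dir.join("README.txt"), b"not a verifier")?;
    Ok(root)
}

fn main() -> io::Result<()> {
    let root = sample_hierarchy()?;
    for verifier in list_verifiers(&root, "os", "purpose", Some("context"))? {
        println!("{}", verifier.display());
    }
    // No context directory exists in the sample, so the context-less lookup finds nothing.
    assert!(list_verifiers(&root, "os", "purpose", None)?.is_empty());
    fs::remove_dir_all(&root)?;
    Ok(())
}
```

The suffix filter and the "missing directory means no verifiers" rule are the two decisions worth getting right in any such walker: a stray non-certificate file must never be offered to signature verification, and an absent context directory is a normal state, not an error.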
§Contributing
Please refer to the contribution guidelines to learn how to contribute to this project.
§License
This project can be used under the terms of the Apache-2.0 or MIT license. Contributions to this project, unless noted otherwise, are automatically licensed under the terms of both of those licenses.
Re-exports§
- pub use import::OpenPgpImport;
Modules§
- cert 🔒 - OpenPGP certificate used as a verifier in VOA
- error 🔒 - Error handling.
- import - Import of OpenPGP certificates as VOA verifiers.
- lookup - Helper functionality to find appropriate [SignatureVerifier]s from a set of OpenpgpCert.
- signature 🔒 - Detached OpenPGP signatures for use with VOA verifiers.
- voa 🔒 - VOA technology implementation for OpenPGP
Structs§
- OpenpgpCert - An OpenPGP certificate for “Verification of OS Artifacts (VOA)”
- OpenpgpSignature - A detached OpenPGP signature for use in VOA verification.
- OpenpgpSignatureCheck - The representation of an OpenPGP signature check.
- SignerInfo - The OpenPGP certificate that issued an OpenPGP signature, and the fingerprint of the component key (within the certificate) that created the signature.
- VoaOpenpgp - An OpenPGP-specific view of a VOA hierarchy
Enums§
- Error - The error that can occur when using OpenPGP verifiers in VOA.
Constants§
- FILE_SUFFIX 🔒 - File name suffix for verifiers in the VOA “openpgp” technology
Functions§
- log_cert_data 🔒 - Creates a representative string for logging from an OpenpgpCert.
- log_sig_data 🔒 - Creates a representative string for logging from an OpenpgpSignature.
- verify_from_file - Verifies one or more signatures for a signed_file with one or more certs.