§VOA-OpenPGP
A library for using OpenPGP verifiers in VOA.
§Documentation
- https://voa.archlinux.page/rustdoc/voa_openpgp/ for the development version of the crate
- https://docs.rs/voa-openpgp/latest/voa_openpgp/ for released versions of the crate
§Examples
§Import
OpenPGP certificates can be written to their dedicated directory structures in a VOA hierarchy.
Single binary or ASCII-armored certificate files can be imported, as well as directory structures containing a number of OpenPGP packet files that, when concatenated, make up one OpenPGP certificate (this structured form is used by the archlinux-keyring project).
```rust
// Note: `openpgp_cert()` (a helper returning a test certificate) and the
// surrounding function that makes `?` usable are not shown on this page.
use voa_core::VerifierWriter;
use voa_openpgp::OpenPgpImport;
use tempfile::{NamedTempFile, tempdir};

// Write a generic OpenPGP certificate to a temporary file.
let mut temp_file = NamedTempFile::new()?;
openpgp_cert()?.to_writer(&mut temp_file)?;
let input_path = temp_file.path();

// Import the OpenPGP certificate.
let import = OpenPgpImport::from_file(input_path)?;

// Prepare a temporary output directory.
let temp_dir = tempdir()?;
let output_dir = temp_dir.path();

// Write the OpenPGP verifier to a VOA hierarchy in the temporary output directory.
//
// There, the verifier is written to the configured directory, e.g.
// `os/purpose/context/openpgp/f1d2d2f924e986ac86fdf7b36c94bcdf32beec15.openpgp`
import.write_to_hierarchy(
    output_dir,
    "os".parse()?,
    "purpose".parse()?,
    Some("context".parse()?),
)?;

assert!(
    output_dir
        .join("os")
        .join("purpose")
        .join("context")
        .join("openpgp")
        .join(import.file_name())
        .exists()
);
```
§Verification
Simple verification of artifacts using one or more OpenPGP signatures and verifiers from VOA is straightforward:
```rust
use std::{num::NonZero, path::PathBuf};
use voa_config::openpgp::{NumDataSignatures, OpenpgpSettings, PlainMode, VerificationMethod};
use voa_openpgp::{ModelBasedVerifier, OpenpgpCert, OpenpgpSignature, VoaOpenpgp};

// Look up the OpenPGP verifiers stored under `os/purpose/context` in the VOA hierarchy.
let voa = VoaOpenpgp::new();
let certs = voa.lookup("os".parse()?, "purpose".parse()?, "context".parse()?);

// Require at least one valid data signature, checked in plain mode.
let config = OpenpgpSettings::new(
    NumDataSignatures::new(NonZero::new(1).expect("1")),
    VerificationMethod::Plain(PlainMode::default()),
)
.expect("OpenpgpSettings::new");
let model = ModelBasedVerifier::new(&config, &certs, &[]);

// Verify the artifact against its detached signature.
let file = PathBuf::from("/path/to/a/file.tar.zst");
let sigs = &[OpenpgpSignature::from_file(&PathBuf::from("/path/to/a/file.tar.zst.sig"))?];
let result = model.verify_file_with_signatures(&file, &sigs[..])?;
```
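The hierarchy layout that both the import example (`os/purpose/context/openpgp/<fingerprint>.openpgp`) and the lookup in the verification example rely on, as an added example that is not part of the voa-openpgp crate: it builds and parses verifier paths with the standard library only, and rejects path components that could point outside the hierarchy as well as file names that are not hex fingerprints. VerifierLocation, relative_path and parse are names chosen here; treating the context directory as optional follows the Option argument of write_to_hierarchy and is an assumption about the on-disk layout.

```rust
use std::path::{Path, PathBuf};
/// Suffix of OpenPGP verifier file names (the crate's FILE_SUFFIX constant).
const FILE_SUFFIX: &str = "openpgp";

/// One verifier's place in a VOA hierarchy. Assumed layout, taken from the
/// import example: `os/purpose[/context]/openpgp/<fingerprint>.openpgp`.
pub struct VerifierLocation {
    pub os: String,
    pub purpose: String,
    pub context: Option<String>,
    pub fingerprint: String,
}
/// OpenPGP fingerprints are hex: 40 digits for v4 keys, 64 for v6 keys.
fn is_fingerprint(s: &str) -> bool {
    (s.len() == 40 || s.len() == 64) && s.chars().all(|c| c.is_ascii_hexdigit())
}
/// A component must be a plain name (no separators, not `.` or `..`), so a
/// crafted os/purpose/context value cannot point outside the hierarchy.
fn is_plain_component(s: &str) -> bool {
    !s.is_empty() && s != "." && s != ".." && !s.contains(|c: char| c == '/' || c == '\\')
}

impl VerifierLocation {
    /// Path relative to the hierarchy root; None if any part is invalid.
    pub fn relative_path(&self) -> Option<PathBuf> {
        let ok = is_plain_component(&self.os) && is_plain_component(&self.purpose)
            && self.context.as_deref().map_or(true, is_plain_component) && is_fingerprint(&self.fingerprint);
        if !ok { return None; }
        let mut p = PathBuf::from(&self.os);
        p.push(&self.purpose);
        if let Some(ctx) = &self.context { p.push(ctx); }
        p.push(FILE_SUFFIX);
        p.push(format!("{}.{}", self.fingerprint.to_ascii_lowercase(), FILE_SUFFIX));
        Some(p)
    }

    /// Inverse of relative_path: None for anything not matching the layout exactly.
    pub fn parse(rel: &Path) -> Option<Self> {
        let parts = rel.iter().map(|c| c.to_str()).collect::<Option<Vec<&str>>>()?;
        let (file, dirs) = parts.split_last()?;
        let (os, purpose, context) = match dirs {
            [os, purpose, tech] if *tech == FILE_SUFFIX => (*os, *purpose, None),
            [os, purpose, ctx, tech] if *tech == FILE_SUFFIX => (*os, *purpose, Some(ctx.to_string())),
            _ => return None,
        };
        let fingerprint = file.strip_suffix(&format!(".{}", FILE_SUFFIX))?;
        let ok = is_plain_component(os) && is_plain_component(purpose)
            && context.as_deref().map_or(true, is_plain_component) && is_fingerprint(fingerprint);
        ok.then(|| Self { os: os.to_string(), purpose: purpose.to_string(), context, fingerprint: fingerprint.to_ascii_lowercase() })
    }
}
```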
§Contributing
Please refer to the contribution guidelines to learn how to contribute to this project.
§License
This project can be used under the terms of the Apache-2.0 or MIT license. Contributions to this project, unless noted otherwise, are automatically licensed under the terms of both of those licenses.
§Re-exports
- pub use import::OpenPgpImport;
§Modules
- cert 🔒: OpenPGP certificate used as a verifier in VOA
- error 🔒: Error handling.
- import: Import of OpenPGP certificates as VOA verifiers.
- lookup 🔒: Helper functionality to find appropriate [SignatureVerifier]s from a set of OpenpgpCert.
- signature 🔒: Detached OpenPGP signatures for use with VOA verifiers.
- trust 🔒: Trust model implementations, linked together in the shared ModelBasedVerifier API.
- voa 🔒: VOA technology implementation for OpenPGP
§Structs
- ModelBasedVerifier: Performs signature verification based on a trust model configuration and sets of verifiers.
- OpenpgpCert: An OpenPGP certificate for “Verification of OS Artifacts (VOA)”
- OpenpgpSignature: A detached OpenPGP signature for use in VOA verification.
- OpenpgpSignatureCheck: The representation of an OpenPGP signature check.
- SignerInfo: The OpenPGP certificate that issued an OpenPGP signature, and the fingerprint of the component key (within the certificate) that created the signature.
- VoaOpenpgp: An OpenPGP-specific view of a VOA hierarchy
§Enums
- Error: The error that can occur when using OpenPGP verifiers in VOA.
§Constants
- FILE_SUFFIX 🔒: File name suffix for verifiers in the VOA “openpgp” technology