verifier: Add public key verification of release image digests

Use the existing Atomic image signing protocol to read detached signatures
for images by digest from a remote location so that release images can
be verified before they are executed.

Add a Verifier interface to the CVO that abstracts checking for verified
updates. On start, check the payload for a config map with the annotation
release.openshift.io/verification-config-map set (value is ignored) and
load the set of all public keys that must be verified along with the http
or file store locations for detached signatures. Every key must be
verified to accept the payload. A subsequent commit will leverage the
Verifier to block downloading a new release image.

Author: smarterclayton

hack/test-integration.sh

@@ -5,4 +5,4 @@ set -euo pipefail
 base=$( dirname "${BASH_SOURCE[0]}")
 
 go run "${base}/test-prerequisites.go"
-TEST_INTEGRATION=1 go test ./... -test.run=^TestIntegration -args -alsologtostderr -v=5
+TEST_INTEGRATION=1 go test ./... -test.run=^TestIntegration

pkg/cvo/cvo.go

@@ -7,9 +7,12 @@ import (
 	"sync"
 	"time"
 
+	"github.com/openshift/cluster-version-operator/pkg/verify"
+
 	"github.com/blang/semver"
 	"github.com/golang/glog"
 	"github.com/google/uuid"
+
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -109,6 +112,10 @@ type Operator struct {
 	statusLock       sync.Mutex
 	availableUpdates *availableUpdates
 
+	// verifier, if provided, will be used to check an update before it is executed.
+	// Any error will prevent an update payload from being accessed.
+	verifier verify.Interface
+
 	configSync ConfigSyncWorker
 	// statusInterval is how often the configSync worker is allowed to retrigger
 	// the main sync status loop.
@@ -197,6 +204,20 @@ func (optr *Operator) InitializeFromPayload() error {
 
 	optr.releaseCreated = update.ImageRef.CreationTimestamp.Time
 	optr.releaseVersion = update.ImageRef.Name
+
+	// attempt to load a verifier as defined in the payload
+	verifier, err := verify.LoadFromPayload(update)
+	if err != nil {
+		return err
+	}
+	if verifier != nil {
+		glog.Infof("Verifying release authenticity: %v", verifier)
+	} else {
+		glog.Warningf("WARNING: No release authenticity verification is configured, all releases are considered unverified")
+		verifier = verify.Reject
+	}
+	optr.verifier = verifier
+
 	return nil
 }
 

pkg/start/start_integration_test.go

@@ -3,6 +3,7 @@ package start
 import (
 	"context"
 	"encoding/json"
+	"flag"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -17,6 +18,7 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,6 +27,7 @@ import (
 	randutil "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog"
 
 	configv1 "github.com/openshift/api/config/v1"
 	clientset "github.com/openshift/client-go/config/clientset/versioned"
@@ -33,6 +36,12 @@ import (
 	"github.com/openshift/cluster-version-operator/pkg/cvo"
 )
 
+func init() {
+	klog.InitFlags(flag.CommandLine)
+	flag.CommandLine.Lookup("v").Value.Set("5")
+	flag.CommandLine.Lookup("alsologtostderr").Value.Set("true")
+}
+
 var (
 	version_0_0_1 = map[string]interface{}{
 		"release-manifests": map[string]interface{}{

pkg/verify/testdata/keyrings/redhat.txt

@@ -0,0 +1,34 @@
+pub   4096R/FD431D51 2009-10-22
+      Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
+uid                  Red Hat, Inc. (release key 2) <security@redhat.com>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
+0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
+0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
+u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
+XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
+5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
+9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
+/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
+PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
+HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
+buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
+tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
+LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
+CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
+2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
+C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
+un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
+0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
+IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
+8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
+Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
+JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
+OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
+dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
+=zbHE
+-----END PGP PUBLIC KEY BLOCK-----
+

pkg/verify/testdata/keyrings/simple.txt

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFy9Q6sBCAD1MvcwX9f1Vu/M/dh+SJYbuAP4urtZZ7YoZOlzo6lw/xDF9z0E
+ef8BXAtO7YMStfbxn5Rqb3kPnA20CRXraW4PqA5mB37ubDGThxb8catCTeWpd/5o
+mrbjLMrKCpg0ODfTgNZYj9gRDyDTKPjlW2xjX9Cmj/lmmGPYDG4qdrNpeicmMjpY
+XyYDVxFTRFMdifxTjHQRT5R9Pdq8WDFLrd3ZZWo4fN5Rb+ByWh8MusHj+FyHxA4J
+fD/G6VHyn19T7xT/g53JfPobKLdaoXKdSaorCYKWuyGaGyLStAn1MXgchswcBZcU
+92EegcoZY8K3cYhRbw7rQUUkx3p0yviS1DrPABEBAAG0DG9wZW5zaGlmdC1jaYkB
+VAQTAQgAPhYhBNBHYbEWIDsMCFm2Fii3bgW5I4iOBQJcvUOrAhsDBQkDwmcABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECi3bgW5I4iOqwUH+wTRXXZkB6PdksQ2
+tF/x3vT3YAp1Fvm+aBt0L3+nUyI4W4wWmCvQ9mYqkXMDSx8rgSwMtwwJe7xJBkA1
+fK8CoPeCqHc/omoLUS6/BjcbsXyS/ns6d5Zv0fKVHumZ23V2qVJwPpmNdpkdfBhw
+HFKm0HLPaCyKM38fOPhrUwEW8OceVdHfBnkkAyYXA9+9qGF3gHC3MXMLkaH6pDYY
+Nfx2P4+qYnMnTMSOOvKsJWY7t8Tnv1Qotag/uW8yWlIBSnvg1BQ7u1ZJs1EKSwhw
+QbIrYj+eS+e8ddN7qSHJToMzHstTjSYQThA1iCVU6S+KHaLFeynf1d6PqkyeH/GD
+bk+E+hu5AQ0EXL1DqwEIANhU5FczwquEAcjhA+kf+ni0Ul9Q2aq+rAL31dg+sGMZ
+awcDu5aocwolXeBIkVl235GFfJSdYRzIbk5lSqVK+Wt5Yj4yOIO+QEAk5I51dzOC
+5i3APTqOM0UPQ168ubcoT5LY/aWLJqnVAjgY/Sn2vXAwsYvkuJZMpeOPoNgocAWw
+wGxXkPEy//OA3rwyy6PER2U7xLWL5SOH8oxjnsnHA98nF4iuOQqbwPTwfyWN7xr7
+HAY6KiawHmD0T3ywswR1bEZ1CYn8KxpNMuHf7tbaMPONvawVEqM1xc9+4tB3ImdM
+UB9eIiwIspq68mdE43eyUeM9f2foNR67Kj6F7hvBwDsAEQEAAYkBNgQYAQgAIBYh
+BNBHYbEWIDsMCFm2Fii3bgW5I4iOBQJcvUOrAhsMAAoJECi3bgW5I4iOLCAIANNd
+BwFFJpTaEZhOvDEsfOmHDFE+xG2fBq+SO53A4M/4xfJ6BVnpRvAgPvEu/ED8LMIB
+buaMUpXjAwULIOnNEBsYem+m3IKcrZAIhfXAjI8EqzprjciUiVEx0+XR6eIbsFm2
+gm61vHfbviKSyQg3hpKG8/g2sFgQ9CNi5DFghIYesp+7NwCC+UOVGBu90O4SIq+I
+Ms2n3OTR2GIEz0LgEvC/3R7pkBNjLNTccExBNqOShJy3XnwntvYflxVwEBVsyEbK
+LvLU2xtlIE/IdGssKQR8UFFsgFmGiX3t1TcahFnLlr6Et+vB4J02Xr+uvZ81v/Zq
+1OHz7iIjrd28MslYu24=
+=xMCa
+-----END PGP PUBLIC KEY BLOCK-----