diff --git a/downloader.go b/downloader.go
index 27e8d6a..894a4af 100644
--- a/downloader.go
+++ b/downloader.go
@@ -46,7 +46,20 @@ func New(opts ...ConfigOpt) (Downloader, error) {
 		}
 	}
-	key, err := crypto.NewKeyFromArmored(cfg.GPGKey)
+	keyRing, err := createKeyRing(cfg.GPGKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &downloader{
+		cfg,
+		tpl,
+		keyRing,
+	}, nil
+}
+
+func createKeyRing(armoredKey string) (*crypto.KeyRing, error) {
+	key, err := crypto.NewKeyFromArmored(armoredKey)
 	if err != nil {
 		return nil, &InvalidConfigurationError{
 			Message: "Failed to decode GPG key",
@@ -61,12 +74,7 @@ func New(opts ...ConfigOpt) (Downloader, error) {
 	if err != nil {
 		return nil, &InvalidConfigurationError{Message: "Cannot create keyring", Cause: err}
 	}
-
-	return &downloader{
-		cfg,
-		tpl,
-		keyRing,
-	}, nil
+	return keyRing, nil
 }
 type downloader struct {
diff --git a/mirror.go b/mirror.go
index 2ed80e0..4ec8315 100644
--- a/mirror.go
+++ b/mirror.go
@@ -8,6 +8,9 @@ import (
 	"fmt"
 	"net/http"
 	"time"
+
+	"github.com/ProtonMail/gopenpgp/v2/crypto"
+	"github.com/opentofu/tofudl/branding"
 )
 // NewMirror creates a new mirror, optionally acting as a pull-through cache when passing a pullThroughDownloader.
@@ -17,10 +20,20 @@ func NewMirror(config MirrorConfig, storage MirrorStorage, pullThroughDownloader
 			"no storage and no pull-through downloader passed to NewMirror, cannot create a working mirror",
 		)
 	}
+	if config.GPGKey == "" {
+		config.GPGKey = branding.DefaultGPGKey
+	}
+
+	keyRing, err := createKeyRing(config.GPGKey)
+	if err != nil {
+		return nil, err
+	}
+
 	return &mirror{
 		storage,
 		pullThroughDownloader,
 		config,
+		keyRing,
 	}, nil
 }
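Review bot: `createKeyRing` is introduced without a doc comment, and since it now owns the GPG-key parsing for both `New` and `NewMirror`, a reader should not have to trace into gopenpgp to learn what it accepts and how it fails. I would add `// createKeyRing parses an ASCII-armored GPG key and returns a key ring that verifyArtifact checks signatures against. It returns an *InvalidConfigurationError if the key cannot be decoded or the key ring cannot be built.` above the signature. The body of `createKeyRing` continues past the end of this hunk (its `return keyRing, nil` lands in the next hunk), so the note applies to the function as a whole.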
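Review bot: The fallback to `branding.DefaultGPGKey` and the new parse-failure path are not reflected in the `NewMirror` doc comment, which still only describes the pull-through option, so a caller of the standalone mirror cannot see from the docs which key their artifacts are verified against. I would extend the comment with `// If config.GPGKey is empty, branding.DefaultGPGKey is used to verify artifacts in standalone mode; NewMirror returns an *InvalidConfigurationError if the key cannot be parsed.` Note also that the key ring is built even when a pullThroughDownloader is supplied, and per mirror_verify_artifact.go in this commit it is never consulted in that case, so a configured GPGKey is silently ignored in pull-through mode; that is worth stating in the same comment, or rejecting with an explicit error, so the operator's intent and the key actually used cannot diverge.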
@@ -57,10 +70,14 @@ type MirrorConfig struct {
 	// ArtifactCacheTimeout is the time the cached artifacts should be considered valid. A duration of 0 means that
 	// artifacts should not be cached. A duration of -1 means that artifacts should be cached indefinitely.
 	ArtifactCacheTimeout time.Duration `json:"artifact_cache_timeout"`
+
+	//GPGKey is the ASCII-armored key to verify downloaded artifacts against. This is only needed in standalone mode.
+	GPGKey string `json:"gpg_key"`
 }
 type mirror struct {
 	storage               MirrorStorage
 	pullThroughDownloader Downloader
 	config                MirrorConfig
+	keyRing               *crypto.KeyRing
 }
diff --git a/mirror_download_version.go b/mirror_download_version.go
index dbe4f19..c401a0f 100644
--- a/mirror_download_version.go
+++ b/mirror_download_version.go
@@ -8,5 +8,5 @@ import (
 )
 func (m *mirror) DownloadVersion(ctx context.Context, version VersionWithArtifacts, platform Platform, architecture Architecture) ([]byte, error) {
-	return downloadVersion(ctx, version, platform, architecture, m.DownloadArtifact, m.pullThroughDownloader.VerifyArtifact)
+	return downloadVersion(ctx, version, platform, architecture, m.DownloadArtifact, m.VerifyArtifact)
 }
diff --git a/mirror_verify_artifact.go b/mirror_verify_artifact.go
index fcee847..82517af 100644
--- a/mirror_verify_artifact.go
+++ b/mirror_verify_artifact.go
@@ -4,5 +4,8 @@ package tofudl
 func (m *mirror) VerifyArtifact(artifactName string, artifactContents []byte, sumsFileContents []byte, signatureFileContent []byte) error {
-	return m.pullThroughDownloader.VerifyArtifact(artifactName, artifactContents, sumsFileContents, signatureFileContent)
+	if m.pullThroughDownloader != nil {
+		return m.pullThroughDownloader.VerifyArtifact(artifactName, artifactContents, sumsFileContents, signatureFileContent)
+	}
+	return verifyArtifact(m.keyRing, artifactName, artifactContents, sumsFileContents, signatureFileContent)
 }
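Review bot: The new field comment `//GPGKey is ...` is missing the space after `//` that the neighbouring `// ArtifactCacheTimeout ...` comment uses, which gofmt leaves alone but golint/revive flag; it should read `// GPGKey is the ASCII-armored key to verify downloaded artifacts against. This is only needed in standalone mode.` It would also help to state the fallback that `NewMirror` applies in this commit, `// When empty, branding.DefaultGPGKey is used.`, because an operator reading only the config struct otherwise cannot tell that leaving it blank still verifies signatures against a built-in key rather than disabling verification.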
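Review bot: `VerifyArtifact` now has two verification paths and no doc comment saying which key is authoritative: when `m.pullThroughDownloader` is set, the mirror's own `keyRing` (and so `MirrorConfig.GPGKey`) is bypassed entirely. I would add `// VerifyArtifact checks an artifact against its sums file and signature. With a pull-through downloader configured, verification is delegated to it and the mirror's own key ring is not used; otherwise the key ring built by NewMirror is used.` Separately, `m.keyRing` is passed to `verifyArtifact` with no nil check; `NewMirror` always populates it, but a `mirror` built any other way (a struct literal in a test, say) would hit whatever `verifyArtifact` does with a nil key ring, presumably a panic or an unclear error, so a guard returning a clear error is worth considering if such construction exists.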