Module: Artifact
- Defined in: lib/bundles/inspec-artifact/cli.rb
Overview
Notes:
Generate keys
The initial implementation uses 2048 bit RSA key pairs (public + private).
Public keys must be available for a customer to install and verify an artifact.
Private keys should be stored in a secure location and NOT be distributed.
(They're only for creating artifacts).
.IAF file format
.iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
The iaf file wraps a binary artifact with some metadata. The first implementation
looks like this:
INSPEC-PROFILE-1
name_of_signing_key
algorithm
signature
<empty line>
binary-blob
<eof>
Let’s look at each line:
INSPEC-PROFILE-1:
This is the artifact version descriptor. It shouldn't change unless the
format of the archive changes.
name_of_signing_key
The name of the public key that can be used to verify an artifact
algorithm
The digest used to sign. I picked SHA512 to start with.
If we support multiple digests, we'll need to have the verify() method
support each digest.
signature
The result of passing the binary artifact through the digest algorithm above.
Result is base64 encoded.
<empty line>
We use an empty line to separate artifact header from artifact body (binary blob).
The artifact body can be anything you like.
binary-blob
A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
stick with it as part of the "INSPEC-PROFILE-1" artifact version. If we change block
format, the artifact version descriptor must be incremented, and the sign()
and verify() methods must be updated to support a newer version.
Key revocation
This implementation doesn't support key revocation. However, a customer
can remove the public cert file before installation, and artifacts will then
fail verification.
Key locations
This implementation uses the current working directory to find public and
private keys. We should establish a common key directory (similar to /hab/cache/keys
or ~/.hab/cache/keys in Habitat).
Extracting artifacts outside of Inspec
As in Habitat, the artifact format for Inspec allows the use of common
Unix tools to read the header and body of an artifact.
To extract the header from a .iaf:
sed '/^$/q' foo.iaf
To extract the raw content from a .iaf:
sed '1,/^$/d' foo.iaf
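An added example, not InSpec's own code, that parses the header/body layout described above and verifies it against the allowlisted version and digest. It assumes the signature line is a Base64-encoded RSA signature over the body; `iaf_pack`, `iaf_parse`, `iaf_verify` and the keyring Hash are hypothetical names.

```ruby
require 'openssl'
require 'base64'
require 'set'

# Allowlists taken from the constants listed on this page.
VALID_VERSIONS = Set.new(['INSPEC-PROFILE-1'])
VALID_DIGESTS  = Set.new(['SHA512'])

# Write the layout described above: version, key name, digest name,
# Base64 signature, empty line, raw body.
# ASSUMPTION: the signature is an RSA signature over the body bytes.
def iaf_pack(key, key_name, body)
  sig = Base64.strict_encode64(key.sign(OpenSSL::Digest.new('SHA512'), body))
  "INSPEC-PROFILE-1\n#{key_name}\nSHA512\n#{sig}\n\n".b + body.b
end

# Split on the FIRST empty line only: the body is binary and may itself
# contain "\n\n", so it is never split again or re-encoded.
def iaf_parse(data)
  header, sep, body = data.b.partition("\n\n".b)
  raise ArgumentError, 'missing empty line after header' if sep.empty?
  version, key_name, algorithm, *sig_lines = header.split("\n")
  raise ArgumentError, 'incomplete header' if sig_lines.empty?
  { version: version, key_name: key_name, algorithm: algorithm,
    signature: sig_lines.join, body: body }
end

# Header fields are untrusted until the signature checks out, so version and
# digest are matched against allowlists and the key comes from a keyring the
# verifier controls (hypothetical Hash of key name => public key).
def iaf_verify(data, keyring)
  art = iaf_parse(data)
  return false unless VALID_VERSIONS.include?(art[:version])
  return false unless VALID_DIGESTS.include?(art[:algorithm])
  pub = keyring[art[:key_name]] or return false
  sig = Base64.strict_decode64(art[:signature])
  pub.verify(OpenSSL::Digest.new(art[:algorithm]), sig, art[:body])
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false # malformed header, invalid Base64 or unusable signature
end

# Constructed sample data: a throwaway key and a fake body with a blank line in it.
SAMPLE_KEY  = OpenSSL::PKey::RSA.new(2048)
SAMPLE_BODY = "\x1F\x8B\x08\x00fake\n\ntarball".b
SAMPLE_IAF  = iaf_pack(SAMPLE_KEY, 'example-key', SAMPLE_BODY)
SAMPLE_RING = { 'example-key' => SAMPLE_KEY.public_key }
```

Verifying against an empty keyring models the revocation workaround described above: with the public key removed, the artifact fails verification.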
Defined Under Namespace
Classes: CLI
Constant Summary
- KEY_BITS = 2048
- KEY_ALG = OpenSSL::PKey::RSA
- INSPEC_PROFILE_VERSION_1 = 'INSPEC-PROFILE-1'
- INSPEC_REPORT_VERSION_1 = 'INSPEC-REPORT-1'
- ARTIFACT_DIGEST = OpenSSL::Digest::SHA512
- ARTIFACT_DIGEST_NAME = 'SHA512'
- VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1]
- VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
- SIGNED_PROFILE_SUFFIX = 'iaf'
- SIGNED_REPORT_SUFFIX = 'iar'