Using CAS for content-trust #3382

Merged
merged 8 commits into from
Feb 10, 2022

pvizeli (Member) commented Dec 28, 2021

Proposed change

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New feature (which adds functionality to the supervisor)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:
  • Link to documentation pull request:
  • Link to cli pull request:

Checklist

  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • The code has been formatted using Black (black --fast supervisor tests)
  • Tests have been added to verify that the new code works.

If API endpoints of add-on configuration are added/changed:

@pvizeli pvizeli changed the title from "Cas" to "Using CAS for content-trust" Dec 28, 2021

mdegat01 (Contributor) commented Feb 9, 2022

@pvizeli ok so test_fetch_versions is failing because the first time you run cas authenticate on a clean system you get a response like this:
[Screenshot: Screen Shot 2022-02-08 at 8 30 17 PM]

Notice that message at the top. That's what's breaking it because the response isn't JSON with that there. It happens the first time you run cas authenticate on a clean system like we're doing in the workflow. The public key is then cached in ~/.cas-trusted-signing-pub-key and the message doesn't appear again after that. It's unfortunately in stdout not stderr so no good way to separate it other than string manipulation before parsing as JSON.

Think we can just ship the image with this key? I assume based on this that it's stable. That would eliminate this from the response.

As for the other errors I'm not entirely sure what to make of them. Neither seems like they could be related to this change. The one on the Build Supervisor workflow actually sounds like a bug with the action itself based on the output. Found this issue but I don't see a force push in the history of this PR so not sure how that would've happened.
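
The string handling described in the comment above, as an added example that is not code from this PR or from the Supervisor code base: it splits CLI stdout into a leading non-JSON notice and the JSON document, and fails closed on anything else. The function name, the banner text and the JSON fields are constructed placeholders, since the real output was only in the screenshot.

```python
import json

# Constructed sample output: the real notice text and JSON fields are not on
# the page (they were in the screenshot), so both are placeholders.
FIRST_RUN = (
    "NOTICE: signing public key downloaded and cached (constructed banner)\n"
    '{"status": 0, "verified": true}\n'
)
CACHED_KEY = '{"status": 0, "verified": true}\n'


def split_cli_json(stdout: str) -> tuple[str, dict]:
    """Split CLI stdout into (leading notice, JSON object).

    Fails closed: raises ValueError when no JSON object is present or when
    anything but whitespace follows it, so a mangled response is never
    mistaken for a verification result.
    """
    decoder = json.JSONDecoder()
    start = stdout.find("{")
    while start != -1:
        try:
            data, end = decoder.raw_decode(stdout, start)
        except json.JSONDecodeError:
            # This brace belonged to the notice text; try the next one.
            start = stdout.find("{", start + 1)
            continue
        if stdout[end:].strip():
            raise ValueError("unexpected text after JSON document")
        return stdout[:start].strip(), data
    raise ValueError("no JSON object in output")


if __name__ == "__main__":
    for label, out in (("first run", FIRST_RUN), ("cached key", CACHED_KEY)):
        notice, data = split_cli_json(out)
        # Surface the notice instead of dropping it: it marks a key fetch.
        print(f"{label}: notice={notice!r} data={data}")
```

Returning the notice lets the caller log that a signing key was fetched at runtime, which is the event that shipping the key in the image removes.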

pvizeli (Member, Author) commented Feb 9, 2022

> Think we can just ship the image with this key? I assume based on this that it's stable. That would eliminate this from the response.

Yeah, we should ship the image with preinstalled key on dockerfile + install the key:

Then it should be solved on our workflows as well

pvizeli (Member, Author) commented Feb 9, 2022

Yeah, push the file into is even better over the rootfs, nice catch

@mdegat01 mdegat01 marked this pull request as ready for review February 9, 2022 18:54
@pvizeli pvizeli merged commit 3478005 into main Feb 10, 2022
@pvizeli pvizeli deleted the cas branch February 10, 2022 08:21
@github-actions github-actions bot locked and limited conversation to collaborators Feb 12, 2022
4 participants