Add GPGKey and use with GPGSigner

[lukpueh]

EDIT 2023/01/20: remove key id param in private key URI

EDIT 2023/03/06:

• move min code coverage back to 90%, gpg signer is at 100%, nothing more we can do for coverage in this PR
• remove optional fields from GPGKey, we shouldn't use advanced PKI concepts from GnuPG -- subkeys, key expiration, etc. -- in tuf/in-toto metadata, which use these concepts themselves, instead assert that passed and returned key id match on import_ and sign
• remove obsolete "hashes" field from GPGKey (this is static for existing schemes, and should be encoded in the scheme for other schemes)

see #488 (comment) pp. and commit messages for more details

Closes #450

Kept as draft to,

• rebase on merged #486
• figure out GPGKey main/sub-key id mapping to signer (see discussion)
• add more tests

Description of the changes being introduced by the pull request:

GPGKey is a regular Key with additional GnuPG specific key fields,
and verification method. It also has conversion helpers to translate
from and to a non-in-toto/tuf-spec compliant key format, which is
still used by the underlying securesystemslib.gpg subpackage.

GPGSigner is updated to:

• take a GPGKey as constructor argument, and implement
• from_priv_key_uri, to load signer from gnupg:[<GnuPG homedir>]
• import_, to import a public key from a GnuPG keyring and return it along with a uri to create the signer.

Please verify and check that the pull request fulfils the following requirements:

• The code follows the Code Style Guidelines
• Tests have been added for the bug fix or new feature
• Docs have been added for the bug fix or new feature

[jku]

Looks pretty good to me: it's obviously a bit of a mess with going back and forth beween legacy gpg format and and shared one, but that's all hidden behind the signer API now...

I think requiring secretshandler to be none is wrong but that's the only complaint really.

Is there a test that ensures that the client usage (desdrialize + verify) works without gnupg being installed?

[jku]

UnsupportedLibraryError too maybe as this will run in the client?

[jku]

I think this is not useful -- code that uses from_priv_key_uri() is aiming to work with as many signers as it can, using the shared API. This seems to force me to write two code paths for no gain.

[lukpueh]

@jku, do you think we should just ignore it? Maybe log a warning/info? With current implementation of securesystemslib.gpg we cannot pass any secrets to the gpg command.

[jku]

No need for warning as far as I am concerned: the way I imagine this being used (and the way I am using it) is that the signing code doesn't care which signers are used or what they do:

• online signing app likely does not have a secrets handler
• an offline signing tool does provide a secrets handler
• even the offline signing tool does not care whether the secrets handler is used or not: a gpg signing might not use it but a yubikey signing will

[lukpueh]

rebased without changes

[lukpueh]

Thanks for the review.

it's obviously a bit of a mess with going back and forth beween legacy gpg format and and shared one, but that's all hidden behind the signer API now...

Agreed. This is not nice but can be easily fixed, once in-toto also transitions to the signer API.

I think requiring secretshandler to be none is wrong but that's the only complaint really.

Will change.

Is there a test that ensures that the client usage (desdrialize + verify) works without gnupg being installed?

Will (fix and) add tests before un-drafting this PR.

[lukpueh]

Thanks for the comments, @jku! I've addressed your concerns and added plenty of test, which also revealed a serialization bug (fixed in 3d140d5).

Beyond that, I removed the keyid field from GPGSigner, given that it also has a GPGKey attached, which has the same user-assigned keyid.

I am still unsure how to best resolve the issue that this signer keyid may differ from the keyid of a signature generated by that signer. This is because gpg may use a subkey of the key identified by the passed keyid and we assign the subkey keyid to the signature, so that we know, at verification time, which key or subkey of the public key bundle we should use.

I have a feeling that the signer API should just not support the subkey-masterkey relationship. It adds, for no benefit, a PKI hierarchy to tuf/in-toto, which already have their own PKI hierarchies.

This solution entails the following changes

• On public key import, users must pass the exact keyid of the key, they want to use for verification. This means, if gpg will use a subkey of a key bundle for signing, they must pass that subkey keyid.
• Public key import only returns the key identified by the keyid, and not the full public key bundle (as it does now even if a subkey keyid is passed).
• Signing fails, if gpg uses a different key for signing, than the one attached to the signer public key (e.g. because the user explicitly imported a master key, but the signing capability in gpg is set on a subkey).

caveat: Explicitly identifying a public key before signing requires additional tooling to allow signing with the default key, which is currently possible in in-toto.

An alternative solution, which allows both PKI hierarchies alongside each other, would be to accept public key bundles with subkeys, but always assign the master key keyid to the signature, regardless of what key/subkey was used. However, this would require a different way of matching the correct key in the public key bundle with a signature at verification time.

cc @jku, @adityasaky, @SantiagoTorres

[lukpueh]

One more minor thing I thought about is the hashes field of a GPGKey and whether we should merge the info with its scheme field.

For context:

• The field is currently hardcoded to ["pgp+SHA2"], but ignored at signature creation and verification, which both hard-code sha256 as digest algorithm.
• This PR already changes the gpg key format in a backwards-incompatible way, to make it in-toto/tuf specification compatible (see #450). Metadata backwards-compatibility will be guaranteed through in-toto/in-toto#534.
• #308 describes, among other things, how scheme can be used to encode the hash digest scheme. This is also what other supported keys in securesystemslib do.

cc @adityasaky, @SantiagoTorres

[adityasaky]

Public key import only returns the key identified by the keyid, and not the full public key bundle (as it does now even if a subkey keyid is passed).

I haven't had a chance to look through how this is used but would this change impact our notions of subkeys during verification? If only the subkey is returned, would in-toto (for example) have to look elsewhere when verifying that threshold wasn't met using subkeys?

In in-toto, we use securesystemslib.gpg.functions.export_pubkey (https://github.com/in-toto/in-toto/blob/develop/in_toto/models/layout.py#L362) and that in turn calls securesystemslib.gpg.common.get_pubkey_bundle.

[lukpueh]

would this change impact our notions of subkeys during verification?

Yes, both of my proposals are not compatible with current in-toto usage of GPG keys and signatures. in-toto currently considers all keys in a public key bundle (masterkey + subkeys), both, to check if a key is authorized via layout to provide a signature, and to identify the exact key or subkey in the bundle to verify the signature.

But this is not a concern, because the key and signature metadata formats of the GPGSigner API in securesystemslib are already incompatible with in-toto,. For in-toto-backwards- and securesystemslib-signer-compatibility, I proposed adding a custom _LegacyGPGSigner API to the in-toto code base (see my other comment above).

[lukpueh]

Another thought about parallel PKI: We export gpg keys with creation_time and validity_period fields from the gpg keychain, if present. This information is then considered at signature verification time and may raise KeyExpirationError.

Given that in-toto and TUF already have a mechanism to expire signing keys, that is via an expiration date in the delegating metadata, I wonder, if we should ignore expiration information of gpg keys, when verifying signatures, and leave it to the user to not add gpg keys to delegating metadata that would expire earlier than the metadata.

[jku]

I have a feeling that the signer API should just not support the subkey-masterkey relationship.

I agree with this, and both of your proposed solutions seem solid (although I admit I'm not fully immersed in the problem space of PGP subkeys).

I wonder, if we should ignore expiration information of gpg keys

This is a reasonable point: increasing the complexity of the serialization format doesn't seem useful if the same practical security advantage can be had by making the key-import code just slightly more complex.

[lukpueh]

I'll create a ticket for this. We can also partially re-use #190)

[jku]

👏 looks fine to me. Left a question about the keytype but since pgp key compatibility is mostly a in-toto issue, I'll leave it to you

[jku]

are these the same keytype/scheme combos that were used before, but the serialization format is now slightly different? Would it make sense sense to use e.g. a different keyname?

I guess in-toto is the only existing user... so do what makes sense there.

[lukpueh]

The thing is, these keytype/scheme combos are completely new. We did use the same values as type/method combos, but I think that's okay.