[Merge] ~lgp171188/launchpad:ppa-generate-keys-propagate-only-the-4096-bit-rsa-signing-keys-from-the-default-ppa into launchpad:master
Guruprasad has proposed merging ~lgp171188/launchpad:ppa-generate-keys-propagate-only-the-4096-bit-rsa-signing-keys-from-the-default-ppa into launchpad:master.
Commit message:
Propagate only the 4096R key from the default PPA with a 1024R and a 4096R signing key
New, non-default PPAs need not have the legacy 1024-bit RSA signing key.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~lgp171188/launchpad/+git/launchpad/+merge/465868
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~lgp171188/launchpad:ppa-generate-keys-propagate-only-the-4096-bit-rsa-signing-keys-from-the-default-ppa into launchpad:master.
diff --git a/lib/lp/archivepublisher/archivegpgsigningkey.py b/lib/lp/archivepublisher/archivegpgsigningkey.py
index b4278c5..7d7db67 100644
--- a/lib/lp/archivepublisher/archivegpgsigningkey.py
+++ b/lib/lp/archivepublisher/archivegpgsigningkey.py
@@ -289,8 +289,16 @@ class ArchiveGPGSigningKey(SignableArchive):
def propagate_key(_):
self.archive.signing_key_owner = default_ppa.signing_key_owner
- self.archive.signing_key_fingerprint = (
- default_ppa.signing_key_fingerprint
+ default_ppa_new_signing_key = getUtility(
+ IArchiveSigningKeySet
+ ).get4096BitRSASigningKey(default_ppa)
+ if default_ppa_new_signing_key:
+ fingerprint = default_ppa_new_signing_key.fingerprint
+ else:
+ fingerprint = default_ppa.signing_key_fingerprint
+ self.archive.signing_key_fingerprint = fingerprint
+ getUtility(IArchiveSigningKeySet).create(
+ self.archive, None, default_ppa_new_signing_key
)
del get_property_cache(self.archive).signing_key
del get_property_cache(self.archive).signing_key_display_name
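Review bot: In `propagate_key` the `getUtility(IArchiveSigningKeySet).create(...)` call is unconditional, so when `get4096BitRSASigningKey(default_ppa)` finds no key the `else` branch runs and `create(self.archive, None, default_ppa_new_signing_key)` is still called with `None` as the signing key. Unless `create` is known to accept that, the call should move under `if default_ppa_new_signing_key:` so a row is written only when there is a 4096-bit key to propagate. The fallback also gives the new PPA `default_ppa.signing_key_fingerprint`, which may be the legacy 1024-bit key that the commit message says new PPAs need not have. A comment such as `# No 4096R key on the default PPA yet: fall back to its current (possibly 1024R) key.` plus a log line would make that weaker-key path visible. `propagate_key` continues past the end of this hunk.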
diff --git a/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py b/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
index ff2ce27..15b0f1b 100644
--- a/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
+++ b/lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py
@@ -624,3 +624,63 @@ class TestArchiveGPGSigningKey(TestCaseWithFactory):
),
),
)
+
+ def test_generateSigningKey_ppa_default_ppa_has_1024R_and_4096R_keys(self):
+ default_ppa = self.factory.makeArchive()
+ owner = default_ppa.owner
+ another_ppa = self.factory.makeArchive(owner=owner)
+ self.assertIsNone(default_ppa.signing_key_fingerprint)
+ self.assertIsNone(another_ppa.signing_key_fingerprint)
+ # The follow steps simulate the steps taken by the PPA key
+ # updater script when it encounters a default PPA with a
+ # 1024-bit RSA signing key. We are doing them manually to
+ # avoid a dependency on that function which will go away
+ # after the key migration is completed. But this logic
+ # of propagating the appropriate key from the default PPA
+ # has to be present forever.
+ fingerprint_1024R = self.factory.getUniqueHexString(digits=40).upper()
+ signing_key_1024R = self.factory.makeSigningKey(
+ key_type=SigningKeyType.OPENPGP,
+ fingerprint=fingerprint_1024R,
+ )
+ gpg_key_1024R = self.factory.makeGPGKey(
+ owner=owner,
+ keyid=fingerprint_1024R[-8:],
+ fingerprint=fingerprint_1024R,
+ keysize=1024,
+ )
+ default_ppa.signing_key_fingerprint = fingerprint_1024R
+ fingerprint_4096R = self.factory.getUniqueHexString(digits=40).upper()
+ signing_key_4096R = self.factory.makeSigningKey(
+ key_type=SigningKeyType.OPENPGP, fingerprint=fingerprint_4096R
+ )
+ gpg_key_4096R = self.factory.makeGPGKey(
+ owner=owner,
+ keyid=fingerprint_4096R[-8:],
+ fingerprint=fingerprint_4096R,
+ keysize=4096,
+ )
+ getUtility(IArchiveSigningKeySet).create(
+ default_ppa,
+ None,
+ signing_key_1024R,
+ )
+ getUtility(IArchiveSigningKeySet).create(
+ default_ppa,
+ None,
+ signing_key_4096R,
+ )
+ logger = BufferLogger()
+ IArchiveGPGSigningKey(another_ppa).generateSigningKey(log=logger)
+ # The 'another_ppa' PPA should now have the fingerprint of the
+ # default PPA's 4096-bit RSA signing key as its signing key fingerprint
+ self.assertEqual(
+ fingerprint_4096R, another_ppa.signing_key_fingerprint
+ )
+ # `another_ppa` should also have a row in the `archivesigningkey` table
+ # with its new signing key propagated from the default PPA.
+ self.assertIsNotNone(
+ getUtility(IArchiveSigningKeySet).get4096BitRSASigningKey(
+ another_ppa
+ )
+ )
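Review bot: This test covers only a default PPA that already holds both keys, so the `else` fallback in `propagate_key` (no 4096-bit key on the default PPA) is never exercised, and that is the branch where `create` receives `None`. A sibling test that registers only the 1024R key should assert that `another_ppa` gets `fingerprint_1024R` and that `get4096BitRSASigningKey(another_ppa)` returns nothing. The closing `assertIsNotNone` would also pass if the wrong key were attached; comparing the fingerprint pins the actual key, e.g. `self.assertEqual(fingerprint_4096R, getUtility(IArchiveSigningKeySet).get4096BitRSASigningKey(another_ppa).fingerprint)`. The comment "The follow steps" should read "The following steps".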