wip: new(falcoctl): add automatic signature verification for drivers #733
Conversation
… verification Signed-off-by: Luca Guerra <luca@guerra.sh>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: LucaGuerra The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| @@ -0,0 +1,82 @@ | |||
| -----BEGIN PGP PRIVATE KEY BLOCK----- | |||
There was a problem hiding this comment.
Note for the reviewer: this key is technically unused, however it is useful to have it if in the future we want to add some other test that are signed by the same entity as the other tests.
Obviously, like the filename says, this is a test key and its sole purpose is to run these tests.
| // {"valid remote pubkey", "testdata/hello.txt", "https://raw.githubusercontent.com/LucaGuerra/falcoctl/8875a534256686a936213b8b8dc5bbf74b5febfc/internal/signature/testdata/key.pub", true}, | ||
| // {"invalid remote pubkey", "testdata/hello.txt", "https://raw.githubusercontent.com/LucaGuerra/falcoctl/8875a534256686a936213b8b8dc5bbf74b5febfc/internal/signature/testdata/does_not_exist.pub", false}, |
There was a problem hiding this comment.
Note for the reviewer: These are disabled until the PR is merged, then, we can update the URL with the right repo and commit hash
…ut fails Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area cli
What this PR does / why we need it:
This adds two new command line options to
falcoctl driver--pubkeyallows you to specify a public key for signature verification. By default, it is the Falco public key used to sign packages:https://falco.org/repo/falcosecurity-packages.asc--no-verifyskips signature verification. By default signature verification is enforced.If the signature cannot be verified and driver build is allowed, the driver will be built locally.
This PR is still WIP because signatures are not yet present in the Falco repo. I am currently working to add them.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: