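# get the keystore location, prompting for it when none was supplied
if not options.KEYSTORE_LOCATION:
    options.KEYSTORE_LOCATION = get_keystore_location()

# build the keystore and fill it with freshly generated keys for each role
key_db = keystore.KeyStore(options.KEYSTORE_LOCATION)
# role name -> (list of key ids generated for that role, threshold used)
key_ids = {}
for k in ["root", "targets", "release", "timestamp"]:
    # Precedence: explicit per-role <ROLE>_THRESHOLD option, then
    # DEFAULT_THRESHOLD, then an interactive prompt.  Previously
    # DEFAULT_THRESHOLD silently overrode an explicit per-role value,
    # which inverted the meaning of "default".
    threshold = getattr(options, k.upper() + "_THRESHOLD")
    if not threshold:
        threshold = options.DEFAULT_THRESHOLD or get_threshold(k)
    # register the role up front so every role has an entry even when
    # threshold is 0 (the old try/except KeyError left such roles out)
    key_ids[k] = ([], threshold)
    for _ in range(threshold):
        key = signerlib.generate_key(options.DEFAULT_KEY_SIZE)
        if TEST:
            # fixed placeholder password for the non-interactive test path
            password = '******'
        else:
            password = signercli._get_password()
        key_db.add_key(key, password)
        key_ids[k][0].append(key.get_key_id())
key_db.save()

# get the server root, prompting for it when none was supplied
if not options.SERVER_ROOT_LOCATION:
    options.SERVER_ROOT_LOCATION = get_server_root()

# build the server root: metadata lives under <server root>/meta.
# os.path.join matches how update_metadata derives its metadata_root;
# the old "+ pathsep +" used what is presumably os.pathsep, the PATH-list
# separator (":" on POSIX), not the directory separator, producing a
# location like "<root>:meta".
metadata_loc = os.path.join(options.SERVER_ROOT_LOCATION, "meta")
print(metadata_loc)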
def genkey(args):
    """Generate a single key with signerlib, directed at the selected keystore.

    ``args`` is the raw command-line argument list.  The only option
    recognised is ``--keystore=<path>``; the parsed options are handed to
    ``_get_keystore`` to resolve the keystore.  The key length is not yet
    configurable: ``bits=None`` is always passed through.
    """
    parsed_opts, _remaining = getopt.getopt(args, "", ["keystore="])
    # named 'store' so the local does not shadow the keystore module
    store = _get_keystore(parsed_opts)
    # TODO: Allow specifying key length.
    signerlib.generate_key(bits=None, keystore=store)
def update_metadata(keystore_path, project_root, root_cfg_path, server_dir, add_keys, remove_keys, thresholds, keysize, state=BUILD_ROOT): logger.info(state) # normalize the paths metadata_root = os.path.join(server_dir, "meta") targets_root = os.path.join(server_dir, "targets") # build the keydb key_db = keystore.KeyStore(keystore_path) if TEST: key_db.load(['test']) while True: if TEST: break line = signercli._get_password("Please input a decryption password for the keystore, or -- to stop: ") if line != '--': key_db.load([line]) else: break # these are the keys we'll sign with and those that will wind up in the # root.cfg when we're done fuzzy_keys = {'root': set(), 'targets': set(), 'release': set(), 'timestamp': set()} if not thresholds: thresholds = { 'root': 1, 'targets': 1, 'release': 1, 'timestamp': 1} # generate any new keys for role, add in add_keys.items(): if add: key = signerlib.generate_key(keysize) pw = signercli._get_password() key_db.add_key(key, pw) fuzzy_keys[role].add(key.get_key_id()) key_db.save() # get the config data root_cfg = ConfigParser() root_cfg.read(root_cfg_path) # read the config data known_keys = list(key_db._keys) for role in fuzzy_keys: for key_id in root_cfg.get(role, "keyids").split(","): if key_id in known_keys: fuzzy_keys[role].add(key_id) if not thresholds[role]: thresholds[role] = root_cfg.get(role, 'threshold') # remove any removed keys for role in fuzzy_keys: fuzzy_keys[role].discard(remove_keys[role]) # write the results back to the root.cfg expiration = root_cfg.get('expiration', 'days') keydata = {} for role in fuzzy_keys: previous_keys = set(root_cfg.get(role, 'keyids').split(',')) previous_keys.discard(remove_keys[role]) previous_keys |= set(fuzzy_keys[role]) if len(previous_keys) < thresholds[role]: msg = "Number of keys for %s is less then threshold." 
msg += "Threshold set: %s, keys provided: %s" msg = msg % (role, thresholds[role], previous_keys) log.error(msg) return keydata[role] = (previous_keys, thresholds[role]) build_root_cfg(server_dir, expiration, keydata) # copy the project over to the targets root if project_root != targets_root: rmtree(targets_root) logger.info("removed the tree") copytree(project_root, targets_root) logger.info("copied the tree") # started if state == BUILD_ROOT: try: build_root_txt(root_cfg_path, fuzzy_keys['root'], key_db, metadata_root) state += 1 except Exception, e: print e logger.info('Quickstart was unable to build root.txt. Please send the incomplete update to your root key holder.') logger.info('They can continue the update process by running quickstart with the \'-step build_root\' argument') state = FINISH