Add signing of SQL export #78

Merged
merged 3 commits into from
Jun 23, 2025

@aaannz aaannz commented May 14, 2025

  • export command extended by --signKey and --certificate options, defaults to spacewalk keys. Export SQL file is then signed by this key and cert is packaged together with export
  • import command extended by --verifyKey, --skip-verify and --ca options. Verify key is first validated against CA, then SQL file signature is checked by verify key.

Public certificate for validating the export is included in the export and is validated by CA on import.
Optionally, it is possible to pass a different verification key on import, which is also validated by the CA; a custom CA option is also provided.

OpenSSL is added as a dependency of the ISSv2.

Issues: https://github.com/SUSE/spacewalk/issues/27004 and https://github.com/SUSE/spacewalk/issues/27015
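
The import-side order described above (validate the bundled certificate against the CA, then check the SQL file's signature) can be reproduced with the OpenSSL command line. This is an added example, not code from the PR or the project; the throwaway CAs, file names and sample dump are constructed, and RSA-2048 with SHA-256 is an assumption.

```bash
#!/usr/bin/env bash
# Added illustration: throwaway PKI and a constructed dump; all file names are assumptions.
set -euo pipefail

# Export side: detached SHA-256 signature over the SQL file.
sign_export() {  # KEY SQL SIG
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Import side: succeed only if CERT chains to CA *and* SIG matches SQL under CERT's key.
# The chain check comes first because CERT arrives inside the untrusted export.
verify_export() {  # CA CERT SQL SIG
    local pub rc=0
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    pub=$(mktemp)
    openssl x509 -in "$2" -pubkey -noout >"$pub" 2>/dev/null &&
        openssl dgst -sha256 -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1 || rc=1
    rm -f "$pub"
    return "$rc"
}

# Constructed test PKI: a self-signed CA named NAME and one certificate it issues.
make_demo_pki() {  # DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2 demo CA" \
        -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2 demo signer" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$2-ca.pem" -CAkey "$1/$2-ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# check LABEL CA CERT SQL SIG: print the verdict for one scenario.
check() {
    if verify_export "$2" "$3" "$4" "$5"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

d=$(mktemp -d)
make_demo_pki "$d" trusted      # CA the importing server trusts
make_demo_pki "$d" other        # unrelated CA, stands in for a signer the importer does not trust
echo "INSERT INTO demo VALUES (1);" >"$d/dump.sql"   # constructed sample export
sign_export "$d/trusted.key" "$d/dump.sql" "$d/good.sig"
sign_export "$d/other.key" "$d/dump.sql" "$d/other.sig"
cp "$d/dump.sql" "$d/tampered.sql"; echo "DELETE FROM demo;" >>"$d/tampered.sql"

check "signed by trusted cert" "$d/trusted-ca.pem" "$d/trusted.pem" "$d/dump.sql" "$d/good.sig"
check "valid signature, untrusted cert" "$d/trusted-ca.pem" "$d/other.pem" "$d/dump.sql" "$d/other.sig"
check "modified after signing" "$d/trusted-ca.pem" "$d/trusted.pem" "$d/tampered.sql" "$d/good.sig"
```

The second scenario is the reason for the CA step: the signature matches the certificate shipped with the export, yet the export is rejected because that certificate does not chain to the trusted CA.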

export command extended by --signKey and --certificate options, defaults
to spacewalk keys. Export SQL file is then signed by this key and cert
is packaged together with export

import command extended by --verifyKey, --skip-verify and --ca options.
Verify key is first validated against CA, then SQL file signature is
checked by verify key.
@aaannz aaannz requested a review from rjmateus May 14, 2025 15:17
@rjmateus rjmateus left a comment

lgtm

- add checks for certificate existence
- add debug logs

aaannz commented May 15, 2025

Added new commit with checks if certs exist and also an option to read private key passphrase from the file. Suggested by @cbosdo

aaannz commented Jun 16, 2025

Rewrote the PR to be compatible with openssl1.1 and openssl3.

@aaannz aaannz requested a review from rjmateus June 23, 2025 09:14
@rjmateus rjmateus left a comment

LGTM

@aaannz aaannz merged commit 0e4e7a9 into uyuni-project:main Jun 23, 2025
2 checks passed
@aaannz aaannz deleted the secure_dump branch June 23, 2025 11:09