Closed Bug 1452266 Opened 7 years ago Closed 7 years ago

we may need to indent or armor the chain of trust artifact in docker-worker

Categories

(Taskcluster :: Workers, enhancement)

Product:
Taskcluster
Component:
Workers
Type:
enhancement
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mozilla, Assigned: wcosta)

Details

Attachments

(3 files)

line-too-long chainOfTrust.json.asc
35.88 KB, text/plain
Details
indent chainOfTrust.json
53 bytes, text/x-github-pull-request
jonasfj
: review+
Details | Review
replicate issue - test.py
2.85 KB, text/plain
Details
Right now, the docker-worker chainOfTrust.json.asc file appears to have very long lines - no formatting, but it's signed. We may need to either armor it or indent the json. For example, if you download https://taskcluster-artifacts.net/KK4rRgaBStasZwwA-ncmPA/0/public/chainOfTrust.json.asc and try to extract the unsigned file, we get gpg: invalid armor: line longer than 20000 characters Per the openpgpjs docs [1], we might be able to set an `armor: true` in the signature call [2]; that's probably the correct fix. Another fix that would help, and would also help legibility, is indenting the json rather than putting it all on one line. A third fix that would help here is when we stop generating such a long commandline for the task :) [1] https://openpgpjs.org/openpgpjs/doc/module-openpgp.html [2] https://github.com/taskcluster/docker-worker/blob/master/src/lib/features/chain_of_trust.js#L97
Attachment #8966333 - Flags: review?(jopsen)
Commits pushed to master at https://github.com/taskcluster/docker-worker https://github.com/taskcluster/docker-worker/commit/ced22e4d86287d491c0d4d53a6b49edaee525e27 bug 1452266 - indent chainOfTrust.json gpg signature verification has a max line length of 20k chars. By using newlines and indents, we avoid hitting this limit. https://github.com/taskcluster/docker-worker/commit/d0fb58c86b75407d4e4f0786850749138c66f000 Merge pull request #388 from escapewindow/patch-1 bug 1452266 - indent chainOfTrust.json
Comment on attachment 8966333 [details] [review] indent chainOfTrust.json I'm super surprised that there's line length limits. I would imagine that GPG could handle binary data. We probably should dig into this at some point. Or maybe switch to another system as ulfr suggested :)
Attachment #8966333 - Flags: review?(jopsen) → review+
(In reply to Jonas Finnemann Jensen (:jonasfj) from comment #4) > Comment on attachment 8966333 [details] [review] > indent chainOfTrust.json > > I'm super surprised that there's line length limits. > I would imagine that GPG could handle binary data. > > We probably should dig into this at some point. > Or maybe switch to another system as ulfr suggested :) I think binary/ascii-armored data is base64 encoded and wrapped, so it doesn't hit long line lengths. And yeah, I think an openssl CA that signs each host's cert makes sense. The main challenge is getting the same openssl cert into four different worker codebases.
(In reply to Aki Sasaki [:aki] from comment #5) > The > main challenge is getting the same openssl cert into four different worker > codebases. I think I meant same openssl workflow.
Wander, what are the chances of a new docker-worker release for this? We're finishing up our partner-repack migration to taskcluster. That's the final piece to move off buildbot (other than esr52), and we would love to land that this week or early next week. Unfortunately, our current solution breaks on this 20k line length limit.
Flags: needinfo?(wcosta)
Wander: I know I asked you to ignore docker-worker for a while, but this is actively blocking the final piece of the buildbot migration. Can I ask you to take a look, please?
Assignee: nobody → wcosta
Severity: normal → blocker
I am going to deploy it on Monday :)
Flags: needinfo?(wcosta)
FWIW the generic-worker chain of trust is formatted json, so shouldn't hit this problem.
Wander was doing testing today and will deploy tomorrow AM.
docker-worker has been deployed!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
09:04 <aki> wcosta: thanks for the rollout! sadly, https://taskcluster-artifacts.net/P9-x2hBsRCm3W2o4NrRxrA/0/public/chainOfTrust.json.asc doesn't look indented, and is still breaking on the 20k char limit. is https://tools.taskcluster.net/provisioners/aws-provisioner-v1/worker-types/gecko-3-decision/workers/us-west-2/i-0bf67b487c6b92557 using the new ami? if so, we may 09:04 <aki> need a new patch 09:04 <aki> if not, the current patch may still work when we start using the new ami 09:10 <aki> wishing the docker-worker version and/or ami id were logged. do we have access to that info?
Flags: needinfo?(wcosta)
09:42 <wcosta> aki: this is using old AMI 09:42 <aki> phew 09:42 <aki> i think we have a test running on the new ami, fingers crossed 09:44 <bhearsum> it's running on i-00becaa452f43163a 09:45 <wcosta> aki: this is a new AMI 09:45 <aki> fingers crossed! 09:45 <wcosta> ^bhearsum 09:45 <bhearsum> yay 09:46 CristianB|sheriffduty → CristianB 09:47 <aki> indented! https://taskcluster-artifacts.net/IVpWi_K9T0e51tU9OBXDwA/1/public/chainOfTrust.json.asc \o/ 09:48 <aki> thank you!
Flags: needinfo?(wcosta)
Component: Docker-Worker → Workers
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: