feat: add binary keys (#451)

Originally, the `duffle key add` allowed only ASCII armored keys. But the more common format is binary keys. So this makes binary keys the default, but provides the --armored/-a flag for loading ASCII keys
cnabio · Nov 19, 2018 · c347196 · c347196
1 parent d1f641d
commit c347196
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 15 deletions.
diff --git a/cmd/duffle/init.go b/cmd/duffle/init.go
@@ -174,7 +174,7 @@ func (i *initCmd) loadOrCreateSecretKeyRing(dest string) (*signature.KeyRing, er
 		if err != nil {
 			return ring, err
 		}
-		err = ring.Add(key)
+		err = ring.Add(key, true)
 		key.Close()
 		if err != nil {
 			return ring, err
@@ -244,7 +244,7 @@ func (i *initCmd) loadOrCreatePublicKeyRing(dest string, privateKeys *signature.
 		if err != nil {
 			return ring, err
 		}
-		err = ring.Add(keys)
+		err = ring.Add(keys, true)
 		keys.Close()
 		if err != nil {
 			return ring, err

diff --git a/cmd/duffle/key_add.go b/cmd/duffle/key_add.go
@@ -12,8 +12,9 @@ import (
 
 const keyAddDesc = `Add a key or keys to the keyring.
 
-Add keys to either the public (default) or secret (-s) keyring. The file must be an ASCII-armored
-key or keyring.
+Add keys to either the public (default) or secret (-s) keyring. By default, this
+expects binary keys (in the form generated by 'duffle key export'), but with the
+'--armored'/'-a' flag this can take ASCII armored keys as well.
 
 Keys added to the secret keyring must contain private key material. Keys added to the
 public keyring should be public keys, but private keys will be accepted (though the
@@ -22,6 +23,7 @@ private key material may be removed).
 
 func newKeyAddCmd(w io.Writer) *cobra.Command {
 	var secret bool
+	var armored bool
 	cmd := &cobra.Command{
 		Use:   "add FILE",
 		Short: "add one or more keys to the keyring",
@@ -37,19 +39,20 @@ func newKeyAddCmd(w io.Writer) *cobra.Command {
 				// any key added to the secret ring can be used to verify a
 				// bundle.
 				ring = h.SecretKeyRing()
-				if err := addKeys(args[0], ring, secret); err != nil {
+				if err := addKeys(args[0], ring, secret, armored); err != nil {
 					return err
 				}
 			}
 			ring = h.PublicKeyRing()
-			return addKeys(args[0], ring, false)
+			return addKeys(args[0], ring, false, armored)
 		},
 	}
-	cmd.Flags().BoolVarP(&secret, "secret", "s", false, "add a secret (private) key")
+	cmd.Flags().BoolVarP(&secret, "secret", "s", false, "Add a secret (private) key")
+	cmd.Flags().BoolVarP(&armored, "armored", "a", false, "Load an ASCII armored key")
 	return cmd
 }
 
-func addKeys(file, ring string, private bool) error {
+func addKeys(file, ring string, private, armored bool) error {
 	reader, err := os.Open(file)
 	if err != nil {
 		return err
@@ -60,7 +63,7 @@ func addKeys(file, ring string, private bool) error {
 		return err
 	}
 	kring.PassphraseFetcher = passwordFetcher
-	if err := kring.Add(reader); err != nil {
+	if err := kring.Add(reader, armored); err != nil {
 		return err
 	}
 	if private {

diff --git a/pkg/signature/keyring.go b/pkg/signature/keyring.go
@@ -30,8 +30,14 @@ func (r *KeyRing) Len() int {
 //
 // Add is idempotent. If provided keys already exist, they will be
 // silently ignored. This makes it easier to do bulk imports.
-func (r *KeyRing) Add(armoredKeys io.Reader) error {
-	entities, err := openpgp.ReadArmoredKeyRing(armoredKeys)
+func (r *KeyRing) Add(keyReader io.Reader, armored bool) error {
+	var entities openpgp.EntityList
+	var err error
+	if armored {
+		entities, err = openpgp.ReadArmoredKeyRing(keyReader)
+	} else {
+		entities, err = openpgp.ReadKeyRing(keyReader)
+	}
 	if err != nil {
 		return err
 	}

diff --git a/pkg/signature/keyring_test.go b/pkg/signature/keyring_test.go
@@ -69,13 +69,13 @@ func TestKeyring_KeyByID(t *testing.T) {
 	is.Equal(key.entity.Identities[key2Email].Name, key2Email)
 }
 
-func TestKeyRing_Add(t *testing.T) {
+func TestKeyRing_Add_Armored(t *testing.T) {
 	is := assert.New(t)
 	extras, err := os.Open("testdata/extra.gpg")
 	is.NoError(err)
 	kr, err := LoadKeyRing(keyringFile)
 	is.NoError(err)
-	is.NoError(kr.Add(extras))
+	is.NoError(kr.Add(extras, true))
 
 	k, err := kr.Key("[email protected]")
 	is.NoError(err)
@@ -89,13 +89,27 @@ func TestKeyRing_Add(t *testing.T) {
 	is.NoError(err)
 
 	// Re-add extras
-	is.NoError(kr.Add(extras))
+	is.NoError(kr.Add(extras, true))
 	k2, err := kr.Key("[email protected]")
 	is.NoError(err)
 	is.Equal(k2.entity.Identities[fullExtraID].Name, fullExtraID)
 	is.Equal(l, kr.Len())
 }
 
+func TestKeyRing_Add_NotArmored(t *testing.T) {
+	is := assert.New(t)
+	extras, err := os.Open("testdata/extra1-public.key")
+	is.NoError(err)
+	kr, err := LoadKeyRing(keyringFile)
+	is.NoError(err)
+	is.NoError(kr.Add(extras, false))
+
+	k, err := kr.Key("[email protected]")
+	is.NoError(err)
+	is.Equal(k.entity.Identities[fullExtraID].Name, fullExtraID)
+
+}
+
 func TestKeyRing_AddKey(t *testing.T) {
 	is := assert.New(t)
 
@@ -125,7 +139,7 @@ func TestCreateKeyRing(t *testing.T) {
 	is.NoError(err)
 
 	kr := CreateKeyRing(testPassphraseFetch)
-	is.NoError(kr.Add(extras))
+	is.NoError(kr.Add(extras, true))
 
 	k, err := kr.Key("[email protected]")
 	is.NoError(err)

diff --git a/pkg/signature/testdata/extra1-public.key b/pkg/signature/testdata/extra1-public.key