improve verification message and file permissions

aryan9600 · aryan9600 · commit fcd34a8ee704 · 2022-03-28T21:40:43.000+05:30
Signed-off-by: Sanskar Jaiswal &lt;jaiswalsanskar078@gmail.com&gt;
diff --git a/controllers/helmchart_controller.go b/controllers/helmchart_controller.go
@@ -1038,13 +1038,11 @@ func observeChartBuild(obj *sourcev1.HelmChart, build *chart.Build, err error) {
 
 	if build.VerificationSignature != nil && build.ProvFilePath != "" {
 		var sigVerMsg strings.Builder
-		sigVerMsg.WriteString(fmt.Sprintf("chart signed by: '%v'", strings.Join(build.VerificationSignature.Identities[:], ",")))
-		sigVerMsg.WriteString(fmt.Sprintf(" using key with fingeprint: '%X'", build.VerificationSignature.KeyFingerprint))
-		sigVerMsg.WriteString(fmt.Sprintf(" and hash verified: '%s'", build.VerificationSignature.FileHash))
+		sigVerMsg.WriteString(fmt.Sprintf("verified chart hash: '%s'", build.VerificationSignature.FileHash))
+		sigVerMsg.WriteString(fmt.Sprintf(" signed by: '%s'", build.VerificationSignature.Identity))
+		sigVerMsg.WriteString(fmt.Sprintf(" with key: '%X'", build.VerificationSignature.KeyFingerprint))
 
 		conditions.MarkTrue(obj, sourcev1.SourceVerifiedCondition, sourcev1.ChartVerificationSucceededReason, sigVerMsg.String())
-	} else {
-		conditions.Delete(obj, sourcev1.SourceVerifiedCondition)
 	}
 
 	if err != nil {
@@ -1080,6 +1078,7 @@ func reasonForBuild(build *chart.Build) string {
 
 func (r *HelmChartReconciler) getProvenanceKeyring(ctx context.Context, chart *sourcev1.HelmChart) ([]byte, error) {
 	if chart.Spec.VerificationKeyring == nil {
+		conditions.Delete(chart, sourcev1.SourceVerifiedCondition)
 		return nil, nil
 	}
 	name := types.NamespacedName{
diff --git a/controllers/helmchart_controller_test.go b/controllers/helmchart_controller_test.go
@@ -327,10 +327,10 @@ func TestHelmChartReconciler_reconcileStorage(t *testing.T) {
 					if err := testStorage.MkdirAll(*obj.Status.Artifact); err != nil {
 						return err
 					}
-					if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader(v), 0644); err != nil {
+					if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader(v), 0o644); err != nil {
 						return err
 					}
-					if err := testStorage.AtomicWriteFile(provArtifact, strings.NewReader(v), 0644); err != nil {
+					if err := testStorage.AtomicWriteFile(provArtifact, strings.NewReader(v), 0o644); err != nil {
 						return err
 					}
 				}
@@ -384,7 +384,7 @@ func TestHelmChartReconciler_reconcileStorage(t *testing.T) {
 				if err := testStorage.MkdirAll(*obj.Status.Artifact); err != nil {
 					return err
 				}
-				if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader("file"), 0644); err != nil {
+				if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader("file"), 0o644); err != nil {
 					return err
 				}
 				return nil
@@ -551,7 +551,7 @@ func TestHelmChartReconciler_reconcileSource(t *testing.T) {
 				g.Expect(obj.Status.ObservedSourceArtifactRevision).To(Equal(gitArtifact.Revision))
 				g.Expect(obj.Status.Conditions).To(conditions.MatchConditions([]metav1.Condition{
 					*conditions.TrueCondition(sourcev1.ArtifactOutdatedCondition, "NewChart", "pulled 'helmchart' chart with version '0.1.0'"),
-					*conditions.TrueCondition(sourcev1.SourceVerifiedCondition, sourcev1.ChartVerificationSucceededReason, "chart signed by: 'TestUser' using key with fingeprint: '943CB5929ECDA2B5B5EC88BC7035BA97D32A87C1' and hash verified: 'sha256:007c7b7446eebcb18caeffe9898a3356ba1795f54df40ad39cfcc7382874a10a'"),
+					*conditions.TrueCondition(sourcev1.SourceVerifiedCondition, sourcev1.ChartVerificationSucceededReason, "verified chart hash: 'sha256:007c7b7446eebcb18caeffe9898a3356ba1795f54df40ad39cfcc7382874a10a' signed by: 'TestUser' with key: '943CB5929ECDA2B5B5EC88BC7035BA97D32A87C1'"),
 				}))
 			},
 			cleanFunc: func(g *WithT, build *chart.Build) {
diff --git a/internal/helm/chart/verify.go b/internal/helm/chart/verify.go
@@ -74,7 +74,7 @@ func provenanceFilePath(path string) string {
 
 // ref: https://github.com/helm/helm/blob/v3.8.0/pkg/action/verify.go#L47-L51
 type VerificationSignature struct {
-	Identities     []string
+	Identity       string
 	KeyFingerprint [20]byte
 	FileHash       string
 }
@@ -84,7 +84,8 @@ func buildVerificationSig(ver *provenance.Verification) *VerificationSignature {
 	if ver != nil {
 		if ver.SignedBy != nil {
 			for name := range ver.SignedBy.Identities {
-				verSig.Identities = append(verSig.Identities, name)
+				verSig.Identity = name
+				break
 			}
 		}
 		verSig.FileHash = ver.FileHash

Original file line number	Diff line number	Diff line change
`@@ -327,10 +327,10 @@ func TestHelmChartReconciler_reconcileStorage(t *testing.T) {`
`327`	`327`	`if err := testStorage.MkdirAll(*obj.Status.Artifact); err != nil {`
`328`	`328`	`return err`
`329`	`329`	`}`
`330`		`- if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader(v), 0644); err != nil {`
	`330`	`+ if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader(v), 0o644); err != nil {`
`331`	`331`	`return err`
`332`	`332`	`}`
`333`		`- if err := testStorage.AtomicWriteFile(provArtifact, strings.NewReader(v), 0644); err != nil {`
	`333`	`+ if err := testStorage.AtomicWriteFile(provArtifact, strings.NewReader(v), 0o644); err != nil {`
`334`	`334`	`return err`
`335`	`335`	`}`
`336`	`336`	`}`
`@@ -384,7 +384,7 @@ func TestHelmChartReconciler_reconcileStorage(t *testing.T) {`
`384`	`384`	`if err := testStorage.MkdirAll(*obj.Status.Artifact); err != nil {`
`385`	`385`	`return err`
`386`	`386`	`}`
`387`		`- if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader("file"), 0644); err != nil {`
	`387`	`+ if err := testStorage.AtomicWriteFile(obj.Status.Artifact, strings.NewReader("file"), 0o644); err != nil {`
`388`	`388`	`return err`
`389`	`389`	`}`
`390`	`390`	`return nil`
`@@ -551,7 +551,7 @@ func TestHelmChartReconciler_reconcileSource(t *testing.T) {`
`551`	`551`	`g.Expect(obj.Status.ObservedSourceArtifactRevision).To(Equal(gitArtifact.Revision))`
`552`	`552`	`g.Expect(obj.Status.Conditions).To(conditions.MatchConditions([]metav1.Condition{`
`553`	`553`	`*conditions.TrueCondition(sourcev1.ArtifactOutdatedCondition, "NewChart", "pulled 'helmchart' chart with version '0.1.0'"),`
`554`		`- *conditions.TrueCondition(sourcev1.SourceVerifiedCondition, sourcev1.ChartVerificationSucceededReason, "chart signed by: 'TestUser' using key with fingeprint: '943CB5929ECDA2B5B5EC88BC7035BA97D32A87C1' and hash verified: 'sha256:007c7b7446eebcb18caeffe9898a3356ba1795f54df40ad39cfcc7382874a10a'"),`
	`554`	`+ *conditions.TrueCondition(sourcev1.SourceVerifiedCondition, sourcev1.ChartVerificationSucceededReason, "verified chart hash: 'sha256:007c7b7446eebcb18caeffe9898a3356ba1795f54df40ad39cfcc7382874a10a' signed by: 'TestUser' with key: '943CB5929ECDA2B5B5EC88BC7035BA97D32A87C1'"),`
`555`	`555`	`}))`
`556`	`556`	`},`
`557`	`557`	`cleanFunc: func(g WithT, build chart.Build) {`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ func provenanceFilePath(path string) string {`
`74`	`74`
`75`	`75`	`// ref: https://github.com/helm/helm/blob/v3.8.0/pkg/action/verify.go#L47-L51`
`76`	`76`	`type VerificationSignature struct {`
`77`		`- Identities []string`
	`77`	`+ Identity string`
`78`	`78`	`KeyFingerprint [20]byte`
`79`	`79`	`FileHash string`
`80`	`80`	`}`
`@@ -84,7 +84,8 @@ func buildVerificationSig(ver provenance.Verification) VerificationSignature {`
`84`	`84`	`if ver != nil {`
`85`	`85`	`if ver.SignedBy != nil {`
`86`	`86`	`for name := range ver.SignedBy.Identities {`
`87`		`- verSig.Identities = append(verSig.Identities, name)`
	`87`	`+ verSig.Identity = name`
	`88`	`+ break`
`88`	`89`	`}`
`89`	`90`	`}`
`90`	`91`	`verSig.FileHash = ver.FileHash`