blob: 8340acf9c8d5e5cbc81886463656c98c1dcfbc3f [file] [log] [blame]
# Copyright 2021 The Pigweed Authors
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
"""Upload update bundles to a GCS bucket for signing.
This module does not implement any actual signing logic; that is left up to the
remote signing service. This module takes care of uploading bundles to GCS for
signing, waiting the the signed version to appear, and downloading the signed
bundle from the output bucket. It can be used either as an entry point by
invoking it as a runnable module and providing all the necessary arguments (run
the tool with --help for details), or as a library by instantiating
RemoteSignClient and calling its sign() method.
The expected API for the remote signing service consists of the following:
- A pair of GCS buckets. One bucket to serve as a queue of update bundles
to be signed, and the other bucket to serve as the output area where
signed bundles are deposited.
- Three artifacts should be placed into the input queue bucket:
1. The update bundle to be signed
2. A signing request file whose name ends with "signing_request.json"
3. A public builder key named "<signing_request_name>.public_key.pem"
Builder keys are used to generate intermediate signatures for the signing
request. Specifically, a private builder key is used to generate an
intermediate signature for both the update bundle to be signed, and the signing
request file. These signatures are then added to the GCS blob metadata for
their respective blobs. The corresponding public builder key is uploaded
alongside the signing request.
The signing service should be set up to trigger whenever a new signing request
file is added anywhere inside the input queue bucket. The signing request file
is a JSON file with the following fields:
remote_signing_key_name: A string that should correspond to the name of a
signing key known to the remote signing service.
bundle_path: The path (relative to GCS input bucket root) to an update
bundle to be signed by the remote signing service.
bundle_public_key_path: The path (relative to GCS input bucket root) to a
public builder key .pem file corresponding to the private builder key
that was used to sign the update bundle and signing request file.
output_bucket: Name of the output GCS bucket into which the remote signing
service should place signed artifacts.
output_path: The path (relative to the GCS output bucket root) at which the
signed update bundle should be deposited by the remote signing service.
On the remote side, the signing service is expected to check the public builder
key against its list of allowed builder keys. Provided the key is found in the
allow list, the signing service should use it to verify the intermediate
signatures of both the update bundle to be signed and the signing request file.
If the key is not found in the allow list, or if the signature on the update
bundle or signing request file do not match the public builder key, the signing
service should reject the signing request.
If the builder public key is found in the allow list and the intermediate
signatures are verified, the signing service should produce a signed version of
the update bundle, and place it the GCS output bucket at the specified path.
In order to authenticate to GCS, the "Application Default Credentials" will be
used. This assumes is running in an environment that provides
such credentials. See the Google cloud platform documentation for details:
For development purposes, it is possible to provide an alternate method of
authenticating to GCS. The alternate authentication method should be a Python
module that is importable in the running Python environment. The module should
define a 'get_credentials()' function that takes no arguments and returns an
instance of google.auth.credentials.Credentials.
import argparse
import base64
import importlib
import json
from pathlib import Path
import time
from typing import Dict, Union
from cryptography.hazmat import backends
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
from google.auth.credentials import Credentials # type: ignore
from import storage # type: ignore
from import Bucket # type: ignore
PathOrBytes = Union[Path, bytes]
def _parse_args():
"""Parse CLI aguments."""
parser = argparse.ArgumentParser(description=__doc__)
help='GCP project that owns storage buckets.')
help='GCS bucket used as a signing queue')
help='GCS bucket to watch for signed bundles')
help='Update bundle to upload for signing')
help='Path to which to download signed bundle')
help='Name of signing key remote signing service should use')
help='Path to builder private key for intermediate signatures')
help='Path to builder public key')
help='Path in the input bucket at which to upload bundle')
help='Path in the input bucket at which to put signing request')
help='Path in the output bucket for the signed bundle')
help='Developer use only; custom auth module to use with GCS.')
help='Seconds to wait for signed bundle to appeaer before giving up.')
return parser.parse_args()
class BlobExistsError(Exception):
"""Raised if the blob to be uploaded already exists in the input bucket."""
class RemoteSignClient():
"""GCS client for use in remote signing."""
def __init__(self, input_bucket: Bucket, output_bucket: Bucket):
# "Application Default Credentials" are used implicitly when None is
# passed to Client() as credentials. See the cloud docs for details:
self._input_bucket = input_bucket
self._output_bucket = output_bucket
def from_names(cls,
project_name: str,
input_bucket_name: str,
output_bucket_name: str,
gcs_credentials: Credentials = None):
storage_client = storage.Client(project=project_name,
return cls(input_bucket=storage_client.bucket(input_bucket_name),
def sign(self,
bundle: Path,
signing_key_name: str,
builder_key: Path,
builder_public_key: Path,
bundle_blob_name: str = None,
request_blob_name: str = None,
signed_bundle_blob_name: str = None,
request_overrides: Dict = None,
timeout_s: int = DEFAULT_TIMEOUT_S) -> bytes:
"""Upload file to GCS and download signed counterpart when ready.
bundle: Path object for an UpdateBundle to upload for signing.
signing_key_name: Name of remote signing key to use for signing.
builder_key: Path to builder private key for intermediate signature.
builder_public_key: Path to corresponding builder public key.
bundle_blob_name: GCS path at which to upload bundle to sign.
request_blob_name: GCS path at which to upload request file.
signed_bundle_blob_name: GCS path in output bucket to request.
request_overrides: Dict of signing request JSON keys and values to
add to the signing requests. If this dict contains any keys whose
values are already in the signing request, the existing values
will be overwritten by the ones passed in here.
timeout_s: Maximum seconds to wait for output before failing.
if bundle_blob_name is None:
bundle_blob_name =
if request_blob_name is None:
request_blob_name = f't{time.time()}_signing_request.json'
if not request_blob_name.endswith('signing_request.json'):
raise ValueError(f'Signing request blob name {request_blob_name}'
' does not end with "signing_request.json".')
request_name = request_blob_name[:-5] # strip the ".json"
builder_public_key_blob_name = f'{request_name}.publickey.pem'
if signed_bundle_blob_name is None:
signed_bundle_blob_name = f'{}.signed'
signing_request = {
'remote_signing_key_names': [signing_key_name],
'bundle_path': bundle_blob_name,
'bundle_public_key_path': builder_public_key_blob_name,
'output_path': signed_bundle_blob_name,
if request_overrides is not None:
builder_public_key_blob = self._input_bucket.blob(
bundle_blob = self._input_bucket.blob(bundle_blob_name)
request_blob = self._input_bucket.blob(request_blob_name)
for blob in (builder_public_key_blob, bundle_blob, request_blob):
if blob.exists():
raise BlobExistsError(
f'A blob named "{blob}" already exists in the input bucket.'
' A unique blob name is required for uploading.')
bundle_blob.metadata = {
self._get_builder_signature(bundle, builder_key).decode('ascii')
encoded_json = bytes(json.dumps(signing_request), 'utf-8')
request_blob.metadata = {
# Despite its name, the upload_from_string() method can take either a
# str or bytes object; here we already pre-encoded the string in utf-8.
return self._wait_for_blob(signed_bundle_blob_name,
def _wait_for_blob(self,
interval: int = 1,
max_tries: int = None,
timeout_s: int = DEFAULT_TIMEOUT_S) -> storage.Blob:
"""Wait for a specific blob to appear in the output bucket.
blob_name: Name of the blob to wait for.
interval: Time (seconds) to wait between checks for blob's existence.
max_tries: Number of times to check for the blob before failing.
timeout_s: Maximum seconds to keep watching before failing.
blob = self._output_bucket.blob(blob_name)
end_time = time.time() + timeout_s
tries = 0
while (max_tries is None or tries < max_tries):
if time.time() > end_time:
raise FileNotFoundError(
'Timed out while waiting for signed blob.')
if blob.exists():
return blob
tries += 1
raise FileNotFoundError(
'Too many retries while waiting for signed blob.')
def _get_builder_signature(data: PathOrBytes, key: Path) -> bytes:
"""Generate a base64-encided builder signature for file.
In order for the remote signing system to have some level of trust in
the artifacts it's signing, an intermediate signature is used to verify
that the artifacts came from an approved builder.
if isinstance(data, Path):
data = data.read_bytes()
private_key = serialization.load_pem_private_key(
key.read_bytes(), None, backends.default_backend())
if isinstance(private_key, ed25519.Ed25519PrivateKey):
signature = private_key.sign(data)
elif isinstance(private_key, rsa.RSAPrivateKey):
signature = private_key.sign(
data, # type: ignore
raise TypeError(f'Key {private_key} has unsupported type'
f' ({type(private_key)}). Valid types are'
' Ed25519PrivateKey and RSAPrivateKey.')
return base64.b64encode(signature)
def _credentials_from_module(module_name: str) -> Credentials:
"""Return GCS Credential from the named auth module.
The module name should correspond to a module that's importable in the
running Python environment. It must define a get_credentials() function
that takes no args and returns a Credentials instance.
auth_module = importlib.import_module(module_name)
return auth_module.get_credentials() # type: ignore
def main( # pylint: disable=too-many-arguments
project: str, input_bucket: str, output_bucket: str, bundle: Path,
out: Path, signing_key_name: str, builder_key: Path,
builder_public_key: Path, bundle_blob_name: str,
request_blob_name: str, signed_bundle_blob_name: str,
dev_gcs_auth_module_override: str, timeout: int) -> None:
"""Send bundle for remote signing and write signed counterpart to disk.
project: Project name for GCS project containing signing bucket pair.
input_bucket: Name of GCS bucket to deposit to-be-signed artifacts in.
output_bucket: Name of GCS bucket to watch for signed artifacts.
bundle: Update bundle to be signed.
out: Path to which to download signed version of bundle.
signing_key_name: Name of key the remote signing service should use.
bundle_blob_name: Path in input bucket to upload bundle to.
request_blob_name: Path in input bucket to upload signing request to.
signed_bundle_blob_name: Output bucket path for signed bundle.
dev_gcs_auth_module_override: For developer use only; optional module
to use to generate GCS client credentials. Must be importable in
the running Python environment, and must define a get_credentials()
function that takes no args and returns a Credentials instance.
timeout: Seconds to wait for signed bundle before giving up.
credentials = None
if dev_gcs_auth_module_override is not None:
credentials = _credentials_from_module(dev_gcs_auth_module_override)
remote_sign_client = RemoteSignClient.from_names(
signed_bundle = remote_sign_client.sign(bundle,
if __name__ == '__main__':