Bump pgp key to version v6 (#2319)

barchw · web-flow · commit a433195f8fb9 · 2025-10-27T12:09:08.000+01:00
* Bump pgp key to version v6

* Update cm in unit test

* Update access tests
diff --git a/internal/access/access_cm.yaml b/internal/access/access_cm.yaml
@@ -4,4 +4,4 @@ metadata:
   name: apirule-access
   namespace: kyma-system
 binaryData:
-  access.sig: owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRk7je+XpBaX6BZn5OeX6CXn53J1lLIwiHExyIopsmgF3dY/0e5yW1vcaS1MJysTSA8DF6cATES7gpFh5aZXlgkd4QqTPputkT2ge2jN/Zar1kv9lry7+FS+fZVsDcN/t7PbX35LClFsTD53Zu+rC71HgleFCmydI9LXLf6KN1mWFQA=
+  access.sig: xEYGAAobIJlafv2mSyHN/z/szByJJ/aO9Qvq3bpexqSpy93iy0PF+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAAB0ZXN0LXNob290LmNvbcKYBgAbCgAAACkFgmj7krcioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACzMyCZWn79pkshzf8/7MwciSf2jvUL6t26Xsakqcvd4stDxd24MrntuzefppGyKVkNySilXb6+Mc/2cqKCMDs/Syl4y81XYWzTo9iviyL4oglBdT39NuPKwnteMO5exLmE9AM=
diff --git a/internal/access/access_cm_wildcard.yaml b/internal/access/access_cm_wildcard.yaml
@@ -4,4 +4,4 @@ metadata:
   name: apirule-access
   namespace: kyma-system
 binaryData:
-  access.sig: owGbwMvMwCXG+Pmv5SmepjrGNVJJzCn5yRnPb/Jp6ZWkFpfoFmfk55foJefncnWUsjCIcTHIiimyaAXd1j/R7nJbW9xpLUwvKxNIFwMXpwBMxOM1I8PhZ1uDHT0trLV100+/+1jUsUrL6k3aym2KEdttz3o1rlFmZFjs8YJFouRw+Y3JBpGFi9rnOskLFOQkrH745Q2DgKuGBR8A
+  access.sig: xEYGAAobIJqklM/E1zS1bzXhwDsmHUyO+vnB5rDU+KyJdnqs+z0W+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxZiAAAAAAAqLnRlc3Qtc2hvb3QuY29twpgGABsKAAAAKQWCaPuTACKhBvvL0BY7Ih3Ky75g3xMuemPw/V36v0LbeqONW7yjKiT1AAAAANq1IJqklM/E1zS1bzXhwDsmHUyO+vnB5rDU+KyJdnqs+z0WORuVAoFrric8z6ub/WkgQ64JBiEQgUDTybdpKZAi3RRJ4DMmZD3yRQ/1zA7crTuufRPypU8DHopkJRrJwRoIBQ==
diff --git a/internal/access/access_cm_wrong_domain.yaml b/internal/access/access_cm_wrong_domain.yaml
@@ -4,4 +4,4 @@ metadata:
   name: apirule-access
   namespace: kyma-system
 binaryData:
-  access.sig: owGbwMvMwCXG+Pmv5SmepjrGNdJJLCn5yUYZOy33l6QWl+gWZ+Tnl+iVF+XnpXN1lLIwiHExyIopsmgF3dY/0e5yW1vcaS1MMysTSBcDF6cATIRzL8P/4LeuJcxhR9Y+vvB9kUy1NZfSlrAM3lL3tzbqhRxqUjwrGf6XrjzzJmLGYZ4Tv+dnz1d+snL162tGCuwun1t70hb3X/7JAAA=
+  access.sig: xEYGAAobIA054rOmwhXcXJ2xdkXolc8L86dnD3UVhhGopos7RJUi+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxZiAAAAAAB0ZXN0LXNob290Lndyb25nwpgGABsKAAAAKQWCaPuTKCKhBvvL0BY7Ih3Ky75g3xMuemPw/V36v0LbeqONW7yjKiT1AAAAAJrfIA054rOmwhXcXJ2xdkXolc8L86dnD3UVhhGopos7RJUivzdpj6oiJcgE22xqvbit77ltZY3jqs30on6MQM8o/j6f4NMnC1gqhXeifFeVpO+3GfS5Hhq+gc2Anq9NQ96oCw==
diff --git a/internal/reconciliations/oathkeeper/oathkeeper_test.go b/internal/reconciliations/oathkeeper/oathkeeper_test.go
@@ -372,7 +372,7 @@ func createApiGateway() *v1alpha1.APIGateway {
 }
 
 func apiruleAccessMaps() ([]crclient.Object, error) {
-	data, err := base64.StdEncoding.DecodeString("owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRn7Di7NyU9OzNHLrsxN1EtJLePqKGVhEONikBVTZNEKuq1/ot3ltra401qYTlYmkB4GLk4BmEhqE8MfjlXxNVnST0R6P6vkLLno6F3M80pRbpZS9yYXttS3vcmVjAxLj85ZvOYe19a9XF2ZO1Vqv3R0BbYpVMq9ernpwxWXww9YAQ==")
+	data, err := base64.StdEncoding.DecodeString("xEYGAAobIJRdbtfrgZYkBehKLGT3pI8YVu22FPHyHJWVjpTzvSPa+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAABsb2NhbC5reW1hLmRldsKYBgAbCgAAACkFgmj7jOoioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACp7CCUXW7X64GWJAXoSixk96SPGFbtthTx8hyVlY6U870j2t8v/C1gL5Vkw9+y7sfd/GKzAZGIwlf6+XDM8U4VlHtS/CRKP155fLX9g96/jixWU7JZgCf3Yo/a5Bwjg0TYkQM=")
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/signature/correctly_signed.sig b/internal/signature/correctly_signed.sig
diff --git a/internal/signature/pub_key.pgp b/internal/signature/pub_key.pgp
@@ -1,11 +1,17 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mDMEaLg/kRYJKwYBBAHaRw8BAQdAouWHoEldd8is5SoR9LNuI2VSHXkOTVzdvSX9
-WCbKzX60b0t5bWEgQVBJR2F0ZXdheSAoS2V5IHVzZWQgdG8gc2lnbiBvZmYgYWNj
-ZXNzIHRvIEFQSVJ1bGUgdjFiZXRhMS4pIDxETF82NDNFNjBFNDIwRjcxQTAyOEUx
-MUFCNzZAZ2xvYmFsLmNvcnAuc2FwPoiTBBMWCgA7FiEEKlLbL8iHRNsrF0KtAfP9
-OcoMgn4FAmi4P5ECGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQAfP9
-OcoMgn5p1QEAmzhT4DqgHS0FP5IU0cVE+oVYuuS+p0bZ9ZKD+UikNmQA/j21HlZx
-vPTUD2FBFw4mb5//5VaXg5tKW+gOc2yq8soA
-=Si43
+xioGaPuCtRsAAAAgOc1Hpy0up7O8bEn6yXF4y1zDCoapsEo2bH/Z3AZgwuPCsAYf
+GwoAAABBBYJo+4K1AwsJBwMVCggDFgACApsDAh4JIqEG+8vQFjsiHcrLvmDfEy56
+Y/D9Xfq/Qtt6o41bvKMqJPUFJwkCBwIAAAAAngYgt7psShI9Pl0w8R6SDbS5z/8D
+3pUyKVSe6bX3pvF5jPKe3DoPPk+by1JOoC05RjQ02HKK/CLAN4JQHryvdkSR/pGb
+MEZ+gZuA1SD4or/n1vi9WKmi/a1BvppzGWJ/LrULzT1LeW1hIEFQSUdhdGV3YXkg
+PERMXzY0M0U2MEU0MjBGNzFBMDI4RTExQUI3NkBnbG9iYWwuY29ycC5zYXA+wpsG
+ExsKAAAALAWCaPuCtQIZASKhBvvL0BY7Ih3Ky75g3xMuemPw/V36v0LbeqONW7yj
+KiT1AAAAAAgJIHd8z2OYof9Q0xX4NZYX3YaQHJwSGTkR5neNVN60+uzvcK54B796
+tPUeUPza5kbo0Xnv7AA5fL+wCJZ+kXU8ZttCsRqVQhKftZ7l+6X5rxU7+Z5ewSqW
++NMiDYHv7myAAc4qBmj7grUZAAAAIHmgsb7wAoMXXn23NzycnidHFCs4ssCT/dqZ
+YDH5EQ90wpsGGBsKAAAALAWCaPuCtQKbDCKhBvvL0BY7Ih3Ky75g3xMuemPw/V36
+v0LbeqONW7yjKiT1AAAAADLXIDge1yl1l/VgkaW7S1htJmTmzi0Feph3GUQnZxbB
++Ik2j/l6QXCYpfeSTdaj59+QoLFY7k9H5n+Do+nQlA+v8tqEqCQsYkCWcgAjT3z6
+ejgLUBt/pn05Pv63IxODNBcBDg==
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/internal/signature/signature.go b/internal/signature/signature.go
@@ -3,13 +3,14 @@ package signature
 import (
 	_ "embed"
 	"github.com/ProtonMail/gopenpgp/v3/crypto"
+	"github.com/ProtonMail/gopenpgp/v3/profile"
 )
 
 //go:embed pub_key.pgp
 var publicKey string
 
 func DecryptAndVerifySignature(data []byte) (string, bool, error) {
-	pgp := crypto.PGP()
+	pgp := crypto.PGPWithProfile(profile.RFC9580())
 	keyObj, err := crypto.NewKeyFromArmored(publicKey)
 	if err != nil {
 		return "", false, err
diff --git a/internal/signature/signature_test.go b/internal/signature/signature_test.go
@@ -7,14 +7,14 @@ import (
 	"testing"
 )
 
-// Correctly signed message should be signed off by key with public identity
-// EDDSA 2A52DB2FC88744DB2B1742AD01F3FD39CA0C827E
+// Correctly signed message should be signed off by key with public hex identity
+// fbcbd0163b221dca
 //
 //go:embed correctly_signed.sig
 var correctlySignedSig []byte
 
-// Message signed by impersonated key with public identity
-// EDDSA B4877503B192609A2E22C81739FACBA528FDF429
+// Message signed by impersonated key with public hex identity
+// ddff4b9544cdb6c7
 //
 //go:embed signed_by_impersonated_key.sig
 var signedByImpersonatedKeySig []byte
diff --git a/internal/signature/signed_by_impersonated_key.sig b/internal/signature/signed_by_impersonated_key.sig
diff --git a/tests/integration/pkg/hooks/v1-access.go b/tests/integration/pkg/hooks/v1-access.go
@@ -22,7 +22,7 @@ const (
 	v1AccessConfigMapNamespace  = "kyma-system"
 	signatureKey                = "access.sig"
 	accessSigEnvVar             = "APIGATEWAY_ACCESS_SIG_BASE64"
-	localKymaDevSignature       = "owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRn7Di7NyU9OzNHLrsxN1EtJLePqKGVhEONikBVTZNEKuq1/ot3ltra401qYTlYmkB4GLk4BmEhqE8MfjlXxNVnST0R6P6vkLLno6F3M80pRbpZS9yYXttS3vcmVjAxLj85ZvOYe19a9XF2ZO1Vqv3R0BbYpVMq9ernpwxWXww9YAQ=="
+	localKymaDevSignature       = "xEYGAAobIJRdbtfrgZYkBehKLGT3pI8YVu22FPHyHJWVjpTzvSPa+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAABsb2NhbC5reW1hLmRldsKYBgAbCgAAACkFgmj7jOoioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACp7CCUXW7X64GWJAXoSixk96SPGFbtthTx8hyVlY6U870j2t8v/C1gL5Vkw9+y7sfd/GKzAZGIwlf6+XDM8U4VlHtS/CRKP155fLX9g96/jixWU7JZgCf3Yo/a5Bwjg0TYkQM="
 )
 
 func createAllowAPIRuleV1Signatures(ctx context.Context, c client.Client) error {

Original file line number	Diff line number	Diff line change
`@@ -372,7 +372,7 @@ func createApiGateway() *v1alpha1.APIGateway {`
`372`	`372`	`}`
`373`	`373`
`374`	`374`	`func apiruleAccessMaps() ([]crclient.Object, error) {`
`375`		`- data, err := base64.StdEncoding.DecodeString("owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRn7Di7NyU9OzNHLrsxN1EtJLePqKGVhEONikBVTZNEKuq1/ot3ltra401qYTlYmkB4GLk4BmEhqE8MfjlXxNVnST0R6P6vkLLno6F3M80pRbpZS9yYXttS3vcmVjAxLj85ZvOYe19a9XF2ZO1Vqv3R0BbYpVMq9ernpwxWXww9YAQ==")`
	`375`	`+ data, err := base64.StdEncoding.DecodeString("xEYGAAobIJRdbtfrgZYkBehKLGT3pI8YVu22FPHyHJWVjpTzvSPa+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAABsb2NhbC5reW1hLmRldsKYBgAbCgAAACkFgmj7jOoioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACp7CCUXW7X64GWJAXoSixk96SPGFbtthTx8hyVlY6U870j2t8v/C1gL5Vkw9+y7sfd/GKzAZGIwlf6+XDM8U4VlHtS/CRKP155fLX9g96/jixWU7JZgCf3Yo/a5Bwjg0TYkQM=")`
`376`	`376`	`if err != nil {`
`377`	`377`	`return nil, err`
`378`	`378`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ const (`
`22`	`22`	`v1AccessConfigMapNamespace = "kyma-system"`
`23`	`23`	`signatureKey = "access.sig"`
`24`	`24`	`accessSigEnvVar = "APIGATEWAY_ACCESS_SIG_BASE64"`
`25`		`- localKymaDevSignature = "owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRn7Di7NyU9OzNHLrsxN1EtJLePqKGVhEONikBVTZNEKuq1/ot3ltra401qYTlYmkB4GLk4BmEhqE8MfjlXxNVnST0R6P6vkLLno6F3M80pRbpZS9yYXttS3vcmVjAxLj85ZvOYe19a9XF2ZO1Vqv3R0BbYpVMq9ernpwxWXww9YAQ=="`
	`25`	`+ localKymaDevSignature = "xEYGAAobIJRdbtfrgZYkBehKLGT3pI8YVu22FPHyHJWVjpTzvSPa+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAABsb2NhbC5reW1hLmRldsKYBgAbCgAAACkFgmj7jOoioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACp7CCUXW7X64GWJAXoSixk96SPGFbtthTx8hyVlY6U870j2t8v/C1gL5Vkw9+y7sfd/GKzAZGIwlf6+XDM8U4VlHtS/CRKP155fLX9g96/jixWU7JZgCf3Yo/a5Bwjg0TYkQM="`
`26`	`26`	`)`
`27`	`27`
`28`	`28`	`func createAllowAPIRuleV1Signatures(ctx context.Context, c client.Client) error {`