2 changes: 1 addition & 1 deletion internal/access/access_cm.yaml
Expand Up @@ -4,4 +4,4 @@ metadata:
name: apirule-access
namespace: kyma-system
binaryData:
access.sig: owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRk7je+XpBaX6BZn5OeX6CXn53J1lLIwiHExyIopsmgF3dY/0e5yW1vcaS1MJysTSA8DF6cATES7gpFh5aZXlgkd4QqTPputkT2ge2jN/Zar1kv9lry7+FS+fZVsDcN/t7PbX35LClFsTD53Zu+rC71HgleFCmydI9LXLf6KN1mWFQA=
access.sig: xEYGAAobIJlafv2mSyHN/z/szByJJ/aO9Qvq3bpexqSpy93iy0PF+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAAB0ZXN0LXNob290LmNvbcKYBgAbCgAAACkFgmj7krcioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACzMyCZWn79pkshzf8/7MwciSf2jvUL6t26Xsakqcvd4stDxd24MrntuzefppGyKVkNySilXb6+Mc/2cqKCMDs/Syl4y81XYWzTo9iviyL4oglBdT39NuPKwnteMO5exLmE9AM=
2 changes: 1 addition & 1 deletion internal/access/access_cm_wildcard.yaml
Expand Up @@ -4,4 +4,4 @@ metadata:
name: apirule-access
namespace: kyma-system
binaryData:
access.sig: owGbwMvMwCXG+Pmv5SmepjrGNVJJzCn5yRnPb/Jp6ZWkFpfoFmfk55foJefncnWUsjCIcTHIiimyaAXd1j/R7nJbW9xpLUwvKxNIFwMXpwBMxOM1I8PhZ1uDHT0trLV100+/+1jUsUrL6k3aym2KEdttz3o1rlFmZFjs8YJFouRw+Y3JBpGFi9rnOskLFOQkrH745Q2DgKuGBR8A
access.sig: xEYGAAobIJqklM/E1zS1bzXhwDsmHUyO+vnB5rDU+KyJdnqs+z0W+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxZiAAAAAAAqLnRlc3Qtc2hvb3QuY29twpgGABsKAAAAKQWCaPuTACKhBvvL0BY7Ih3Ky75g3xMuemPw/V36v0LbeqONW7yjKiT1AAAAANq1IJqklM/E1zS1bzXhwDsmHUyO+vnB5rDU+KyJdnqs+z0WORuVAoFrric8z6ub/WkgQ64JBiEQgUDTybdpKZAi3RRJ4DMmZD3yRQ/1zA7crTuufRPypU8DHopkJRrJwRoIBQ==
2 changes: 1 addition & 1 deletion internal/access/access_cm_wrong_domain.yaml
Expand Up @@ -4,4 +4,4 @@ metadata:
name: apirule-access
namespace: kyma-system
binaryData:
access.sig: owGbwMvMwCXG+Pmv5SmepjrGNdJJLCn5yUYZOy33l6QWl+gWZ+Tnl+iVF+XnpXN1lLIwiHExyIopsmgF3dY/0e5yW1vcaS1MMysTSBcDF6cATIRzL8P/4LeuJcxhR9Y+vvB9kUy1NZfSlrAM3lL3tzbqhRxqUjwrGf6XrjzzJmLGYZ4Tv+dnz1d+snL162tGCuwun1t70hb3X/7JAAA=
access.sig: xEYGAAobIA054rOmwhXcXJ2xdkXolc8L86dnD3UVhhGopos7RJUi+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxZiAAAAAAB0ZXN0LXNob290Lndyb25nwpgGABsKAAAAKQWCaPuTKCKhBvvL0BY7Ih3Ky75g3xMuemPw/V36v0LbeqONW7yjKiT1AAAAAJrfIA054rOmwhXcXJ2xdkXolc8L86dnD3UVhhGopos7RJUivzdpj6oiJcgE22xqvbit77ltZY3jqs30on6MQM8o/j6f4NMnC1gqhXeifFeVpO+3GfS5Hhq+gc2Anq9NQ96oCw==
2 changes: 1 addition & 1 deletion internal/reconciliations/oathkeeper/oathkeeper_test.go
Expand Up @@ -372,7 +372,7 @@ func createApiGateway() *v1alpha1.APIGateway {
}

func apiruleAccessMaps() ([]crclient.Object, error) {
data, err := base64.StdEncoding.DecodeString("owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRn7Di7NyU9OzNHLrsxN1EtJLePqKGVhEONikBVTZNEKuq1/ot3ltra401qYTlYmkB4GLk4BmEhqE8MfjlXxNVnST0R6P6vkLLno6F3M80pRbpZS9yYXttS3vcmVjAxLj85ZvOYe19a9XF2ZO1Vqv3R0BbYpVMq9ernpwxWXww9YAQ==")
data, err := base64.StdEncoding.DecodeString("xEYGAAobIJRdbtfrgZYkBehKLGT3pI8YVu22FPHyHJWVjpTzvSPa+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAABsb2NhbC5reW1hLmRldsKYBgAbCgAAACkFgmj7jOoioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACp7CCUXW7X64GWJAXoSixk96SPGFbtthTx8hyVlY6U870j2t8v/C1gL5Vkw9+y7sfd/GKzAZGIwlf6+XDM8U4VlHtS/CRKP155fLX9g96/jixWU7JZgCf3Yo/a5Bwjg0TYkQM=")
if err != nil {
return nil, err
}
Binary file modified internal/signature/correctly_signed.sig
Binary file not shown.
22 changes: 14 additions & 8 deletions internal/signature/pub_key.pgp
@@ -1,11 +1,17 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEaLg/kRYJKwYBBAHaRw8BAQdAouWHoEldd8is5SoR9LNuI2VSHXkOTVzdvSX9
WCbKzX60b0t5bWEgQVBJR2F0ZXdheSAoS2V5IHVzZWQgdG8gc2lnbiBvZmYgYWNj
ZXNzIHRvIEFQSVJ1bGUgdjFiZXRhMS4pIDxETF82NDNFNjBFNDIwRjcxQTAyOEUx
MUFCNzZAZ2xvYmFsLmNvcnAuc2FwPoiTBBMWCgA7FiEEKlLbL8iHRNsrF0KtAfP9
OcoMgn4FAmi4P5ECGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQAfP9
OcoMgn5p1QEAmzhT4DqgHS0FP5IU0cVE+oVYuuS+p0bZ9ZKD+UikNmQA/j21HlZx
vPTUD2FBFw4mb5//5VaXg5tKW+gOc2yq8soA
=Si43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-----END PGP PUBLIC KEY BLOCK-----
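--- a/internal/signature/signature.go
+++ b/internal/signature/signature.go
@@ -3,13 +3,14 @@ package signature
 import (
 _ "embed"
 "github.com/ProtonMail/gopenpgp/v3/crypto"
+"github.com/ProtonMail/gopenpgp/v3/profile"
 )
 
 //go:embed pub_key.pgp
 var publicKey string
 
 func DecryptAndVerifySignature(data []byte) (string, bool, error) {
-pgp := crypto.PGP()
+pgp := crypto.PGPWithProfile(profile.RFC9580())
 keyObj, err := crypto.NewKeyFromArmored(publicKey)
 if err != nil {
 return "", false, err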
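Review bot: The new `crypto.PGPWithProfile(profile.RFC9580())` line has no comment saying why the profile is pinned, and the exported `DecryptAndVerifySignature` still has no doc comment describing its `(string, bool, error)` results. The same commit changes the embedded `pub_key.pgp` and the fixture signatures, so previously issued `access.sig` values will presumably stop verifying once this ships; that deserves a sentence here or in the PR description. I would add `// RFC 9580 profile: access signatures are checked against the embedded key in pub_key.pgp, which was rotated together with this change.` above the line. The function body continues outside the hunk, so whether the profile changes what verification accepts, rather than only what the library emits, cannot be confirmed from here.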
8 changes: 4 additions & 4 deletions internal/signature/signature_test.go
Expand Up @@ -7,14 +7,14 @@ import (
"testing"
)

// Correctly signed message should be signed off by key with public identity
// EDDSA 2A52DB2FC88744DB2B1742AD01F3FD39CA0C827E
// Correctly signed message should be signed off by key with public hex identity
// fbcbd0163b221dca
//
//go:embed correctly_signed.sig
var correctlySignedSig []byte

// Message signed by impersonated key with public identity
// EDDSA B4877503B192609A2E22C81739FACBA528FDF429
// Message signed by impersonated key with public hex identity
// ddff4b9544cdb6c7
//
//go:embed signed_by_impersonated_key.sig
var signedByImpersonatedKeySig []byte
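Review bot: The comments on `correctlySignedSig` and `signedByImpersonatedKeySig` that give a "public hex identity" record only 16 hex digits (`fbcbd0163b221dca`, `ddff4b9544cdb6c7`), while the other pair of comment lines in this section carries a full 40-digit fingerprint. A 64-bit key ID is not collision-resistant, and these two fixtures exist to tell the real signer from an impersonating key, so each comment should name the complete fingerprint, for example `// Correctly signed message should be signed off by the key with fingerprint <FULL_FINGERPRINT_OF_SIGNING_KEY>`. It would also help to note which tool output the value was copied from, so a later key rotation can refresh it the same way.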
Binary file modified internal/signature/signed_by_impersonated_key.sig
Binary file not shown.
2 changes: 1 addition & 1 deletion tests/integration/pkg/hooks/v1-access.go
Expand Up @@ -22,7 +22,7 @@ const (
v1AccessConfigMapNamespace = "kyma-system"
signatureKey = "access.sig"
accessSigEnvVar = "APIGATEWAY_ACCESS_SIG_BASE64"
localKymaDevSignature = "owGbwMvMwCXG+Pmv5SmepjrGNRJJzCn5yRn7Di7NyU9OzNHLrsxN1EtJLePqKGVhEONikBVTZNEKuq1/ot3ltra401qYTlYmkB4GLk4BmEhqE8MfjlXxNVnST0R6P6vkLLno6F3M80pRbpZS9yYXttS3vcmVjAxLj85ZvOYe19a9XF2ZO1Vqv3R0BbYpVMq9ernpwxWXww9YAQ=="
localKymaDevSignature = "xEYGAAobIJRdbtfrgZYkBehKLGT3pI8YVu22FPHyHJWVjpTzvSPa+8vQFjsiHcrLvmDfEy56Y/D9Xfq/Qtt6o41bvKMqJPUByxRiAAAAAABsb2NhbC5reW1hLmRldsKYBgAbCgAAACkFgmj7jOoioQb7y9AWOyIdysu+YN8TLnpj8P1d+r9C23qjjVu8oyok9QAAAACp7CCUXW7X64GWJAXoSixk96SPGFbtthTx8hyVlY6U870j2t8v/C1gL5Vkw9+y7sfd/GKzAZGIwlf6+XDM8U4VlHtS/CRKP155fLX9g96/jixWU7JZgCf3Yo/a5Bwjg0TYkQM="
)

func createAllowAPIRuleV1Signatures(ctx context.Context, c client.Client) error {