Define configuration format and required parameters
lukpueh opened this issue · comments
Description of feature request:
The apt in-toto transport should be configurable via an apt configuration file (see `apt.conf(5)`) in a suitably named file that remains in `/etc/apt/apt.conf.d/`, e.g. `/etc/apt/apt.conf.d/intoto`.
Current behavior:
In the general message flow between apt and an apt transport, apt responds to the first message from the transport (i.e. `100 Capabilities`) with a `601 Configuration` message containing all the individual `Config-Item`s read from apt configuration files (see above) on separate lines.

```
601 Configuration
Config-Item: APT::Architecture=amd64
Config-Item: APT::Build-Essential::=build-essential
... [further config items]
```
Which, when parsed using the in-toto `deserialize_one` function, looks like:

```python
{
  'info': 'Configuration',
  'fields': [
    ('Config-Item', 'APT::Architecture=amd64'),
    ('Config-Item', 'APT::Build-Essential::=build-essential'),
    ...],
  'code': 601
}
```
Expected behavior:
We need to define required (and optional) configuration parameters in order to perform in-toto verification. Any related configuration parameter may be prefixed with `APT::intoto::`. Note that parameters don't need to have unique names (or values). At least the following information should be configurable:
- URIs of available rebuilders
- Location of local root layout
- Keyids of root layout gpg keys, which must be present in a local keychain
- A path to a non-default gpg keychain, to load root layout public keys from (optional)
These parameters may be parsed and used in a suitable manner during the apt <-> transport message flow (see comments in the `intoto.handle` function for more details).
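As an added example (not code from the in-toto apt transport), the following parses a `601 Configuration` message of the shape shown above and collects the `APT::intoto::` items while tolerating repeated names, then checks that the required ones are present. The parameter names `Rebuilders`, `LayoutPath`, `Keyids` and `GPGHomedir`, the sample message and the helper functions are assumptions, since the issue does not fix them.

```python
from collections import defaultdict

# Constructed sample of the "601 Configuration" message apt sends a transport;
# the APT::intoto::* parameter names are assumed, the issue does not fix them.
SAMPLE_601 = """601 Configuration
Config-Item: APT::Architecture=amd64
Config-Item: APT::Build-Essential::=build-essential
Config-Item: APT::intoto::Rebuilders::=http://rebuilder-a.example/
Config-Item: APT::intoto::Rebuilders::=http://rebuilder-b.example/
Config-Item: APT::intoto::LayoutPath=/etc/apt/intoto/root.layout
Config-Item: APT::intoto::Keyids::=0123456789ABCDEF
Config-Item: APT::intoto::GPGHomedir=/etc/apt/intoto/gnupg

"""

PREFIX = "APT::intoto::"
REQUIRED = ("Rebuilders", "LayoutPath", "Keyids")  # GPGHomedir is optional

def deserialize_message(text):
    """Parse one apt transport message (status line, then 'Name: value'
    header lines, ended by a blank line) into the {'code', 'info',
    'fields'} shape shown above. Hypothetical, not in-toto's own parser."""
    lines = text.split("\n")
    code, _, info = lines[0].partition(" ")
    fields = []
    for line in lines[1:]:
        if not line.strip():          # blank line terminates the message
            break
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return {"code": int(code), "info": info.strip(), "fields": fields}

def intoto_config(message):
    """Collect APT::intoto::* Config-Items. Names may repeat (apt's list
    syntax 'Name::=value'), so each key maps to the list of its values."""
    config = defaultdict(list)
    for name, value in message["fields"]:
        if name != "Config-Item":
            continue
        key, _, val = value.partition("=")   # first '=' splits key from value
        if not key.startswith(PREFIX):
            continue
        # drop the prefix and the trailing '::' that marks a list element
        config[key[len(PREFIX):].rstrip(":")].append(val)
    return dict(config)

def missing_required(config):
    """Return the required parameter names that the configuration lacks."""
    return [key for key in REQUIRED if not config.get(key)]
```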