Merge pull request #7 from joemiller/gpg-release-signing

introduce a project GPG key and use it to sign releases

README.md

@@ -1,8 +1,10 @@
 vault-token-helper
 ==================
 
+[![Build Status](https://dev.azure.com/joeym0501/vault-token-helper/_apis/build/status/joemiller.vault-token-helper?branchName=master)](https://dev.azure.com/joeym0501/vault-token-helper/_build/latest?definitionId=1&branchName=master)
+
 A @hashicorp Vault [token helper](https://www.vaultproject.io/docs/commands/token-helper.html) with
-support of native secret storage backends on macOS, Linux, and Windows.
+support for native secret storage backends on macOS, Linux, and Windows.
 
 Features
 --------
@@ -41,6 +43,17 @@ Install
 | Linux   | amd64         | [vault-token-helper](https://github.com/joemiller/vault-token-helper/releases/latest) |
 | Windows | amd64         | [vault-token-helper](https://github.com/joemiller/vault-token-helper/releases/latest) |
 
+
+| OS      | Architectures | binaries                              | packages    | one-line install                                 |
+| ------- | ------------- | ------------------------------------- | ----------- | ------------------------------------------------ |
+| macos   | amd64         | [vault-token-helper][latest-binaries] |             | `brew install joemiller/taps/vault-token-helper` |
+| Linux   | amd64         |                                       | [rpm] [deb] | [vault-token-helper][latest-binaries]            |
+| Windows | amd64         |                                       |             | [vault-token-helper][latest-binaries]            |
+
+[latest-binaries]: https://github.com/joemiller/vault-token-helper/releases/latest
+[rpm]: https://github.com/joemiller/vault-token-helper/releases/latest
+[deb]: https://github.com/joemiller/vault-token-helper/releases/latest
+
 ### From source
 
 Clone this repo and compile for the current architecture:
@@ -57,19 +70,42 @@ cross-compile and link to platform-specific libraries such as the OSX SDK on mac
 make snapshot
 ```
 
+### Verifying releases
+
+Releases are signed using the project GPG key with key-ID `37F9D1272278CD32` and fingerprint
+`5EF2 2550 7053 ACC2 728A  A51C 37F9 D127 2278 CD32`. The key can be fetched from most keyservers.
+
+```console
+gpg --recv-keys 37F9D1272278CD32
+```
+
+Download and verify the signature on the checksum file:
+
+```console
+gpg --verify vault-token-helper_0.2.0_checksums.txt.sig vault-token-helper_0.2.0_checksums.txt
+```
+
+After verifying the checksum file signature use `shasum` to verify the checksums of the
+release artifacts:
+
+```console
+shasum --check vault-token-helper_0.2.0_checksums.txt
+```
+
 Usage
 -----
 
 ### Configure Vault
 
 Install `vault-token-helper` then run:
 
-```sh
+```console
 vault-token-helper enable
 ```
 
-This creates (overwrites) the `$HOME/.vault` config file with the following contents. The
-`vault` CLI uses this config file to find and execute the token helper.
+This creates (overwrites) the `$HOME/.vault` config file used by the `vault` CLI.
+
+Alternatively, edit the file and specify the full path to the `vault-token-helper` binary:
 
 ```toml
 token_helper = "/install/path/to/vault-token-helper"
@@ -106,10 +142,19 @@ helper [spec](https://www.vaultproject.io/docs/commands/token-helper.html).
 There are a few additional commands:
 
 * `enable`: Enable the vault-token-helper by (over)writing the ~/.vault config file.
-* `backends`: List the available backends on the current platform
+* `backends`: List the available secret storage backends on the current platform.
 * `list`: List tokens. Add `--extended` flag to lookup additional details about the stored
     token by quering the Vault instance's token lookup API.
 
+```console
+$ vault-token-helper list --extended
+VAULT_ADDR                       display_name      ttl         renewable  policies
+----------                       ------------      ---         ---------  --------
+https://vault-prod.dom.tld:8200  [email protected]  527h46m18s  true       [admin default]
+https://vault-dev.dom.tld:8200   [email protected]  275h13m17s  true       [admin default]
+https://localhost                ** ERROR **       Get https://localhost/v1/auth/token/lookup-self: dial tcp 127.0.0.1:443: connect: connection refused
+```
+
 Support
 -------
 
@@ -122,19 +167,21 @@ Development
 
 Run tests: `make test`.
 
+There is test coverage in `pkg/store` covering all of the supported backends. Additionally, there
+is an integration test in the `cmd` package.
+
 Some tests are platform specific and difficult to test outside of a full desktop environment
 due to interactive elements such as password prompts. To aid in development there are Vagrant
 VMs with GUIs enabled in the `./vagrant/` directory. See the
 [./vagrant/README.md](./vagrant/README.md) for further details.
 
-The most complete way to run all tests would be to run `make test` running under each platform.
-
-There is test coverage in `pkg/store` covering all of the supported backends. Additionally, there
-is an integration test in the `cmd` package.
+The most complete way to run all tests would be to run `make test` under each platform.
 
 ### CI/CD
 
-Azure DevOps Pipelines is used for CI and CD because it provides support for macos, windows, and linux.
+Azure DevOps Pipelines is used for CI and CD because it provides support for macos, windows,
+and linux.
+
 Tests are run on pull requests and releases are generated on successful master branch builds.
 
 ### Release Management
@@ -143,7 +190,7 @@ Releases are cut automatically on all successful master branch builds. This proj
 [autotag](https://github.com/pantheon-systems/autotag) and [goreleaser](https://goreleaser.com/) to
 automate this process.
 
-Semver (vMajor.Minor.Patch) is used for versioning and releases. By default, autotag will bump the
+Semver (`vMajor.Minor.Patch`) is used for versioning and releases. By default, autotag will bump the
 patch version on a successful master build, eg: `v1.0.0` -> `v1.0.1`.
 
 To bump the major or minor release instead, include `[major]` or `[minor]` in the commit message.
@@ -153,15 +200,25 @@ for more details.
 Include `[skip ci]` in the commit message to prevent a new version from being released. Only use this
 for things like documentation updates.
 
+A local release can be built and signed with a copy of the project GPG key's signing subkey:
+
+```console
+$ GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make release
+
+# or a snapshot build:
+
+$ GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make snapshot
+```
+
 TODO
 ----
 
 *after v0.1.0:*
 
-* [ ] The wincred lib used by 99designs/keyring has more configuration options available. Make these available in 99designs/keyring and vault-token-helper.
-* [ ] add a flag like `--lookup` to `list` that will query vault for additional token info, eg: valid/invalid, ttl, policies
+* [x] The wincred lib used by 99designs/keyring has more configuration options available. Make these available in 99designs/keyring and vault-token-helper.
+* [x] add a flag like `--extended` to `list` that will query vault for additional token info, eg: valid/invalid, ttl, policies
 * ci/cd:
-  * [ ] `sign` checksum.txt and assets in goreleaser.yaml GPG key
+  * [x] `sign` checksum.txt and assets in goreleaser.yaml GPG key
   * [ ] apple `codesign` the macos binaries
   * [ ] figure out how to cache go modules in azure pipelines, using this task maybe - https://github.com/microsoft/azure-pipelines-artifact-caching-tasks
   * [ ] linux tests, figure out how to test dbus secret-service in headless CI. probably need a stub to connect to Dbus and provide the 'prompt' service

azure-pipelines.yml

@@ -74,11 +74,15 @@ stages:
       pool:
         vmImage: 'ubuntu-16.04' # this is the only pool image that can run linux containers - https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops&tabs=yaml
       steps:
+      - task: DownloadSecureFile@1
+        name: gpg_signing_key
+        inputs:
+          secureFile: 'vault-token-helper.signing-key.gpg'
       - script: |
           set -e
           # XXX: not sure if this is the best approach here. Without this, autotag will fail
-          # with 'error getting head commit: object does not exist'. For now, since we only cut
-          # releases from master branch it should be ok.
+          # with 'error getting head commit: object does not exist'. It should be ok for now,
+          # since we only cut releases from master.
           git checkout master
           git reset --hard $(Build.SourceVersion)
 
@@ -90,6 +94,7 @@ stages:
             && chmod 755 ~/autotag
           ~/autotag
 
+          export GPG_KEY=`cat $(gpg_signing_key.secureFilePath) | base64`
           make release
         env:
           GITHUB_TOKEN: $(GITHUB_TOKEN)