Merge pull request #7 from joemiller/gpg-release-signing
introduce a project GPG key and use it to sign releases
Showing 2 changed files with 78 additions and 16 deletions.
@@ -1,8 +1,10 @@ | ||
vault-token-helper | ||
================== | ||
|
||
[![Build Status](https://dev.azure.com/joeym0501/vault-token-helper/_apis/build/status/joemiller.vault-token-helper?branchName=master)](https://dev.azure.com/joeym0501/vault-token-helper/_build/latest?definitionId=1&branchName=master) | ||
|
||
A @hashicorp Vault [token helper](https://www.vaultproject.io/docs/commands/token-helper.html) with | ||
support of native secret storage backends on macOS, Linux, and Windows. | ||
support for native secret storage backends on macOS, Linux, and Windows. | ||
|
||
Features | ||
-------- | ||
|
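Review bot: Missing documentation in the intro paragraph (`A @hashicorp Vault token helper ... support for native secret storage backends`): since this PR's purpose is release signing, a one-line pointer here to the new "Verifying releases" section would let readers who only skim the top of the README know the artifacts can be verified. The `support of` -> `support for` wording fix and the added build badge are fine as-is.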
@@ -41,6 +43,17 @@ Install | |
| Linux | amd64 | [vault-token-helper](https://github.com/joemiller/vault-token-helper/releases/latest) | | ||
| Windows | amd64 | [vault-token-helper](https://github.com/joemiller/vault-token-helper/releases/latest) | | ||
|
||
|
||
| OS | Architectures | binaries | packages | one-line install | | ||
| ------- | ------------- | ------------------------------------- | ----------- | ------------------------------------------------ | | ||
| macos | amd64 | [vault-token-helper][latest-binaries] | | `brew install joemiller/taps/vault-token-helper` | | ||
| Linux | amd64 | | [rpm] [deb] | [vault-token-helper][latest-binaries] | | ||
| Windows | amd64 | | | [vault-token-helper][latest-binaries] | | ||
|
||
[latest-binaries]: https://github.com/joemiller/vault-token-helper/releases/latest | ||
[rpm]: https://github.com/joemiller/vault-token-helper/releases/latest | ||
[deb]: https://github.com/joemiller/vault-token-helper/releases/latest | ||
|
||
### From source | ||
|
||
Clone this repo and compile for the current architecture: | ||
|
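Review bot: The rebuilt install table looks column-shifted for the Linux and Windows rows: their `binaries` column is empty while `[vault-token-helper][latest-binaries]` sits under `one-line install`, the column that for macOS holds an actual command (`brew install joemiller/taps/vault-token-helper`). Move the binary links into `binaries` and leave `one-line install` empty where no one-liner exists. Two smaller points: the `[rpm]` and `[deb]` references resolve to the same generic releases/latest page as `[latest-binaries]`, so the distinct labels promise more than they deliver; and `macos` is lowercase while `Linux` and `Windows` are capitalized.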
@@ -57,19 +70,42 @@ cross-compile and link to platform-specific libraries such as the OSX SDK on mac | |
make snapshot | ||
``` | ||
|
||
### Verifying releases | ||
|
||
Releases are signed using the project GPG key with key-ID `37F9D1272278CD32` and fingerprint | ||
`5EF2 2550 7053 ACC2 728A A51C 37F9 D127 2278 CD32`. The key can be fetched from most keyservers. | ||
|
||
```console | ||
gpg --recv-keys 37F9D1272278CD32 | ||
``` | ||
|
||
Download and verify the signature on the checksum file: | ||
|
||
```console | ||
gpg --verify vault-token-helper_0.2.0_checksums.txt.sig vault-token-helper_0.2.0_checksums.txt | ||
``` | ||
|
||
After verifying the checksum file signature use `shasum` to verify the checksums of the | ||
release artifacts: | ||
|
||
```console | ||
shasum --check vault-token-helper_0.2.0_checksums.txt | ||
``` | ||
|
||
Usage | ||
----- | ||
|
||
### Configure Vault | ||
|
||
Install `vault-token-helper` then run: | ||
|
||
```sh | ||
```console | ||
vault-token-helper enable | ||
``` | ||
|
||
This creates (overwrites) the `$HOME/.vault` config file with the following contents. The | ||
`vault` CLI uses this config file to find and execute the token helper. | ||
This creates (overwrites) the `$HOME/.vault` config file used by the `vault` CLI. | ||
|
||
Alternatively, edit the file and specify the full path to the `vault-token-helper` binary: | ||
|
||
```toml | ||
token_helper = "/install/path/to/vault-token-helper" | ||
|
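Review bot: The new "Verifying releases" section fetches the key by key-ID (`gpg --recv-keys 37F9D1272278CD32`) but never tells the reader to compare the imported key's fingerprint with the one quoted two lines above, so the fingerprint in the README does no work; add a step such as `gpg --fingerprint 37F9D1272278CD32` and state that the output must match `5EF2 2550 7053 ACC2 728A A51C 37F9 D127 2278 CD32` before the `--verify` step is trusted. Two smaller points: the `gpg --verify` and `shasum --check` examples hardcode `0.2.0`, so they go stale on the next patch release (a `<version>` placeholder or a sentence saying to substitute the downloaded version would help); and `shasum --check` prints a failure line for every artifact listed in the checksum file that the reader did not download, so either say those missing-file lines are expected or suggest `--ignore-missing` where the local `shasum`/`sha256sum` supports it. The `sh` -> `console` fence change and the shortened description of `enable` read fine.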
@@ -106,10 +142,19 @@ helper [spec](https://www.vaultproject.io/docs/commands/token-helper.html). | |
There are a few additional commands: | ||
|
||
* `enable`: Enable the vault-token-helper by (over)writing the ~/.vault config file. | ||
* `backends`: List the available backends on the current platform | ||
* `backends`: List the available secret storage backends on the current platform. | ||
* `list`: List tokens. Add `--extended` flag to lookup additional details about the stored | ||
token by quering the Vault instance's token lookup API. | ||
|
||
```console | ||
$ vault-token-helper list --extended | ||
VAULT_ADDR display_name ttl renewable policies | ||
---------- ------------ --- --------- -------- | ||
https://vault-prod.dom.tld:8200 [email protected] 527h46m18s true [admin default] | ||
https://vault-dev.dom.tld:8200 [email protected] 275h13m17s true [admin default] | ||
https://localhost ** ERROR ** Get https://localhost/v1/auth/token/lookup-self: dial tcp 127.0.0.1:443: connect: connection refused | ||
``` | ||
|
||
Support | ||
------- | ||
|
||
|
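Review bot: Typos in the added `list` bullet: `lookup additional details` should be `look up additional details` and `quering` should be `querying`. A sentence of documentation would also help: `--extended` sends each stored token to its `VAULT_ADDR` for the `auth/token/lookup-self` call, so the example's `** ERROR **` row for `https://localhost` is the expected result when that server is unreachable rather than a problem with the stored token; saying so up front saves a support question.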
@@ -122,19 +167,21 @@ Development | |
|
||
Run tests: `make test`. | ||
|
||
There is test coverage in `pkg/store` covering all of the supported backends. Additionally, there | ||
is an integration test in the `cmd` package. | ||
|
||
Some tests are platform specific and difficult to test outside of a full desktop environment | ||
due to interactive elements such as password prompts. To aid in development there are Vagrant | ||
VMs with GUIs enabled in the `./vagrant/` directory. See the | ||
[./vagrant/README.md](./vagrant/README.md) for further details. | ||
|
||
The most complete way to run all tests would be to run `make test` running under each platform. | ||
|
||
There is test coverage in `pkg/store` covering all of the supported backends. Additionally, there | ||
is an integration test in the `cmd` package. | ||
The most complete way to run all tests would be to run `make test` under each platform. | ||
|
||
### CI/CD | ||
|
||
Azure DevOps Pipelines is used for CI and CD because it provides support for macos, windows, and linux. | ||
Azure DevOps Pipelines is used for CI and CD because it provides support for macos, windows, | ||
and linux. | ||
|
||
Tests are run on pull requests and releases are generated on successful master branch builds. | ||
|
||
### Release Management | ||
|
@@ -143,7 +190,7 @@ Releases are cut automatically on all successful master branch builds. This proj | |
[autotag](https://github.com/pantheon-systems/autotag) and [goreleaser](https://goreleaser.com/) to | ||
automate this process. | ||
|
||
Semver (vMajor.Minor.Patch) is used for versioning and releases. By default, autotag will bump the | ||
Semver (`vMajor.Minor.Patch`) is used for versioning and releases. By default, autotag will bump the | ||
patch version on a successful master build, eg: `v1.0.0` -> `v1.0.1`. | ||
|
||
To bump the major or minor release instead, include `[major]` or `[minor]` in the commit message. | ||
|
@@ -153,15 +200,25 @@ for more details. | |
Include `[skip ci]` in the commit message to prevent a new version from being released. Only use this | ||
for things like documentation updates. | ||
|
||
A local release can be built and signed with a copy of the project GPG key's signing subkey: | ||
|
||
```console | ||
$ GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make release | ||
|
||
# or a snapshot build: | ||
|
||
$ GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make snapshot | ||
``` | ||
|
||
TODO | ||
---- | ||
|
||
*after v0.1.0:* | ||
|
||
* [ ] The wincred lib used by 99designs/keyring has more configuration options available. Make these available in 99designs/keyring and vault-token-helper. | ||
* [ ] add a flag like `--lookup` to `list` that will query vault for additional token info, eg: valid/invalid, ttl, policies | ||
* [x] The wincred lib used by 99designs/keyring has more configuration options available. Make these available in 99designs/keyring and vault-token-helper. | ||
* [x] add a flag like `--extended` to `list` that will query vault for additional token info, eg: valid/invalid, ttl, policies | ||
* ci/cd: | ||
* [ ] `sign` checksum.txt and assets in goreleaser.yaml GPG key | ||
* [x] `sign` checksum.txt and assets in goreleaser.yaml GPG key | ||
* [ ] apple `codesign` the macos binaries | ||
* [ ] figure out how to cache go modules in azure pipelines, using this task maybe - https://github.com/microsoft/azure-pipelines-artifact-caching-tasks | ||
* [ ] linux tests, figure out how to test dbus secret-service in headless CI. probably need a stub to connect to Dbus and provide the 'prompt' service |
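Review bot: The local release example `GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make release` has two practical problems. First, GNU `base64` wraps its output at 76 columns, so on Linux the variable contains embedded newlines unless `base64 -w0` is used (macOS `base64` does not wrap), and whatever decodes `GPG_KEY` in the build must tolerate both; `base64 < vault-token-helper.signing-key.gpg` also drops the needless `cat`. Second, this places the private signing subkey in the environment of `make` and every child process, and the command line lands in shell history; document that the key file must live outside the repository (and be gitignored if it ever sits nearby) and that the variable is meant to be set only for that one command, as the example already does. Separately, the TODO now ticks `sign checksum.txt and assets in goreleaser.yaml GPG key`, but the new "Verifying releases" section only verifies the signature on the checksum file: either the assets are not individually signed (then reword the TODO) or the verification instructions should cover the per-asset signatures too. The second of the two changed files is not shown in this view, so I cannot confirm which is the case.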