make gpg signing more robust for bootstrap

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
fluxcd · Nov 11, 2022 · f2d2d00 · f2d2d00
1 parent 7640fa5
commit f2d2d00
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/pkg/bootstrap/bootstrap_plain_git.go b/pkg/bootstrap/bootstrap_plain_git.go
@@ -430,14 +430,25 @@ func getOpenPgpEntity(keyRing openpgp.EntityList, passphrase, keyID string) (*op
 
 	var entity *openpgp.Entity
 	if keyID != "" {
+		if strings.HasPrefix(keyID, "0x") {
+			keyID = strings.TrimPrefix(keyID, "0x")
+		}
+		if len(keyID) != 16 {
+			return nil, fmt.Errorf("invalid GPG key id length; expected %d, got %d", 16, len(keyID))
+		}
+		keyID = strings.ToUpper(keyID)
+
 		for _, ent := range keyRing {
 			if ent.PrimaryKey.KeyIdString() == keyID {
 				entity = ent
 			}
 		}
 
 		if entity == nil {
-			return nil, fmt.Errorf("no GPG private key matching key id '%s' found", keyID)
+			return nil, fmt.Errorf("no GPG keyring matching key id '%s' found", keyID)
+		}
+		if entity.PrivateKey == nil {
+			return nil, fmt.Errorf("keyring does not contain private key for key id '%s'", keyID)
 		}
 	} else {
 		entity = keyRing[0]

diff --git a/pkg/bootstrap/options.go b/pkg/bootstrap/options.go
@@ -155,7 +155,7 @@ func LoadEntityListFromPath(path string) (openpgp.EntityList, error) {
 	}
 	entityList, err := openpgp.ReadKeyRing(r)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("unable to read GPG key ring: %w", err)
 	}
 	return entityList, nil
 }