Drop PGP signatures support
authorSergey Matveev <stargrave@stargrave.org>
Sat, 3 Jun 2023 15:45:54 +0000 (18:45 +0300)
committerSergey Matveev <stargrave@stargrave.org>
Sat, 3 Jun 2023 17:10:11 +0000 (20:10 +0300)
As Warehouse and PyPI did.

12 files changed:
contrib/pyshop2packages.sh
doc/index.texi
doc/proxy.texi
doc/storage.texi
doc/upload.texi
go.mod
list.go
list.tmpl
main.go
refresh.go
upload.go
usage.go

index d007a3fdbfbd3e8c7134b6c3281dcb0d41554db8..6e3938fc8ba4f63eee523bc5271a5d168a1b20c1 100755 (executable)
@@ -56,8 +56,8 @@ done
 cd packages
 for pkg in * ; do
     # Assume running:
-    # GOCHEESE_NO_SYNC=1 gocheese -bind "[::1]:8080" -gpgupdate /gpgupdate/
-    curl http://localhost:8080/gpgupdate/$pkg/ > /dev/null
+    # GOCHEESE_NO_SYNC=1 gocheese -bind "[::1]:8080" -refresh /simple/
+    curl http://localhost:8080/simple/$pkg/ > /dev/null
 done
 
 ########################################################################
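Review bot: The rewritten `curl` line throws away the response body and never checks the exit status, so a package whose refresh fails passes silently and the migration looks complete. That matters more now that the run goes through the ordinary `/simple/` refresh path rather than a dedicated endpoint. `$pkg` is also unquoted although it comes from a `*` glob over directory names. I would write it as `curl --fail --silent --show-error "http://localhost:8080/simple/$pkg/" > /dev/null || echo "refresh failed: $pkg" >&2`.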
index c314649cd71c34daffcf26029319441abaa91033..36a657b04076822a3d11ddfeeec9a5a1514d4559 100644 (file)
@@ -53,7 +53,7 @@ upstream PyPI installation.
 @item Supports uploading of internal packages through the standard
 Warehouse API, including signatures, metadata and checksums.
 
-@item Supports @url{https://pythonwheels.com/, wheels}, GPG signatures,
+@item Supports @url{https://pythonwheels.com/, wheels},
 @url{https://packaging.python.org/specifications/core-metadata/, Metadata}
 with @url{https://www.python.org/dev/peps/pep-0566/, PEP-0566} compatible
 conversion to JSON, multiple (MD5, SHA256, SHA512, BLAKE2b-256) integrity
index ef8d30e99973d9df9e10c130e8f6aa029fbc9848..48e10ed59bb4c5d9b1f988f83433040841815d0e 100644 (file)
@@ -19,13 +19,6 @@ refresh is needed. Each refresh update the package's metadata (if
 Same as above, but does not refresh data from the upstream, completely
 read only mode.
 
-@item @code{/gpgupdate/} (@option{-gpgupdate} option)
-Refresh the package state from the upstream as above, but additionally
-check and download missing GPG signatures. Intended to be used only
-manually, for example after database migration.
-It is probably useful to set @env{$GOCHEESE_NO_SYNC=1} environment
-variable to turn off filesystem synchronization calls.
-
 @item @code{/pypi/} (@option{-json} option)
 Read only (non refreshing) JSON API entrypoint, giving metadata for the
 packages and releases.
index 87e4101ef9a2dad818d7146dd7bb762fe0ad46b5..573fe8ac745482e21fbbe27c75f04eab99f1cb7a 100644 (file)
@@ -11,14 +11,12 @@ root
   |     +- public-package-0.1.tar.gz.blake2_256
   |     +- public-package-0.1.1.tar.gz.blake2_256
   |     +- public-package-0.2.tar.gz
-  |     +- public-package-0.2.tar.gz.asc
   |     +- public-package-0.2.tar.gz.sha256
   |     +- public-package-0.2.tar.gz.blake2_256
   +-- private-package
   |     +- .internal
   |     +- .metadata.rec
   |     +- private-package-0.1.tar.gz
-  |     +- private-package-0.1.tar.gz.asc
   |     +- private-package-0.1.tar.gz.sha256
   |     +- private-package-0.1.tar.gz.blake2_256
   |...
@@ -44,8 +42,7 @@ For example @file{public-package} has @code{0.1} version, downloaded a
 long time ago with MD5 checksum. @code{0.1.1} version is downloaded more
 recently with BLAKE2b-256 checksum, also storing that checksum for
 @code{0.1}. @code{0.2} version is downloaded tarball, having forced
-SHA256 and BLAKE2b-256 recalculated checksums. Also upstream has
-corresponding @file{.asc} signature file.
+SHA256 and BLAKE2b-256 recalculated checksums.
 
 @file{private-package} is private package, because it contains
 @file{.internal} file. It can be uploaded and queries to it are not
index 75b9848aa0b1354c7b508b6b3e25c6d036fbb63b..7ad23fa74e27616df803379d80fda6429e9964d8 100644 (file)
@@ -20,5 +20,4 @@ password: foo
 
 All metadata information sent by @command{twine} is stored on the disk.
 Package creation time will be server's current time. If @command{twine}
-send package checksums, then they are checked against. GPG signature
-file is also saved.
+send package checksums, then they are checked against.
diff --git a/go.mod b/go.mod
index e049717ed374095b83d27ed51a305c81a200bd76..dd0f33da60feee2c20f7727f88c3a4037a23c888 100644 (file)
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module go.cypherpunks.ru/gocheese/v3
+module go.cypherpunks.ru/gocheese/v4
 
 go 1.17
 
diff --git a/list.go b/list.go
index 3c056415555c9aace1ccac3c1edff55b6344e1e7..3eb0beda670d8808af0ea515fbeac797007484c6 100644 (file)
--- a/list.go
+++ b/list.go
@@ -96,7 +96,6 @@ func (a PkgReleaseInfoByName) Less(i, j int) bool {
 // Version format is too complicated: https://www.python.org/dev/peps/pep-0386/
 // So here is very simple parser working good enough for most packages
 func filenameToVersion(fn string) string {
-       fn = strings.TrimSuffix(fn, GPGSigExt)
        var trimmed string
        for _, ext := range KnownExts {
                trimmed = strings.TrimSuffix(fn, ext)
@@ -176,10 +175,6 @@ func listDir(pkgName string, doSize bool) (int64, []*PkgReleaseInfo, error) {
                                        }
                                        delete(files, fnClean)
                                }
-                               if _, exists := files[fnClean+GPGSigExt]; exists {
-                                       release.HasSig = true
-                                       delete(files, fnClean+GPGSigExt)
-                               }
                        }
                        release.Digests[algo] = hex.EncodeToString(digest)
                }
@@ -204,15 +199,15 @@ func serveListDir(
        w http.ResponseWriter,
        r *http.Request,
        pkgName string,
-       autorefresh, gpgUpdate bool,
+       autorefresh bool,
 ) {
        dirPath := filepath.Join(Root, pkgName)
        if autorefresh {
-               if !refreshDir(w, r, pkgName, "", gpgUpdate) {
+               if !refreshDir(w, r, pkgName, "") {
                        return
                }
        } else if _, err := os.Stat(dirPath); os.IsNotExist(err) &&
-               !refreshDir(w, r, pkgName, "", false) {
+               !refreshDir(w, r, pkgName, "") {
                return
        }
        serial, releases, err := listDir(pkgName, false)
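Review bot: The `else if` branch still calls `refreshDir` when the package directory does not exist, so a request with `autorefresh` false can trigger an upstream fetch and disk writes for any package name not yet on disk. The doc/proxy.texi hunk on this page describes what appears to be the norefresh endpoint as "completely read only mode", which does not match that branch. `servePkg` in main.go has the same stat-then-refresh pattern. If the first-fetch behaviour is intended, say so on the function, e.g. `// serveListDir lists pkgName; even with autorefresh false, a package missing on disk is fetched from upstream once.`, and adjust the doc wording. The body of serveListDir continues past this hunk.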
index 59b2ed48bac56e7d2fc38f4f01000c873bce7cac..a8614b72f802de8a9d7d1a14a9c226aa87f58a3e 100644 (file)
--- a/list.tmpl
+++ b/list.tmpl
@@ -6,8 +6,7 @@
   </head>
   <body>{{$Refresh := .RefreshURLPath}}{{$PkgName := .PkgName}}{{range .Releases}}
     <a href="{{$Refresh}}{{$PkgName}}/{{.Filename -}}
-        #{{range $a, $d := .Digests}}{{$a}}={{$d}}{{end -}}"
-        {{- with .HasSig}} data-gpg-sig="true"{{end}}>{{.Filename}}</a><br/>
+        #{{range $a, $d := .Digests}}{{$a}}={{$d}}{{end -}}">{{.Filename}}</a><br/>
 {{- end}}
   </body>
 </html>
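Review bot: The URL fragment on the rewritten anchor line is built by ranging over `.Digests` with no separator, so if a release carries more than one digest the pairs run together and no longer form a single `#<algo>=<hex>` fragment. With `data-gpg-sig` removed, that fragment is the only integrity hint the listing gives to installers, so the invariant is worth stating beside it. `listDir` is only partly visible here, so whether it limits the map to one entry for this page is an assumption to confirm. If it does, a template comment such as `{{/* .Digests holds exactly one entry for the Simple API listing */}}` documents it.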
diff --git a/main.go b/main.go
index b2d3250a3fbf57365a5161eb1be888466836c09d..89aa5a62b6e59aa4e6a6174d5315a406ba24383a 100644 (file)
--- a/main.go
+++ b/main.go
@@ -44,7 +44,7 @@ import (
 )
 
 const (
-       Version   = "3.7.1"
+       Version   = "4.0.0"
        UserAgent = "GoCheese/" + Version
 )
 
@@ -59,7 +59,6 @@ var (
 
        NoRefreshURLPath = flag.String("norefresh", DefaultNoRefreshURLPath, "")
        RefreshURLPath   = flag.String("refresh", DefaultRefreshURLPath, "")
-       GPGUpdateURLPath = flag.String("gpgupdate", DefaultGPGUpdateURLPath, "")
        JSONURLPath      = flag.String("json", DefaultJSONURLPath, "")
 
        PyPIURL      = flag.String("pypi", DefaultPyPIURL, "")
@@ -82,7 +81,7 @@ func servePkg(w http.ResponseWriter, r *http.Request, pkgName, filename string)
        log.Println(r.RemoteAddr, "get", filename)
        path := filepath.Join(Root, pkgName, filename)
        if _, err := os.Stat(path); os.IsNotExist(err) {
-               if !refreshDir(w, r, pkgName, filename, false) {
+               if !refreshDir(w, r, pkgName, filename) {
                        return
                }
        }
@@ -95,16 +94,11 @@ func handler(w http.ResponseWriter, r *http.Request) {
        case "GET":
                var path string
                var autorefresh bool
-               var gpgUpdate bool
                if strings.HasPrefix(r.URL.Path, *NoRefreshURLPath) {
                        path = strings.TrimPrefix(r.URL.Path, *NoRefreshURLPath)
                } else if strings.HasPrefix(r.URL.Path, *RefreshURLPath) {
                        path = strings.TrimPrefix(r.URL.Path, *RefreshURLPath)
                        autorefresh = true
-               } else if strings.HasPrefix(r.URL.Path, *GPGUpdateURLPath) {
-                       path = strings.TrimPrefix(r.URL.Path, *GPGUpdateURLPath)
-                       autorefresh = true
-                       gpgUpdate = true
                } else {
                        http.Error(w, "unknown action", http.StatusBadRequest)
                        return
@@ -118,7 +112,7 @@ func handler(w http.ResponseWriter, r *http.Request) {
                        if parts[0] == "" {
                                listRoot(w, r)
                        } else {
-                               serveListDir(w, r, parts[0], autorefresh, gpgUpdate)
+                               serveListDir(w, r, parts[0], autorefresh)
                        }
                } else {
                        servePkg(w, r, parts[0], parts[1])
@@ -252,9 +246,6 @@ func main() {
        http.HandleFunc(*JSONURLPath, serveJSON)
        http.HandleFunc(*NoRefreshURLPath, handler)
        http.HandleFunc(*RefreshURLPath, handler)
-       if *GPGUpdateURLPath != "" {
-               http.HandleFunc(*GPGUpdateURLPath, handler)
-       }
 
        if *DoUCSPI {
                server.SetKeepAlivesEnabled(false)
index 4179953179f7e703290409b69d8b6db349d9971f..78a8ca4b3c4de6cd2bbe647c9d2ae81968ff2f68 100644 (file)
@@ -46,7 +46,6 @@ const (
        HashAlgoBLAKE2b256 = "blake2_256"
        HashAlgoSHA512     = "sha512"
        HashAlgoMD5        = "md5"
-       GPGSigExt          = ".asc"
        InternalFlag       = ".internal"
 )
 
@@ -88,7 +87,6 @@ func refreshDir(
        w http.ResponseWriter,
        r *http.Request,
        pkgName, filenameGet string,
-       gpgUpdate bool,
 ) bool {
        if _, err := os.Stat(filepath.Join(Root, pkgName, InternalFlag)); err == nil {
                return true
@@ -521,43 +519,6 @@ func refreshDir(
                        }
                }
 
-               if filename == filenameGet || gpgUpdate {
-                       resp, err := c.Do(agentedReq(uri + GPGSigExt))
-                       if err != nil {
-                               goto GPGSigSkip
-                       }
-                       if resp.StatusCode != http.StatusOK {
-                               resp.Body.Close()
-                               goto GPGSigSkip
-                       }
-                       sig, err := io.ReadAll(resp.Body)
-                       resp.Body.Close()
-                       if err != nil {
-                               goto GPGSigSkip
-                       }
-                       if !bytes.HasPrefix(sig, []byte("-----BEGIN PGP SIGNATURE-----")) {
-                               log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "non PGP")
-                               goto GPGSigSkip
-                       }
-                       if err = WriteFileSync(dirPath, path+GPGSigExt, sig, mtime); err != nil {
-                               log.Println("error", r.RemoteAddr, "pypi", filename+GPGSigExt, err)
-                               http.Error(w, err.Error(), http.StatusInternalServerError)
-                               return false
-                       }
-                       log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "downloaded")
-               }
-               if mtimeExists {
-                       stat, err := os.Stat(path + GPGSigExt)
-                       if err == nil && !stat.ModTime().Truncate(time.Second).Equal(mtime) {
-                               log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "touch")
-                               if err = os.Chtimes(path+GPGSigExt, mtime, mtime); err != nil {
-                                       log.Println("error", r.RemoteAddr, "pypi", filename, err)
-                                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                               }
-                       }
-               }
-
-       GPGSigSkip:
                if digest == nil {
                        continue
                }
index 3765c56cacb4108d0bfa5697f5372c1c3d8f6272..a0068db483d95556268566e1256c4234ab24113c 100644 (file)
--- a/upload.go
+++ b/upload.go
@@ -67,7 +67,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
        }
        pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
        dirPath := filepath.Join(Root, pkgName)
-       gpgSigsExpected := make(map[string]struct{})
        now := time.Now().UTC()
 
        var digestSHA256Expected []byte
@@ -96,7 +95,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 
        for _, file := range r.MultipartForm.File["content"] {
                filename := file.Filename
-               gpgSigsExpected[filename+GPGSigExt] = struct{}{}
                log.Println(r.RemoteAddr, "put", filename, "by", username)
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
@@ -193,40 +191,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                        return
                }
        }
-       for _, file := range r.MultipartForm.File["gpg_signature"] {
-               filename := file.Filename
-               if _, exists := gpgSigsExpected[filename]; !exists {
-                       log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
-                       http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
-                       return
-               }
-               delete(gpgSigsExpected, filename)
-               log.Println(r.RemoteAddr, "put", filename, "by", username)
-               path := filepath.Join(dirPath, filename)
-               if _, err = os.Stat(path); err == nil {
-                       log.Println(r.RemoteAddr, filename, "already exists")
-                       http.Error(w, "already exists", http.StatusBadRequest)
-                       return
-               }
-               src, err := file.Open()
-               if err != nil {
-                       log.Println("error", r.RemoteAddr, filename, err)
-                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                       return
-               }
-               sig, err := io.ReadAll(src)
-               src.Close()
-               if err != nil {
-                       log.Println("error", r.RemoteAddr, filename, err)
-                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                       return
-               }
-               if err = WriteFileSync(dirPath, path, sig, now); err != nil {
-                       log.Println("error", r.RemoteAddr, path, err)
-                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                       return
-               }
-       }
 
        var buf bytes.Buffer
        wr := recfile.NewWriter(&buf)
index c47f99b5a7af59185b31090b0bc1a8264aab5960..351a2b73a8127df7f8a146e416d04aa22d7a188a 100644 (file)
--- a/usage.go
+++ b/usage.go
@@ -27,7 +27,6 @@ const (
        DefaultMaxClients       = 128
        DefaultNoRefreshURLPath = "/norefresh/"
        DefaultRefreshURLPath   = "/simple/"
-       DefaultGPGUpdateURLPath = "/gpgupdate/"
        DefaultJSONURLPath      = "/pypi/"
        DefaultPyPIURL          = "https://pypi.org/simple/"
        DefaultJSONURL          = "https://pypi.org/pypi/"
@@ -60,7 +59,6 @@ TLS enabling options:
 HTTP endpoints:
   -norefresh URLPATH -- Non-refreshing Simple API path (default: %s)
   -refresh URLPATH   -- Auto-refreshing Simple API path (default: %s)
-  -gpgupdate URLPATH -- GPG forceful refreshing path (default: %s)
   -json URLPATH      -- JSON API path (default: %s)
 
 Upstream PyPI:
@@ -86,7 +84,6 @@ GOCHEESE_NO_SYNC=1 environment variable disable filesystem fsyncs.
                DefaultMaxClients,
                DefaultNoRefreshURLPath,
                DefaultRefreshURLPath,
-               DefaultGPGUpdateURLPath,
                DefaultJSONURLPath,
                DefaultPyPIURL,
                DefaultJSONURLPath,