Cypherpunks.ru repositories - gocheese.git/commitdiff
Drop PGP signatures support
authorSergey Matveev <stargrave@stargrave.org>
Sat, 3 Jun 2023 15:45:54 +0000 (18:45 +0300)
committerSergey Matveev <stargrave@stargrave.org>
Sat, 3 Jun 2023 17:10:11 +0000 (20:10 +0300)
As Warehouse and PyPI did.

12 files changed:
contrib/pyshop2packages.sh
doc/index.texi
doc/proxy.texi
doc/storage.texi
doc/upload.texi
go.mod
list.go
list.tmpl
main.go
refresh.go
upload.go
usage.go

index d007a3fdbfbd3e8c7134b6c3281dcb0d41554db8..6e3938fc8ba4f63eee523bc5271a5d168a1b20c1 100755 (executable)
@@ -56,8 +56,8 @@ done
 cd packages
 for pkg in * ; do
     # Assume running:
 cd packages
 for pkg in * ; do
     # Assume running:
-    # GOCHEESE_NO_SYNC=1 gocheese -bind "[::1]:8080" -gpgupdate /gpgupdate/
-    curl http://localhost:8080/gpgupdate/$pkg/ > /dev/null
+    # GOCHEESE_NO_SYNC=1 gocheese -bind "[::1]:8080" -refresh /simple/
+    curl http://localhost:8080/simple/$pkg/ > /dev/null
 done
 
 ########################################################################
 done
 
 ########################################################################
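Review bot: The `curl` call on the changed line throws away both the response body and the exit status, so a package whose refresh ends in an HTTP error is passed over without any trace in this migration loop. Adding `--fail` and reporting the package makes a partial migration visible: `curl --fail --silent --show-error "http://localhost:8080/simple/$pkg/" > /dev/null || echo "refresh failed: $pkg" >&2`. Quoting the URL also keeps an unusual directory name under `packages` from being word-split by the shell.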
index c314649cd71c34daffcf26029319441abaa91033..36a657b04076822a3d11ddfeeec9a5a1514d4559 100644 (file)
@@ -53,7 +53,7 @@ upstream PyPI installation.
 @item Supports uploading of internal packages through the standard
 Warehouse API, including signatures, metadata and checksums.
 
 @item Supports uploading of internal packages through the standard
 Warehouse API, including signatures, metadata and checksums.
 
-@item Supports @url{https://pythonwheels.com/, wheels}, GPG signatures,
+@item Supports @url{https://pythonwheels.com/, wheels},
 @url{https://packaging.python.org/specifications/core-metadata/, Metadata}
 with @url{https://www.python.org/dev/peps/pep-0566/, PEP-0566} compatible
 conversion to JSON, multiple (MD5, SHA256, SHA512, BLAKE2b-256) integrity
 @url{https://packaging.python.org/specifications/core-metadata/, Metadata}
 with @url{https://www.python.org/dev/peps/pep-0566/, PEP-0566} compatible
 conversion to JSON, multiple (MD5, SHA256, SHA512, BLAKE2b-256) integrity
index ef8d30e99973d9df9e10c130e8f6aa029fbc9848..48e10ed59bb4c5d9b1f988f83433040841815d0e 100644 (file)
@@ -19,13 +19,6 @@ refresh is needed. Each refresh update the package's metadata (if
 Same as above, but does not refresh data from the upstream, completely
 read only mode.
 
 Same as above, but does not refresh data from the upstream, completely
 read only mode.
 
-@item @code{/gpgupdate/} (@option{-gpgupdate} option)
-Refresh the package state from the upstream as above, but additionally
-check and download missing GPG signatures. Intended to be used only
-manually, for example after database migration.
-It is probably useful to set @env{$GOCHEESE_NO_SYNC=1} environment
-variable to turn off filesystem synchronization calls.
-
 @item @code{/pypi/} (@option{-json} option)
 Read only (non refreshing) JSON API entrypoint, giving metadata for the
 packages and releases.
 @item @code{/pypi/} (@option{-json} option)
 Read only (non refreshing) JSON API entrypoint, giving metadata for the
 packages and releases.
index 87e4101ef9a2dad818d7146dd7bb762fe0ad46b5..573fe8ac745482e21fbbe27c75f04eab99f1cb7a 100644 (file)
@@ -11,14 +11,12 @@ root
   |     +- public-package-0.1.tar.gz.blake2_256
   |     +- public-package-0.1.1.tar.gz.blake2_256
   |     +- public-package-0.2.tar.gz
   |     +- public-package-0.1.tar.gz.blake2_256
   |     +- public-package-0.1.1.tar.gz.blake2_256
   |     +- public-package-0.2.tar.gz
-  |     +- public-package-0.2.tar.gz.asc
   |     +- public-package-0.2.tar.gz.sha256
   |     +- public-package-0.2.tar.gz.blake2_256
   +-- private-package
   |     +- .internal
   |     +- .metadata.rec
   |     +- private-package-0.1.tar.gz
   |     +- public-package-0.2.tar.gz.sha256
   |     +- public-package-0.2.tar.gz.blake2_256
   +-- private-package
   |     +- .internal
   |     +- .metadata.rec
   |     +- private-package-0.1.tar.gz
-  |     +- private-package-0.1.tar.gz.asc
   |     +- private-package-0.1.tar.gz.sha256
   |     +- private-package-0.1.tar.gz.blake2_256
   |...
   |     +- private-package-0.1.tar.gz.sha256
   |     +- private-package-0.1.tar.gz.blake2_256
   |...
@@ -44,8 +42,7 @@ For example @file{public-package} has @code{0.1} version, downloaded a
 long time ago with MD5 checksum. @code{0.1.1} version is downloaded more
 recently with BLAKE2b-256 checksum, also storing that checksum for
 @code{0.1}. @code{0.2} version is downloaded tarball, having forced
 long time ago with MD5 checksum. @code{0.1.1} version is downloaded more
 recently with BLAKE2b-256 checksum, also storing that checksum for
 @code{0.1}. @code{0.2} version is downloaded tarball, having forced
-SHA256 and BLAKE2b-256 recalculated checksums. Also upstream has
-corresponding @file{.asc} signature file.
+SHA256 and BLAKE2b-256 recalculated checksums.
 
 @file{private-package} is private package, because it contains
 @file{.internal} file. It can be uploaded and queries to it are not
 
 @file{private-package} is private package, because it contains
 @file{.internal} file. It can be uploaded and queries to it are not
index 75b9848aa0b1354c7b508b6b3e25c6d036fbb63b..7ad23fa74e27616df803379d80fda6429e9964d8 100644 (file)
@@ -20,5 +20,4 @@ password: foo
 
 All metadata information sent by @command{twine} is stored on the disk.
 Package creation time will be server's current time. If @command{twine}
 
 All metadata information sent by @command{twine} is stored on the disk.
 Package creation time will be server's current time. If @command{twine}
-send package checksums, then they are checked against. GPG signature
-file is also saved.
+send package checksums, then they are checked against.
diff --git a/go.mod b/go.mod
index e049717ed374095b83d27ed51a305c81a200bd76..dd0f33da60feee2c20f7727f88c3a4037a23c888 100644 (file)
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module go.cypherpunks.ru/gocheese/v3
+module go.cypherpunks.ru/gocheese/v4
 
 go 1.17
 
 
 go 1.17
 
diff --git a/list.go b/list.go
index 3c056415555c9aace1ccac3c1edff55b6344e1e7..3eb0beda670d8808af0ea515fbeac797007484c6 100644 (file)
--- a/list.go
+++ b/list.go
@@ -96,7 +96,6 @@ func (a PkgReleaseInfoByName) Less(i, j int) bool {
 // Version format is too complicated: https://www.python.org/dev/peps/pep-0386/
 // So here is very simple parser working good enough for most packages
 func filenameToVersion(fn string) string {
 // Version format is too complicated: https://www.python.org/dev/peps/pep-0386/
 // So here is very simple parser working good enough for most packages
 func filenameToVersion(fn string) string {
-       fn = strings.TrimSuffix(fn, GPGSigExt)
        var trimmed string
        for _, ext := range KnownExts {
                trimmed = strings.TrimSuffix(fn, ext)
        var trimmed string
        for _, ext := range KnownExts {
                trimmed = strings.TrimSuffix(fn, ext)
@@ -176,10 +175,6 @@ func listDir(pkgName string, doSize bool) (int64, []*PkgReleaseInfo, error) {
                                        }
                                        delete(files, fnClean)
                                }
                                        }
                                        delete(files, fnClean)
                                }
-                               if _, exists := files[fnClean+GPGSigExt]; exists {
-                                       release.HasSig = true
-                                       delete(files, fnClean+GPGSigExt)
-                               }
                        }
                        release.Digests[algo] = hex.EncodeToString(digest)
                }
                        }
                        release.Digests[algo] = hex.EncodeToString(digest)
                }
@@ -204,15 +199,15 @@ func serveListDir(
        w http.ResponseWriter,
        r *http.Request,
        pkgName string,
        w http.ResponseWriter,
        r *http.Request,
        pkgName string,
-       autorefresh, gpgUpdate bool,
+       autorefresh bool,
 ) {
        dirPath := filepath.Join(Root, pkgName)
        if autorefresh {
 ) {
        dirPath := filepath.Join(Root, pkgName)
        if autorefresh {
-               if !refreshDir(w, r, pkgName, "", gpgUpdate) {
+               if !refreshDir(w, r, pkgName, "") {
                        return
                }
        } else if _, err := os.Stat(dirPath); os.IsNotExist(err) &&
                        return
                }
        } else if _, err := os.Stat(dirPath); os.IsNotExist(err) &&
-               !refreshDir(w, r, pkgName, "", false) {
+               !refreshDir(w, r, pkgName, "") {
                return
        }
        serial, releases, err := listDir(pkgName, false)
                return
        }
        serial, releases, err := listDir(pkgName, false)
index 59b2ed48bac56e7d2fc38f4f01000c873bce7cac..a8614b72f802de8a9d7d1a14a9c226aa87f58a3e 100644 (file)
--- a/list.tmpl
+++ b/list.tmpl
@@ -6,8 +6,7 @@
   </head>
   <body>{{$Refresh := .RefreshURLPath}}{{$PkgName := .PkgName}}{{range .Releases}}
     <a href="{{$Refresh}}{{$PkgName}}/{{.Filename -}}
   </head>
   <body>{{$Refresh := .RefreshURLPath}}{{$PkgName := .PkgName}}{{range .Releases}}
     <a href="{{$Refresh}}{{$PkgName}}/{{.Filename -}}
-        #{{range $a, $d := .Digests}}{{$a}}={{$d}}{{end -}}"
-        {{- with .HasSig}} data-gpg-sig="true"{{end}}>{{.Filename}}</a><br/>
+        #{{range $a, $d := .Digests}}{{$a}}={{$d}}{{end -}}">{{.Filename}}</a><br/>
 {{- end}}
   </body>
 </html>
 {{- end}}
   </body>
 </html>
diff --git a/main.go b/main.go
index b2d3250a3fbf57365a5161eb1be888466836c09d..89aa5a62b6e59aa4e6a6174d5315a406ba24383a 100644 (file)
--- a/main.go
+++ b/main.go
@@ -44,7 +44,7 @@ import (
 )
 
 const (
 )
 
 const (
-       Version   = "3.7.1"
+       Version   = "4.0.0"
        UserAgent = "GoCheese/" + Version
 )
 
        UserAgent = "GoCheese/" + Version
 )
 
@@ -59,7 +59,6 @@ var (
 
        NoRefreshURLPath = flag.String("norefresh", DefaultNoRefreshURLPath, "")
        RefreshURLPath   = flag.String("refresh", DefaultRefreshURLPath, "")
 
        NoRefreshURLPath = flag.String("norefresh", DefaultNoRefreshURLPath, "")
        RefreshURLPath   = flag.String("refresh", DefaultRefreshURLPath, "")
-       GPGUpdateURLPath = flag.String("gpgupdate", DefaultGPGUpdateURLPath, "")
        JSONURLPath      = flag.String("json", DefaultJSONURLPath, "")
 
        PyPIURL      = flag.String("pypi", DefaultPyPIURL, "")
        JSONURLPath      = flag.String("json", DefaultJSONURLPath, "")
 
        PyPIURL      = flag.String("pypi", DefaultPyPIURL, "")
@@ -82,7 +81,7 @@ func servePkg(w http.ResponseWriter, r *http.Request, pkgName, filename string)
        log.Println(r.RemoteAddr, "get", filename)
        path := filepath.Join(Root, pkgName, filename)
        if _, err := os.Stat(path); os.IsNotExist(err) {
        log.Println(r.RemoteAddr, "get", filename)
        path := filepath.Join(Root, pkgName, filename)
        if _, err := os.Stat(path); os.IsNotExist(err) {
-               if !refreshDir(w, r, pkgName, filename, false) {
+               if !refreshDir(w, r, pkgName, filename) {
                        return
                }
        }
                        return
                }
        }
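Review bot: `servePkg` still decides what to serve purely from `os.Stat` on `filepath.Join(Root, pkgName, filename)`, so `.asc` files written by v3 stay on disk and, as far as this hunk shows, remain downloadable even though nothing refreshes or lists them any more. Because `listDir` no longer removes `fnClean+GPGSigExt` from `files` (second list.go hunk), those leftovers also fall to whatever `listDir` does with unclaimed entries, which is outside the visible lines. If the intent is that signatures are gone, either document an upgrade step that deletes `*.asc` from the storage root, or refuse them up front with `if strings.HasSuffix(filename, ".asc") { http.NotFound(w, r); return }` before the `os.Stat` call. In the same spirit, `serveUpload` now silently ignores a `gpg_signature` form part; a log line there would tell operators that a client is still signing. The body of `servePkg` continues outside the hunk.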
@@ -95,16 +94,11 @@ func handler(w http.ResponseWriter, r *http.Request) {
        case "GET":
                var path string
                var autorefresh bool
        case "GET":
                var path string
                var autorefresh bool
-               var gpgUpdate bool
                if strings.HasPrefix(r.URL.Path, *NoRefreshURLPath) {
                        path = strings.TrimPrefix(r.URL.Path, *NoRefreshURLPath)
                } else if strings.HasPrefix(r.URL.Path, *RefreshURLPath) {
                        path = strings.TrimPrefix(r.URL.Path, *RefreshURLPath)
                        autorefresh = true
                if strings.HasPrefix(r.URL.Path, *NoRefreshURLPath) {
                        path = strings.TrimPrefix(r.URL.Path, *NoRefreshURLPath)
                } else if strings.HasPrefix(r.URL.Path, *RefreshURLPath) {
                        path = strings.TrimPrefix(r.URL.Path, *RefreshURLPath)
                        autorefresh = true
-               } else if strings.HasPrefix(r.URL.Path, *GPGUpdateURLPath) {
-                       path = strings.TrimPrefix(r.URL.Path, *GPGUpdateURLPath)
-                       autorefresh = true
-                       gpgUpdate = true
                } else {
                        http.Error(w, "unknown action", http.StatusBadRequest)
                        return
                } else {
                        http.Error(w, "unknown action", http.StatusBadRequest)
                        return
@@ -118,7 +112,7 @@ func handler(w http.ResponseWriter, r *http.Request) {
                        if parts[0] == "" {
                                listRoot(w, r)
                        } else {
                        if parts[0] == "" {
                                listRoot(w, r)
                        } else {
-                               serveListDir(w, r, parts[0], autorefresh, gpgUpdate)
+                               serveListDir(w, r, parts[0], autorefresh)
                        }
                } else {
                        servePkg(w, r, parts[0], parts[1])
                        }
                } else {
                        servePkg(w, r, parts[0], parts[1])
@@ -252,9 +246,6 @@ func main() {
        http.HandleFunc(*JSONURLPath, serveJSON)
        http.HandleFunc(*NoRefreshURLPath, handler)
        http.HandleFunc(*RefreshURLPath, handler)
        http.HandleFunc(*JSONURLPath, serveJSON)
        http.HandleFunc(*NoRefreshURLPath, handler)
        http.HandleFunc(*RefreshURLPath, handler)
-       if *GPGUpdateURLPath != "" {
-               http.HandleFunc(*GPGUpdateURLPath, handler)
-       }
 
        if *DoUCSPI {
                server.SetKeepAlivesEnabled(false)
 
        if *DoUCSPI {
                server.SetKeepAlivesEnabled(false)
index 4179953179f7e703290409b69d8b6db349d9971f..78a8ca4b3c4de6cd2bbe647c9d2ae81968ff2f68 100644 (file)
@@ -46,7 +46,6 @@ const (
        HashAlgoBLAKE2b256 = "blake2_256"
        HashAlgoSHA512     = "sha512"
        HashAlgoMD5        = "md5"
        HashAlgoBLAKE2b256 = "blake2_256"
        HashAlgoSHA512     = "sha512"
        HashAlgoMD5        = "md5"
-       GPGSigExt          = ".asc"
        InternalFlag       = ".internal"
 )
 
        InternalFlag       = ".internal"
 )
 
@@ -88,7 +87,6 @@ func refreshDir(
        w http.ResponseWriter,
        r *http.Request,
        pkgName, filenameGet string,
        w http.ResponseWriter,
        r *http.Request,
        pkgName, filenameGet string,
-       gpgUpdate bool,
 ) bool {
        if _, err := os.Stat(filepath.Join(Root, pkgName, InternalFlag)); err == nil {
                return true
 ) bool {
        if _, err := os.Stat(filepath.Join(Root, pkgName, InternalFlag)); err == nil {
                return true
@@ -521,43 +519,6 @@ func refreshDir(
                        }
                }
 
                        }
                }
 
-               if filename == filenameGet || gpgUpdate {
-                       resp, err := c.Do(agentedReq(uri + GPGSigExt))
-                       if err != nil {
-                               goto GPGSigSkip
-                       }
-                       if resp.StatusCode != http.StatusOK {
-                               resp.Body.Close()
-                               goto GPGSigSkip
-                       }
-                       sig, err := io.ReadAll(resp.Body)
-                       resp.Body.Close()
-                       if err != nil {
-                               goto GPGSigSkip
-                       }
-                       if !bytes.HasPrefix(sig, []byte("-----BEGIN PGP SIGNATURE-----")) {
-                               log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "non PGP")
-                               goto GPGSigSkip
-                       }
-                       if err = WriteFileSync(dirPath, path+GPGSigExt, sig, mtime); err != nil {
-                               log.Println("error", r.RemoteAddr, "pypi", filename+GPGSigExt, err)
-                               http.Error(w, err.Error(), http.StatusInternalServerError)
-                               return false
-                       }
-                       log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "downloaded")
-               }
-               if mtimeExists {
-                       stat, err := os.Stat(path + GPGSigExt)
-                       if err == nil && !stat.ModTime().Truncate(time.Second).Equal(mtime) {
-                               log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "touch")
-                               if err = os.Chtimes(path+GPGSigExt, mtime, mtime); err != nil {
-                                       log.Println("error", r.RemoteAddr, "pypi", filename, err)
-                                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                               }
-                       }
-               }
-
-       GPGSigSkip:
                if digest == nil {
                        continue
                }
                if digest == nil {
                        continue
                }
index 3765c56cacb4108d0bfa5697f5372c1c3d8f6272..a0068db483d95556268566e1256c4234ab24113c 100644 (file)
--- a/upload.go
+++ b/upload.go
@@ -67,7 +67,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
        }
        pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
        dirPath := filepath.Join(Root, pkgName)
        }
        pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
        dirPath := filepath.Join(Root, pkgName)
-       gpgSigsExpected := make(map[string]struct{})
        now := time.Now().UTC()
 
        var digestSHA256Expected []byte
        now := time.Now().UTC()
 
        var digestSHA256Expected []byte
@@ -96,7 +95,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 
        for _, file := range r.MultipartForm.File["content"] {
                filename := file.Filename
 
        for _, file := range r.MultipartForm.File["content"] {
                filename := file.Filename
-               gpgSigsExpected[filename+GPGSigExt] = struct{}{}
                log.Println(r.RemoteAddr, "put", filename, "by", username)
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
                log.Println(r.RemoteAddr, "put", filename, "by", username)
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
@@ -193,40 +191,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                        return
                }
        }
                        return
                }
        }
-       for _, file := range r.MultipartForm.File["gpg_signature"] {
-               filename := file.Filename
-               if _, exists := gpgSigsExpected[filename]; !exists {
-                       log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
-                       http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
-                       return
-               }
-               delete(gpgSigsExpected, filename)
-               log.Println(r.RemoteAddr, "put", filename, "by", username)
-               path := filepath.Join(dirPath, filename)
-               if _, err = os.Stat(path); err == nil {
-                       log.Println(r.RemoteAddr, filename, "already exists")
-                       http.Error(w, "already exists", http.StatusBadRequest)
-                       return
-               }
-               src, err := file.Open()
-               if err != nil {
-                       log.Println("error", r.RemoteAddr, filename, err)
-                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                       return
-               }
-               sig, err := io.ReadAll(src)
-               src.Close()
-               if err != nil {
-                       log.Println("error", r.RemoteAddr, filename, err)
-                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                       return
-               }
-               if err = WriteFileSync(dirPath, path, sig, now); err != nil {
-                       log.Println("error", r.RemoteAddr, path, err)
-                       http.Error(w, err.Error(), http.StatusInternalServerError)
-                       return
-               }
-       }
 
        var buf bytes.Buffer
        wr := recfile.NewWriter(&buf)
 
        var buf bytes.Buffer
        wr := recfile.NewWriter(&buf)
index c47f99b5a7af59185b31090b0bc1a8264aab5960..351a2b73a8127df7f8a146e416d04aa22d7a188a 100644 (file)
--- a/usage.go
+++ b/usage.go
@@ -27,7 +27,6 @@ const (
        DefaultMaxClients       = 128
        DefaultNoRefreshURLPath = "/norefresh/"
        DefaultRefreshURLPath   = "/simple/"
        DefaultMaxClients       = 128
        DefaultNoRefreshURLPath = "/norefresh/"
        DefaultRefreshURLPath   = "/simple/"
-       DefaultGPGUpdateURLPath = "/gpgupdate/"
        DefaultJSONURLPath      = "/pypi/"
        DefaultPyPIURL          = "https://pypi.org/simple/"
        DefaultJSONURL          = "https://pypi.org/pypi/"
        DefaultJSONURLPath      = "/pypi/"
        DefaultPyPIURL          = "https://pypi.org/simple/"
        DefaultJSONURL          = "https://pypi.org/pypi/"
@@ -60,7 +59,6 @@ TLS enabling options:
 HTTP endpoints:
   -norefresh URLPATH -- Non-refreshing Simple API path (default: %s)
   -refresh URLPATH   -- Auto-refreshing Simple API path (default: %s)
 HTTP endpoints:
   -norefresh URLPATH -- Non-refreshing Simple API path (default: %s)
   -refresh URLPATH   -- Auto-refreshing Simple API path (default: %s)
-  -gpgupdate URLPATH -- GPG forceful refreshing path (default: %s)
   -json URLPATH      -- JSON API path (default: %s)
 
 Upstream PyPI:
   -json URLPATH      -- JSON API path (default: %s)
 
 Upstream PyPI:
@@ -86,7 +84,6 @@ GOCHEESE_NO_SYNC=1 environment variable disable filesystem fsyncs.
                DefaultMaxClients,
                DefaultNoRefreshURLPath,
                DefaultRefreshURLPath,
                DefaultMaxClients,
                DefaultNoRefreshURLPath,
                DefaultRefreshURLPath,
-               DefaultGPGUpdateURLPath,
                DefaultJSONURLPath,
                DefaultPyPIURL,
                DefaultJSONURLPath,
                DefaultJSONURLPath,
                DefaultPyPIURL,
                DefaultJSONURLPath,