From: Sergey Matveev Date: Sat, 3 Jun 2023 15:45:54 +0000 (+0300) Subject: Drop PGP signatures support X-Git-Tag: v4.0.0~2 X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=commitdiff_plain;h=09804703f3aa97a1a903f6bda2384cd64a2dbe85 Drop PGP signatures support As it did Warehouse and PyPI. --- diff --git a/contrib/pyshop2packages.sh b/contrib/pyshop2packages.sh index d007a3f..6e3938f 100755 --- a/contrib/pyshop2packages.sh +++ b/contrib/pyshop2packages.sh @@ -56,8 +56,8 @@ done cd packages for pkg in * ; do # Assume running: - # GOCHEESE_NO_SYNC=1 gocheese -bind "[::1]:8080" -gpgupdate /gpgupdate/ - curl http://localhost:8080/gpgupdate/$pkg/ > /dev/null + # GOCHEESE_NO_SYNC=1 gocheese -bind "[::1]:8080" -refresh /simple/ + curl http://localhost:8080/simple/$pkg/ > /dev/null done ######################################################################## diff --git a/doc/index.texi b/doc/index.texi index c314649..36a657b 100644 --- a/doc/index.texi +++ b/doc/index.texi @@ -53,7 +53,7 @@ upstream PyPI installation. @item Supports uploading of internal packages through the standard Warehouse API, including signatures, metadata and checksums. -@item Supports @url{https://pythonwheels.com/, wheels}, GPG signatures, +@item Supports @url{https://pythonwheels.com/, wheels}, @url{https://packaging.python.org/specifications/core-metadata/, Metadata} with @url{https://www.python.org/dev/peps/pep-0566/, PEP-0566} compatible conversion to JSON, multiple (MD5, SHA256, SHA512, BLAKE2b-256) integrity diff --git a/doc/proxy.texi b/doc/proxy.texi index ef8d30e..48e10ed 100644 --- a/doc/proxy.texi +++ b/doc/proxy.texi 
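Review bot: The `curl` call in the `for pkg in *` loop discards the response body and sets no failure flag, so a package whose refresh answers with an HTTP error is skipped without any sign in the migration output. `$pkg` is also expanded unquoted inside the URL. I would write the line as `curl -fsS "http://localhost:8080/simple/$pkg/" > /dev/null`, so a failed refresh prints an error and returns a non-zero status.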
@@ -19,13 +19,6 @@ refresh is needed. Each refresh update the package's metadata (if Same as above, but does not refresh data from the upstream, completely read only mode. -@item @code{/gpgupdate/} (@option{-gpgupdate} option) -Refresh the package state from the upstream as above, but additionally -check and download missing GPG signatures. Intended to be used only -manually, for example after database migration. -It is probably useful to set @env{$GOCHEESE_NO_SYNC=1} environment -variable to turn off filesystem synchronization calls. - @item @code{/pypi/} (@option{-json} option) Read only (non refreshing) JSON API entrypoint, giving metadata for the packages and releases. diff --git a/doc/storage.texi b/doc/storage.texi index 87e4101..573fe8a 100644 --- a/doc/storage.texi +++ b/doc/storage.texi @@ -11,14 +11,12 @@ root | +- public-package-0.1.tar.gz.blake2_256 | +- public-package-0.1.1.tar.gz.blake2_256 | +- public-package-0.2.tar.gz - | +- public-package-0.2.tar.gz.asc | +- public-package-0.2.tar.gz.sha256 | +- public-package-0.2.tar.gz.blake2_256 +-- private-package | +- .internal | +- .metadata.rec | +- private-package-0.1.tar.gz - | +- private-package-0.1.tar.gz.asc | +- private-package-0.1.tar.gz.sha256 | +- private-package-0.1.tar.gz.blake2_256 |... @@ -44,8 +42,7 @@ For example @file{public-package} has @code{0.1} version, downloaded a long time ago with MD5 checksum. @code{0.1.1} version is downloaded more recently with BLAKE2b-256 checksum, also storing that checksum for @code{0.1}. @code{0.2} version is downloaded tarball, having forced -SHA256 and BLAKE2b-256 recalculated checksums. Also upstream has -corresponding @file{.asc} signature file. +SHA256 and BLAKE2b-256 recalculated checksums. @file{private-package} is private package, because it contains @file{.internal} file. It can be uploaded and queries to it are not diff --git a/doc/upload.texi b/doc/upload.texi index 75b9848..7ad23fa 100644 --- a/doc/upload.texi +++ b/doc/upload.texi 
@@ -20,5 +20,4 @@ password: foo All metadata information sent by @command{twine} is stored on the disk. Package creation time will be server's current time. If @command{twine} -send package checksums, then they are checked against. GPG signature -file is also saved. +send package checksums, then they are checked against. diff --git a/go.mod b/go.mod index e049717..dd0f33d 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module go.cypherpunks.ru/gocheese/v3 +module go.cypherpunks.ru/gocheese/v4 go 1.17 diff --git a/list.go b/list.go index 3c05641..3eb0bed 100644 --- a/list.go +++ b/list.go @@ -96,7 +96,6 @@ func (a PkgReleaseInfoByName) Less(i, j int) bool { // Version format is too complicated: https://www.python.org/dev/peps/pep-0386/ // So here is very simple parser working good enough for most packages func filenameToVersion(fn string) string { - fn = strings.TrimSuffix(fn, GPGSigExt) var trimmed string for _, ext := range KnownExts { trimmed = strings.TrimSuffix(fn, ext) @@ -176,10 +175,6 @@ func listDir(pkgName string, doSize bool) (int64, []*PkgReleaseInfo, error) { } delete(files, fnClean) } - if _, exists := files[fnClean+GPGSigExt]; exists { - release.HasSig = true - delete(files, fnClean+GPGSigExt) - } } release.Digests[algo] = hex.EncodeToString(digest) } @@ -204,15 +199,15 @@ func serveListDir( w http.ResponseWriter, r *http.Request, pkgName string, - autorefresh, gpgUpdate bool, + autorefresh bool, ) { dirPath := filepath.Join(Root, pkgName) if autorefresh { - if !refreshDir(w, r, pkgName, "", gpgUpdate) { + if !refreshDir(w, r, pkgName, "") { return } } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && - !refreshDir(w, r, pkgName, "", false) { + !refreshDir(w, r, pkgName, "") { return } serial, releases, err := listDir(pkgName, false) diff --git a/list.tmpl b/list.tmpl index 59b2ed4..a8614b7 100644 --- a/list.tmpl +++ b/list.tmpl @@ -6,8 +6,7 @@ {{$Refresh := .RefreshURLPath}}{{$PkgName := .PkgName}}{{range .Releases}} {{.Filename}}
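Review bot: Stores written by earlier releases still contain `*.asc` files (the old doc/storage.texi layout shows them beside each tarball), and after this change nothing in `filenameToVersion` or `listDir` strips or consumes them. In `listDir` the removed branch was what deleted `fnClean+GPGSigExt` from `files`, so whatever the function does with the entries left in that map, outside this hunk, now sees the stale signature names. If that path turns leftovers into release entries, they would appear in the listing with a wrong version and no digest. Either skip names ending in `.asc` where the directory entries are collected, or state in the v4 upgrade notes that leftover `.asc` files must be deleted from the storage root. Both function bodies continue outside the hunks shown.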
+ #{{range $a, $d := .Digests}}{{$a}}={{$d}}{{end -}}">{{.Filename}}
{{- end}} diff --git a/main.go b/main.go index b2d3250..89aa5a6 100644 --- a/main.go +++ b/main.go @@ -44,7 +44,7 @@ import ( ) const ( - Version = "3.7.1" + Version = "4.0.0" UserAgent = "GoCheese/" + Version ) @@ -59,7 +59,6 @@ var ( NoRefreshURLPath = flag.String("norefresh", DefaultNoRefreshURLPath, "") RefreshURLPath = flag.String("refresh", DefaultRefreshURLPath, "") - GPGUpdateURLPath = flag.String("gpgupdate", DefaultGPGUpdateURLPath, "") JSONURLPath = flag.String("json", DefaultJSONURLPath, "") PyPIURL = flag.String("pypi", DefaultPyPIURL, "") @@ -82,7 +81,7 @@ func servePkg(w http.ResponseWriter, r *http.Request, pkgName, filename string) log.Println(r.RemoteAddr, "get", filename) path := filepath.Join(Root, pkgName, filename) if _, err := os.Stat(path); os.IsNotExist(err) { - if !refreshDir(w, r, pkgName, filename, false) { + if !refreshDir(w, r, pkgName, filename) { return } } @@ -95,16 +94,11 @@ func handler(w http.ResponseWriter, r *http.Request) { case "GET": var path string var autorefresh bool - var gpgUpdate bool if strings.HasPrefix(r.URL.Path, *NoRefreshURLPath) { path = strings.TrimPrefix(r.URL.Path, *NoRefreshURLPath) } else if strings.HasPrefix(r.URL.Path, *RefreshURLPath) { path = strings.TrimPrefix(r.URL.Path, *RefreshURLPath) autorefresh = true - } else if strings.HasPrefix(r.URL.Path, *GPGUpdateURLPath) { - path = strings.TrimPrefix(r.URL.Path, *GPGUpdateURLPath) - autorefresh = true - gpgUpdate = true } else { http.Error(w, "unknown action", http.StatusBadRequest) return @@ -118,7 +112,7 @@ func handler(w http.ResponseWriter, r *http.Request) { if parts[0] == "" { listRoot(w, r) } else { - serveListDir(w, r, parts[0], autorefresh, gpgUpdate) + serveListDir(w, r, parts[0], autorefresh) } } else { servePkg(w, r, parts[0], parts[1]) 
@@ -252,9 +246,6 @@ func main() { http.HandleFunc(*JSONURLPath, serveJSON) http.HandleFunc(*NoRefreshURLPath, handler) http.HandleFunc(*RefreshURLPath, handler) - if *GPGUpdateURLPath != "" { - http.HandleFunc(*GPGUpdateURLPath, handler) - } if *DoUCSPI { server.SetKeepAlivesEnabled(false) diff --git a/refresh.go b/refresh.go index 4179953..78a8ca4 100644 --- a/refresh.go +++ b/refresh.go @@ -46,7 +46,6 @@ const ( HashAlgoBLAKE2b256 = "blake2_256" HashAlgoSHA512 = "sha512" HashAlgoMD5 = "md5" - GPGSigExt = ".asc" InternalFlag = ".internal" ) @@ -88,7 +87,6 @@ func refreshDir( w http.ResponseWriter, r *http.Request, pkgName, filenameGet string, - gpgUpdate bool, ) bool { if _, err := os.Stat(filepath.Join(Root, pkgName, InternalFlag)); err == nil { return true 
@@ -521,43 +519,6 @@ func refreshDir( } } - if filename == filenameGet || gpgUpdate { - resp, err := c.Do(agentedReq(uri + GPGSigExt)) - if err != nil { - goto GPGSigSkip - } - if resp.StatusCode != http.StatusOK { - resp.Body.Close() - goto GPGSigSkip - } - sig, err := io.ReadAll(resp.Body) - resp.Body.Close() - if err != nil { - goto GPGSigSkip - } - if !bytes.HasPrefix(sig, []byte("-----BEGIN PGP SIGNATURE-----")) { - log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "non PGP") - goto GPGSigSkip - } - if err = WriteFileSync(dirPath, path+GPGSigExt, sig, mtime); err != nil { - log.Println("error", r.RemoteAddr, "pypi", filename+GPGSigExt, err) - http.Error(w, err.Error(), http.StatusInternalServerError) - return false - } - log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "downloaded") - } - if mtimeExists { - stat, err := os.Stat(path + GPGSigExt) - if err == nil && !stat.ModTime().Truncate(time.Second).Equal(mtime) { - log.Println(r.RemoteAddr, "pypi", filename+GPGSigExt, "touch") - if err = os.Chtimes(path+GPGSigExt, mtime, mtime); err != nil { - log.Println("error", r.RemoteAddr, "pypi", filename, err) - http.Error(w, err.Error(), http.StatusInternalServerError) - } - } - } - - GPGSigSkip: if digest == nil { continue } diff --git a/upload.go b/upload.go index 3765c56..a0068db 100644 --- a/upload.go +++ b/upload.go @@ -67,7 +67,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { } pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-")) dirPath := filepath.Join(Root, pkgName) - gpgSigsExpected := make(map[string]struct{}) now := time.Now().UTC() var digestSHA256Expected []byte 
@@ -96,7 +95,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { for _, file := range r.MultipartForm.File["content"] { filename := file.Filename - gpgSigsExpected[filename+GPGSigExt] = struct{}{} log.Println(r.RemoteAddr, "put", filename, "by", username) path := filepath.Join(dirPath, filename) if _, err = os.Stat(path); err == nil { @@ -193,40 +191,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { return } } - for _, file := range r.MultipartForm.File["gpg_signature"] { - filename := file.Filename - if _, exists := gpgSigsExpected[filename]; !exists { - log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename") - http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest) - return - } - delete(gpgSigsExpected, filename) - log.Println(r.RemoteAddr, "put", filename, "by", username) - path := filepath.Join(dirPath, filename) - if _, err = os.Stat(path); err == nil { - log.Println(r.RemoteAddr, filename, "already exists") - http.Error(w, "already exists", http.StatusBadRequest) - return - } - src, err := file.Open() - if err != nil { - log.Println("error", r.RemoteAddr, filename, err) - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - sig, err := io.ReadAll(src) - src.Close() - if err != nil { - log.Println("error", r.RemoteAddr, filename, err) - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - if err = WriteFileSync(dirPath, path, sig, now); err != nil { - log.Println("error", r.RemoteAddr, path, err) - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - } var buf bytes.Buffer wr := recfile.NewWriter(&buf) diff --git a/usage.go b/usage.go index c47f99b..351a2b7 100644 --- a/usage.go +++ b/usage.go 
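Review bot: With the `gpg_signature` loop removed from `serveUpload`, an upload that still carries that form part is accepted and the signature is dropped without a trace. One log line before the metadata is written, such as `if len(r.MultipartForm.File["gpg_signature"]) > 0 { log.Println(r.RemoteAddr, "gpg_signature ignored") }`, would show an operator that uploaders still expect signatures to be kept. The unchanged context in doc/index.texi also still says uploads work "including signatures", which no longer matches this code. `serveUpload` starts and ends outside the hunk.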
@@ -27,7 +27,6 @@ const ( DefaultMaxClients = 128 DefaultNoRefreshURLPath = "/norefresh/" DefaultRefreshURLPath = "/simple/" - DefaultGPGUpdateURLPath = "/gpgupdate/" DefaultJSONURLPath = "/pypi/" DefaultPyPIURL = "https://pypi.org/simple/" DefaultJSONURL = "https://pypi.org/pypi/" @@ -60,7 +59,6 @@ TLS enabling options: HTTP endpoints: -norefresh URLPATH -- Non-refreshing Simple API path (default: %s) -refresh URLPATH -- Auto-refreshing Simple API path (default: %s) - -gpgupdate URLPATH -- GPG forceful refreshing path (default: %s) -json URLPATH -- JSON API path (default: %s) Upstream PyPI: @@ -86,7 +84,6 @@ GOCHEESE_NO_SYNC=1 environment variable disable filesystem fsyncs. DefaultMaxClients, DefaultNoRefreshURLPath, DefaultRefreshURLPath, - DefaultGPGUpdateURLPath, DefaultJSONURLPath, DefaultPyPIURL, DefaultJSONURLPath,
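Review bot: The argument list that fills the usage text passes `DefaultJSONURLPath` twice, the second time right after `DefaultPyPIURL`, where the upstream JSON URL default would be expected. `DefaultJSONURL` is declared in the const block of the first hunk but does not appear in the visible arguments. The format string is only partly visible here, but if its next `%s` belongs to the upstream JSON option, the help prints `/pypi/` instead of `https://pypi.org/pypi/`, and the last visible argument should read `DefaultJSONURL,`. The removal itself keeps verbs and arguments paired, since one `%s` line and one argument are dropped together. The argument list continues outside the hunk.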