Either the debian branch is not updated, or the Vcs-Git entry in debian/control needs the "-b debian" part removed.

Topic: Explore the possibility of replacing current /sources used by the transport into /source and /binary in order to distinguish between source package name and produced binary package names. It would have the advantage to also be consistent with current Debian snapshot API having start point /mr/package/... (well not source) and /mr/binary/... (see comment #28 (comment)). From the user point of view, it helps in understanding what exactly we are looking for and which (built) package. From rebuilder software point of view, it makes referring/linking produced in-toto metadata to all binary packages.

Original description: I'm trying to understand how originally debian-rebuilder-setup was intended to work. From what I can see, a rebuilder is supposed to POST to visualizer (https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup/-/blob/master/builder/srebuild#L454) an in-toto metadata referenced by part of the name of buildinfo file (https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup/-/blob/master/visualizer/accumulator.py#L69), mostly the source package name right? My question is how is supposed to be referenced for example mypackage-dev or any other packages built from a given sources mypackage.buildinfo?

Description of issue or feature request:

Make it possible to use HTTPS to access the actual apt repository.
Currently enabling intoto is by changing sources.list entry, for example:
from: deb https://deb.debian.org/debian bullseye main
to: deb intoto://deb.debian.org/debian bullseye main

Current behavior:

When enabling intoto this way, deb.debian.org is accessed via HTTP, not HTTPS.

Expected behavior:

A way to specify whether the repository should use HTTP or HTTPS. Maybe "intotos" symlink to "intoto", similar to "https" -> "http" symlink (plus, obviously appropriate handling in intoto.py)?

Description of feature request:
The apt in-toto transport should be configurable via an apt configuration file (see apt.conf(5)) in a suitably named file that remains in /etc/apt/apt.conf.d/, e.g. /etc/apt/apt.conf.d/intoto.

Current behavior:
In the general message flow between apt and an apt transport, apt responds to the first message from the transport (i.e. 100 Capabilities) with a 601 Configuration message containing all the individual Config-Item's read from apt configuration files (see above) on separate lines.

601 Configuration
Config-Item: APT::Architecture=amd64
Config-Item: APT::Build-Essential::=build-essential
... [further config items]

Which, when parsed using the in-toto deserialize_one function, looks like:

{
'info': 'Configuration', 
'fields': [
  ('Config-Item', 'APT::Architecture=amd64'), 
  ('Config-Item', 'APT::Build-Essential::=build-essential'), 
  ...], 
'code': 601
}

Expected behavior:
We need to define required (and optional) configuration parameters in order to perform in-toto verification. Any related configuration parameter may be prefixed with APT::intoto::. Note that parameters don't need to have unique names (or values). At least the following information should be configurable:

• URIs of available rebuilders
• Location of local root layout
• Keyids of root layout gpg keys, which must be present in a local keychain
• A path to a non-default gpg keychain, to load root layout public keys from (optional)

These parameters may be parsed and used in a suitable manner during the apt <-> transport message flow (see comments in the intoto.handle function for more details).

Description of issue or feature request:
The signature for /data/root.layout has expired:

"expires": "2021-01-06T18:30:57Z",

I have not checked much further, but i expect this means apt-transport-in-toto will now fail to do anything useful, as it can't trust its root layout.

Current behaviour:
Untested, but probably prevents apt-transport-in-tot from doing its job.

Expected behaviour:
The root.layout file should have a signature which has an expiry date in the future.

Description of issue or feature request:
The default apt configuration file (installed at /etc/apt/apt.conf.d/intoto) uses two rebuilders:

  Rebuilders {
    "http://158.39.77.214";
    "https://reproducible-builds.engineering.nyu.edu";
  };

One of these two rebuilders, https://reproducible-builds.engineering.nyu.edu/, appears to be offline.

Current behaviour:
/etc/apt/apt.conf.d/intoto should points to an offline rebuilder, leaving only one rebuilder to compare with, which a very small set.

Expected behaviour:
/etc/apt/apt.conf.d/intoto should point to active rebuilders, and have more than 1.

Small extra note
I believe it's customary to add a priority number on an apt.conf.d file, to provide apt information as to when to run / how important a configuration file is. Currently, the in-toto apt.conf.d file is just named /etc/apt.conf.d/intoto which isn't ideal.

I fill this issue as a TODO. When fetching in-toto metadata of a unreproducible package, the APT output looks not very user friendly:

$ apt reinstall bash
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  bash-doc
The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 620 not upgraded.
Need to get 1,417 kB of archives.
After this operation, 1,024 B of additional disk space will be used.
Get:1 intoto://ftp.fr.debian.org/debian bullseye/main amd64 bash amd64 5.1-2+b1 [1,417 kB]
80% [1 bash 1,417 kB]Prepare in-toto verification for '/var/cache/apt/archives/partial/bash_5.1-2+b1_amd64.deb'
Create verification directory '/tmp/tmpcdvpjfuz'
Request in-toto metadata from 2 rebuilder(s) (apt config)
Request in-toto metadata from https://debian.notset.fr/rebuild/sources/bash/5.1-2+b1/metadata
Successfully downloaded in-toto metadata 'rebuild.8deb0bef.link' from rebuilder 'https://debian.notset.fr/rebuild/'
Request in-toto metadata from https://qubes.notset.fr/rebuild/deb/r4.1/vm/sources/bash/5.1-2+b1/metadata
Could not retrieve in-toto metadata from rebuilder 'https://qubes.notset.fr/rebuild/deb/r4.1/vm/', reason was: server response: 404
Copy final product to verification directory
Load in-toto layout '/var/lib/intoto/root.layout' (apt config)
Load in-toto layout key(s) '['9fa64b92f95e706bf28e2ca6484010b5cdc576e2']' (apt config)
Use gpg keyring '/var/lib/intoto/gnupg' (apt config)
Run in-toto verification
In-toto verification for '/var/cache/apt/archives/partial/bash_5.1-2+b1_amd64.deb' failed, reason was: 'DISALLOW *.deb' matched the following artifacts: ['bash_5.1-2+b1_amd64.deb']
Full trace for 'expected_materials' of item 'verify-reprobuilds':
Available materials (used for queue):
['bash_5.1-2+b1_amd64.deb']
Available products:
['bash_5.1-2+b1_amd64.deb']
Queue after 'MATCH *.deb WITH PRODUCTS FROM rebuild':
['bash_5.1-2+b1_amd64.deb']

Err:1 intoto://ftp.fr.debian.org/debian bullseye/main amd64 bash amd64 5.1-2+b1
  In-toto verification for '/var/cache/apt/archives/partial/bash_5.1-2+b1_amd64.deb' failed, reason was: 'DISALLOW *.deb' matched the following artifacts: ['bash_5.1-2+b1_amd64.deb']\nFull trace for 'expected_materials' of item 'verify-reprobuilds':\nAvailable materials (used for queue):\n['bash_5.1-2+b1_amd64.deb']\nAvailable products:\n['bash_5.1-2+b1_amd64.deb']\nQueue after 'MATCH *.deb WITH PRODUCTS FROM rebuild':\n['bash_5.1-2+b1_amd64.deb']\n
E: Failed to fetch intoto://ftp.fr.debian.org/debian/pool/main/b/bash/bash_5.1-2+b1_amd64.deb  In-toto verification for '/var/cache/apt/archives/partial/bash_5.1-2+b1_amd64.deb' failed, reason was: 'DISALLOW *.deb' matched the following artifacts: ['bash_5.1-2+b1_amd64.deb']\nFull trace for 'expected_materials' of item 'verify-reprobuilds':\nAvailable materials (used for queue):\n['bash_5.1-2+b1_amd64.deb']\nAvailable products:\n['bash_5.1-2+b1_amd64.deb']\nQueue after 'MATCH *.deb WITH PRODUCTS FROM rebuild':\n['bash_5.1-2+b1_amd64.deb']\n
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

The configuration and root.layout used can be found in https://github.com/fepitre/package-rebuilder#configure-apt-transport-in-toto. For this package bash the corresponding rebuild log shows that checksums comparison failed with the original. The produced metadata can be found in https://debian.notset.fr/rebuild/sources/bash/5.1-2%2Bb1/.

We would need to figure out the best way to present failing in-toto test with respect to a fail because of no metadata at all like e.g.:

In-toto verification for '/var/cache/apt/archives/partial/mc_3%3a4.8.26-1_amd64.deb' failed, reason was: Step 'rebuild' requires '1' link metadata file(s), found '0'.

Unrelated remark: we have made a policy choice to not fail on checksums verification because that would help user to identify a package being unreproducible/having possibly an issue.

in-toto reproducible builds resources

• reproducible-builds.engineering.nyu.edu rebuilder for debian packages, creating in-toto link metadata
• debian-rebuilder-setup source code for rebuilder
• buildinfo.debian.net hosts buildinfo files for debian packages
• lamby/buildinfo.debian.net#54 "implements an endpoint returning a list of buildinfo files since a given date given in Unix time."
• buildinfo.nyu.wtf mirror of buildinfo.debian.net including above PR

apt resources

• Debian package management
• Debian builtin transport methods (source)

apt transports resources

• APT method interface for building transports
• lucidsoftware/apt-boto-s3 "The fast and simple S3 transport for apt. Access S3-hosted apt repositories via the AWS APIs."
• APT transport for S3 Blogpost from apt-boto-s3 author

Description of issue or feature request:
Successful in-toto verification and thus package installation using apt and the intoto transport depends on a configured threshold of rebuilders providing valid in-toto link metadata that attests for the reproducibility of the package to be installed, as well as for its dependencies.

As of today there are two publicly accessible rebuilders that provide such link metadata for small and mostly different subsets of all debian packages [1], [2].

As a consequence it is not possible at the moment to install a debian package when using the intoto transport. For a slow roll-out, the client should be able to use the intoto transport with a nofail policy.

That policy should then be updated to a more restrictive policy, once there is broader support for rebuilder link metadata.

[1] https://reproducible-builds.engineering.nyu.edu/sources
[2] http://158.39.77.214/sources

Current behavior:
Installation fails if in-toto verification for a package to be installed, or for any of its dependencies, fails, e.g. if not enough link metadata can be found.

Expected behavior:
Allow the client to configure a "nofail" option, to install packages even if in-toto verification fails. For the foreseeable future this configuration might also be a default.

"nofail" may be applicable to certain in-toto verification failure reasons only. To address above issue, I suggest to only not fail on LinkNotFoundError if the "nofail" option is set.

Description of issue or feature request:
Add setup for automated testing of offline tests (see #9)

Current behavior:
No automated testing

Expected behavior:
Configure tox, coverage, pylint, Travis CI and coveralls.io

While I appreciate the honorable mention, it appears that I'm still listed in debian/control Uploaders field, despite debian/changelog mentioning removing me from Uploaders. Appears to be the same in both the "develop" and "debian" branches.

Unfortunately I haven't had much chance to help with apt-transport-in-toto, so probably worth making Uploaders reflect that actuality.

Thanks for apt-transport-in-toto, maybe someday I'll be able to contribute more meaningfully. :)

live well,
vagrant

The following files must be available on a client that uses the in-toto apt transport:

Layout
An example layout can be found in tests/data/root.layout it has one step, i.e. rebuild. That step's pubkeys field lists the authorized rebuilders' signing keyids, and the threshold field specifies the number of authorized rebuilders required to provide signed link metadata for rebuilding. An example rebuild link metadata file can be found in tests/data/rebuild.5863835e.link.

In addition the layout defines one dummy inspection, to associate the package to be installed with the product hash of the rebuild step (see in-toto/specification#27 for a discussion about dummy inspections).

Layout key
The layout's signing key(s) are the root of trust and the in-toto apt transport requires the corresponding public key(s) to be available in a local gpg keyring on the client.

NOTE: Above test layout is signed with a test private key that is publicly available in this repo tests/gpg_keyring and thus not secret.

Configuration file
An example layout can be found in apt.conf.d/intoto. It contains the following parameters:

• Rebuilders Location of remote rebuilders
• Layout Location of local root layout
• Keyids Keyid(s) of layout public keys
• LogLevel (optional) Configures verbosity of in-toto apt transport
• GPGHomedir (optional) Path to non-default gpg keyring
• Nofail (see #12)

Questions for discussion

• Is it okay to have one layout for all packages? And is above layout suited?
• Who should sign the layout?
• How does the user get/update a layout?
• When should the layout expire?
• How does the client get the layout signing public keys (root of trust)?
• What parts of the layout can the client override?
  • Authorized rebuilders?
  • Rebuilder threshold?
• How should the client override the layout?
  • By signing the layout with a key known to the client?
  • Using layout parameter substitution?

Description of issue or feature request:
Update README to fit current state of code and enhance installation and usage instructions.
Address this issue in accordance with #13, #12 and #11.

Current behavior:
REAMDE is outdated and insufficient.

Expected behavior:
Updated and enhanced README.

Description of issue or feature request:
deserialize_one attempts to parse the Message: field in the test suite in develop during test_bad_target and fails to do so. Should be easy to replicate with tox -e py37

Current behavior:

message_str

Message: In-toto verification for '/home/fox/Git/prosjekter/master/apt-transport-in-toto/tests/data/bad/final-product_0.0.0.0-0_all.deb' failed, reason was: 'DISALLOW *.deb' matched the following artifacts: ['final-product_0.0.0.0-0_all.deb']
Full trace for 'expected_materials' of item 'verify-reprobuilds':
Available materials (used for queue):
['final-product_0.0.0.0-0_all.deb']
Available products:
['final-product_0.0.0.0-0_all.deb']
Queue after 'MATCH *.deb WITH PRODUCTS FROM rebuild':
['final-product_0.0.0.0-0_all.deb']

We are failing the check in the loop as the .splitlines() will provide lines with only one string.

    if len(header_field_parts) < 2:
      raise Exception("Invalid header field: {}, message was:\n{}"
          .format(line, message_str))

Traceback:

Traceback (most recent call last):
  File "/home/fox/Git/prosjekter/master/apt-transport-in-toto/tests/test_intoto.py", line 215, in test_bad_target
    acquire_args={"filename": FINAL_PRODUCT_PATH_BAD})
  File "/home/fox/Git/prosjekter/master/apt-transport-in-toto/tests/test_intoto.py", line 148, in mock_apt
    return intoto.deserialize_one(intoto.read_one(intoto_proc.stdout))
  File "/home/fox/Git/prosjekter/master/apt-transport-in-toto/intoto.py", line 334, in deserialize_one
    .format(line, message_str))
Exception: Invalid header field: ['final-product_0.0.0.0-0_all.deb'], message was:
400 URI Failure
Message: In-toto verification for '/home/fox/Git/prosjekter/master/apt-transport-in-toto/tests/data/bad/final-product_0.0.0.0-0_all.deb' failed, reason was: 'DISALLOW *.deb' matched the following artifacts: ['final-product_0.0.0.0-0_all.deb']
Full trace for 'expected_materials' of item 'verify-reprobuilds':
Available materials (used for queue):
['final-product_0.0.0.0-0_all.deb']
Available products:
['final-product_0.0.0.0-0_all.deb']
Queue after 'MATCH *.deb WITH PRODUCTS FROM rebuild':
['final-product_0.0.0.0-0_all.deb']

Expected behavior:
I'm a little bit unsure if the error is that we are unable to parse Message: or if the fact that we have in-toto failure messages in Message:.

Description of issue or feature request:
Restructure existing online and offline tests and add more comprehensive test scenarios that may be used for both.

Current behavior:
Currently there are two ways of testing the apt transport:

1. Online test using real remote rebuilders and real debian apt and apt http transport (see tests/Dockerfile)
2. Offline test that mocks rebuilders, apt and apt http transport (see tests/test_intoto.py)

Each currently performs one specific scenario of package installation using apt, which triggers in-toto verification with the proposed intoto transport.

Expected behavior:

• Add more comprehensive test cases, i.e. passing/failing in-toto verification (with different combinations of configuration values).

• Adapt online and (above all) offline test setup so that both can run the same test cases.

Description of issue or feature request:
The intoto transport should be installable as debian package eventually, e.g. apt-get install apt-transport-intoto should make intoto.py available as executable in /usr/lib/apt/methods/intoto, and also install required metadata (default layout, layout key and configuration) to the right locations.

Note: The intoto transport depends on the in-toto package, which itself depends on the securesystemslib package, both of which are not yet available as debian packages. Ideally, these dependencies may also be installed as debian packages.

Current behavior:
No installation setup.

Expected behavior:
Provide installation setup.

Description of issue or feature request:

During installation a default layout (data/root.layout) and config file (data/intoto.conf) are copied to the system.

The layout defines generic supply chain policies, i.e. any package must be rebuilt by n rebuilders, and the corresponding attestations must be signed with the keys authorized by the layout.

As root of trust for the supply chain verification, the layout itself must be signed by at least one key, which is available in the system key chain and the corresponding keyid(s) must be defined in the config file.

See #13 for more details.

Current behavior:
Default layout is not signed and default config authorizes a dummy keyid. As a consequence, in-toto verification performed by the transport will immediately fail, because the first step in the verification routine is checking the layout signature(s).

Note: regardless of the default layout, users can aways change the layout locally, sign it with their own key and specify the keyid in the config file accordingly.

Expected behavior:
Default layout is signed by at least one Debian maintainer and the corresponding keyid(s) are listed in the config file.

Description of issue or feature request:
Modify all Python scripts of this repo intoto.py (transport) and test_intoto.py and serve_metadata.py (tests) to support Python in version 2 and 3.

FWIW, the intoto transport will usally be started from apt as executable, i.e. ./intoto, hence the Python interpreter specified in the first line (shebang) will be used. Since we don't specify an explicit version (see #!/usr/bin/env python) this will resolve to the default system Python, which, unless modified by the user, is Python2 (see Debian Python packaging manuals).

Current behavior:
Only supports Python2

Expected behavior:
From a quick check (using 2to3) the following packages have different names in Python2/Python3: Queue/queue, SocketServer/socketserver, SimpleHTTPServer/http.server, subprocess32 (requires external package)/subprocess.

Additionally, there is one call to dict.keys(), whose return value needs an explicit cast to list in Python3.