Goal

Last time I changed things so that the chunk store can handle all kinds of chunks. Today I'll build on that to implement a command to create an OpenPGP software key credential.

Plan

  • Implement the obnam credential openpgp-soft command. It can assume an existing OpenPGP key.

Notes

Preliminary

  • Since last time I've cheated and added a rudimentary architecture document and fixed some small things found by the new clippy in Rust 1.89. The architecture document is based on my blog posts from last year.
  • Ran make to verify the current code base still builds, is lint free, and tests pass. All good.

Start on obnam credential openpgp-soft

  • Added a placeholder for the new subcommand. Just boilerplate.
  • Creating a credential chunk and adding it to the store was easy enough. However, I again did that by copy-pasting code. The code base is in need of tidying up and providing helpers to reduce unnecessary code duplication.
  • I've been copy-pasting because it's been easier until I know what the code needs to do. I don't regret that. Anything to avoid having to think.

Verifying credential creation

  • Now that I (think) I can create credential chunks, how do I verify that they are correct? How do I use them?
  • But first, I made the code to read the client key from a file. obnam already has a global --client-key option. Changed the new code to use that.
  • I'll add a command to list credentials to help with testing.
  • Using that, added a simplistic verification scenario.

Status quo now and thinking about next step

  • I'm explicitly passing the client key, in plaintext, on the command line to create a credential. This is not acceptable, except to test things. The user should not ever be able to know the client key, except maybe for debugging.
  • The client key should be generated during obnam client init. At the moment that gets it from the global --client-key option. To store the client key we need to also create a credential when initializing the store.
  • To do that, we need to have at least one credential specified in the configuration file, and we should create a credential for everything specified there.
  • The credential specification will, basically, tell how to get the things used to encrypt and decrypt the client key for a credential. Something like:
credentials:
  soft1:
    kind: openpgp-soft
    key: |
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        ...
        -----END PGP PRIVATE KEY BLOCK-----
  • That means my next change will be to add credential specification to the configuration file and use those when creating a credential.
  • But I'm not going to have time for that today, and I don't even want to start.
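As an added example of what reading such a credential specification could look like, here is a small Rust validator that is not Obnam's own code. It assumes a hypothetical data model (CredentialSpec, CredentialKind), the kind name openpgp-soft from the command above, and only the YAML subset used in the sketch (two nested mappings plus a `|` literal block); the embedded sample configuration is constructed and its key body is a placeholder, not real key material. It enforces the two checks mentioned in the plan, that at least one credential is configured and that every kind is known, and it redacts the key in Debug output so a stray log line does not leak it.

```rust
// Added example, not Obnam's code. Hypothetical data model and a parser for
// the YAML subset in the sketch above (mapping -> mapping -> scalar or `|`).
use std::collections::BTreeMap;
use std::fmt;

#[derive(Debug, PartialEq, Clone)]
pub enum CredentialKind {
    OpenPgpSoft, // "openpgp-soft": an OpenPGP software key
}

#[derive(PartialEq, Clone)]
pub struct CredentialSpec {
    pub name: String,
    pub kind: CredentialKind,
    pub key: String, // ASCII-armored OpenPGP private key block
}

// Never print the private key, even in debug output.
impl fmt::Debug for CredentialSpec {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("CredentialSpec")
            .field("name", &self.name)
            .field("kind", &self.kind)
            .field("key", &"<redacted>")
            .finish()
    }
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    NoCredentials,
    UnknownKind(String, String),
    MissingField(String, &'static str),
    BadKeyBlock(String),
    Syntax(usize), // 1-based line number
}

fn indent_of(line: &str) -> usize {
    line.len() - line.trim_start().len()
}

/// Parse the `credentials:` section; require at least one entry.
pub fn parse_credentials(text: &str) -> Result<Vec<CredentialSpec>, ConfigError> {
    let lines: Vec<&str> = text.lines().collect();
    let mut i = 0;
    while i < lines.len() && lines[i].trim_end() != "credentials:" {
        i += 1;
    }
    if i == lines.len() {
        return Err(ConfigError::NoCredentials);
    }
    i += 1;
    let mut specs = Vec::new();
    while i < lines.len() {
        let line = lines[i];
        if line.trim().is_empty() {
            i += 1;
            continue;
        }
        let name_indent = indent_of(line);
        if name_indent == 0 {
            break; // next top-level key
        }
        let name = line.trim().strip_suffix(':').ok_or(ConfigError::Syntax(i + 1))?.to_string();
        i += 1;
        let mut fields: BTreeMap<String, String> = BTreeMap::new();
        while i < lines.len() {
            let l = lines[i];
            if l.trim().is_empty() {
                i += 1;
                continue;
            }
            let ind = indent_of(l);
            if ind <= name_indent {
                break;
            }
            let (k, v) = l.trim().split_once(':').ok_or(ConfigError::Syntax(i + 1))?;
            let v = v.trim();
            i += 1;
            if v == "|" {
                // Literal block: every line more indented than the key.
                let mut block = String::new();
                let mut block_indent = None;
                while i < lines.len() {
                    let bl = lines[i];
                    if bl.trim().is_empty() {
                        block.push('\n'); // armor headers end with a blank line
                        i += 1;
                        continue;
                    }
                    let bi = indent_of(bl);
                    if bi <= ind {
                        break;
                    }
                    let bind = *block_indent.get_or_insert(bi);
                    if bi < bind {
                        return Err(ConfigError::Syntax(i + 1));
                    }
                    block.push_str(&bl[bind..]);
                    block.push('\n');
                    i += 1;
                }
                fields.insert(k.to_string(), format!("{}\n", block.trim_end()));
            } else {
                fields.insert(k.to_string(), v.to_string());
            }
        }
        specs.push(spec_from_fields(name, fields)?);
    }
    if specs.is_empty() {
        return Err(ConfigError::NoCredentials);
    }
    Ok(specs)
}

fn spec_from_fields(name: String, fields: BTreeMap<String, String>) -> Result<CredentialSpec, ConfigError> {
    let kind_s = fields.get("kind").ok_or(ConfigError::MissingField(name.clone(), "kind"))?;
    let kind = match kind_s.as_str() {
        "openpgp-soft" => CredentialKind::OpenPgpSoft,
        other => return Err(ConfigError::UnknownKind(name, other.to_string())),
    };
    let key = fields.get("key").ok_or(ConfigError::MissingField(name.clone(), "key"))?.clone();
    // Cheap sanity check on the armor; real parsing belongs to an OpenPGP library.
    let first = key.lines().next().unwrap_or("");
    let last = key.lines().last().unwrap_or("");
    if first != "-----BEGIN PGP PRIVATE KEY BLOCK-----" || last != "-----END PGP PRIVATE KEY BLOCK-----" {
        return Err(ConfigError::BadKeyBlock(name));
    }
    Ok(CredentialSpec { name, kind, key })
}

// Constructed sample; the body line is a placeholder, not a real key.
pub const SAMPLE: &str = "credentials:
  soft1:
    kind: openpgp-soft
    key: |
        -----BEGIN PGP PRIVATE KEY BLOCK-----

        bm90IGEgcmVhbCBrZXk=
        -----END PGP PRIVATE KEY BLOCK-----
";

fn main() {
    match parse_credentials(SAMPLE) {
        Ok(specs) => specs.iter().for_each(|s| println!("{:?}", s)),
        Err(e) => eprintln!("config error: {:?}", e),
    }
}
```

The parser is deliberately narrow; in a real code base serde_yaml or similar would do the YAML work, and the Debug redaction is the part worth keeping whatever the parser.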

Summary

I implemented very simplistic commands to create and list credentials. The credentials can't be used for anything yet, but I've planned how to move towards implementing that.

Comments?

If you have feedback on this development session, please use the following fediverse thread: https://toot.liw.fi/@liw/115002979746876577.