Goal

Last time I changed things so that the chunk store can handle all kinds of chunks. Today I'll build on that to implement a command to create an OpenPGP software key credential.

Plan

  • Implement the obnam credential openpgp-soft command. It can assume an existing OpenPGP key.

Notes

Preliminary

  • Since last time I've cheated and added a rudimentary architecture document and fixed some small things found by the new clippy in Rust 1.89. The architecture document is based on my blog posts from last year.
  • Ran make to verify the current code base still builds, is lint free, and tests pass. All good.

Start on obnam credential openpgp-soft

  • Added a placeholder for the new subcommand. Just boilerplate.
  • Creating a credential chunk and adding it to the store was easy enough. However, I again did that by copy-pasting code. The code base is in need of tidying up and of helpers that reduce unnecessary code duplication.
  • I've been copy-pasting because it's been easier until I know what the code needs to do. I don't regret that. Anything to avoid having to think.

Verifying credential creation

  • Now that I (think) I can create credential chunks, how do I verify that they are correct? How do I use them?
  • But first, I made the code read the client key from a file. obnam already has a global --client-key option. Changed the new code to use that.
  • I'll add a command to list credentials to help with testing.
  • Using that, added a simplistic verification scenario.

Status quo now and thinking about next step

  • I'm explicitly passing the client key, in plaintext, on the command line to create a credential. This is not acceptable, except for testing. The user should never be able to see the client key, except maybe for debugging.
  • The client key should be generated during obnam client init. At the moment that gets it from the global --client-key option. To store the client key we need to also create a credential when initializing the store.
  • To do that, we need to have at least one credential specified in the configuration file, and we should create a credential for everything specified there.
  • The credential specification will, basically, tell how to get the things used to encrypt and decrypt the client key for a credential. Something like:
credentials:
  soft1:
    kind: openpgp-soft
    key: |
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        ...
        -----END PGP PRIVATE KEY BLOCK-----
  • That means my next change will be to add credential specification to the configuration file and use those when creating a credential.
  • But I'm not going to have time for that today, and I don't even want to start.
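As an added example (not obnam's own code), here is how the planned credentials section could be validated before any credential chunk is created, enforcing the requirements stated above: at least one credential is configured, every kind is known, and an openpgp-soft entry carries an ASCII-armored private key block. It assumes the YAML has already been parsed into a plain dict (as yaml.safe_load would produce); the sample config, the CredentialSpec type and the KNOWN_KINDS set are constructed for the example.

```python
# Added example, not part of obnam: validate the planned `credentials:`
# section of the configuration file. Assumes the section has already been
# parsed (e.g. with yaml.safe_load) into a plain dict.
from dataclasses import dataclass

KNOWN_KINDS = {"openpgp-soft"}  # assumption: the only kind planned so far
ARMOR_BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_END = "-----END PGP PRIVATE KEY BLOCK-----"


@dataclass(frozen=True)
class CredentialSpec:
    name: str
    kind: str
    key: str  # armored private key; never logged or printed


class ConfigError(ValueError):
    """Raised when the credentials section cannot be used as-is."""


def validate_credentials(config: dict) -> list[CredentialSpec]:
    """Return one CredentialSpec per configured credential, or raise ConfigError.

    Rejects an empty or missing section (the store needs at least one
    credential at init), unknown kinds (a typo such as "openpgpg-soft" must
    not silently produce an unusable credential), and keys that are not an
    ASCII-armored PGP private key block.
    """
    creds = config.get("credentials")
    if not isinstance(creds, dict) or not creds:
        raise ConfigError("credentials: must be a non-empty mapping")

    specs: list[CredentialSpec] = []
    for name, spec in creds.items():
        if not isinstance(spec, dict):
            raise ConfigError(f"{name}: credential must be a mapping")

        kind = spec.get("kind")
        if kind not in KNOWN_KINDS:
            raise ConfigError(f"{name}: unknown credential kind {kind!r}")

        key = spec.get("key")
        if not isinstance(key, str):
            raise ConfigError(f"{name}: key must be a string")

        # Only the armor framing is checked here; parsing the key itself is
        # left to the OpenPGP implementation that will use it.
        lines = [line.strip() for line in key.strip().splitlines()]
        if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
            raise ConfigError(f"{name}: key is not an armored PGP private key block")

        specs.append(CredentialSpec(name=name, kind=kind, key=key))
    return specs


# Constructed sample, shaped like the YAML sketch in the post.
SAMPLE_CONFIG = {
    "credentials": {
        "soft1": {
            "kind": "openpgp-soft",
            "key": f"{ARMOR_BEGIN}\n...\n{ARMOR_END}\n",
        }
    }
}

if __name__ == "__main__":
    for spec in validate_credentials(SAMPLE_CONFIG):
        # Report the name and kind only; the key material stays out of output.
        print(f"{spec.name}: kind={spec.kind}")
```

The validator deliberately treats an unknown kind as a hard error rather than skipping the entry, so a misspelled kind is caught at configuration time instead of leaving the client key wrapped under fewer credentials than the user intended.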

Summary

I implemented very simplistic commands to create and list credentials. The credentials can't be used for anything yet, but I've planned how to move towards implementing that.