Require HTTPS for remote keyservers #39
Add the local keyserver service, CLI publish/login/fetch commands, compose smoke wiring, and tests as a reviewable baseline for the security hardening work stacked above it.
Constraint: Security fixes for issues #30-#34 target files that are not yet present on main.
Rejected: Fold all security fixes into one PR | would make review and issue closure harder.
Confidence: medium
Scope-risk: broad
Directive: Review this foundation before merging stacked hardening PRs into main.
Tested: PYTHONPATH=. python3 -m unittest discover keyserver/tests; env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...
Not-tested: Docker compose smoke test was not run locally.
Remote keyserver URLs now default to HTTPS-only before any provider or publish token is exchanged. Local loopback HTTP remains available for development, and an explicit insecure override supports compose smoke tests.
Constraint: Docker compose smoke uses an internal http://keyserver service name.
Rejected: Ban all HTTP URLs | would break local and compose development flows.
Confidence: high
Scope-risk: moderate
Directive: Keep insecure HTTP opt-in and test-only; do not make remote HTTP the default.
Tested: env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...; PYTHONPATH=. python3 -m unittest discover keyserver/tests
Related: #34
This PR successfully implements HTTPS enforcement for remote keyserver URLs while maintaining backward compatibility for local development. The implementation is secure and well-tested.
Summary of Changes:
- Added HTTPS validation that rejects remote http:// URLs by default
- Preserved HTTP support for loopback addresses (localhost, 127.0.0.1, ::1)
- Introduced the --insecure-http flag and the ENDE_KEYSERVER_INSECURE_HTTP environment variable for explicit test overrides
- Added comprehensive test coverage for the new validation logic
- Updated docker-compose configuration and documentation
Security Impact:
The changes effectively prevent accidental credential leakage over unencrypted connections to remote keyservers while maintaining usability for local development scenarios.
No blocking issues identified. The code is ready to merge.
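The validation described in the PR description and summarised in the review above (HTTPS always, plain HTTP only for loopback hosts, an explicit test-only override via --insecure-http or ENDE_KEYSERVER_INSECURE_HTTP=1) written out as an added Go example; this is not the project's own code, and the function names, the sentinel error and the exact loopback matching rule are assumptions. It deliberately treats "localhost.example.com" and "127.0.0.1.nip.io" as remote, since a suffix or prefix match on the host would let a remote name slip through the development exemption.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
	"strings"
)

// ErrInsecureRemote: a non-loopback http:// keyserver URL with no explicit override.
var ErrInsecureRemote = errors.New("remote keyserver URL must use https:// " +
	"(--insecure-http or ENDE_KEYSERVER_INSECURE_HTTP=1 are for tests only)")
// isLoopbackHost accepts only "localhost" or a loopback IP (127.0.0.0/8, ::1).
// Exact match matters: "localhost.example.com" or "127.0.0.1.nip.io" are remote.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host) // u.Hostname() has already stripped [] from IPv6 literals
	return ip != nil && ip.IsLoopback()
}
// InsecureHTTPFromEnv reads the test-only override; only the literal "1" enables it.
func InsecureHTTPFromEnv() bool { return os.Getenv("ENDE_KEYSERVER_INSECURE_HTTP") == "1" }
// ValidateKeyserverURL runs before any provider or publish token is sent:
// https:// always passes; http:// passes only for loopback hosts or when
// insecure (from --insecure-http or InsecureHTTPFromEnv) is true.
func ValidateKeyserverURL(raw string, insecure bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid keyserver URL %q: %w", raw, err)
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return nil
	case "http":
		if insecure || isLoopbackHost(u.Hostname()) {
			return nil
		}
		return ErrInsecureRemote
	default:
		return fmt.Errorf("unsupported keyserver URL scheme %q in %q", u.Scheme, raw)
	}
}

func main() { // compose service name counts as remote: rejected unless the override is set
	fmt.Println(ValidateKeyserverURL("http://keyserver:8000", InsecureHTTPFromEnv()))
	fmt.Println(ValidateKeyserverURL("http://localhost:8000", false))
}
```

A CLI would call ValidateKeyserverURL once, before creating the HTTP client, so that a rejected URL never reaches a request that carries a token.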
Closing because this was opened against the wrong repository. The security triage is being redone against companyjupiter/quarkify.
Summary
- Remote http:// keyserver URLs are rejected by default before token exchange or publishing.
- --insecure-http and ENDE_KEYSERVER_INSECURE_HTTP=1 provide explicit test-only overrides.
Closes #34.
Validation
env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...
PYTHONPATH=. python3 -m unittest discover keyserver/tests