Chore: more verbose error messages for missing TUF private keys
Signed-off-by: Volodymyr Khoroz <[email protected]>
vkhoroz committed Jan 23, 2024
1 parent 6cefc66 commit cf2e218
Showing 5 changed files with 17 additions and 13 deletions.
2 changes: 1 addition & 1 deletion subcommands/keys/tuf_updates_delete_offline_key.go
Expand Up @@ -104,7 +104,7 @@ func doTufUpdatesDeleteOfflineKey(cmd *cobra.Command, args []string) {
fmt.Println("= Delete keyid:", keyId)
if keyId == "" {
oldKey, err := FindOneTufSigner(newCiRoot, creds, validKeyIds)
subcommands.DieNotNil(err)
subcommands.DieNotNil(err, fmt.Sprintf("Error reading TUF %s private key:\n", roleName))
keyId = oldKey.Id
} else if !slices.Contains(validKeyIds, keyId) {
subcommands.DieNotNil(fmt.Errorf(
6 changes: 3 additions & 3 deletions subcommands/keys/tuf_updates_rotate_offline_key.go
Expand Up @@ -183,7 +183,7 @@ func doTufUpdatesRotateOfflineTargetsKey(cmd *cobra.Command) {
// Seaching for old key in curCiRoot supports several rotations in one transaction.
oldestKey, err = FindOneTufSigner(curCiRoot, targetsCreds,
subcommands.SliceRemove(curCiRoot.Signed.Roles["targets"].KeyIDs, onlineTargetsId))
subcommands.DieNotNil(err)
subcommands.DieNotNil(err, "Error reading old TUF targets private key:\n")
}

targetsProdMap, err := api.ProdTargetsList(factory, false)
Expand Down Expand Up @@ -226,7 +226,7 @@ func replaceOfflineRootKey(
) (TufSigner, OfflineCreds) {
oldKids := root.Signed.Roles["root"].KeyIDs
oldKey, err := FindOneTufSigner(root, creds, oldKids)
subcommands.DieNotNil(err)
subcommands.DieNotNil(err, "Error reading old TUF root private key:\n")
oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)

kp := genTufKeyPair(keyType)
Expand All @@ -242,7 +242,7 @@ func replaceOfflineTargetsKey(
oldKids := root.Signed.Roles["targets"].KeyIDs
if len(oldKids) > 1 {
oldKey, err := FindOneTufSigner(root, creds, subcommands.SliceRemove(oldKids, onlineTargetsId))
subcommands.DieNotNil(err)
subcommands.DieNotNil(err, "Error reading old TUF targets private key:\n")
oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)
}

2 changes: 1 addition & 1 deletion subcommands/keys/tuf_updates_sign_prod_targets.go
Expand Up @@ -69,7 +69,7 @@ For example, add a new offline TUF targets key, before signing production target
}
signer, err := FindOneTufSigner(newCiRoot, creds,
subcommands.SliceRemove(newCiRoot.Signed.Roles["targets"].KeyIDs, onlineTargetsId))
subcommands.DieNotNil(err)
subcommands.DieNotNil(err, "Error reading TUF targets private key:\n")

var newTargetsProdSigs, newTargetsWaveSigs map[string][]tuf.Signature

18 changes: 11 additions & 7 deletions subcommands/keys/tuf_utils.go
Expand Up @@ -24,7 +24,7 @@ import (
"github.com/foundriesio/fioctl/subcommands"
)

var errFoundNoKey = errors.New("Found no active signing key")
var errFoundNoKey = errors.New("Found no active private key")

type OfflineCreds map[string][]byte

Expand Down Expand Up @@ -232,9 +232,9 @@ func FindOneTufSigner(root *client.AtsTufRoot, creds OfflineCreds, keyids []stri
var signers []TufSigner
if signers, err = findTufSigners(root, creds, keyids); err == nil {
if len(signers) == 0 {
err = fmt.Errorf("%w for: %v.", errFoundNoKey, keyids)
err = fmt.Errorf("%w for key IDs: %v.", errFoundNoKey, keyids)
} else if len(signers) > 1 {
err = fmt.Errorf(`Found more than one active signing key for: %v.
err = fmt.Errorf(`Found more than one active private key for key IDs: %v.
This is an unsupported and insecure way to store private keys.
Please, provide a keys file which contains a single active signing key.`, keyids)
} else {
Expand All @@ -248,7 +248,7 @@ func checkNoTufSigner(root *client.AtsTufRoot, creds OfflineCreds, keyids []stri
var signers []TufSigner
if signers, err = findTufSigners(root, creds, keyids); err == nil {
if len(signers) > 0 {
err = errors.New("It is not allowed to store more than one active signing key into one file")
err = errors.New("It is not allowed to store more than one active private key into one file.")
}
}
return
Expand Down Expand Up @@ -432,20 +432,24 @@ func signNewTufRoot(curCiRoot, newCiRoot, newProdRoot *client.AtsTufRoot, creds
signers := make([]TufSigner, 0, 2)
newKey, newErr := FindOneTufSigner(newCiRoot, creds, newCiRoot.Signed.Roles["root"].KeyIDs)
if !errors.Is(newErr, errFoundNoKey) {
subcommands.DieNotNil(newErr)
subcommands.DieNotNil(newErr, "Error reading new TUF root private key:\n")
signers = append(signers, newKey)
}
oldKey, oldErr := FindOneTufSigner(curCiRoot, creds, curCiRoot.Signed.Roles["root"].KeyIDs)
if !errors.Is(oldErr, errFoundNoKey) {
subcommands.DieNotNil(oldErr)
subcommands.DieNotNil(oldErr, "Error reading old TUF root private key:\n")
if len(signers) == 0 || oldKey.Id != newKey.Id {
signers = append(signers, oldKey)
}
}

// At this point either oldKey or newKey was found, or both newErr and oldErr are errFoundNoKey
if len(signers) == 0 {
subcommands.DieNotNil(fmt.Errorf("%s\n%s", oldErr, newErr))
if oldErr.Error() == newErr.Error() { // TUF root key is not being rotated
subcommands.DieNotNil(oldErr, "Error reading TUF root private keys:\n")
} else { // TUF root key is being rotated
subcommands.DieNotNil(fmt.Errorf("Error reading TUF root private keys:\n %s\n %s", oldErr, newErr))
}
}

fmt.Println("= Signing new TUF root")
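Review bot: The new `if oldErr.Error() == newErr.Error()` branch in signNewTufRoot decides whether the root key is being rotated by comparing error text, which only works because the errFoundNoKey message (reworded in the same commit to `"%w for key IDs: %v."`) happens to embed the key ID list, so any later wording change silently breaks the distinction. Comparing the inputs directly states the intent, e.g. `if slices.Equal(curCiRoot.Signed.Roles["root"].KeyIDs, newCiRoot.Signed.Roles["root"].KeyIDs) {` (the `slices` package is used in tuf_updates_delete_offline_key.go; whether this file imports it is not visible in the hunk). Related, the rotation branch wraps both errors with `%s`, so the combined error no longer satisfies `errors.Is(err, errFoundNoKey)`; harmless if DieNotNil exits, but `%w` (two are allowed since Go 1.20) would preserve it. In checkNoTufSigner the reworded message still says "more than one active private key" while the guard is `len(signers) > 0`, which reads correctly only if callers pass the key IDs other than the one already found — a one-line comment on that function stating this assumption would help the next reader. signNewTufRoot continues outside the hunk.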
2 changes: 1 addition & 1 deletion subcommands/waves/init.go
Expand Up @@ -222,7 +222,7 @@ Please, run "fioctl keys tuf rotate-offline-key --role=targets" in order to crea
}

signer, err := keys.FindOneTufSigner(root, offlineKeys, signerKids)
subcommands.DieNotNil(err)
subcommands.DieNotNil(err, "Error reading TUF targets private key:\n")
signatures, err := keys.SignTufMeta(meta, signer)
subcommands.DieNotNil(err, "Failed to sign new targets")
return signatures
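Review bot: The new prefix `"Error reading TUF targets private key:\n"` sits two lines above the existing `subcommands.DieNotNil(err, "Failed to sign new targets")`, so one function now mixes two prefix conventions: one with a trailing colon and newline, one with neither. Whatever layout DieNotNil applies to its prefix (not visible here), the output for two adjacent failure paths will differ in shape; picking one form — either dropping the `:\n` from the new call or giving the older call the same ending — keeps the messages uniform. The same trailing `:\n` form is used in the new lines of subcommands/keys/tuf_updates_delete_offline_key.go, tuf_updates_rotate_offline_key.go, tuf_updates_sign_prod_targets.go and tuf_utils.go, so the decision should be applied across all five files. The enclosing function starts outside the hunk.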
