* Change nginx config to return 403 on unauthorized access to
the non-white TLP locations. We cannot hide the existence anyway,
as it is listed in the provider-metadata.json, even when restricted.
* Change options when creating the armored version of the signature
to leave out the optional headers, which would be `Version:`
and `Comment:`, as it is considered uncommon for a while now to
set these.
* Change checking to use client certs and verbose for html
as this is what can be displayed on a webbrowser.
* Rename the json result file to indicate why the result will differ
without using the access of the client certificate.
* Modify script to call checker twice with difference options,
including one with json and --verbose.
* Add json result as build artifact to be uploaded.
* Move the config variables which could be specified as tables in TOML
to the bottom of the documentation, to avoid that a regular toplevel
variable is used below them (which would be wrong in TOML).
* Be more specific about the value of the `upload_limit`.
* Change the displayed string in the HTML output
for the date and time of the run
to be human readable and in the local timezone.
The `datetime` attribute of the `time` tag still has the RFC 3339 UTC
version for machine processing.
* Do chgrp and chmod not recursively as we have just created the
directory and if taken as example the recursive chmod with the
s bit will produce unwanted results on files.
* Change comment to better indicate setting in nginx example conf
which serves the TLP != white locations of the prodiver.
We do advertise them in the provider-metadata.json, but we still
want to use 404 to not reveal more about the directory contents.
* Improve aggregator setup docs
* Add hints how to serve the aggregator output using nginx.
* Add hint that the permission of the aggregator config file should be
restricted.
* Add a setuid bit to the aggregator integration test script
to easy manual serving.
* Wording
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
* Adjust provider and aggregator to copy the used openpgp pubkey into a locally
provided directory `openpgp` beside the `prodiver-metadata.json`.
This more robust and self-reliant than using a public pubkey server,
which is the reason why the CSAF 2.0 csd02 mentions it as example in
"7.1.20 Requirement 20: Public OpenPGP Key".
* Improve aggregator by removing a typo `aggreator` from one written paths.
(Done with this change as it also affects the openpgp/ paths writing.)
solve #85
* Implement a logging client and activate it using verbose parameter or option
in checker and aggregator.
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
* Decouple loading of provider metadata from processor and moved in the base library.
* Integrate new code into checker and aggregator
* Adhere to csd02 revision of CSAF 2.0.
resolve #60
