Add VaultSigner and tests

[lukpueh]

Adds fully functional VaultSigner and basic "import_ -> from_priv_key_uri
-> sign -> verify" test loop using a local vault server.

Tests run on CI and can be run locally with tox, if vault is installed.

Note also that vault supports all key types and signing schemes supported by
SSlibKey. The here added VaultSigner, however, only supports ed25519
keys.

Other key types and schemes may be added in follow-up PRs

Fixes #307

[jku]

• fix ci failure (the test actually passes, but the vault tear down script seems to exit with non-zero and thus fails the job).

143 is what docker does when killed I think...

My guess is the initial vault server command has a signal handler that does exit 143

[lukpueh]

143 is what docker does when killed I think...

AFAIU not only on docker, but generally on linux. If a command receives SIGTERM it should exit with 143.

My guess is the initial vault server command has a signal handler that does exit 143

I think so too. But I cannot reproduce. I don't currently have a linux box at hand, and on my Mac the vault command does not exit with 143 when killed. (Interestingly, a different test command (tail -f /dev/null) indeed exits with 143 when killed).

I tried two independent workarounds to no avail:

securesystemslib/tests/scripts/init-vault.sh

Lines 3 to 5 in 85c8d0c

	# Start vault in background. `|| true` eats the non-zero exit code, when the
	# background process is killed, so that it does not fail the Github Action.
	{ vault server -dev -dev-root-token-id="${VAULT_TOKEN}" & } || true

securesystemslib/tests/scripts/stop-vault.sh

Lines 6 to 11 in 85c8d0c

	# make sure to exit with 0
	while kill -0 $pid
	do
	sleep 1
	done
	exit 0

Any ideas, @jku?

[lukpueh]

My guess is the initial vault server command has a signal handler that does exit 143

I think so too. But I cannot reproduce. I don't currently have a linux box at hand, and on my Mac the vault command does not exit with 143 when killed. (Interestingly, a different test command (tail -f /dev/null) indeed exits with 143 when killed).

I tried to debug this inside the GHA runner (with tmate) and vault exits with 0 there too when killed. This at least explains why my workarounds did not work.

[jku]

Now that I think about it, I was probably wrong and this actually kills tox instead of "vault server":

pid=$(pgrep -f vault)
kill $pid

EDIT: yes, I tested this with a slightly modified branch: this does indeed kill tox.

maybe pgrep -f "vault server"?

[lukpueh]

... actually kills tox

🤦 or the stop-vault.sh

[lukpueh]

@jku, this is ready for review. But we don't need to include it in 1.0.

[jku]

👍

[jku]

nit: assert seems unnecessary

Suggested change

	self.assertIsNone(public_key.verify_signature(signature, b"DATA"))
	public_key.verify_signature(signature, b"DATA")

[lukpueh]

🤷 I wanted to make it clear that this is a test scenario, and not some random function call that could return e.g. True or False and pass the test either way.

[jku]

we don't need to include it in 1.0.

Up to you, no strong feelings here.

[lukpueh]

we don't need to include it in 1.0.

Up to you, no strong feelings here.

In that case, let's ship it.