Switch to Travis's new authentication/integrity check scheme about savage HOT 10 OPEN

I believe this is related. travis-ci/travis-ci#6435

from savage.

On August 31 Travis announced that they would be dropping support for the Authorization header and instead using the Signature header as described here.

I don't see an accompanying change to Savage. Is it no longer working anywhere?

from savage.

Looking at twbs/bootstrap#21736, as an example, we can see that the statuses from Savage are not being updated prior to merging. :-(

from savage.

Your analysis is correct. I haven't had much time for Savage lately, and so the Authorization header logic is outdated relative to Travis's awesome bugfix.

from savage.

Certainly not your burden to carry alone @cvrebert. I took a rough stab at implementing the update authorization technique, but ultimately ran out of time due to my lack of Scala knowledge.

from savage.

Yeah, PRs welcomed. I'm happy to translate to Scala from Java if necessary.

from savage.

I also have no Scala knowledge (yet), but am willing to put a few hours into it.

from savage.

I've waded out about as far as I can, I think. I opened a WIP PR against my own branch that makes the changes that were obvious to me and lays out TODOs for what I think is left. Anybody is welcome to try to take it from there (no guarantees that Base64 stuff works), but I'll keep plugging away at it as I get time if no one else does: https://github.com/bobholt/savage/pull/1/files

from savage.

Assuming we pull in BouncyCastle for the public-key crypto, the verification part should start with doing Signature.getInstance("SHA1WithRSA", "BC") (based on Travis's code samples, they're using SHA-1 + RSA) and then you follow the dance explained in https://docs.oracle.com/javase/tutorial/security/apisign/vstep4.html

I am less clear on how to read Travis's public key into a PublicKey object.

from savage.

Okay, think I've got the crypto part all figured out now. PR incoming.

from savage.