tweak signing yet again. Have pkg_create automatically add signing

identities every time, and make matching identities mandatory.
e.g., pkg_create and pkg_add must have matching -DSIGNER.
by default, signer is derived from uname -r and role (pkg_add/fw_update),
e.g., 54pkg, 54fw...

diff --git a/usr.sbin/pkg_add/OpenBSD/AddCreateDelete.pm b/usr.sbin/pkg_add/OpenBSD/AddCreateDelete.pm
index 475a71e..3d7deb5 100644 (file)
--- a/usr.sbin/pkg_add/OpenBSD/AddCreateDelete.pm
+++ b/usr.sbin/pkg_add/OpenBSD/AddCreateDelete.pm
@@ -1,5 +1,5 @@
 # ex:ts=8 sw=4:
-# $OpenBSD: AddCreateDelete.pm,v 1.17 2013/12/23 16:50:29 espie Exp $
+# $OpenBSD: AddCreateDelete.pm,v 1.18 2014/01/09 10:36:52 espie Exp $
 #
 # Copyright (c) 2007-2010 Marc Espie <espie@openbsd.org>
 #
@@ -106,6 +106,26 @@ sub ntogo_string
        return $self->todo($offset // 0);
 }
 
+OpenBSD::Auto::cache(signer_list,
+       sub {
+               my $self = shift;
+               if ($self->defines('SIGNER')) {
+                       return [split /,/, $self->{subst}->value('SIGNER')];
+               } else {
+                       require OpenBSD::Paths;
+
+                       my $cmd = OpenBSD::Paths->uname." -r";
+                       my $value = `$cmd`;
+                       $value =~ s/\.//;
+                       chomp $value;
+                       if ($self->defines('FW_UPDATE')) {
+                               return [$value."fw"];
+                       } else {
+                               return [$value."pkg"];
+                       }
+               }
+       });
+
 package OpenBSD::AddCreateDelete;
 use OpenBSD::Error;
 

diff --git a/usr.sbin/pkg_add/OpenBSD/Paths.pm b/usr.sbin/pkg_add/OpenBSD/Paths.pm
index 8d7281d..831a612 100644 (file)
--- a/usr.sbin/pkg_add/OpenBSD/Paths.pm
+++ b/usr.sbin/pkg_add/OpenBSD/Paths.pm
@@ -1,5 +1,5 @@
 # ex:ts=8 sw=4:
-# $OpenBSD: Paths.pm,v 1.24 2014/01/04 00:14:08 espie Exp $
+# $OpenBSD: Paths.pm,v 1.25 2014/01/09 10:36:52 espie Exp $
 #
 # Copyright (c) 2007 Marc Espie <espie@openbsd.org>
 #
@@ -33,8 +33,7 @@ sub sysctl() { '/sbin/sysctl' }
 sub openssl() { '/usr/sbin/openssl' }
 sub pkgca() { '/etc/ssl/pkgca.pem' }
 sub signify() { '/usr/bin/signify' }
-sub signifykey() { '/etc/signify/openbsd.pub' }
-sub signifyfwkey() { '/etc/signify/openbsd-fw.pub' }
+sub signifykey { my $s = $_[1]; "/etc/signify/$s.pub" }
 sub pkg_add() { '/usr/sbin/pkg_add' }
 sub chmod() { '/bin/chmod' }   # external command is used for symbolic modes.
 sub gzip() { '/usr/bin/gzip' }

diff --git a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
index 36dc23a..43aca07 100644 (file)
--- a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
+++ b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
@@ -1,6 +1,6 @@
 #! /usr/bin/perl
 # ex:ts=8 sw=4:
-# $OpenBSD: PkgCreate.pm,v 1.86 2014/01/07 11:51:15 espie Exp $
+# $OpenBSD: PkgCreate.pm,v 1.87 2014/01/09 10:36:52 espie Exp $
 #
 # Copyright (c) 2003-2010 Marc Espie <espie@openbsd.org>
 #
@@ -1158,10 +1158,11 @@ sub add_signature
                }
        }
 
-       my $signer = $state->{subst}->value('SIGNER');
-       if (defined $signer) {
-               OpenBSD::PackingElement::Signer->add($plist, $signer);
+       my $list = $state->signer_list;
+       if (@$list != 1) {
+               $state->fatal("Ambiguous: single SIGNER identity required");
        }
+       OpenBSD::PackingElement::Signer->add($plist, $list->[0]);
 
        my $sig = $state->{signer}->new_sig;
        $sig->add_object($plist);

diff --git a/usr.sbin/pkg_add/OpenBSD/signify.pm b/usr.sbin/pkg_add/OpenBSD/signify.pm
index 76be398..1a2810e 100644 (file)
--- a/usr.sbin/pkg_add/OpenBSD/signify.pm
+++ b/usr.sbin/pkg_add/OpenBSD/signify.pm
@@ -1,5 +1,5 @@
 # ex:ts=8 sw=4:
-# $OpenBSD: signify.pm,v 1.5 2014/01/08 06:40:56 espie Exp $
+# $OpenBSD: signify.pm,v 1.6 2014/01/09 10:36:52 espie Exp $
 #
 # Copyright (c) 2013 Marc Espie <espie@openbsd.org>
 #
@@ -60,20 +60,23 @@ sub check_signature
        print $fh2 $header, $sig->{b64sig}, "\n";
        close $fh;
        close $fh2;
-       my $pubkey;
        
-       if ($state->defines('FW_UPDATE')) {
-               $pubkey = OpenBSD::Paths->signifyfwkey;
-       } else {
-               $pubkey = OpenBSD::Paths->signifykey;
+       if (!$plist->has('signer')) {
+               $state->errsay("Invalid signed plist: no \@signer");
+               return 0;
        }
-       if ($plist->has('signer')) {
-               my $signer = $plist->get('signer')->name;
-               $pubkey = "/etc/signify/$signer.pub";
+       my $pubkey;
+       my $signer = $plist->get('signer')->name;
+       if (grep {$_ eq $signer} @{$state->signer_list}) {
+               $pubkey = OpenBSD::Paths->signifykey($signer);
                if (!-f $pubkey) {
-                       $state->say("Unknown signer #1", $signer);
+                       $state->errsay("Can't find key #1 for signer #1", 
+                           $pubkey, $signer);
                        return 0;
                }
+       } else {
+               $state->errsay("Package signed by untrusted party #1", $signer);
+               return 0;
        }
        if ($state->system(sub {
            open STDOUT, ">", "/dev/null";},