tweak the interface to generating signatures yet again.

- assume key names match, deduce signer from sec key.
e.g., -s signify -s 55pkg.sec
will set signer to 55pkg and look for a pubkey named 55pkg.pub,
either besides 55pkg.sec or in /etc/signify.
- verify there's no mismatch, if possible, by verifying the first package
signed.

- also build a SHA256 on the fly while signing.

diff --git a/usr.sbin/pkg_add/OpenBSD/Paths.pm b/usr.sbin/pkg_add/OpenBSD/Paths.pm
index 8e1d278..da38e16 100644 (file)
--- a/usr.sbin/pkg_add/OpenBSD/Paths.pm
+++ b/usr.sbin/pkg_add/OpenBSD/Paths.pm
@@ -1,5 +1,5 @@
 # ex:ts=8 sw=4:
-# $OpenBSD: Paths.pm,v 1.26 2014/01/09 20:20:01 espie Exp $
+# $OpenBSD: Paths.pm,v 1.27 2014/01/17 10:54:14 espie Exp $
 #
 # Copyright (c) 2007-2014 Marc Espie <espie@openbsd.org>
 #
@@ -54,6 +54,7 @@ sub hostname() { '/bin/hostname' }
 sub sudo() { '/usr/bin/sudo' }
 sub du() { '/usr/bin/du' }
 sub diff() { '/usr/bin/diff' }
+sub sha256() { '/bin/sha256' }
 
 # Various paths
 sub shells() { '/etc/shells' }

diff --git a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
index f5fdd2a..3d240d2 100644 (file)
--- a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
+++ b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
@@ -1,6 +1,6 @@
 #! /usr/bin/perl
 # ex:ts=8 sw=4:
-# $OpenBSD: PkgCreate.pm,v 1.93 2014/01/13 10:07:32 espie Exp $
+# $OpenBSD: PkgCreate.pm,v 1.94 2014/01/17 10:54:14 espie Exp $
 #
 # Copyright (c) 2003-2014 Marc Espie <espie@openbsd.org>
 #
@@ -74,8 +74,21 @@ sub new
        if (@p != 2 || !-f $p[1]) {
                $state->usage("$p[0] signature wants -s privkey");
        }
-
-       bless {privkey => $p[1]}, $class;
+       my $o = bless {privkey => $p[1]}, $class;
+       my $signer = $o->{privkey};
+       $signer =~ s/\.sec$//;
+       my $pubkey = "$signer.pub";
+       $signer =~ s,.*/,,;
+       $o->{signer} = $signer;
+       if (!-f $pubkey) {
+               $pubkey =~ s,.*/,/etc/signify/,;
+               if (!-f $pubkey) {
+                       $state->errsay("warning: public key not found");
+                       return $o;
+               }
+       }
+       $o->{pubkey} = $pubkey;
+       return $o;
 }
 
 sub new_sig
@@ -88,11 +101,10 @@ sub compute_signature
 {
        my ($self, $state, $plist) = @_;
 
-       my $list = $state->signer_list;
-       OpenBSD::PackingElement::Signer->add($plist, $list->[0]);
+       OpenBSD::PackingElement::Signer->add($plist, $self->{signer});
 
        return OpenBSD::signify::compute_signature($plist, $state, 
-           $self->{privkey});
+           $self->{privkey}, $self->{pubkey});
 }
 
 package OpenBSD::PkgCreate::State;
@@ -1198,10 +1210,14 @@ sub sign_existing_package
        $plist->copy_over($state, $wrarc, $pkg);
        $wrarc->close;
        $pkg->wipe_info;
-       unlink($plist->pkgname.".tgz") if $state->{output};
        chmod((0666 & ~umask), $tmp);
        rename($tmp, $output.'/'.$plist->pkgname.".tgz") or
            $state->fatal("Can't create final signed package: #1", $!);
+       $state->system(sub {
+           chdir($output);
+           open(STDOUT, '>>', 'SHA256');
+           },
+           OpenBSD::Paths->sha256, $plist->pkgname.".tgz");
 }
 
 sub sign_list
@@ -1235,6 +1251,7 @@ sub sign_list
                        }
                        $n--;
                        &$display($jobs->{$pid});
+                       delete $state->{signer}{pubkey};
                        delete $jobs->{$pid};
                };
                        
@@ -1260,8 +1277,12 @@ sub sign_list
                for my $name (@$l) {
                        &$code($name);
                        &$display($name);
+                       delete $state->{signer}{pubkey};
                }
        }
+       $state->system(sub {
+           chdir($state->{output_dir}) if $state->{output_dir};
+           }, 'sort', 'SHA256');
 }
 
 sub sign_existing_repository