From 4dce299b2ef08ee2ad556ad006f5793a54d346a9 Mon Sep 17 00:00:00 2001 From: espie Date: Fri, 17 Jan 2014 10:54:14 +0000 Subject: [PATCH] tweak the interface to generating signatures yet again. - assume key names match, deduce signer from sec key. e.g., -s signify -s 55pkg.sec will set signer to 55pkg and look for a pubkey named 55pkg.pub, either besides 55pkg.sec or in /etc/signify. - verify there's no mismatch, if possible, by verifying the first package signed. - also build a SHA256 on the fly while signing. --- usr.sbin/pkg_add/OpenBSD/Paths.pm | 3 ++- usr.sbin/pkg_add/OpenBSD/PkgCreate.pm | 35 +++++++++++++++++++++------ 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/usr.sbin/pkg_add/OpenBSD/Paths.pm b/usr.sbin/pkg_add/OpenBSD/Paths.pm index 8e1d2783955..da38e163d72 100644 --- a/usr.sbin/pkg_add/OpenBSD/Paths.pm +++ b/usr.sbin/pkg_add/OpenBSD/Paths.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: Paths.pm,v 1.26 2014/01/09 20:20:01 espie Exp $ +# $OpenBSD: Paths.pm,v 1.27 2014/01/17 10:54:14 espie Exp $ # # Copyright (c) 2007-2014 Marc Espie # @@ -54,6 +54,7 @@ sub hostname() { '/bin/hostname' } sub sudo() { '/usr/bin/sudo' } sub du() { '/usr/bin/du' } sub diff() { '/usr/bin/diff' } +sub sha256() { '/bin/sha256' } # Various paths sub shells() { '/etc/shells' } diff --git a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm index f5fdd2a76bf..3d240d219f6 100644 --- a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm +++ b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm @@ -1,6 +1,6 @@ #! /usr/bin/perl # ex:ts=8 sw=4: -# $OpenBSD: PkgCreate.pm,v 1.93 2014/01/13 10:07:32 espie Exp $ +# $OpenBSD: PkgCreate.pm,v 1.94 2014/01/17 10:54:14 espie Exp $ # # Copyright (c) 2003-2014 Marc Espie # @@ -74,8 +74,21 @@ sub new if (@p != 2 || !-f $p[1]) { $state->usage("$p[0] signature wants -s privkey"); } - - bless {privkey => $p[1]}, $class; + my $o = bless {privkey => $p[1]}, $class; + my $signer = $o->{privkey}; + $signer =~ s/\.sec$//; + my $pubkey = "$signer.pub"; + $signer =~ s,.*/,,; + $o->{signer} = $signer; + if (!-f $pubkey) { + $pubkey =~ s,.*/,/etc/signify/,; + if (!-f $pubkey) { + $state->errsay("warning: public key not found"); + return $o; + } + } + $o->{pubkey} = $pubkey; + return $o; } sub new_sig @@ -88,11 +101,10 @@ sub compute_signature { my ($self, $state, $plist) = @_; - my $list = $state->signer_list; - OpenBSD::PackingElement::Signer->add($plist, $list->[0]); + OpenBSD::PackingElement::Signer->add($plist, $self->{signer}); return OpenBSD::signify::compute_signature($plist, $state, - $self->{privkey}); + $self->{privkey}, $self->{pubkey}); } package OpenBSD::PkgCreate::State; @@ -1198,10 +1210,14 @@ sub sign_existing_package $plist->copy_over($state, $wrarc, $pkg); $wrarc->close; $pkg->wipe_info; - unlink($plist->pkgname.".tgz") if $state->{output}; chmod((0666 & ~umask), $tmp); rename($tmp, $output.'/'.$plist->pkgname.".tgz") or $state->fatal("Can't create final signed package: #1", $!); + $state->system(sub { + chdir($output); + open(STDOUT, '>>', 'SHA256'); + }, + OpenBSD::Paths->sha256, $plist->pkgname.".tgz"); } sub sign_list @@ -1235,6 +1251,7 @@ sub sign_list } $n--; &$display($jobs->{$pid}); + delete $state->{signer}{pubkey}; delete $jobs->{$pid}; }; @@ -1260,8 +1277,12 @@ sub sign_list for my $name (@$l) { &$code($name); &$display($name); + delete $state->{signer}{pubkey}; } } + $state->system(sub { + chdir($state->{output_dir}) if $state->{output_dir}; + }, 'sort', 'SHA256'); } sub sign_existing_repository -- 2.20.1