From 66cb2705c9c72f5d0d3966c9db3299078514a5a9 Mon Sep 17 00:00:00 2001 From: espie Date: Thu, 2 Jan 2014 13:45:14 +0000 Subject: [PATCH] adapt to signify changes allow a separate key for firmwares --- usr.sbin/pkg_add/OpenBSD/Paths.pm | 3 ++- usr.sbin/pkg_add/OpenBSD/signify.pm | 15 ++++++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/usr.sbin/pkg_add/OpenBSD/Paths.pm b/usr.sbin/pkg_add/OpenBSD/Paths.pm index 1d779139304..68e55561a01 100644 --- a/usr.sbin/pkg_add/OpenBSD/Paths.pm +++ b/usr.sbin/pkg_add/OpenBSD/Paths.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: Paths.pm,v 1.22 2013/12/31 11:21:10 espie Exp $ +# $OpenBSD: Paths.pm,v 1.23 2014/01/02 13:45:14 espie Exp $ # # Copyright (c) 2007 Marc Espie # @@ -34,6 +34,7 @@ sub openssl() { '/usr/sbin/openssl' } sub pkgca() { '/etc/ssl/pkgca.pem' } sub signify() { '/usr/bin/signify' } sub signifykey() { '/etc/openbsd.pubkey' } +sub signifyfwkey() { '/etc/openbsd-fw.pubkey' } sub pkg_add() { '/usr/sbin/pkg_add' } sub chmod() { '/bin/chmod' } # external command is used for symbolic modes. sub gzip() { '/usr/bin/gzip' } diff --git a/usr.sbin/pkg_add/OpenBSD/signify.pm b/usr.sbin/pkg_add/OpenBSD/signify.pm index e1ed4a4f31c..f32146eccb0 100644 --- a/usr.sbin/pkg_add/OpenBSD/signify.pm +++ b/usr.sbin/pkg_add/OpenBSD/signify.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: signify.pm,v 1.1 2013/12/31 11:21:10 espie Exp $ +# $OpenBSD: signify.pm,v 1.2 2014/01/02 13:45:14 espie Exp $ # # Copyright (c) 2013 Marc Espie # @@ -26,7 +26,6 @@ use File::Temp qw/mkstemp/; my $header = "signify -- signature\n"; my $cmd = OpenBSD::Paths->signify; -my $defaultpubkey = OpenBSD::Paths->signifykey; my $suffix = ".sig"; sub compute_signature 
@@ -39,7 +38,7 @@ sub compute_signature open my $fh, ">", $contents; $plist->write_no_sig($fh); close $fh; - $state->system($cmd, '-I', $contents, '-S', $key, '-V', 'sign') + $state->system($cmd, '-i', $contents, '-s', $key, '-S') == 0 or die "probleme generating signature"; open(my $sighandle, '<', $sigfile) or die "problem reading signature"; @@ -61,7 +60,13 @@ sub check_signature print $fh2 $header, $sig->{b64sig}, "\n"; close $fh; close $fh2; - my $pubkey = $defaultpubkey; + my $pubkey; + + if ($state->defines('FW_UPDATE')) { + $pubkey = OpenBSD::Paths->signifyfwkey; + } else { + $pubkey = OpenBSD::Paths->signifykey; + } if ($plist->has('vendor')) { my $vendor = $plist->get('vendor')->name; $pubkey = "/etc/signify/$vendor.pubkey"; @@ -72,7 +77,7 @@ sub check_signature } if ($state->system(sub { open STDERR, ">", "/dev/null"; open STDOUT, ">", "/dev/null";}, - $cmd, '-I', $fname, '-P', $pubkey, '-V', 'verify') != 0) { + $cmd, '-i', $fname, '-p', $pubkey, '-V') != 0) { $state->log("Bad signature"); return 0; } -- 2.20.1
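Review bot: In the compute_signature hunk, the file handed to signify with `-i` is written through an unchecked `open my $fh, ">", $contents;` and an unchecked `close $fh;`, so a failed or short write goes unnoticed and signify signs whatever is on disk at that path. Since the commit already touches this call, I would make both fail loudly: `open(my $fh, ">", $contents) or die "can't write $contents: $!";` and `close($fh) or die "can't write $contents: $!";`. The `die` after `$state->system` could also report the exit status, so that a missing secret key can be told apart from other failures. The function starts and ends outside this hunk, so where `$contents` and `$sigfile` come from is not visible here.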
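Review bot: In check_signature, the FW_UPDATE/default key choice added here is overridden just below by `$pubkey = "/etc/signify/$vendor.pubkey"`, where `$vendor` is read from the packing list being verified, so the package itself picks the key it is checked against. That appears to weaken the firmware/package key separation this commit introduces: any vendor key present in /etc/signify would also be accepted during a firmware update, and because the name reaches the path unvalidated, a value containing `/` or `..` is not confined to that directory. Unless the lines between this hunk and the next already handle it (they are not visible), I would reject unexpected names before building the path, e.g. `if ($vendor !~ m/\A[\w.+-]+\z/ || $vendor =~ m/\A\./) { $state->log("Bad vendor name"); return 0; }`, and decide explicitly whether vendor keys apply at all when FW_UPDATE is defined. A one-line comment above the new `if` saying which key verifies which kind of package would also help.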
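Review bot: In the verify call of the last check_signature hunk, signify's STDOUT and STDERR both go to /dev/null and every non-zero status is logged as `Bad signature`, so a missing or unreadable key file looks the same as a tampered packing list. The check fails closed, which is the right default. For triage the log line should name the key that was tried, e.g. `$state->log("Bad signature (checked against $pubkey)");`, provided `log` does not treat its argument as a format string (not visible here). The two bareword `open STDERR` / `open STDOUT` calls in the child are also unchecked; a comment stating that the output is discarded on purpose would make that intent clear.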