From 8fde399fe62c3a08310e1830bb15b6e93ed360f9 Mon Sep 17 00:00:00 2001 From: Geoffroy Carrier Date: Mon, 2 Jun 2008 10:27:01 +0200 Subject: Add PGPSIG field in repo-add Use base64 encoding to store the value in the database if a .sig file exists for the package being added. Signed-off-by: Geoffroy Carrier Signed-off-by: Dan McGee --- scripts/repo-add.sh.in | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'scripts/repo-add.sh.in') diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index dfc93974..70cfd63c 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -268,6 +268,12 @@ db_write_entry() msg2 "$(gettext "Computing md5 checksums...")" echo -e "%MD5SUM%\n$md5sum\n" >>desc + # add base64'd PGP signature + if [[ -f $startdir/$pkgfile.sig ]]; then + pgpsig=$(openssl base64 -in "$startdir/$pkgfile.sig" | tr -d '\n') + echo -e "%PGPSIG%\n$pgpsig\n" >>desc + fi + [[ -n $url ]] && echo -e "%URL%\n$url\n" >>desc write_list_entry "LICENSE" "$_licenses" "desc" [[ -n $arch ]] && echo -e "%ARCH%\n$arch\n" >>desc -- cgit v1.2.3-24-g4f1b From a4120f2015ae4d5880642e16c81acadbab77555d Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Mon, 24 Aug 2009 13:23:44 -0500 Subject: repo-add: allow signing of the package database In order to be fully secure, we can't only sign packages. We also need to sign our repository metadata to prevent database falsification, dependency injection, etc. Add an '-s/--sign' option that allows this functionality, and will generate a .sig file side-by-side with the package database. While at it, fix the issue where a signature file would never be found because of 'cd' madness (this needs fixing in another commit). Signed-off-by: Dan McGee --- scripts/repo-add.sh.in | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'scripts/repo-add.sh.in') diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 70cfd63c..ebe226a1 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -30,6 +30,7 @@ confdir='@sysconfdir@' QUIET=0 DELTA=0 WITHFILES=0 +SIGN=0 REPO_DB_FILE= LOCKFILE= CLEAN_LOCK=0 @@ -184,6 +185,24 @@ db_remove_delta() return 1 } # end db_remove_delta +# sign the package database once repackaged +create_signature() { + (( ! SIGN )) && return + local dbfile="$1" + local ret=0 + msg "$(gettext "Signing database...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi + gpg --detach-sign --use-agent "$dbfile" || ret=$? + if (( ! ret )); then + msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig" + else + warning "$(gettext "Failed to sign package database.")" + fi +} + # write an entry to the pacman database # arg1 - path to package db_write_entry() @@ -488,6 +507,7 @@ for arg in "$@"; do -q|--quiet) QUIET=1;; -d|--delta) DELTA=1;; -f|--files) WITHFILES=1;; + -s|--sign) SIGN=1;; *) if [[ -z $REPO_DB_FILE ]]; then REPO_DB_FILE="$arg" @@ -520,6 +540,7 @@ if (( success )); then pushd "$tmpdir" >/dev/null if [[ -n $(ls) ]]; then bsdtar -c${TAR_OPT}f "$filename" * + create_signature "$filename" else # we have no packages remaining? zip up some emptyness warning "$(gettext "No packages remain, creating empty database.")" @@ -528,7 +549,9 @@ if (( success )); then popd >/dev/null [[ -f $REPO_DB_FILE ]] && mv -f "$REPO_DB_FILE" "${REPO_DB_FILE}.old" + [[ -f $REPO_DB_FILE.sig ]] && rm -f "$REPO_DB_FILE.sig" [[ -f $tmpdir/$filename ]] && mv "$tmpdir/$filename" "$REPO_DB_FILE" + [[ -f $tmpdir/$filename.sig ]] && mv "$tmpdir/$filename.sig" "$REPO_DB_FILE.sig" dblink="${REPO_DB_FILE%.tar.*}" target=${REPO_DB_FILE##*/} ln -sf "$target" "$dblink" 2>/dev/null || \ -- cgit v1.2.3-24-g4f1b From 38f94da47d71780fdaaf0f06e0bf4dd37456fc00 Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Mon, 24 Aug 2009 16:52:23 -0500 Subject: repo-add: add -v/--verify option This is intended to verify an existing signature on a database before making further changes to it and performing updates. Rarely would you use this without immediately resigning it via the -s/--sign option. Instead, it is intended as a "chain of trust" operation where the previous signature is verified to give you some sense that what you sign off on is also safe. Still todo: don't make changes unless the signature is not only good, but also in the accepted list of keys. Signed-off-by: Dan McGee --- scripts/repo-add.sh.in | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'scripts/repo-add.sh.in') diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index ebe226a1..8a738b4b 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -31,6 +31,7 @@ QUIET=0 DELTA=0 WITHFILES=0 SIGN=0 +VERIFY=0 REPO_DB_FILE= LOCKFILE= CLEAN_LOCK=0 @@ -203,6 +204,29 @@ create_signature() { fi } +# verify the existing package database signature +verify_signature() { + (( ! VERIFY )) && return + local dbfile="$1" + local ret=0 + msg "$(gettext "Verifying database signature...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi + if [[ ! -f $dbfile.sig ]]; then + warning "$(gettext "No existing signature found, skipping verification.")" + return + fi + gpg --verify "$dbfile.sig" || ret=$? + if (( ! ret )); then + msg2 "$(gettext "Database signature file verified.")" + else + error "$(gettext "Database signature was NOT valid!")" + exit 1 + fi +} + # write an entry to the pacman database # arg1 - path to package db_write_entry() @@ -377,6 +401,7 @@ check_repo_db() exit 1 fi fi + verify_signature "$REPO_DB_FILE" msg "$(gettext "Extracting database to a temporary location...")" bsdtar -xf "$REPO_DB_FILE" -C "$tmpdir" else @@ -508,6 +533,7 @@ for arg in "$@"; do -d|--delta) DELTA=1;; -f|--files) WITHFILES=1;; -s|--sign) SIGN=1;; + -v|--verify) VERIFY=1;; *) if [[ -z $REPO_DB_FILE ]]; then REPO_DB_FILE="$arg" -- cgit v1.2.3-24-g4f1b From f0f83197694edb055b074a4b339e07c31627205c Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Thu, 29 Oct 2009 21:35:25 -0500 Subject: repo-add: Fix up usage with GPG options Signed-off-by: Dan McGee --- scripts/repo-add.sh.in | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'scripts/repo-add.sh.in') diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 8a738b4b..c55eac3f 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -64,7 +64,7 @@ error() { # print usage instructions usage() { printf "repo-add, repo-remove (pacman) %s\n\n" "$myver" - printf "$(gettext "Usage: repo-add [-d] [-f] [-q] ...\n")" + printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s] [-v] ...\n")" printf "$(gettext "Usage: repo-remove [-q] ...\n\n")" printf "$(gettext "\ repo-add will update a package database by reading a package file.\n\ @@ -81,7 +81,8 @@ Use the -d/--delta flag to automatically generate and add a delta file\n\ between the old entry and the new one, if the old package file is found\n\ next to the new one.\n\n")" printf "$(gettext "\ -Use the -f/--files flag to update a database including file entries.\n\n")" +Use the -f/--files flag to update a database including file entries.\n\n +See repo-add(8) for more details and descriptions of the available options.\n\n")" echo "$(gettext "Example: repo-add /path/to/repo.db.tar.gz pacman-3.0.0.pkg.tar.gz")" echo "$(gettext "Example: repo-remove /path/to/repo.db.tar.gz kernel26")" } -- cgit v1.2.3-24-g4f1b From 93591d428fa553a03fee1f63228311f92e85d1ed Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Tue, 23 Nov 2010 14:57:58 +1000 Subject: repo-add: add symlink to signature file Signed-off-by: Allan McRae --- scripts/repo-add.sh.in | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'scripts/repo-add.sh.in') diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index c55eac3f..76005757 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -584,6 +584,11 @@ if (( success )); then ln -sf "$target" "$dblink" 2>/dev/null || \ ln -f "$target" "$dblink" 2>/dev/null || \ cp "$REPO_DB_FILE" "$dblink" + if [[ -f "$target.sig" ]]; then + ln -sf "$target.sig" "$dblink.sig" 2>/dev/null || \ + ln -f "$target.sig" "$dblink.sig" 2>/dev/null || \ + cp "$REPO_DB_FILE.sig" "$dblink.sig" + fi else msg "$(gettext "No packages modified, nothing to do.")" exit 1 -- cgit v1.2.3-24-g4f1b From a31d091fb3bd250416d419b30e99c900b1608efc Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Wed, 23 Mar 2011 00:10:36 -0500 Subject: repo-add: add sha256sum values to repo database Implements FS#23103. Also modify libalpm so it ignores this value without any warning as we know it is likely to exist. Signed-off-by: Dan McGee --- scripts/repo-add.sh.in | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'scripts/repo-add.sh.in') diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 76005757..59e98cfe 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -263,9 +263,6 @@ db_write_entry() IFS=$OLDIFS - # get md5sum and compressed size of package - md5sum="$(openssl dgst -md5 "$pkgfile")" - md5sum="${md5sum##* }" csize=$(@SIZECMD@ "$pkgfile") # ensure $pkgname and $pkgver variables were found @@ -287,6 +284,13 @@ db_write_entry() fi fi + # compute checksums + msg2 "$(gettext "Computing checksums...")" + md5sum="$(openssl dgst -md5 "$pkgfile")" + md5sum="${md5sum##* }" + sha256sum="$(openssl dgst -sha256 "$pkgfile")" + sha256sum="${sha256sum##* }" + # remove an existing entry if it exists, ignore failures db_remove_entry "$pkgname" @@ -308,9 +312,9 @@ db_write_entry() [[ -n $csize ]] && echo -e "%CSIZE%\n$csize\n" >>desc [[ -n $size ]] && echo -e "%ISIZE%\n$size\n" >>desc - # compute checksums - msg2 "$(gettext "Computing md5 checksums...")" + # add checksums echo -e "%MD5SUM%\n$md5sum\n" >>desc + echo -e "%SHA256SUM%\n$sha256sum\n" >>desc # add base64'd PGP signature if [[ -f $startdir/$pkgfile.sig ]]; then -- cgit v1.2.3-24-g4f1b