author | Adrian C. (anrxc) <anrxc@sysphere.org> | 2021-03-26 18:47:45 +0100 |
---|---|---|
committer | Adrian C. (anrxc) <anrxc@sysphere.org> | 2021-03-26 18:47:45 +0100 |
commit | aec40ae89f9bde4483b6eb44df2636de243d42a5 (patch) | |
tree | 11fd9881afebe8e3fb9c6b0e7e5e49ffbbb6c6e8 | |
parent | d099ec6ab71ea8732908c8f14c14653ac02efd58 (diff) | |
pkgsign: support generic file signing
-rwxr-xr-x | pkgsign | 78 |
1 files changed, 46 insertions, 32 deletions
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3.7
+#!/usr/bin/env python3
 # -*- mode:python; coding:utf-8 -*-
 #
 # NAME
@@ -6,6 +6,10 @@
 # ssh-agent for private key management when signing
 # repositories
 #
+# This copy was modified for generating generic file
+# signatures, it accepts multi-line input and outputs
+# no FreeBSD specific pkg information to the terminal.
+#
 # LICENSE
 # Copyright (c) 2011 lars at oddbit dot com
 # Copyright (c) 2021 anrxc at sysphere dot org
@@ -29,13 +33,11 @@
 # SOFTWARE.
 #
 # SYNOPSIS
-# /usr/sbin/pkg repo /path/to/repository signing_command: pkgsign [FINGERPRINT]
-# /usr/sbin/pkg repo /path/to/repository signing_command: ssh signing-server pkgsign [FINGERPRINT]
+# cat [FILE] | pkgsign --debug [FINGERPRINT]
 #
 # FILES
 # $HOME/.ssh/ssh-agent.info
 # $HOME/.gnupg/gpg-agent.info
-# /usr/local/etc/ssl/public/[FINGERPRINT].pub
 #
 import paramiko.agent
@@ -59,15 +61,27 @@ except IndexError:
 try:
 if _KDUMP < 1:
 if _DEBUG > 0:
- _PKGID = stdin.readline().strip()
+ #_PKGID = stdin.readline().strip()
+ _PKGID = stdin.buffer.read()
 _KEYID = sysargv[2]
 else:
- _PKGID = stdin.readline().strip()
+ #_PKGID = stdin.readline().strip()
+ _PKGID = stdin.buffer.read()
 _KEYID = sysargv[1]
 except IndexError:
 raise SystemExit("ERROR: key fingerprint missing from command line, aborting")
+# # Support for signing large binary blobs
+# # - sign_ssh_data() must use add_list() not add_string() for input over 256K,
+# # create the list here and feed that to sign_ssh_data() instead of _PKGID
+# _PKGIDS = []
+# while chunk := _PKGID.read(256):
+# # But despite this paramiko still terminates agent connection with blobs
+# # as small as 64MB. Look into that sometime.
+# _PKGIDS.append(chunk)
+
+
 if "SSH_AUTH_SOCK" not in environ:
 import re
 ## gpg-agent untested, at some point in 2013 SSH support was broken
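Review bot: The commented-out chunking sketch added below the `except` block calls `_PKGID.read(256)`, but `_PKGID` is now the `bytes` object returned by `stdin.buffer.read()` and has no `read` method, so the sketch would not work if revived; if it stays as a TODO it should loop over the stream instead, e.g. `while chunk := stdin.buffer.read(256): _PKGIDS.append(chunk)`, and it is worth noting there that the walrus operator needs Python 3.8 while the shebang now only pins `python3`. Both branches of `if _DEBUG > 0` now perform the identical `_PKGID = stdin.buffer.read()`, so that read can be hoisted above the branch, leaving only the `_KEYID = sysargv[2]` / `sysargv[1]` choice inside. The whole of stdin is buffered in memory with no size bound, and per the sketch's own note the agent connection drops for blobs around 64MB, so a one-line comment at the read such as `# entire input is buffered; see the size caveat below` would spare the operator a confusing failure. The `if "SSH_AUTH_SOCK"` block continues outside the hunk.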
@@ -129,36 +143,36 @@ for key in agent_keys:
 raw_sig = raw_sig[len+4:]
 sig = sig_parts[1]
- # To convert key.get_base64() to pkcs8 would be more code than this
- # entire thing. To use ssh-keygen instead we need a temporary file as
- # it can't read it from stdin when performing a conversion. In the end
- # it is much simpler to just read it from a pregenerated file.
- pub_key = open("/usr/local/etc/ssl/public/%s.pub" % _KEYID, "r")
-
- # Print data in order that pkg-repo(8) is expecting
- print("SIGNATURE")
- # - flush to ensure order and prevent pkg-repo(8) segfault
- stdout.flush()
- # - write the signature raw bytes that pkg-repo(8) is expecting
- stdout.buffer.write(sig)
- stdout.flush()
- print()
- stdout.flush()
- print("CERT")
- stdout.flush()
- print(pub_key.read().strip())
- stdout.flush()
- print("END")
- stdout.flush()
- pub_key.close()
+ # # To convert key.get_base64() to pkcs8 would be more code than this
+ # # entire thing. To use ssh-keygen instead we need a temporary file as
+ # # it can't read it from stdin when performing a conversion. In the end
+ # # it is much simpler to just read it from a pregenerated file.
+ # pub_key = open("/usr/local/etc/ssl/public/%s.pub" % _KEYID, "r")
+
+ # # Print data in order that pkg-repo(8) is expecting
+ # print("SIGNATURE")
+ # # - flush to ensure order and prevent pkg-repo(8) segfault
+ # stdout.flush()
+ # # - write the signature raw bytes that pkg-repo(8) is expecting
+ # stdout.buffer.write(sig)
+ # stdout.flush()
+ # print()
+ # stdout.flush()
+ # print("CERT")
+ # stdout.flush()
+ # print(pub_key.read().strip())
+ # stdout.flush()
+ # print("END")
+ # stdout.flush()
+ # pub_key.close()
 # For validating signatures against/with openssl pkeyutl
- # - generate: echo -n "[HASH]" | openssl dgst -sign [PRIVATEKEY] -sha256 -binary >signature-cmp
+ # - generate: openssl dgst -sign [PRIVATEKEY] -sha256 -binary [FILE] >signature-cmp.sig
 if _DEBUG > 0:
- # - validate: echo -n "[HASH]" | openssl sha256 -binary | \
- # openssl pkeyutl -verify -sigfile signature-[HASH] -pubin \
+ # - validate: cat [FILE] | openssl sha256 -binary | \
+ # openssl pkeyutl -verify -sigfile signature.sig -pubin \
 # -inkey [PUBLICKEY] -pkeyopt digest:sha256
- open("signature-%s" % _PKGID, "wb").write(sig)
+ open("signature.sig", "wb").write(sig)
 raise SystemExit(0)
 else:
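Review bot: `open("signature.sig", "wb").write(sig)` never closes the file object explicitly and leaves flushing to garbage collection, so a write error at close time would go unreported; `with open("signature.sig", "wb") as fh: fh.write(sig)` closes deterministically and surfaces the error. The fixed name is resolved against the current working directory and silently overwrites any existing `signature.sig`, which deserves a comment on that line since the old per-`_PKGID` name did not collide between runs. The pkg-repo(8) output block is kept as 22 lines of commented-out code; the commit history already preserves it, so deleting it (or keeping only the four explanatory comment lines) leaves less dead code to maintain. With that block gone the signature appears to be written only when `_DEBUG > 0`, matching the new SYNOPSIS that requires `--debug`; the `else:` branch continues outside the hunk, so whether the non-debug path still emits anything cannot be confirmed here.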