authorAdrian C. (anrxc) <anrxc@sysphere.org>2021-03-26 18:47:45 +0100
committerAdrian C. (anrxc) <anrxc@sysphere.org>2021-03-26 18:47:45 +0100
commitaec40ae89f9bde4483b6eb44df2636de243d42a5 (patch)
tree11fd9881afebe8e3fb9c6b0e7e5e49ffbbb6c6e8
parentd099ec6ab71ea8732908c8f14c14653ac02efd58 (diff)
downloadfreebsd-pkgsign-aec40ae89f9bde4483b6eb44df2636de243d42a5.tar.xz
pkgsign: support generic file signing
-rwxr-xr-xpkgsign78
1 files changed, 46 insertions, 32 deletions
diff --git a/pkgsign b/pkgsign
index c908ab2..1caa4bc 100755
--- a/pkgsign
+++ b/pkgsign
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3.7
+#!/usr/bin/env python3
# -*- mode:python; coding:utf-8 -*-
#
# NAME
@@ -6,6 +6,10 @@
# ssh-agent for private key management when signing
# repositories
#
+# This copy was modified for generating generic file
+# signatures, it accepts multi-line input and outputs
+# no FreeBSD specific pkg information to the terminal.
+#
# LICENSE
# Copyright (c) 2011 lars at oddbit dot com
# Copyright (c) 2021 anrxc at sysphere dot org
@@ -29,13 +33,11 @@
# SOFTWARE.
#
# SYNOPSIS
-# /usr/sbin/pkg repo /path/to/repository signing_command: pkgsign [FINGERPRINT]
-# /usr/sbin/pkg repo /path/to/repository signing_command: ssh signing-server pkgsign [FINGERPRINT]
+# cat [FILE] | pkgsign --debug [FINGERPRINT]
#
# FILES
# $HOME/.ssh/ssh-agent.info
# $HOME/.gnupg/gpg-agent.info
-# /usr/local/etc/ssl/public/[FINGERPRINT].pub
#
import paramiko.agent
@@ -59,15 +61,27 @@ except IndexError:
try:
if _KDUMP < 1:
if _DEBUG > 0:
- _PKGID = stdin.readline().strip()
+ #_PKGID = stdin.readline().strip()
+ _PKGID = stdin.buffer.read()
_KEYID = sysargv[2]
else:
- _PKGID = stdin.readline().strip()
+ #_PKGID = stdin.readline().strip()
+ _PKGID = stdin.buffer.read()
_KEYID = sysargv[1]
except IndexError:
raise SystemExit("ERROR: key fingerprint missing from command line, aborting")
+# # Support for signing large binary blobs
+# # - sign_ssh_data() must use add_list() not add_string() for input over 256K,
+# # create the list here and feed that to sign_ssh_data() instead of _PKGID
+# _PKGIDS = []
+# while chunk := _PKGID.read(256):
+# # But despite this paramiko still terminates agent connection with blobs
+# # as small as 64MB. Look into that sometime.
+# _PKGIDS.append(chunk)
+
+
if "SSH_AUTH_SOCK" not in environ:
import re
## gpg-agent untested, at some point in 2013 SSH support was broken
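Review bot: The new `_PKGID = stdin.buffer.read()` on both branches accepts an empty stdin silently, so piping nothing (or an empty file) still produces a valid signature over zero bytes; the old `readline().strip()` had the same gap, but now that the tool signs arbitrary files a guard right after the try/except is worth adding, e.g. `if not _PKGID: raise SystemExit("ERROR: no data on stdin, aborting")`. The whole input is also held in memory and, per the commented-out block, passed to the agent as a single blob, and the note there about paramiko dropping the agent connection around 64 MB is a practical size limit that belongs in the SYNOPSIS comment rather than in dead code. That commented-out chunking loop (`while chunk := _PKGID.read(256)`) would also fail as written, because `_PKGID` is now `bytes` and has no `.read()`; either finish it or drop it and keep the size caveat as a plain comment. The `_DEBUG`/`_KDUMP` flags tested here are set before this hunk.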
@@ -129,36 +143,36 @@ for key in agent_keys:
raw_sig = raw_sig[len+4:]
sig = sig_parts[1]
- # To convert key.get_base64() to pkcs8 would be more code than this
- # entire thing. To use ssh-keygen instead we need a temporary file as
- # it can't read it from stdin when performing a conversion. In the end
- # it is much simpler to just read it from a pregenerated file.
- pub_key = open("/usr/local/etc/ssl/public/%s.pub" % _KEYID, "r")
-
- # Print data in order that pkg-repo(8) is expecting
- print("SIGNATURE")
- # - flush to ensure order and prevent pkg-repo(8) segfault
- stdout.flush()
- # - write the signature raw bytes that pkg-repo(8) is expecting
- stdout.buffer.write(sig)
- stdout.flush()
- print()
- stdout.flush()
- print("CERT")
- stdout.flush()
- print(pub_key.read().strip())
- stdout.flush()
- print("END")
- stdout.flush()
- pub_key.close()
+ # # To convert key.get_base64() to pkcs8 would be more code than this
+ # # entire thing. To use ssh-keygen instead we need a temporary file as
+ # # it can't read it from stdin when performing a conversion. In the end
+ # # it is much simpler to just read it from a pregenerated file.
+ # pub_key = open("/usr/local/etc/ssl/public/%s.pub" % _KEYID, "r")
+
+ # # Print data in order that pkg-repo(8) is expecting
+ # print("SIGNATURE")
+ # # - flush to ensure order and prevent pkg-repo(8) segfault
+ # stdout.flush()
+ # # - write the signature raw bytes that pkg-repo(8) is expecting
+ # stdout.buffer.write(sig)
+ # stdout.flush()
+ # print()
+ # stdout.flush()
+ # print("CERT")
+ # stdout.flush()
+ # print(pub_key.read().strip())
+ # stdout.flush()
+ # print("END")
+ # stdout.flush()
+ # pub_key.close()
# For validating signatures against/with openssl pkeyutl
- # - generate: echo -n "[HASH]" | openssl dgst -sign [PRIVATEKEY] -sha256 -binary >signature-cmp
+ # - generate: openssl dgst -sign [PRIVATEKEY] -sha256 -binary [FILE] >signature-cmp.sig
if _DEBUG > 0:
- # - validate: echo -n "[HASH]" | openssl sha256 -binary | \
- # openssl pkeyutl -verify -sigfile signature-[HASH] -pubin \
+ # - validate: cat [FILE] | openssl sha256 -binary | \
+ # openssl pkeyutl -verify -sigfile signature.sig -pubin \
# -inkey [PUBLICKEY] -pkeyopt digest:sha256
- open("signature-%s" % _PKGID, "wb").write(sig)
+ open("signature.sig", "wb").write(sig)
raise SystemExit(0)
else: