authorMarc Espie <espie@cvs.openbsd.org>2014-01-17 10:54:15 +0000
committerMarc Espie <espie@cvs.openbsd.org>2014-01-17 10:54:15 +0000
commitf6a56f09e33bccb1ebe6bd4220feabd88fe57e6e (patch)
treeda80ade82098305e02c27c818c1de3b2e031fa6f /usr.sbin/pkg_add/OpenBSD
parent11d4cafd7cf99398c58662ca4d0612beb8e0fb74 (diff)
tweak the interface to generating signatures yet again.
- assume key names match, deduce signer from sec key. e.g., -s signify -s 55pkg.sec will set signer to 55pkg and look for a pubkey named 55pkg.pub, either beside 55pkg.sec or in /etc/signify. - verify there's no mismatch, if possible, by verifying the first package signed. - also build a SHA256 on the fly while signing.
Diffstat (limited to 'usr.sbin/pkg_add/OpenBSD')
-rw-r--r--usr.sbin/pkg_add/OpenBSD/Paths.pm3
-rw-r--r--usr.sbin/pkg_add/OpenBSD/PkgCreate.pm35
2 files changed, 30 insertions, 8 deletions
diff --git a/usr.sbin/pkg_add/OpenBSD/Paths.pm b/usr.sbin/pkg_add/OpenBSD/Paths.pm
index 8e1d2783955..da38e163d72 100644
--- a/usr.sbin/pkg_add/OpenBSD/Paths.pm
+++ b/usr.sbin/pkg_add/OpenBSD/Paths.pm
@@ -1,5 +1,5 @@
# ex:ts=8 sw=4:
-# $OpenBSD: Paths.pm,v 1.26 2014/01/09 20:20:01 espie Exp $
+# $OpenBSD: Paths.pm,v 1.27 2014/01/17 10:54:14 espie Exp $
#
# Copyright (c) 2007-2014 Marc Espie <espie@openbsd.org>
#
@@ -54,6 +54,7 @@ sub hostname() { '/bin/hostname' }
sub sudo() { '/usr/bin/sudo' }
sub du() { '/usr/bin/du' }
sub diff() { '/usr/bin/diff' }
+sub sha256() { '/bin/sha256' }
# Various paths
sub shells() { '/etc/shells' }
diff --git a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
index f5fdd2a76bf..3d240d219f6 100644
--- a/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
+++ b/usr.sbin/pkg_add/OpenBSD/PkgCreate.pm
@@ -1,6 +1,6 @@
#! /usr/bin/perl
# ex:ts=8 sw=4:
-# $OpenBSD: PkgCreate.pm,v 1.93 2014/01/13 10:07:32 espie Exp $
+# $OpenBSD: PkgCreate.pm,v 1.94 2014/01/17 10:54:14 espie Exp $
#
# Copyright (c) 2003-2014 Marc Espie <espie@openbsd.org>
#
@@ -74,8 +74,21 @@ sub new
if (@p != 2 || !-f $p[1]) {
$state->usage("$p[0] signature wants -s privkey");
}
-
- bless {privkey => $p[1]}, $class;
+ my $o = bless {privkey => $p[1]}, $class;
+ my $signer = $o->{privkey};
+ $signer =~ s/\.sec$//;
+ my $pubkey = "$signer.pub";
+ $signer =~ s,.*/,,;
+ $o->{signer} = $signer;
+ if (!-f $pubkey) {
+ $pubkey =~ s,.*/,/etc/signify/,;
+ if (!-f $pubkey) {
+ $state->errsay("warning: public key not found");
+ return $o;
+ }
+ }
+ $o->{pubkey} = $pubkey;
+ return $o;
}
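Review bot: The /etc/signify fallback on the `$pubkey =~ s,.*/,/etc/signify/,;` line never fires when the private key was given without a directory component (`-s 55pkg.sec`), because the substitution needs a slash to match; the second `-f` then re-tests the same relative path and the "public key not found" warning is emitted even though /etc/signify/55pkg.pub may exist. Since `$signer` has already been reduced to its basename on the preceding `s,.*/,,` line, `$pubkey = "/etc/signify/$signer.pub";` covers both the relative and the absolute case. When no public key is found the object is returned without a `pubkey` entry, so the mismatch check from the commit message degrades to a warning; a comment such as `# no pubkey: first-package verification is skipped` next to that `return $o` would make the consequence explicit. The body of `new` begins before this hunk.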
sub new_sig
@@ -88,11 +101,10 @@ sub compute_signature
{
my ($self, $state, $plist) = @_;
- my $list = $state->signer_list;
- OpenBSD::PackingElement::Signer->add($plist, $list->[0]);
+ OpenBSD::PackingElement::Signer->add($plist, $self->{signer});
return OpenBSD::signify::compute_signature($plist, $state,
- $self->{privkey});
+ $self->{privkey}, $self->{pubkey});
}
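Review bot: `$self->{pubkey}` can be undef on the `OpenBSD::signify::compute_signature(...)` call, since `new` returns early without setting it when no public key was found and sign_list also deletes it after the first package. Whether the callee treats an undef fourth argument as "do not verify" is not visible in this diff and is worth confirming, as an undef path handed to signify would otherwise fail the first signing rather than skip the check. The `sub compute_signature` line itself lies just before this hunk.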
package OpenBSD::PkgCreate::State;
@@ -1198,10 +1210,14 @@ sub sign_existing_package
$plist->copy_over($state, $wrarc, $pkg);
$wrarc->close;
$pkg->wipe_info;
- unlink($plist->pkgname.".tgz") if $state->{output};
chmod((0666 & ~umask), $tmp);
rename($tmp, $output.'/'.$plist->pkgname.".tgz") or
$state->fatal("Can't create final signed package: #1", $!);
+ $state->system(sub {
+ chdir($output);
+ open(STDOUT, '>>', 'SHA256');
+ },
+ OpenBSD::Paths->sha256, $plist->pkgname.".tgz");
}
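Review bot: Neither `chdir($output)` nor `open(STDOUT, '>>', 'SHA256')` in the closure passed to `$state->system` is checked, so if the output directory is unreachable or SHA256 is not writable, sha256 runs in the parent's cwd or prints the digest to the parent's stdout and the checksum file is silently left incomplete. Assuming the closure runs in the forked child before exec, `chdir($output) or exit(1);` and `open(STDOUT, '>>', 'SHA256') or exit(1);` would surface the failure through the exit status; the same unchecked `chdir` appears in the last sign_list hunk below. Because the file is opened in append mode, signing again into a directory that already holds a SHA256 adds a second line per package instead of replacing the stale one, which is worth a comment if it is intended. sign_existing_package begins before this hunk.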
sub sign_list
@@ -1235,6 +1251,7 @@ sub sign_list
}
$n--;
&$display($jobs->{$pid});
+ delete $state->{signer}{pubkey};
delete $jobs->{$pid};
};
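Review bot: The `delete $state->{signer}{pubkey}` placed in the reaper callback only takes effect in the parent after a child has finished, so children already forked with `pubkey` still set will presumably each verify their own package; with several jobs in flight this means more than one package is verified, which is harmless but differs from the sequential loop in the next hunk, where the delete after the first iteration leaves exactly one verified package. If a single verification is the intent, deleting the key right after the first job is forked would make both paths agree. sign_list begins before this hunk.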
@@ -1260,8 +1277,12 @@ sub sign_list
for my $name (@$l) {
&$code($name);
&$display($name);
+ delete $state->{signer}{pubkey};
}
}
+ $state->system(sub {
+ chdir($state->{output_dir}) if $state->{output_dir};
+ }, 'sort', 'SHA256');
}
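Review bot: `$state->system(..., 'sort', 'SHA256')` runs sort with its output on the parent's stdout, so the SHA256 file in the output directory stays in whatever order the packages finished; if the intent is a sorted file on disk, `'sort', '-o', 'SHA256', 'SHA256'` rewrites it in place. Unlike the sha256 invocation in sign_existing_package, `sort` is resolved through PATH rather than an absolute path; if an OpenBSD::Paths entry exists or is added for it, using it keeps the two calls consistent. The `chdir` in this closure is unchecked as well, so a missing `output_dir` would sort a SHA256 in the parent's cwd.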
sub sign_existing_repository