diff options
| -rw-r--r-- | usr.sbin/pkg_add/Makefile | 3 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/OpenBSD/Delete.pm | 10 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/OpenBSD/PackingElement.pm | 9 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/OpenBSD/PackingList.pm | 5 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/OpenBSD/Paths.pm | 3 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/OpenBSD/x509.pm | 108 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/package.5 | 22 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/pkg_add | 18 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/pkg_add.1 | 27 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/pkg_create | 88 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/pkg_create.1 | 28 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/pkg_delete.1 | 5 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/pkg_info | 25 | ||||
| -rw-r--r-- | usr.sbin/pkg_add/pkg_info.1 | 8 |
14 files changed, 327 insertions, 32 deletions
diff --git a/usr.sbin/pkg_add/Makefile b/usr.sbin/pkg_add/Makefile index 1767569f6d3..8c75d5c79c0 100644 --- a/usr.sbin/pkg_add/Makefile +++ b/usr.sbin/pkg_add/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.51 2008/09/11 04:15:37 drahn Exp $ +# $OpenBSD: Makefile,v 1.52 2009/04/14 17:53:58 espie Exp $ .include <bsd.own.mk> @@ -49,6 +49,7 @@ PACKAGES= \ OpenBSD/Ustar.pm \ OpenBSD/Vstat.pm \ OpenBSD/md5.pm \ + OpenBSD/x509.pm PACKAGEDIRS=OpenBSD OpenBSD/PackageRepository diff --git a/usr.sbin/pkg_add/OpenBSD/Delete.pm b/usr.sbin/pkg_add/OpenBSD/Delete.pm index e7a9552cfe4..bf9174a9ffb 100644 --- a/usr.sbin/pkg_add/OpenBSD/Delete.pm +++ b/usr.sbin/pkg_add/OpenBSD/Delete.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: Delete.pm,v 1.78 2008/10/20 10:25:16 espie Exp $ +# $OpenBSD: Delete.pm,v 1.79 2009/04/14 17:53:58 espie Exp $ # # Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> # @@ -98,6 +98,14 @@ sub delete_package if ($plist->pkgname ne $pkgname) { Fatal "Package $pkgname real name does not match"; } + if ($plist->is_signed) { + if (!$state->{quick}) { + require OpenBSD::x509; + if (!OpenBSD::x509::check_signature($plist, $state)) { + Fatal "Package $pkgname is corrupted"; + } + } + } $state->{problems} = 0; validate_plist($plist, $state); diff --git a/usr.sbin/pkg_add/OpenBSD/PackingElement.pm b/usr.sbin/pkg_add/OpenBSD/PackingElement.pm index 4662cdd5dec..2b29a4b46d7 100644 --- a/usr.sbin/pkg_add/OpenBSD/PackingElement.pm +++ b/usr.sbin/pkg_add/OpenBSD/PackingElement.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: PackingElement.pm,v 1.154 2009/03/05 10:43:00 espie Exp $ +# $OpenBSD: PackingElement.pm,v 1.155 2009/04/14 17:53:58 espie Exp $ # # Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> # @@ -387,6 +387,7 @@ sub may_check_digest sub check_digest { my ($self, $file, $state) = @_; + return if $self->{link} or $self->{symlink}; if (!defined $self->{d}) { $state->fatal($self->fullname, " does not have a signature"); } @@ -1646,6 +1647,12 @@ sub new $class; } +sub new_x509 +{ + my ($class) = @_; + bless { key => 'x509', timestamp => time, b64sig => '' }, $class; +} + sub stringize { diff --git a/usr.sbin/pkg_add/OpenBSD/PackingList.pm b/usr.sbin/pkg_add/OpenBSD/PackingList.pm index 4a9c6d19a47..c60ce2bc828 100644 --- a/usr.sbin/pkg_add/OpenBSD/PackingList.pm +++ b/usr.sbin/pkg_add/OpenBSD/PackingList.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: PackingList.pm,v 1.86 2009/03/05 10:43:00 espie Exp $ +# $OpenBSD: PackingList.pm,v 1.87 2009/04/14 17:53:58 espie Exp $ # # Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> # @@ -377,7 +377,8 @@ sub localbase sub is_signed { - return 0; + my $self = shift; + return defined $self->{'digital-signature'}; } our @unique_categories = diff --git a/usr.sbin/pkg_add/OpenBSD/Paths.pm b/usr.sbin/pkg_add/OpenBSD/Paths.pm index 29f5a8ed1c6..b182b052393 100644 --- a/usr.sbin/pkg_add/OpenBSD/Paths.pm +++ b/usr.sbin/pkg_add/OpenBSD/Paths.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: Paths.pm,v 1.6 2007/08/28 10:39:03 espie Exp $ +# $OpenBSD: Paths.pm,v 1.7 2009/04/14 17:53:58 espie Exp $ # # Copyright (c) 2007 Marc Espie <espie@openbsd.org> # @@ -31,6 +31,7 @@ sub useradd() { '/usr/sbin/useradd' } sub groupadd() { '/usr/sbin/groupadd' } sub sysctl() { '/sbin/sysctl' } sub openssl() { '/usr/sbin/openssl' } +sub pkgca() { '/etc/ssl/pkgca.pem' } sub chmod() { '/bin/chmod' } # external command is used for symbolic modes. sub gzip() { '/usr/bin/gzip' } sub ftp() { $ENV{'FETCH_CMD'} || '/usr/bin/ftp' } diff --git a/usr.sbin/pkg_add/OpenBSD/x509.pm b/usr.sbin/pkg_add/OpenBSD/x509.pm new file mode 100644 index 00000000000..07d73a68627 --- /dev/null +++ b/usr.sbin/pkg_add/OpenBSD/x509.pm @@ -0,0 +1,108 @@ +# ex:ts=8 sw=4: +# $OpenBSD: x509.pm,v 1.1 2009/04/14 17:53:58 espie Exp $ +# +# Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +use strict; +use warnings; + +package OpenBSD::x509; + +use OpenBSD::PackageInfo; +use OpenBSD::Paths; +use MIME::Base64; +use File::Temp qw/mkstemp/; + + +sub compute_signature +{ + my ($plist, $cert, $key) = @_; + + open my $fh, ">", $plist->infodir.CONTENTS; + $plist->write_no_sig($fh); + close $fh; + open(my $sighandle, "-|", OpenBSD::Paths->openssl, "smime", "-sign", + "-binary", "-signer", $cert ,"-in", $plist->infodir.CONTENTS, + "-inkey", $key, "-outform", "DEM") or die; + my $sig; + sysread($sighandle, $sig, 16384); + close($sighandle) or die "problem generating signature $!"; + + return encode_base64($sig, ''); +} + +sub dump_certificate_info +{ + my $fname2 = shift; + + open my $fh, "-|", OpenBSD::Paths->openssl, "asn1parse", + "-inform", "DEM", "-in", $fname2; + my %want = map {($_, 1)} + qw(countryName localityName organizationName + organizationalUnitName commonName emailAddress); + while (<$fh>) { + if (m/\sprim\:\s+OBJECT\s*\:(.*)\s*$/) { + my $objectname = $1; + $_ = <$fh>; + if (m/\sprim\:\s+[A-Z0-9]+\s*\:(.*)\s*$/) { + if ($want{$objectname}) { + print "$objectname=$1\n"; + } + } + } + } + close($fh); +} + +sub print_certificate_info +{ + my $plist = shift; + + my ($fh, $fname) = mkstemp("/tmp/pkgsig.XXXXXXXXX"); + print $fh decode_base64($plist->{'digital-signature'}->{b64sig}); + close $fh; + dump_certificate_info($fname); + unlink $fname; +} + +sub check_signature +{ + my ($plist, $state) = @_; + my $sig = $plist->get('digital-signature'); + if ($sig->{key} ne 'x509') { + $state->warn("Error: unknown signature style"); + return 0; + } + my ($fh, $fname) = mkstemp("/tmp/pkgcontent.XXXXXXXXX"); + my ($fh2, $fname2) = mkstemp("/tmp/pkgsig.XXXXXXXXX"); + $plist->write_no_sig($fh); + print $fh2 decode_base64($sig->{b64sig}); + close $fh; + close $fh2; + if (system (OpenBSD::Paths->openssl, "smime", "-verify", "-binary", + "-inform", "DEM", "-in", $fname2, "-content", $fname, + "-CAfile", OpenBSD::Paths->pkgca, "-out", "/dev/null") != 0) { + $state->warn("Bad signature"); + return 0; + } + if ($state->{verbose}) { + dump_certificate_info($fname2); + } + unlink $fname; + unlink $fname2; + return 1; +} + +1; diff --git a/usr.sbin/pkg_add/package.5 b/usr.sbin/pkg_add/package.5 index 09ff2be3858..9db2c72fd43 100644 --- a/usr.sbin/pkg_add/package.5 +++ b/usr.sbin/pkg_add/package.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: package.5,v 1.7 2008/12/14 10:56:51 jmc Exp $ +.\" $OpenBSD: package.5,v 1.8 2009/04/14 17:53:58 espie Exp $ .\" Copyright (c) 2005-2006 Marc Espie <espie@openbsd.org> .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -12,7 +12,7 @@ .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: December 14 2008 $ +.Dd $Mdocdate: April 14 2009 $ .Dt PACKAGE 5 .Os .Sh NAME @@ -84,6 +84,24 @@ and long link names with .Pa LongLink#n . The packing-list will hold the real file names, and the package tools will reconstitute the correct names behind the scenes. +.Sh PACKAGE SIGNATURES +All information within a package is checksummed, using SHA256 since +.Ox 4.4 . +During creation and creation, meta-information, such as file owners and +permissions, are also checked: any important stuff that isn't recorded +in the packing-list is an error. +.Pp +Packing-lists can be signed. If a signature is found, then it will be checked +during installation, and failure to verify will prevent the package from +installing correctly. +Currently, only x509-style signatures are supported. +They rely on a certificate authority file being present as +.Pa /etc/ssl/pkgca.pem +and all signatures will be checked against it. +Once the packing-list signature is checked, all individual packing elements +will be checksummed, resulting in a +.Sq just-in-time +signature checking. .Sh FAT PACKAGES DESCRIPTION The .Xr pkg_merge 1 diff --git a/usr.sbin/pkg_add/pkg_add b/usr.sbin/pkg_add/pkg_add index 5348530c3af..3ba6eb89295 100644 --- a/usr.sbin/pkg_add/pkg_add +++ b/usr.sbin/pkg_add/pkg_add @@ -1,7 +1,7 @@ #! /usr/bin/perl # ex:ts=8 sw=4: -# $OpenBSD: pkg_add,v 1.332 2008/06/21 14:01:10 espie Exp $ +# $OpenBSD: pkg_add,v 1.333 2009/04/14 17:53:58 espie Exp $ # # Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> # @@ -291,6 +291,22 @@ sub really_add my $pkgname = $handle->{pkgname}; my $errors = 0; $state->set_name_from_handle($handle); + if ($plist->is_signed) { + if ($state->{defines}->{nosig}) { + print STDERR "NOT CHECKING DIGITAL SIGNATURE FOR ", + $plist->pkgname, "\n"; + $state->{check_digest} = 0; + } else { + require OpenBSD::x509; + + if (!OpenBSD::x509::check_signature($plist, $state)) { + Fatal "fatal issues in ", $set->print; + } + $state->{check_digest} = 1; + } + } else { + $state->{check_digest} = 0; + } $set->setup_header($state); diff --git a/usr.sbin/pkg_add/pkg_add.1 b/usr.sbin/pkg_add/pkg_add.1 index 94e007256b3..cc022060146 100644 --- a/usr.sbin/pkg_add/pkg_add.1 +++ b/usr.sbin/pkg_add/pkg_add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pkg_add.1,v 1.75 2008/10/29 12:35:10 espie Exp $ +.\" $OpenBSD: pkg_add.1,v 1.76 2009/04/14 17:53:58 espie Exp $ .\" .\" Documentation and design originally from FreeBSD. All the code has .\" been rewritten since. We keep the documentation's notice: @@ -15,7 +15,7 @@ .\" Jordan K. Hubbard .\" .\" -.Dd $Mdocdate: October 29 2008 $ +.Dd $Mdocdate: April 14 2009 $ .Dt PKG_ADD 1 .Os .Sh NAME @@ -71,6 +71,26 @@ option Details of packing-list internals are documented in .Xr pkg_create 1 . .Pp +If a package is digitally signed: +.Bl -bullet +.It +.Nm +checks that its packing-list is not corrupted and matches the cryptographic +signature stored within. +.It +.Nm +verifies that the signature was emitted by a valid user certificate, signed +by one of the authorities in +.Pa /etc/ssl/pkgca.pem +.It +.Nm +verifies that each file matches its sha256 checksum right after extraction, +before doing anything with it. +.It +.Nm +verifies that any dangerous mode or owner is registered in the packing-list. +.El +.Pp In normal mode, the package names given on the command lines are names of new packages that .Nm @@ -223,6 +243,9 @@ update when using .Fl u . .It Ar nonroot install even if not running as root. +.It Ar nosig +do not check digital signatures. +Still displays a very prominent message if a signature is found. .It Ar pkgpath with .Fl u , diff --git a/usr.sbin/pkg_add/pkg_create b/usr.sbin/pkg_add/pkg_create index ceec40fe428..409309ec8fe 100644 --- a/usr.sbin/pkg_add/pkg_create +++ b/usr.sbin/pkg_add/pkg_create @@ -1,6 +1,6 @@ #! /usr/bin/perl # ex:ts=8 sw=4: -# $OpenBSD: pkg_create,v 1.119 2008/10/24 16:50:27 espie Exp $ +# $OpenBSD: pkg_create,v 1.120 2009/04/14 17:53:58 espie Exp $ # # Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> # @@ -145,6 +145,9 @@ sub prepare_for_archival return $o; } +sub copy_over +{ +} package OpenBSD::PackingElement::SpecialFile; sub archive { @@ -187,6 +190,14 @@ sub prepare_for_archival return $o; } +sub copy_over +{ + my ($self, $wrarc, $rdarc) = @_; + $wrarc->destdir($rdarc->info); + my $e = $wrarc->prepare($self->{name}); + $e->write; +} + # override for CONTENTS: we cannot checksum this. package OpenBSD::PackingElement::FCONTENTS; sub makesum_plist @@ -261,6 +272,16 @@ sub verify_checksum $self->verify_checksum_with_base($base, $stash); } +sub copy_over +{ + my ($self, $wrarc, $rdarc) = @_; + my $e = $rdarc->next; + if (!$e->check_name($self)) { + die "Names don't match: ", $e->{name}, " ", $self->{name}; + } + $e->copy_long($wrarc); +} + package OpenBSD::PackingElement::InfoFile; sub makesum_plist { @@ -443,15 +464,17 @@ sub add_description our $errors = 0; -my (@contents, %dependencies, %wantlib); +my (@contents, %dependencies, %wantlib, @signature_params); my $regen_package = 0; +my $sign_only = 0; +my ($cert, $privkey); set_usage( 'pkg_create [-nQqv] [-A arches] [-B pkg-destdir] [-D name=value]', '[-i iscript] [-k dscript] [-L localbase] [-M displayfile]', -'[-P pkg-dependency] [-p prefix] [-S pkg-destdir]', +'[-P pkg-dependency] [-p prefix] [-s x509 -s cert -s priv] [-S pkg-destdir]', '[-U undisplayfile] [-W wantedlib] -c desc -d desc -f packinglist pkg-name'); my $plist = new OpenBSD::PackingList; @@ -473,6 +496,9 @@ try { 'W' => sub { my $w = shift; $wantlib{$w} = 1; + }, + 's' => sub { + push(@signature_params, shift); } }); } catchall { @@ -482,13 +508,21 @@ try { if (@ARGV == 0) { $regen_package = 1; } elsif (@ARGV != 1) { - Usage "Exactly one single package name is required: ", join(' ', @ARGV); + if (@contents || @signature_params == 0) { + Usage "Exactly one single package name is required: ", + join(' ', @ARGV); + } } try { -if (defined $opt_s) { - Usage "Option s is no longer supported"; +if (@signature_params > 0) { + if (@signature_params != 3 || $signature_params[0] ne 'x509' || + !-f $signature_params[1] || !-f $signature_params[2]) { + Usage "Signature only works as -s x509 -s cert -s privkey"; + } + $cert = $signature_params[1]; + $privkey = $signature_params[2]; } if (defined $opt_O) { @@ -500,7 +534,11 @@ if (defined $opt_Q) { } if (!@contents) { - Usage "Packing list required"; + if (@signature_params > 0) { + $sign_only = 1; + } else { + Usage "Packing list required"; + } } if ($regen_package) { @@ -515,6 +553,36 @@ if ($regen_package) { } $plist->fromfile($contents[0]) or Fatal "Can't read packing list $contents[0]"; +} elsif ($sign_only) { + if ($opt_n) { + Fatal "Can't pretend to sign existing packages"; + } + for my $pkgname (@ARGV) { + require OpenBSD::PackageLocator; + require OpenBSD::x509; + + my $true_package = OpenBSD::PackageLocator->find($pkgname); + die "No such package $pkgname" unless $true_package; + my $dir = $true_package->info; + my $plist = OpenBSD::PackingList->fromfile($dir.CONTENTS); + $plist->set_infodir($dir); + my $sig = OpenBSD::PackingElement::DigitalSignature->new_x509; + $sig->add_object($plist); + $sig->{b64sig} = OpenBSD::x509::compute_signature($plist, + $cert, $privkey); + $plist->save; + my $tmp = OpenBSD::Temp::permanent_file(".", "pkg"); + open( my $outfh, "|-", OpenBSD::Paths->gzip, "-o", $tmp); + + my $wrarc = OpenBSD::Ustar->new($outfh, "."); + $plist->copy_over($wrarc, $true_package); + $wrarc->close; + $true_package->wipe_info; + unlink($plist->pkgname.".tgz"); + rename($tmp, $plist->pkgname.".tgz") or + die "Can't create final signed package $!"; + } + exit(0); } else { if (defined $opt_i) { print STDERR "Warning: INSTALL scripts are deprecated\n"; @@ -620,6 +688,12 @@ if ($errors) { exit 1; } +if (defined $cert) { + my $sig = OpenBSD::PackingElement::DigitalSignature->new_x509; + $sig->add_object($plist); + require OpenBSD::x509; + $sig->{b64sig} = OpenBSD::x509::compute_signature($plist, $cert, $privkey); +} my $wname; if ($regen_package) { diff --git a/usr.sbin/pkg_add/pkg_create.1 b/usr.sbin/pkg_add/pkg_create.1 index 1d9163d75b4..71c4704aae8 100644 --- a/usr.sbin/pkg_add/pkg_create.1 +++ b/usr.sbin/pkg_add/pkg_create.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pkg_create.1,v 1.48 2008/07/26 01:11:30 jmc Exp $ +.\" $OpenBSD: pkg_create.1,v 1.49 2009/04/14 17:53:58 espie Exp $ .\" .\" Documentation and design originally from FreeBSD. All the code has .\" been rewritten since. We keep the documentation's notice: @@ -21,7 +21,7 @@ .\" [jkh] Took John's changes back and made some additional extensions for .\" better integration with FreeBSD's new ports collection. .\" -.Dd $Mdocdate: July 26 2008 $ +.Dd $Mdocdate: April 14 2009 $ .Dt PKG_CREATE 1 .Os .Sh NAME @@ -42,6 +42,7 @@ .Op Fl M Ar displayfile .Op Fl P Ar pkg-dependency .Op Fl p Ar prefix +.Op Fl s Ar signature-parameter .Op Fl S Ar pkg-destdir .Op Fl U Ar undisplayfile .Op Fl W Ar wantedlib @@ -189,6 +190,28 @@ Print out the actual packing-list of the package being generated (query mode). Most often used in combination with .Fl n . +.It Xo +.Fl s Ar x509 +.Fl s Ar cert +.Fl s Ar privkey +.Xc +Specify signature parameters for signed packages. +For now, the only supported use involves three +.Fl s +options: +.Ar x509 +to indicate x509-style signatures, +.Ar cert +the path to the signer's certificate +and +.Ar privkey +the path to the signer's private key. +The signer's certificate and the signer's private key should be generated +using standard openssl x509 commands. +This assumes the existence of a certificate authority (or several), whose +public information is recorded as a +.Pa /etc/ssl/pkgca.pem +file. .It Fl S Ar pkg-destdir Deprecated, use identical @@ -815,6 +838,7 @@ or option is specified. .El .Sh SEE ALSO +.Xr openssl 1 , .Xr pkg_add 1 , .Xr pkg_delete 1 , .Xr pkg_info 1 , diff --git a/usr.sbin/pkg_add/pkg_delete.1 b/usr.sbin/pkg_add/pkg_delete.1 index 202d414e657..c5281366610 100644 --- a/usr.sbin/pkg_add/pkg_delete.1 +++ b/usr.sbin/pkg_add/pkg_delete.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pkg_delete.1,v 1.28 2008/03/09 15:36:45 jmc Exp $ +.\" $OpenBSD: pkg_delete.1,v 1.29 2009/04/14 17:53:58 espie Exp $ .\" .\" Documentation and design originally from FreeBSD. All the code has .\" been rewritten since. We keep the documentation's notice: @@ -15,7 +15,7 @@ .\" Jordan K. Hubbard .\" .\" -.Dd $Mdocdate: March 9 2008 $ +.Dd $Mdocdate: April 14 2009 $ .Dt PKG_DELETE 1 .Os .Sh NAME @@ -93,6 +93,7 @@ would be taken if it were. .It Fl q Delete package quickly, do not bother with checksums before removing normal files. +For signed packages, do not bother verifying signatures either. If used twice, it will not bother with checksums for configuration files either. .It Fl v diff --git a/usr.sbin/pkg_add/pkg_info b/usr.sbin/pkg_add/pkg_info index 9fb73921426..64d2720a210 100644 --- a/usr.sbin/pkg_add/pkg_info +++ b/usr.sbin/pkg_add/pkg_info @@ -1,6 +1,6 @@ #! /usr/bin/perl # ex:ts=8 sw=4: -# $OpenBSD: pkg_info,v 1.71 2008/12/15 15:56:40 espie Exp $ +# $OpenBSD: pkg_info,v 1.72 2009/04/14 17:53:58 espie Exp $ # # Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> # @@ -226,8 +226,8 @@ sub find_by_path } } -our ($opt_c, $opt_D, $opt_d, $opt_f, $opt_I, $opt_i, $opt_k, $opt_K, $opt_L, - $opt_m, $opt_Q, $opt_q, $opt_R, $opt_r, $opt_s, $opt_v, $opt_h, +our ($opt_c, $opt_C, $opt_D, $opt_d, $opt_f, $opt_I, $opt_i, $opt_k, $opt_K, + $opt_L, $opt_m, $opt_Q, $opt_q, $opt_R, $opt_r, $opt_s, $opt_v, $opt_h, $opt_l, $opt_a, $opt_M, $opt_U, $opt_A, $opt_S, $opt_P, $opt_t); my $terse = 0; my $exit_code = 0; @@ -305,10 +305,10 @@ sub print_info print "\n"; } my $plist; - if ($opt_f || $opt_L || $opt_s || $opt_S) { + if ($opt_f || $opt_L || $opt_s || $opt_S || $opt_C) { require OpenBSD::PackingList; - if ($opt_f || $opt_s || $opt_S) { + if ($opt_f || $opt_s || $opt_S || $opt_C) { $plist = $handle->plist; } else { $plist = $handle->plist(\&OpenBSD::PackingList::FilesOnly); @@ -322,6 +322,17 @@ sub print_info $plist->dump_file($opt_K); print "\n"; } + if ($opt_C) { + just_in_time_header($pkg, $handle ,\$done); + if ($plist->is_signed) { + + require OpenBSD::x509; + print $opt_l, "Certificate info:\n" unless $opt_q; + OpenBSD::x509::print_certificate_info($plist); + } else { + print $opt_l, "No digital signature\n" unless $opt_q; + } + } if ($opt_s) { just_in_time_header($pkg, $handle ,\$done); my $size = 0; @@ -357,12 +368,12 @@ sub print_info } } -set_usage('pkg_info [-AacDdfIiKkLMPqRrSstUv] [-F opt] [-E filename] [-e pkg-name] [-l str] [-Q query] [pkg-name] [...]'); +set_usage('pkg_info [-AacCDdfIiKkLMPqRrSstUv] [-F opt] [-E filename] [-e pkg-name] [-l str] [-Q query] [pkg-name] [...]'); my %defines; my $locked; try { - getopts('cDdfF:hIikKLmPQ:qRrsSUve:E:Ml:aAt', + getopts('cCDdfF:hIikKLmPQ:qRrsSUve:E:Ml:aAt', {'e' => sub { my $pat = shift; diff --git a/usr.sbin/pkg_add/pkg_info.1 b/usr.sbin/pkg_add/pkg_info.1 index 066a949fd48..d13a1d6ecf2 100644 --- a/usr.sbin/pkg_add/pkg_info.1 +++ b/usr.sbin/pkg_add/pkg_info.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pkg_info.1,v 1.31 2009/04/13 22:44:16 schwarze Exp $ +.\" $OpenBSD: pkg_info.1,v 1.32 2009/04/14 17:53:58 espie Exp $ .\" .\" Documentation and design originally from FreeBSD. All the code has .\" been rewritten since. We keep the documentation's notice: @@ -15,7 +15,7 @@ .\" Jordan K. Hubbard .\" .\" -.Dd $Mdocdate: April 13 2009 $ +.Dd $Mdocdate: April 14 2009 $ .Dt PKG_INFO 1 .Os .Sh NAME @@ -24,7 +24,7 @@ .Sh SYNOPSIS .Nm pkg_info .Bk -words -.Op Fl AacDdfIiKkLMPqRrSstUv +.Op Fl AacCDdfIiKkLMPqRrSstUv .Op Fl E Ar filename .Op Fl e Ar pkg-name .Op Fl l Ar str @@ -70,6 +70,8 @@ including internal packages. Show information for all currently installed packages. .It Fl c Show the one-line comment field for each package. +.It Fl C +Show certificate information for signed packages. .It Fl D Show the install-message file (if any) for each package (deprecated option). .It Fl d |