
pkg_install-20090127:
Add options to specify user-id and keyrings for GPG operations.
joerg committed Jan 27, 2009
1 parent b4b489a commit e01f08e
Showing 8 changed files with 58 additions and 22 deletions.
10 changes: 5 additions & 5 deletions pkgtools/pkg_install/files/lib/gpgsig.c
@@ -1,4 +1,4 @@
/* $NetBSD: gpgsig.c,v 1.1.2.1 2008/12/30 15:55:57 joerg Exp $ */
/* $NetBSD: gpgsig.c,v 1.1.2.2 2009/01/27 22:24:05 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
#endif
Expand All @@ -7,7 +7,7 @@
#include <sys/cdefs.h>
#endif

__RCSID("$NetBSD: gpgsig.c,v 1.1.2.1 2008/12/30 15:55:57 joerg Exp $");
__RCSID("$NetBSD: gpgsig.c,v 1.1.2.2 2009/01/27 22:24:05 joerg Exp $");

/*-
* Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
Expand Down Expand Up @@ -108,9 +108,9 @@ verify_signature(const char *input, size_t input_len, const char *keyring,
}

int
inline_gpg_verify(const char *content, size_t len)
inline_gpg_verify(const char *content, size_t len, const char *keyring)
{
verify_signature(content, len, NULL, NULL);
verify_signature(content, len, keyring, NULL);

return 0;
}
Expand Down Expand Up @@ -212,7 +212,7 @@ detached_gpg_sign(const char *content, size_t len, char **sig, size_t *sig_len,
}
if (keyring != NULL) {
*argvp++ = "--no-default-keyring";
*argvp++ = "--keyring";
*argvp++ = "--secret-keyring";
*argvp++ = keyring;
}

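Review bot: `inline_gpg_verify` in the `@@ -108,9 +108,9 @@` hunk still returns 0 unconditionally and discards the result of `verify_signature(content, len, keyring, NULL)`, so the new keyring parameter changes which keys are consulted but a caller can never learn whether verification succeeded; the only caller visible in this commit, `verify_signature` in vulnerabilities-file.c, ignores the return value as well. If the static `verify_signature` helper terminates the process on a bad signature this is harmless, but its body is outside the hunk; if it ever reports failure through its return value, the pkg-vulnerabilities file would be accepted unverified. Either hand the helper's status back to the caller (its return convention is not visible here) or pin the contract on the function: `/* verify_signature() must not return on a bad signature; 0 only means "it returned". */`. The enclosing helper `verify_signature` starts before this hunk.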
8 changes: 6 additions & 2 deletions pkgtools/pkg_install/files/lib/lib.h
@@ -1,4 +1,4 @@
/* $NetBSD: lib.h,v 1.42.2.17 2009/01/08 00:01:31 joerg Exp $ */
/* $NetBSD: lib.h,v 1.42.2.18 2009/01/27 22:24:05 joerg Exp $ */

/* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */

Expand Down Expand Up @@ -393,7 +393,7 @@ int easy_pkcs7_sign(const char *, size_t, char **, size_t *, const char *,
const char *);
#endif

int inline_gpg_verify(const char *, size_t);
int inline_gpg_verify(const char *, size_t, const char *);
int detached_gpg_verify(const char *, size_t, const char *, size_t,
const char *);
int detached_gpg_sign(const char *, size_t, char **, size_t *, const char *,
Expand All @@ -416,6 +416,10 @@ extern const char *check_vulnerabilities;
extern const char *config_file;
extern const char *verified_installation;
extern const char *gpg_cmd;
extern const char *gpg_keyring_pkgvuln;
extern const char *gpg_keyring_sign;
extern const char *gpg_keyring_verify;
extern const char *gpg_sign_as;
extern char fetch_flags[];

extern const char *pkg_vulnerabilities_dir;
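Review bot: The four new `extern const char *gpg_keyring_*` / `gpg_sign_as` declarations in the `@@ -416,6 +416,10 @@` hunk say nothing about their NULL state, which is the one that matters: the signing path in gpgsig.c only emits keyring options when the argument is non-NULL, so an unset variable silently means "whatever default keyring gpg finds for the invoking user", and presumably the verify path behaves the same. A one-line comment above the group would make that visible to readers of the header: `/* Set from pkg_install.conf; NULL leaves gpg's own defaults (keyring, signing key) in effect. */`. That `gpg_sign_as == NULL` maps to gpg's default key is inferred from the config table, not shown in this commit.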
12 changes: 10 additions & 2 deletions pkgtools/pkg_install/files/lib/parse-config.c
@@ -1,4 +1,4 @@
/* $NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $ */
/* $NetBSD: parse-config.c,v 1.1.2.7 2009/01/27 22:24:05 joerg Exp $ */

#if HAVE_CONFIG_H
#include "config.h"
Expand All @@ -8,7 +8,7 @@
#include <sys/cdefs.h>
#endif
#ifndef lint
__RCSID("$NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $");
__RCSID("$NetBSD: parse-config.c,v 1.1.2.7 2009/01/27 22:24:05 joerg Exp $");
#endif

/*-
Expand Down Expand Up @@ -61,6 +61,10 @@ const char *certs_pkg_vulnerabilities;
const char *check_vulnerabilities;
const char *verified_installation;
const char *gpg_cmd;
const char *gpg_keyring_pkgvuln;
const char *gpg_keyring_sign;
const char *gpg_keyring_verify;
const char *gpg_sign_as;
const char *pkg_vulnerabilities_dir;
const char *pkg_vulnerabilities_file;
const char *pkg_vulnerabilities_url;
Expand All @@ -80,6 +84,10 @@ static struct config_variable {
{ "GPG", &gpg_cmd },
{ "IGNORE_PROXY", &ignore_proxy },
{ "IGNORE_URL", &ignore_advisories },
{ "GPG_KEYRING_PKGVULN", &gpg_keyring_pkgvuln },
{ "GPG_KEYRING_SIGN", &gpg_keyring_sign },
{ "GPG_KEYRING_VERIFY", &gpg_keyring_verify },
{ "GPG_SIGN_AS", &gpg_sign_as },
{ "PKGVULNDIR", &pkg_vulnerabilities_dir },
{ "PKGVULNURL", &pkg_vulnerabilities_url },
{ "VERBOSE_NETIO", &verbose_netio },
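Review bot: The four `GPG_KEYRING_*` / `GPG_SIGN_AS` entries in the `@@ -80,6 +84,10 @@` hunk are inserted after `IGNORE_URL`, which breaks the alphabetical order the surrounding table appears to keep (`GPG`, `IGNORE_PROXY`, `IGNORE_URL`, `PKGVULNDIR`, …); placing them directly after the `GPG` entry keeps it sorted. If the lookup is a linear scan this is cosmetic, but should it ever become a binary search the misplaced entries would stop matching, and the search method is not visible in the hunk. The keyring entries also deserve a note on how the value is consumed, since it is passed to gpg unchanged: `/* A keyring name without a slash is resolved by gpg inside its home directory, not the cwd. */` — that is what makes a relative value in pkg_install.conf pick up an unexpected file.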
13 changes: 11 additions & 2 deletions pkgtools/pkg_install/files/lib/pkg_install.conf.5
@@ -1,4 +1,4 @@
.\" $NetBSD: pkg_install.conf.5,v 1.1.2.5 2009/01/08 09:14:12 wiz Exp $
.\" $NetBSD: pkg_install.conf.5,v 1.1.2.6 2009/01/27 22:24:05 joerg Exp $
.\"
.\" Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
.\" All rights reserved.
Expand Down Expand Up @@ -80,7 +80,6 @@ A missing pkg-vulnerabilities file is considered an error.
The user is always asked to confirm installation of vulnerable packages.
.El
.It Dv GPG
Deprecated.
Path to
.Xr gpg 1 ,
which can be used to verify the signature in the
Expand All @@ -89,6 +88,16 @@ file when running
.Dl Ic pkg_admin check-pkg-vulnerabilities -s
or
.Dl Ic pkg_admin fetch-pkg-vulnerabilities -s
It can also be used to verify and sign binary packages.
.It Dv GPG_KEYRING_PKGVULN
Non-default keyring to use for verifying GPG signatures of
.Pa pkg-vulnerabilities.
.It Dv GPG_KEYRING_SIGN
Non-default keyring to use for signing packages with GPG.
.It Dv GPG_KEYRING_VERIFY
Non-default keyring to use for verifying GPG signature of packages.
.It Dv GPG_SIGN_AS
User-id to use for signing packages.
.It Dv IGNORE_PROXY
Use direct connections and ignore
.Ev FTP_PROXY
19 changes: 17 additions & 2 deletions pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
Expand Up @@ -44,11 +44,26 @@ DDEESSCCRRIIPPTTIIOONN
interactive The user is always asked to confirm installation
of vulnerable packages.

GPG Deprecated. Path to gpg(1), which can be used to verify the sig-
nature in the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running
GPG Path to gpg(1), which can be used to verify the signature in the
_p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running
ppkkgg__aaddmmiinn cchheecckk--ppkkgg--vvuullnneerraabbiilliittiieess --ss
or
ppkkgg__aaddmmiinn ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess --ss
It can also be used to verify and sign binary packages.

GPG_KEYRING_PKGVULN
Non-default keyring to use for verifying GPG signatures of
_p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s_.

GPG_KEYRING_SIGN
Non-default keyring to use for signing packages with GPG.

GPG_KEYRING_VERIFY
Non-default keyring to use for verifying GPG signature of pack-
ages.

GPG_SIGN_AS
User-id to use for signing packages.

IGNORE_PROXY
Use direct connections and ignore FTP_PROXY and HTTP_PROXY.
8 changes: 4 additions & 4 deletions pkgtools/pkg_install/files/lib/pkg_signature.c
@@ -1,4 +1,4 @@
/* $NetBSD: pkg_signature.c,v 1.1.2.7 2008/12/30 15:55:57 joerg Exp $ */
/* $NetBSD: pkg_signature.c,v 1.1.2.8 2009/01/27 22:24:05 joerg Exp $ */

#if HAVE_CONFIG_H
#include "config.h"
Expand All @@ -7,7 +7,7 @@
#if HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.7 2008/12/30 15:55:57 joerg Exp $");
__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.8 2009/01/27 22:24:05 joerg Exp $");

/*-
* Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
Expand Down Expand Up @@ -352,7 +352,7 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry,
goto no_valid_signature;
}
has_sig = !detached_gpg_verify(hash_file, hash_len,
signature_file, signature_len, NULL);
signature_file, signature_len, gpg_keyring_verify);

free(signature_file);
} else {
Expand Down Expand Up @@ -636,7 +636,7 @@ pkg_sign_gpg(const char *name, const char *output)
hash_file = tmp;

if (detached_gpg_sign(hash_file, strlen(hash_file), &signature_file,
&signature_len, NULL, NULL))
&signature_len, gpg_keyring_sign, gpg_sign_as))
err(EXIT_FAILURE, "Cannot sign hash file");

lseek(fd, 0, SEEK_SET);
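Review bot: In the `@@ -352,7 +352,7 @@` hunk, `detached_gpg_verify(..., gpg_keyring_verify)` with `gpg_keyring_verify` unset checks package signatures against whatever default keyring gpg finds for the invoking user (the signing path in gpgsig.c only emits keyring options for a non-NULL argument, and the verify path presumably matches), so the trust anchor for binary packages then depends on who runs the tool and on their gpg home directory rather than on pkg_install.conf. That is the pre-existing behaviour, but now that there is a knob it is worth stating at the call site: `/* NULL keyring: trust comes from the invoking user's default gpg keyring, not from pkg_install.conf */`. The same consideration applies to `gpg_keyring_sign` / `gpg_sign_as` in the `@@ -636,7 +636,7 @@` hunk. Both enclosing functions, `pkg_verify_signature` and `pkg_sign_gpg`, extend beyond their hunks.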
4 changes: 2 additions & 2 deletions pkgtools/pkg_install/files/lib/version.h
@@ -1,4 +1,4 @@
/* $NetBSD: version.h,v 1.102.2.20 2009/01/08 00:01:31 joerg Exp $ */
/* $NetBSD: version.h,v 1.102.2.21 2009/01/27 22:24:06 joerg Exp $ */

/*
* Copyright (c) 2001 Thomas Klausner. All rights reserved.
Expand Down Expand Up @@ -27,6 +27,6 @@
#ifndef _INST_LIB_VERSION_H_
#define _INST_LIB_VERSION_H_

#define PKGTOOLS_VERSION "20090108"
#define PKGTOOLS_VERSION "20090127"

#endif /* _INST_LIB_VERSION_H_ */
6 changes: 3 additions & 3 deletions pkgtools/pkg_install/files/lib/vulnerabilities-file.c
@@ -1,4 +1,4 @@
/* $NetBSD: vulnerabilities-file.c,v 1.3.4.8 2008/12/30 15:55:57 joerg Exp $ */
/* $NetBSD: vulnerabilities-file.c,v 1.3.4.9 2009/01/27 22:24:06 joerg Exp $ */

/*-
* Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
Expand Down Expand Up @@ -38,7 +38,7 @@
#if HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
__RCSID("$NetBSD: vulnerabilities-file.c,v 1.3.4.8 2008/12/30 15:55:57 joerg Exp $");
__RCSID("$NetBSD: vulnerabilities-file.c,v 1.3.4.9 2009/01/27 22:24:06 joerg Exp $");

#if HAVE_SYS_STAT_H
#include <sys/stat.h>
Expand Down Expand Up @@ -109,7 +109,7 @@ verify_signature(const char *input, size_t input_len)
"At least GPG or CERTIFICATE_ANCHOR_PKGVULN "
"must be configured");
if (gpg_cmd != NULL)
inline_gpg_verify(input, input_len);
inline_gpg_verify(input, input_len, gpg_keyring_pkgvuln);
if (certs_pkg_vulnerabilities != NULL)
verify_signature_pkcs7(input);
}
