Digest signed package fixes

.appveyor.yml

@@ -2,10 +2,11 @@ version: '{build}'
 clone_folder: C:\gopath\src\github.com\xor-gate\debpkg
 environment:
   GOPATH: C:\gopath
+install:
+- cmd: git submodule update --init --recursive
 build_script:
 - cmd: go version
 - cmd: go env
-- cmd: go get -v github.com/xor-gate/debpkg/...
 - cmd: go build github.com/xor-gate/debpkg
 test_script:
 - cmd: go get github.com/stretchr/testify/assert

Makefile

@@ -10,7 +10,7 @@ build:
 	go install github.com/xor-gate/debpkg/cmd/debpkg
 
 test:
-	go test -v -race
+	go test -v
 
 lint:
 	go tool vet .

control.go

@@ -235,6 +235,10 @@ func (c *control) version() string {
 			c.info.version.patch)
 }
 
+func (c *control) size() int64 {
+	return c.tgz.Size()
+}
+
 // Create control file for control.tar.gz
 func (c *control) String(installedSize uint64) string {
 	var o string

debpkg.go

@@ -5,18 +5,12 @@
 package debpkg
 
 import (
-	"bytes"
 	"fmt"
 	"go/build"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/xor-gate/debpkg/lib/targzip"
-
-	"golang.org/x/crypto/openpgp"
-	"golang.org/x/crypto/openpgp/clearsign"
-	"golang.org/x/crypto/openpgp/packet"
 )
 
 // DebPkg holds data for a single debian package
@@ -52,7 +46,7 @@ func SetTempDir(dir string) error {
 }
 
 // TempDir returns the directory to use for temporary files.
-func TempDir() string () {
+func TempDir() string {
 	return debpkgTempDir
 }
 
@@ -76,8 +70,7 @@ func (deb *DebPkg) Close() error {
 	return nil
 }
 
-// Write the debian package to the filename
-func (deb *DebPkg) Write(filename string) error {
+func (deb *DebPkg) writeControlData() error {
 	err := deb.control.verify()
 	if err != nil {
 		return err
@@ -88,18 +81,24 @@ func (deb *DebPkg) Write(filename string) error {
 		return fmt.Errorf("error while creating control.tar.gz: %s", err)
 	}
 
-	if filename == "" {
-		filename = deb.GetFilename()
-	}
-
 	if err := deb.control.tgz.Close(); err != nil {
 		return fmt.Errorf("cannot close tgz writer: %v", err)
 	}
 
 	if err := deb.data.tgz.Close(); err != nil {
 		return fmt.Errorf("cannot close tgz writer: %v", err)
 	}
+	return nil
+}
 
+// Write the debian package to the filename
+func (deb *DebPkg) Write(filename string) error {
+	if err := deb.writeControlData(); err != nil {
+		return err
+	}
+	if filename == "" {
+		filename = deb.GetFilename()
+	}
 	return deb.createDebAr(filename)
 }
 
@@ -116,46 +115,6 @@ func (deb *DebPkg) GetFilename() string {
 		debianFileExtension)
 }
 
-// WriteSigned package with GPG entity
-func (deb *DebPkg) WriteSigned(filename string, entity *openpgp.Entity, keyid string) error {
-	var buf bytes.Buffer
-	var cfg packet.Config
-	var signer string
-	cfg.DefaultHash = digestDefaultHash
-
-	for id := range entity.Identities {
-		// TODO real search for keyid, need to investigate maybe a subkey?
-		signer = id
-	}
-
-	deb.digest.date = time.Now().Format(time.ANSIC)
-	deb.digest.signer = signer
-
-	clearsign, err := clearsign.Encode(&buf, entity.PrivateKey, &cfg)
-	if err != nil {
-		return fmt.Errorf("error while signing: %s", err)
-	}
-
-	err = createControlTarGz(deb)
-	if err != nil {
-		return fmt.Errorf("error while creating control.tar.gz: %s", err)
-	}
-
-	deb.digest.plaintext = createDigestFileString(deb)
-
-	if _, err = clearsign.Write([]byte(deb.digest.plaintext)); err != nil {
-		return fmt.Errorf("error from Write: %s", err)
-	}
-
-	if err = clearsign.Close(); err != nil {
-		return fmt.Errorf("error from Close: %s", err)
-	}
-
-	deb.digest.clearsign = buf.String()
-
-	return deb.createDebAr(filename)
-}
-
 // AddFile adds a file by filename to the package
 func (deb *DebPkg) AddFile(filename string, dest ...string) error {
 	return deb.data.addFile(filename, dest...)

digest.go

@@ -5,13 +5,19 @@
 package debpkg
 
 import (
+	"os"
+	"time"
 	"bytes"
 	"crypto"
 	"crypto/md5"
 	"crypto/sha1"
 	"fmt"
 	"hash"
 	"io"
+
+	"golang.org/x/crypto/openpgp"
+	"golang.org/x/crypto/openpgp/clearsign"
+	"golang.org/x/crypto/openpgp/packet"
 )
 
 const digestDefaultHash = crypto.SHA1
@@ -22,10 +28,8 @@ const digestRole = "builder"
 type digest struct {
 	plaintext string // Plaintext package digest (empty when unsigned)
 	clearsign string // GPG clearsigned package digest (empty when unsigned)
-	version   int    // Always version 4 (for dpkg-sig 0.13.1+nmu2)
 	signer    string // Name <email>
 	date      string // Mon Jan 2 15:04:05 2006 (time.ANSIC)
-	role      string // builder
 	files     string // Multiple "\t<md5sum> <sha1sum> <size> <filename>"
 	// E.g:
 	//       3cf918272ffa5de195752d73f3da3e5e 7959c969e092f2a5a8604e2287807ac5b1b384ad 4 debian-binary
@@ -42,40 +46,98 @@ Date: %s
 Role: %s
 Files: 
 %s`
-	deb.digest.version = digestVersion
-	deb.digest.role = digestRole
-
 	// debian-binary
+	md5sum, _ := digestCalcDataHash(bytes.NewBuffer([]byte(deb.debianBinary)), md5.New())
+	sha1sum, _ := digestCalcDataHash(bytes.NewBuffer([]byte(deb.debianBinary)), sha1.New())
 	deb.digest.files += fmt.Sprintf("\t%x %x %d %s\n",
-		digestCalcDataHash(bytes.NewBuffer([]byte(deb.debianBinary)), md5.New()),
-		digestCalcDataHash(bytes.NewBuffer([]byte(deb.debianBinary)), sha1.New()),
+		md5sum,
+		sha1sum,
 		len(deb.debianBinary),
 		"debian-binary")
 
 	// control.tar.gz
+	md5sum, _ = digestCalcDataHashFromFile(deb.control.tgz.Name(), md5.New())
+	sha1sum, _ = digestCalcDataHashFromFile(deb.control.tgz.Name(), sha1.New())
 	deb.digest.files += fmt.Sprintf("\t%x %x %d %s\n",
-		0, 0,
-		0, // TODO control size
+		md5sum,
+		sha1sum,
+		deb.control.tgz.Size(),
 		"control.tar.gz")
 
 	// data.tar.gz
+	md5sum, _ = digestCalcDataHashFromFile(deb.data.tgz.Name(), md5.New())
+	sha1sum, _ = digestCalcDataHashFromFile(deb.data.tgz.Name(), sha1.New())
 	deb.digest.files += fmt.Sprintf("\t%x %x %d %s\n",
-		0, 0,
-		0, // TODO data size
+		md5sum,
+		sha1sum,
+		deb.data.tgz.Size(),
 		"data.tar.gz")
 
 	return fmt.Sprintf(digestFileTmpl,
-		deb.digest.version,
+		digestVersion,
 		deb.digest.signer,
 		deb.digest.date,
-		deb.digest.role,
+		digestRole,
 		deb.digest.files)
 }
 
-func digestCalcDataHash(data *bytes.Buffer, hash hash.Hash) string {
+func digestCalcDataHashFromFile(filename string, hash hash.Hash) (string, error) {
+	f, err := os.Open(filename)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	return digestCalcDataHash(f, hash)
+}
+
+func digestCalcDataHash(in io.Reader, hash hash.Hash) (string, error) {
 	var result []byte
-	if _, err := io.Copy(hash, data); err != nil {
-		return ""
+	if _, err := io.Copy(hash, in); err != nil {
+		return "", err
+	}
+	return string(hash.Sum(result)),nil
+}
+
+// WriteSigned package with GPG entity
+func (deb *DebPkg) WriteSigned(filename string, entity *openpgp.Entity) error {
+	var buf bytes.Buffer
+	var cfg packet.Config
+	var signer string
+	cfg.DefaultHash = digestDefaultHash
+
+	for id := range entity.Identities {
+		// TODO real search for keyid, need to investigate maybe a subkey?
+		signer = id
+	}
+
+	deb.digest.date = time.Now().Format(time.ANSIC)
+	deb.digest.signer = signer
+
+	clearsign, err := clearsign.Encode(&buf, entity.PrivateKey, &cfg)
+	if err != nil {
+		return fmt.Errorf("error while signing: %s", err)
 	}
-	return string(hash.Sum(result))
+
+	if err := deb.writeControlData(); err != nil {
+		return err
+	}
+
+	deb.digest.plaintext = createDigestFileString(deb)
+
+	if _, err = clearsign.Write([]byte(deb.digest.plaintext)); err != nil {
+		return fmt.Errorf("error from Write: %s", err)
+	}
+
+	if err = clearsign.Close(); err != nil {
+		return fmt.Errorf("error from Close: %s", err)
+	}
+
+	deb.digest.clearsign = buf.String()
+
+	if filename == "" {
+		filename = deb.GetFilename()
+	}
+	return deb.createDebAr(filename)
 }
+
+