[Rpm-ecosystem] [PATCH v6 07/11] Add file signature support to rpmsign command

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Jul 6 18:52:21 UTC 2015


From: "fin at linux.vnet.ibm.com" <fin at linux.vnet.ibm.com>

This patch extends the rpmsign tool to sign package files. It adds new
options to rpmsign - signfiles and fskpath.

rpm --addsign [--signfiles [--fskpath <file-signing-key>]] PACKAGE

Signfiles signs all the file digests included in the package and stores
the signatures in the package header. The file signing key can be provided
with the new option fskpath or in a macro file with %_file_signing_key.
After including file signatures, the package is signed normally.

The package needs to be built with SHA-1 or SHA-2 digests before package
files are signed; this prerequisite is noted in the rpmsign man page.
---
 rpmpopt.in     |  1 +
 rpmsign.c      | 24 +++++++++++++++++++++++-
 sign/rpmsign.h |  1 +
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/rpmpopt.in b/rpmpopt.in
index ca95702..4e1ebea 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -162,6 +162,7 @@ rpm	alias --httpproxy	--define '_httpproxy !#:+'
 rpm	exec --addsign		rpmsign --addsign
 rpm	exec --delsign		rpmsign --delsign
 rpm	exec --resign		rpmsign --resign
+#rpm	exec --signfiles	rpmsign --signfiles
 rpm	exec --checksig		rpmkeys --checksig
 rpm	exec -K			rpmkeys --checksig
 rpm	exec --import		rpmkeys --import
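Review bot: The added `--signfiles` alias is commented out, so it is dead configuration: `rpm --signfiles` never reaches rpmsign, while `rpm --addsign --signfiles …` already appears to work through the existing `--addsign` exec line above it, since popt passes the remaining arguments through. Either drop the line or turn it into an explanatory comment, e.g. `# --signfiles is a modifier of --addsign, not a standalone mode; see the rpmsign man page`, so the next reader does not try to re-enable it.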
diff --git a/rpmsign.c b/rpmsign.c
index 9b93e39..3445749 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -20,6 +20,9 @@ enum modes {
 
 static int mode = 0;
 
+static int signfiles = 0;
+static char * fileSigningKey = NULL;
+
 static struct poptOption signOptsTable[] = {
     { "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
 	N_("sign package(s)"), NULL },
@@ -27,6 +30,11 @@ static struct poptOption signOptsTable[] = {
 	N_("sign package(s) (identical to --addsign)"), NULL },
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
 	N_("delete package signatures"), NULL },
+    { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
+	N_("sign package(s) files"), NULL},
+    { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
+	N_("use file signing key <key>"),
+	N_("<key>") },
     POPT_TABLEEND
 };
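Review bot: The help strings for the two new options read awkwardly and describe the argument inconsistently: `--signfiles` is documented as `sign package(s) files`, and `--fskpath` takes a path yet its argument is labelled `<key>`. Suggest `N_("sign package files")` for the former, and `N_("use file signing key at <path>")` with `N_("<path>")` for the latter, so the help text matches the option name. A space before the closing brace on the `--signfiles` entry (`NULL },`) would also match the neighbouring entries.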
 
@@ -47,16 +55,30 @@ static int doSign(poptContext optCon)
     int rc = EXIT_FAILURE;
     char * passPhrase = NULL;
     char * name = rpmExpand("%{?_gpg_name}", NULL);
+    struct rpmSignArgs sig = {NULL, 0, 0};
 
     if (rstreq(name, "")) {
 	fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
 	goto exit;
     }
 
+    if (fileSigningKey) {
+	addMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
+    }
+
+    if (signfiles) {
+	const char *key = rpmExpand("%{?_file_signing_key}", NULL);
+	if (rstreq(key, "")) {
+	    fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+	    goto exit;
+	}
+	sig.signfiles = 1;
+    }
+
     const char *arg;
     rc = 0;
     while ((arg = poptGetArg(optCon)) != NULL) {
-	rc += rpmPkgSign(arg, NULL);
+	rc += rpmPkgSign(arg, &sig);
     }
 
 exit:
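Review bot: The error message in the added `signfiles` block prints a literal `$$_file_signing_key`; the macro reference should be escaped as `%%_file_signing_key`, as the existing `_gpg_name` message a few lines above does. The `key` string returned by `rpmExpand` is also never freed: it is heap-allocated like `name`, but is declared `const char *` and dropped on both the error and the success path, so every `--signfiles` run leaks it. Declaring it `char *`, recording whether it is empty, and freeing it before branching removes the leak without changing control flow. While here, the positional `{NULL, 0, 0}` initializer for `sig` could be written `{ .signfiles = 0 }` so it does not silently mis-assign if the struct's fields are ever reordered. doSign starts before this hunk and its cleanup after `exit:` lies outside it.
```c
    if (signfiles) {
	char *key = rpmExpand("%{?_file_signing_key}", NULL);
	int haveKey = !rstreq(key, "");
	free(key);	/* rpmExpand() returns a malloc'd string, like name above */
	if (!haveKey) {
	    fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
	    goto exit;
	}
	sig.signfiles = 1;
    }
    /* … unchanged: package loop calling rpmPkgSign(arg, &sig) … */
```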
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
index e161aff..93db399 100644
--- a/sign/rpmsign.h
+++ b/sign/rpmsign.h
@@ -11,6 +11,7 @@ extern "C" {
 struct rpmSignArgs {
     char *keyid;
     pgpHashAlgo hashalgo;
+    int signfiles;
     /* ... what else? */
 };
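Review bot: The new `signfiles` member of the public `struct rpmSignArgs` carries no comment, so a caller reading the header cannot tell whether it is a flag or a count, nor that it depends on `%_file_signing_key` being defined. Suggest `int signfiles;	/* non-zero: also sign the package's file digests; requires %_file_signing_key */`. Appending the field after `hashalgo` keeps any existing positional initializers of this struct valid; if the struct is also consumed by code outside this patch, that ordering should be kept in later revisions.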
 
-- 
2.1.0


