[Rpm-maint] [RFC v5 07/11] Add file signature support to rpmsign command

fin at linux.vnet.ibm.com fin at linux.vnet.ibm.com
Tue Jan 27 15:04:55 UTC 2015


This patch extends the rpmsign tool to sign package files. It adds two new options
to rpmsign: --signfiles and --fskpath.

rpm --addsign [--signfiles [--fskpath <file-signing-key>]] PACKAGE

Signfiles signs all the file digests included in the package and stores the
signatures in the package header. The file signing key can be provided with
the new option fskpath, or in a macro file with %_file_signing_key. After 
including file signatures, the package is signed normally.

The package needs to be built with SHA-1 or SHA-2 digests before package files
are signed, this prerequisite is noted in rpmsign man page.

Signed-off-by: Fionnuala Gunter <fin at linux.vnet.ibm.com>
---
 rpmpopt.in     |  1 +
 rpmsign.c      | 24 +++++++++++++++++++++++-
 sign/rpmsign.h |  1 +
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/rpmpopt.in b/rpmpopt.in
index 036ab4e..df5e2ec 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -162,6 +162,7 @@ rpm	alias --httpproxy	--define '_httpproxy !#:+'
 rpm	exec --addsign		rpmsign --addsign
 rpm	exec --delsign		rpmsign --delsign
 rpm	exec --resign		rpmsign --resign
+#rpm	exec --signfiles	rpmsign --signfiles
 rpm	exec --checksig		rpmkeys --checksig
 rpm	exec -K			rpmkeys --checksig
 rpm	exec --import		rpmkeys --import
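Review bot: The new `--signfiles` alias is added commented out, so this line is dead configuration that documents a top-level mode which does not exist. The `rpm --addsign --signfiles ...` form in the description presumably already works through the `exec --addsign` line above, which hands the remaining arguments to rpmsign, so a standalone alias is not needed. Either drop the line or keep it with a comment such as `# --signfiles is only meaningful together with --addsign/--resign` so the next reader knows why it is disabled.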
diff --git a/rpmsign.c b/rpmsign.c
index b8e5598..2e03de8 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -20,6 +20,9 @@ enum modes {
 
 static int mode = 0;
 
+static int signfiles = 0;
+static char * fileSigningKey = NULL;
+
 static struct poptOption signOptsTable[] = {
     { "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
 	N_("sign package(s)"), NULL },
@@ -27,6 +30,11 @@ static struct poptOption signOptsTable[] = {
 	N_("sign package(s) (identical to --addsign)"), NULL },
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
 	N_("delete package signatures"), NULL },
+    { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
+	N_("sign package(s) files"), NULL},
+    { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
+	N_("use file signing key <key>"),
+	N_("<key>") },
     POPT_TABLEEND
 };
 
@@ -113,12 +121,26 @@ static int doSign(poptContext optCon)
     int rc = EXIT_FAILURE;
     char * passPhrase = NULL;
     char * name = rpmExpand("%{?_gpg_name}", NULL);
+    struct rpmSignArgs sig = {NULL, 0, 0};
 
     if (rstreq(name, "")) {
 	fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
 	goto exit;
     }
 
+    if (fileSigningKey) {
+	addMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
+    }
+
+    if (signfiles) {
+	const char *key = rpmExpand("%{?_file_signing_key}", NULL);
+	if (rstreq(key, "")) {
+	    fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+	    goto exit;
+	}
+	sig.signfiles = 1;
+    }
+
     /* XXX FIXME: eliminate obsolete getpass() usage */
     passPhrase = getpass(_("Enter pass phrase: "));
     passPhrase = (passPhrase != NULL) ? rstrdup(passPhrase) : NULL;
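Review bot: The new error message in the `signfiles` branch prints `$$_file_signing_key`, which is neither the macro name nor the `%%` escape used by the `_gpg_name` message a few lines above; it should read `fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));`. The `key` string returned by `rpmExpand` is never released on either path; if `rpmExpand` allocates, as the existing handling of `name` suggests, declare it `char *key` and add `free(key);` after the check (and before the `goto exit`). The positional `struct rpmSignArgs sig = {NULL, 0, 0};` will silently go stale when the `/* ... what else? */` slot in the header is filled; `struct rpmSignArgs sig = { .signfiles = 0 };` or `= {0}` is safer. doSign begins before this hunk and ends after the next one.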
@@ -127,7 +149,7 @@ static int doSign(poptContext optCon)
 	fprintf(stderr, _("Pass phrase is good.\n"));
 	rc = 0;
 	while ((arg = poptGetArg(optCon)) != NULL) {
-	    rc += rpmPkgSign(arg, NULL, passPhrase);
+	    rc += rpmPkgSign(arg, &sig, passPhrase);
 	}
     } else {
 	fprintf(stderr, _("Pass phrase check failed or gpg key expired\n"));
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
index 15b3e0f..7a1b8e1 100644
--- a/sign/rpmsign.h
+++ b/sign/rpmsign.h
@@ -11,6 +11,7 @@ extern "C" {
 struct rpmSignArgs {
     char *keyid;
     pgpHashAlgo hashalgo;
+    int signfiles;
     /* ... what else? */
 };
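Review bot: The new `signfiles` member is undocumented, and because it is set directly from a command-line flag its meaning and prerequisite should be stated on the declaration: `int signfiles;	/* non-zero: also sign the package's file digests; requires %_file_signing_key */`. Adding a member to this public struct also changes its size and positional-initialiser layout, so any caller that initialises `rpmSignArgs` positionally (rpmsign.c now does) needs attention whenever another member is added here.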
 
-- 
2.1.0


