[Rpm-maint] [PATCH v9 08/13] Add file signature support to rpmsign command

Fionnuala Gunter fionnuala.gunter at gmail.com
Tue Jul 21 17:00:42 UTC 2015


From: "fin at linux.vnet.ibm.com" <fin at linux.vnet.ibm.com>

This patch extends the rpmsign tool to sign package files. It defines a new
rpmsign option called "signfiles".

rpm --addsign [--signfiles] PACKAGE

Signfiles signs all the file digests included in the package and stores
the signatures in the package header. The file signing key, used to sign
the file digests, can be provided one the command line with --fskpath or
in a macro file with %_file_signing_key. After including file signatures,
the package is signed normally.

The package needs to be built with SHA-1 or SHA-2 digests before package
files are signed, this prerequisite is noted in rpmsign man page.

Changelog:
- throw argerror when --fskpath is used without --signfiles
---
 rpmpopt.in     |  1 +
 rpmsign.c      | 28 +++++++++++++++++++++++++++-
 sign/rpmsign.h |  1 +
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/rpmpopt.in b/rpmpopt.in
index 48c5c55..5ad164c 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -162,6 +162,7 @@ rpm	alias --httpproxy	--define '_httpproxy !#:+'
 rpm	exec --addsign		rpmsign --addsign
 rpm	exec --delsign		rpmsign --delsign
 rpm	exec --resign		rpmsign --resign
+#rpm	exec --signfiles	rpmsign --signfiles
 rpm	exec --checksig		rpmkeys --checksig
 rpm	exec -K			rpmkeys --checksig
 rpm	exec --import		rpmkeys --import
diff --git a/rpmsign.c b/rpmsign.c
index 9b93e39..ce4198a 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -20,6 +20,9 @@ enum modes {
 
 static int mode = 0;
 
+static int signfiles = 0;
+static char * fileSigningKey = NULL;
+
 static struct poptOption signOptsTable[] = {
     { "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
 	N_("sign package(s)"), NULL },
@@ -27,6 +30,11 @@ static struct poptOption signOptsTable[] = {
 	N_("sign package(s) (identical to --addsign)"), NULL },
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
 	N_("delete package signatures"), NULL },
+    { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
+	N_("sign package(s) files"), NULL},
+    { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
+	N_("use file signing key <key>"),
+	N_("<key>") },
     POPT_TABLEEND
 };
 
@@ -47,16 +55,30 @@ static int doSign(poptContext optCon)
     int rc = EXIT_FAILURE;
     char * passPhrase = NULL;
     char * name = rpmExpand("%{?_gpg_name}", NULL);
+    struct rpmSignArgs sig = {NULL, 0, 0};
 
     if (rstreq(name, "")) {
 	fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
 	goto exit;
     }
 
+    if (fileSigningKey) {
+	addMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
+    }
+
+    if (signfiles) {
+	const char *key = rpmExpand("%{?_file_signing_key}", NULL);
+	if (rstreq(key, "")) {
+	    fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+	    goto exit;
+	}
+	sig.signfiles = 1;
+    }
+
     const char *arg;
     rc = 0;
     while ((arg = poptGetArg(optCon)) != NULL) {
-	rc += rpmPkgSign(arg, NULL);
+	rc += rpmPkgSign(arg, &sig);
     }
 
 exit:
@@ -80,6 +102,10 @@ int main(int argc, char *argv[])
 	argerror(_("no arguments given"));
     }
 
+    if (fileSigningKey && !signfiles) {
+	argerror(_("--fskpath may only be specified when signing files"));
+    }
+
     switch (mode) {
     case MODE_ADDSIGN:
     case MODE_RESIGN:
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
index e161aff..93db399 100644
--- a/sign/rpmsign.h
+++ b/sign/rpmsign.h
@@ -11,6 +11,7 @@ extern "C" {
 struct rpmSignArgs {
     char *keyid;
     pgpHashAlgo hashalgo;
+    int signfiles;
     /* ... what else? */
 };
 
-- 
2.4.3



More information about the Rpm-maint mailing list