[Rpm-maint] [RFC v4 07/11] Add file signature support to rpmsign command
fin at linux.vnet.ibm.com
Tue Jan 13 18:33:10 UTC 2015
This patch extends the rpmsign tool to sign package files. It adds new options
to rpmsign - signfiles and fskpath.
rpm --addsign [--signfiles [--fskpath <file-signing-key>]] PACKAGE
Signfiles signs all the file digests included in the package and stores the
signatures in the package header. The file signing key can be provided with
the new option fskpath, or in a macro file with %_file_signing_key. After
including file signatures, the package is signed normally.
The package needs to be built with SHA-1 or SHA-2 digests before its files are signed; this prerequisite is noted in the rpmsign man page.
Signed-off-by: Fionnuala Gunter <fin at linux.vnet.ibm.com>
---
rpmpopt.in | 1 +
rpmsign.c | 24 +++++++++++++++++++++++-
sign/rpmsign.h | 1 +
3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/rpmpopt.in b/rpmpopt.in
index 036ab4e..df5e2ec 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -162,6 +162,7 @@ rpm alias --httpproxy --define '_httpproxy !#:+'
rpm exec --addsign rpmsign --addsign
rpm exec --delsign rpmsign --delsign
rpm exec --resign rpmsign --resign
+#rpm exec --signfiles rpmsign --signfiles
rpm exec --checksig rpmkeys --checksig
rpm exec -K rpmkeys --checksig
rpm exec --import rpmkeys --import
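Review bot: The added alias `#rpm exec --signfiles rpmsign --signfiles` is commented out, which ships dead configuration in rpmpopt.in. Per the description, --signfiles is a modifier to --addsign rather than a mode of its own, so a standalone exec alias would not do anything useful anyway; either drop the line or replace it with a real comment such as `# --signfiles is an option of --addsign, not a separate mode`.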
diff --git a/rpmsign.c b/rpmsign.c
index b8e5598..2e03de8 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -20,6 +20,9 @@ enum modes {
static int mode = 0;
+static int signfiles = 0;
+static char * fileSigningKey = NULL;
+
static struct poptOption signOptsTable[] = {
{ "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
N_("sign package(s)"), NULL },
@@ -27,6 +30,11 @@ static struct poptOption signOptsTable[] = {
N_("sign package(s) (identical to --addsign)"), NULL },
{ "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
N_("delete package signatures"), NULL },
+ { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
+ N_("sign package(s) files"), NULL},
+ { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
+ N_("use file signing key <key>"),
+ N_("<key>") },
POPT_TABLEEND
};
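Review bot: The help string for the new option, `N_("sign package(s) files")`, is ungrammatical and does not tell the user that the flag only takes effect together with --addsign, which is how the description documents it; suggest `N_("also sign the package's files (used with --addsign)")`. The --fskpath help `N_("use file signing key <key>")` could likewise say that the argument is a path, e.g. `N_("use the file signing key at <path>")` with `N_("<path>")` as the argument name, to match the rpmSign man page wording of fskpath.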
@@ -113,12 +121,26 @@ static int doSign(poptContext optCon)
int rc = EXIT_FAILURE;
char * passPhrase = NULL;
char * name = rpmExpand("%{?_gpg_name}", NULL);
+ struct rpmSignArgs sig = {NULL, 0, 0};
if (rstreq(name, "")) {
fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
goto exit;
}
+ if (fileSigningKey) {
+ addMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
+ }
+
+ if (signfiles) {
+ const char *key = rpmExpand("%{?_file_signing_key}", NULL);
+ if (rstreq(key, "")) {
+ fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+ goto exit;
+ }
+ sig.signfiles = 1;
+ }
+
/* XXX FIXME: eliminate obsolete getpass() usage */
passPhrase = getpass(_("Enter pass phrase: "));
passPhrase = (passPhrase != NULL) ? rstrdup(passPhrase) : NULL;
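Review bot: The error message for a missing file signing key prints `$$_file_signing_key`: in a printf format `%%` yields a literal `%`, but `$$` is printed verbatim, so the user is told to set a macro that does not exist, while the sibling message a few lines up correctly writes `\"%%_gpg_name\"`. In the same branch, `key` is the result of rpmExpand(), which returns a heap-allocated string, and it is freed on neither the error path nor the success path (the earlier `name` from the same call is presumably released at the exit label, which lies outside the hunk). Note also that only non-emptiness of the macro is checked here; whether the path is readable is, as far as this hunk shows, left to the signing code, so a failing --fskpath will surface only after the pass phrase prompt. doSign() starts and ends outside the hunk.
```c
    if (signfiles) {
        char *key = rpmExpand("%{?_file_signing_key}", NULL);
        int missing = rstreq(key, "");
        free(key);
        if (missing) {
            fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
            goto exit;
        }
        sig.signfiles = 1;
    }
    /* … unchanged: getpass() / passPhrase handling … */
```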
@@ -127,7 +149,7 @@ static int doSign(poptContext optCon)
fprintf(stderr, _("Pass phrase is good.\n"));
rc = 0;
while ((arg = poptGetArg(optCon)) != NULL) {
- rc += rpmPkgSign(arg, NULL, passPhrase);
+ rc += rpmPkgSign(arg, &sig, passPhrase);
}
} else {
fprintf(stderr, _("Pass phrase check failed or gpg key expired\n"));
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
index 15b3e0f..7a1b8e1 100644
--- a/sign/rpmsign.h
+++ b/sign/rpmsign.h
@@ -11,6 +11,7 @@ extern "C" {
struct rpmSignArgs {
char *keyid;
pgpHashAlgo hashalgo;
+ int signfiles;
/* ... what else? */
};
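Review bot: The new `int signfiles;` member is added to a struct in a public header without any documentation of what a non-zero value means, while the existing `/* ... what else? */` placeholder suggests the struct is still being shaped; suggest `int signfiles;   /* nonzero: sign the file digests and store the signatures in the package header */`, which is what the commit description says the flag does. Appending a field also changes the size of rpmSignArgs, so any out-of-tree caller that allocates the struct itself has to be rebuilt; if the header is considered stable API that is worth a sentence in the commit message.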
--
1.9.3