|
 |
657fb1 |
From c5afc6f0ceb8a126c76a13656241897ea93bda85 Mon Sep 17 00:00:00 2001
|
|
|
657fb1 |
From: Jes Sorensen <jsorensen@fb.com>
|
|
|
657fb1 |
Date: Wed, 10 Jun 2020 12:30:54 -0400
|
|
|
657fb1 |
Subject: [PATCH 33/33] rpmsign: Add argument to specify algorithm for fsverity
|
|
|
657fb1 |
signatures
|
|
|
657fb1 |
|
|
|
657fb1 |
The argument --verity-algo can be used to specify the algorithm for
|
|
|
657fb1 |
the fsverity signatures. If nothing is specified, this will default to
|
|
|
657fb1 |
sha256. The available algorithms depend on libfsverity, currently
|
|
|
657fb1 |
sha256 and sha512 are supported.
|
|
|
657fb1 |
|
|
|
657fb1 |
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
|
|
|
657fb1 |
---
|
|
|
657fb1 |
doc/rpmsign.8 | 3 +++
|
|
|
657fb1 |
rpmsign.c | 7 +++++++
|
|
|
657fb1 |
sign/rpmgensig.c | 21 +++++++++++++++++++--
|
|
|
657fb1 |
sign/rpmsignverity.c | 6 +++---
|
|
|
657fb1 |
sign/rpmsignverity.h | 2 +-
|
|
|
657fb1 |
5 files changed, 33 insertions(+), 6 deletions(-)
|
|
|
657fb1 |
|
|
|
657fb1 |
diff --git a/doc/rpmsign.8 b/doc/rpmsign.8
|
|
|
657fb1 |
index a212746fe..5165e39f9 100644
|
|
|
657fb1 |
--- a/doc/rpmsign.8
|
|
|
657fb1 |
+++ b/doc/rpmsign.8
|
|
|
657fb1 |
@@ -55,6 +55,9 @@ Used with \fB--signfiles\fR, use file signing key \fIKey\fR.
|
|
|
657fb1 |
\fB--certpath \fICERT\fB\fR
|
|
|
657fb1 |
Used with \fB--signverity\fR, use file signing certificate \fICert\fR.
|
|
|
657fb1 |
.TP
|
|
|
657fb1 |
+\fB--verityalgo \fIALG\fB\fR
|
|
|
657fb1 |
+Used with \fB--signverity\fR, to specify the signing algorithm. sha256 and sha512 are supported, with sha256 being the default if this argument is not specified. This can also be specified with the macro %_verity_algorithm
|
|
|
657fb1 |
+.TP
|
|
|
657fb1 |
\fB--signfiles\fR
|
|
|
657fb1 |
Sign package files. The macro \fB%_binary_filedigest_algorithm\fR must
|
|
|
657fb1 |
be set to a supported algorithm before building the package. The
|
|
|
657fb1 |
diff --git a/rpmsign.c b/rpmsign.c
|
|
|
657fb1 |
index e43811e9f..12299379c 100644
|
|
|
657fb1 |
--- a/rpmsign.c
|
|
|
657fb1 |
+++ b/rpmsign.c
|
|
|
657fb1 |
@@ -25,6 +25,7 @@ static char * fileSigningKey = NULL;
|
|
|
657fb1 |
#endif
|
|
|
657fb1 |
#ifdef WITH_FSVERITY
|
|
|
657fb1 |
static char * fileSigningCert = NULL;
|
|
|
657fb1 |
+static char * verityAlgorithm = NULL;
|
|
|
657fb1 |
#endif
|
|
|
657fb1 |
|
|
|
657fb1 |
static struct rpmSignArgs sargs = {NULL, 0, 0};
|
|
|
657fb1 |
@@ -52,6 +53,9 @@ static struct poptOption signOptsTable[] = {
|
|
|
657fb1 |
{ "signverity", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
|
|
|
657fb1 |
&sargs.signflags, RPMSIGN_FLAG_FSVERITY,
|
|
|
657fb1 |
N_("generate fsverity signatures for package(s) files"), NULL},
|
|
|
657fb1 |
+ { "verityalgo", '\0', POPT_ARG_STRING, &verityAlgorithm, 0,
|
|
|
657fb1 |
+ N_("algorithm to use for verity signatures, default sha256"),
|
|
|
657fb1 |
+ N_("<algorithm>") },
|
|
|
657fb1 |
{ "certpath", '\0', POPT_ARG_STRING, &fileSigningCert, 0,
|
|
|
657fb1 |
N_("use file signing cert <cert>"),
|
|
|
657fb1 |
N_("<cert>") },
|
|
|
657fb1 |
@@ -138,6 +142,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
|
|
|
657fb1 |
if (fileSigningCert) {
|
|
|
657fb1 |
rpmPushMacro(NULL, "_file_signing_cert", NULL, fileSigningCert, RMIL_GLOBAL);
|
|
|
657fb1 |
}
|
|
|
657fb1 |
+ if (verityAlgorithm) {
|
|
|
657fb1 |
+ rpmPushMacro(NULL, "_verity_algorithm", NULL, verityAlgorithm, RMIL_GLOBAL);
|
|
|
657fb1 |
+ }
|
|
|
657fb1 |
#endif
|
|
|
657fb1 |
|
|
|
657fb1 |
if (flags_sign_files(sargs->signflags)) {
|
|
|
657fb1 |
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
|
|
|
657fb1 |
index f2fddb898..7b1895555 100644
|
|
|
657fb1 |
--- a/sign/rpmgensig.c
|
|
|
657fb1 |
+++ b/sign/rpmgensig.c
|
|
|
657fb1 |
@@ -8,6 +8,9 @@
|
|
|
657fb1 |
#include <errno.h>
|
|
|
657fb1 |
#include <sys/wait.h>
|
|
|
657fb1 |
#include <popt.h>
|
|
|
657fb1 |
+#ifdef WITH_FSVERITY
|
|
|
657fb1 |
+#include <libfsverity.h>
|
|
|
657fb1 |
+#endif
|
|
|
657fb1 |
|
|
|
657fb1 |
#include <rpm/rpmlib.h> /* RPMSIGTAG & related */
|
|
|
657fb1 |
#include <rpm/rpmmacro.h>
|
|
|
657fb1 |
@@ -451,23 +454,37 @@ static rpmRC includeFileSignatures(Header *sigp, Header *hdrp)
|
|
|
657fb1 |
static rpmRC includeVeritySignatures(FD_t fd, Header *sigp, Header *hdrp)
|
|
|
657fb1 |
{
|
|
|
657fb1 |
#ifdef WITH_FSVERITY
|
|
|
657fb1 |
- rpmRC rc;
|
|
|
657fb1 |
+ rpmRC rc = RPMRC_OK;
|
|
|
657fb1 |
char *key = rpmExpand("%{?_file_signing_key}", NULL);
|
|
|
657fb1 |
char *keypass = rpmExpand("%{?_file_signing_key_password}", NULL);
|
|
|
657fb1 |
char *cert = rpmExpand("%{?_file_signing_cert}", NULL);
|
|
|
657fb1 |
+ char *algorithm = rpmExpand("%{?_verity_algorithm}", NULL);
|
|
|
657fb1 |
+ uint16_t algo = 0;
|
|
|
657fb1 |
|
|
|
657fb1 |
if (rstreq(keypass, "")) {
|
|
|
657fb1 |
free(keypass);
|
|
|
657fb1 |
keypass = NULL;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
+ if (algorithm && strlen(algorithm) > 0) {
|
|
|
657fb1 |
+ algo = libfsverity_find_hash_alg_by_name(algorithm);
|
|
|
657fb1 |
+ rpmlog(RPMLOG_DEBUG, _("Searching for algorithm %s got %i\n"),
|
|
|
657fb1 |
+ algorithm, algo);
|
|
|
657fb1 |
+ if (!algo) {
|
|
|
657fb1 |
+ rpmlog(RPMLOG_ERR, _("Unsupported fsverity algorithm %s\n"),
|
|
|
657fb1 |
+ algorithm);
|
|
|
657fb1 |
+ rc = RPMRC_FAIL;
|
|
|
657fb1 |
+ goto out;
|
|
|
657fb1 |
+ }
|
|
|
657fb1 |
+ }
|
|
|
657fb1 |
if (key && cert) {
|
|
|
657fb1 |
- rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass, cert);
|
|
|
657fb1 |
+ rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass, cert, algo);
|
|
|
657fb1 |
} else {
|
|
|
657fb1 |
rpmlog(RPMLOG_ERR, _("fsverity signatures requires a key and a cert\n"));
|
|
|
657fb1 |
rc = RPMRC_FAIL;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
+ out:
|
|
|
657fb1 |
free(keypass);
|
|
|
657fb1 |
free(key);
|
|
|
657fb1 |
free(cert);
|
|
|
657fb1 |
diff --git a/sign/rpmsignverity.c b/sign/rpmsignverity.c
|
|
|
657fb1 |
index 55096e732..e6c830cdc 100644
|
|
|
657fb1 |
--- a/sign/rpmsignverity.c
|
|
|
657fb1 |
+++ b/sign/rpmsignverity.c
|
|
|
657fb1 |
@@ -95,7 +95,7 @@ static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
|
|
|
657fb1 |
- char *keypass, char *cert)
|
|
|
657fb1 |
+ char *keypass, char *cert, uint16_t algo)
|
|
|
657fb1 |
{
|
|
|
657fb1 |
int rc;
|
|
|
657fb1 |
FD_t gzdi;
|
|
|
657fb1 |
@@ -111,7 +111,6 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
|
|
|
657fb1 |
char **signatures = NULL;
|
|
|
657fb1 |
size_t sig_size;
|
|
|
657fb1 |
int nr_files, idx;
|
|
|
657fb1 |
- uint16_t algo;
|
|
|
657fb1 |
uint32_t algo32;
|
|
|
657fb1 |
|
|
|
657fb1 |
Fseek(fd, 0, SEEK_SET);
|
|
|
657fb1 |
@@ -156,7 +155,8 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
|
|
|
657fb1 |
nr_files = rpmfiFC(hfi);
|
|
|
657fb1 |
signatures = xcalloc(nr_files, sizeof(char *));
|
|
|
657fb1 |
|
|
|
657fb1 |
- algo = FS_VERITY_HASH_ALG_SHA256;
|
|
|
657fb1 |
+ if (!algo)
|
|
|
657fb1 |
+ algo = FS_VERITY_HASH_ALG_SHA256;
|
|
|
657fb1 |
|
|
|
657fb1 |
rpmlog(RPMLOG_DEBUG, _("file count - header: %i, payload %i\n"),
|
|
|
657fb1 |
nr_files, rpmfiFC(fi));
|
|
|
657fb1 |
diff --git a/sign/rpmsignverity.h b/sign/rpmsignverity.h
|
|
|
657fb1 |
index 69bbaf7f7..d869e8d8e 100644
|
|
|
657fb1 |
--- a/sign/rpmsignverity.h
|
|
|
657fb1 |
+++ b/sign/rpmsignverity.h
|
|
|
657fb1 |
@@ -27,7 +27,7 @@ extern "C" {
|
|
|
657fb1 |
*/
|
|
|
657fb1 |
RPM_GNUC_INTERNAL
|
|
|
657fb1 |
rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
|
|
|
657fb1 |
- char *keypass, char *cert);
|
|
|
657fb1 |
+ char *keypass, char *cert, uint16_t algo);
|
|
|
657fb1 |
|
|
|
657fb1 |
#ifdef _cplusplus
|
|
|
657fb1 |
}
|
|
|
657fb1 |
--
|
|
|
657fb1 |
2.13.5
|
|
|
657fb1 |
|