From patchwork Sat Jan 1 19:49:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Huntwork X-Patchwork-Id: 2002 Return-Path: Delivered-To: patchwork@archlinux.org Received: from mail.archlinux.org [2a01:4f9:c010:3052::1] by patchwork.archlinux.org with IMAP (fetchmail-6.4.25) for (single-drop); Sat, 01 Jan 2022 19:50:04 +0000 (UTC) Received: from mail.archlinux.org by mail.archlinux.org with LMTP id GDuwFWyw0GH4qgcAK+/4rw (envelope-from ) for ; Sat, 01 Jan 2022 19:50:04 +0000 Received: from lists.archlinux.org (lists.archlinux.org [IPv6:2a01:4f9:c010:9eb4::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.archlinux.org (Postfix) with ESMTPS id 2864EBD5D97; Sat, 1 Jan 2022 19:50:03 +0000 (UTC) Received: from lists.archlinux.org (localhost [IPv6:::1]) by lists.archlinux.org (Postfix) with ESMTP id F3A1CB5DEDB; Sat, 1 Jan 2022 19:50:02 +0000 (UTC) X-Original-To: pacman-dev@lists.archlinux.org Delivered-To: pacman-dev@lists.archlinux.org Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) by lists.archlinux.org (Postfix) with ESMTPS id B6D8AB5DEC7 for ; Sat, 1 Jan 2022 19:50:00 +0000 (UTC) Received: by mail-qt1-x835.google.com with SMTP id bp39so26534274qtb.6 for ; Sat, 01 Jan 2022 11:50:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=merelinux-org.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=aY2TXmEls2VazBzH+IpQuTGxAVVdwFMcfSHOSBdvLAw=; b=IRtxAvt9TpsRbeO1e3UPRfyFql5VKDW0rdLdbuCsUzNi/uv1qbt3DMXkJf9K5L9nR3 bSgkIWsEBebG9x9Hvb6GpKa86Q/pJcaBVVuVl0hNAPa3WHBhW+K0OCwM23fULAKkTUg1 HJUAxbteAlnEC7ryo2Cq8wjhi/sngTKvwGT4/IeU+LaAKVJoiv7RbBH8JizGdLUDkdLt r81VPKuRR5Y8W/AMSRyPrhzi6WUhHP3GQOAsdlB751BotLtAwaaAt83hL5jsBoNXgx02 kzsI309cmx8shJ197vgDHbOHPyJESNIv+InlHzQY+oaraTi5wgX2PUvGP61aXjeSiaQ+ Aj8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=aY2TXmEls2VazBzH+IpQuTGxAVVdwFMcfSHOSBdvLAw=; b=E8q8I7h553p7vpq2nqgDbuI0mL7nLAyaNJaAFIgmb3X2rkM/XlW3HxccW3JlAvX/Ci H2X/R3BwsAwjhs01cY657QvXn2zjeZ0W8vMzqllaZ9Ii874LwAhEjqWeInmaVGGV+Qdg n5RYIabPKlKyQwFUug8R79pbrTa1xuRR/nbvuNF4VDl/Jno6Md1XvNLNaoxE+2FGN/Dk fdY9n3l0FuvUkV9utSFxXXb5BdX/i62h/285S0Eilw7T1vM3UTECAPrjQuBcBXA44mX9 2XIobAMXdXbhDweXEPcDW2Sd2VQ7YPg6Im0uy+R+xPh75vQ/E4bMqXXecb/QMfyJI/SW wxdQ== X-Gm-Message-State: AOAM530s9+BVXXxUB2lzFMf0YHOnjiXrmLYIZX1yhk/OOBjmwCY418OE J7kBJZrA3gIZOXU5x+Y1J9Jvdj71tWpA2SOy X-Google-Smtp-Source: ABdhPJxpYqjDPcjihPdPPbNsPeKrY2BAFGlO2eOX8Z7AWaThKbDGbUPRMVWwAAe1Tl39kRF1Ufeczw== X-Received: by 2002:a05:622a:389:: with SMTP id j9mr35906215qtx.504.1641066598674; Sat, 01 Jan 2022 11:49:58 -0800 (PST) Received: from localhost.localdomain ([208.74.141.240]) by smtp.gmail.com with ESMTPSA id s3sm24743353qkp.93.2022.01.01.11.49.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 01 Jan 2022 11:49:58 -0800 (PST) From: Jeremy Huntwork To: pacman-dev@lists.archlinux.org Cc: Jeremy Huntwork Subject: [PATCH 1/4] libalpm: Add support for asignify signatures Date: Sat, 1 Jan 2022 14:49:31 -0500 Message-Id: <20220101194934.8229-2-jeremy@merelinux.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220101194934.8229-1-jeremy@merelinux.org> References: <20220101194934.8229-1-jeremy@merelinux.org> MIME-Version: 1.0 X-BeenThere: pacman-dev@lists.archlinux.org X-Mailman-Version: 2.1.39 Precedence: list List-Id: Discussion list for pacman development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: pacman-dev-bounces@lists.archlinux.org Sender: "pacman-dev" Authentication-Results: mail.archlinux.org; dkim=pass header.d=merelinux-org.20210112.gappssmtp.com header.s=20210112 header.b=IRtxAvt9; dmarc=none; spf=pass (mail.archlinux.org: domain of pacman-dev-bounces@lists.archlinux.org designates 2a01:4f9:c010:9eb4::1 as permitted sender) smtp.mailfrom=pacman-dev-bounces@lists.archlinux.org X-Rspamd-Queue-Id: 2864EBD5D97 X-Spamd-Result: default: False [-3.91 / 15.00]; REPLY(-4.00)[]; MID_CONTAINS_FROM(1.00)[]; R_MISSING_CHARSET(0.50)[]; RCVD_DKIM_ARC_DNSWL_MED(-0.50)[]; MAILLIST(-0.20)[mailman]; R_DKIM_ALLOW(-0.20)[merelinux-org.20210112.gappssmtp.com:s=20210112]; RCVD_IN_DNSWL_MED(-0.20)[2a01:4f9:c010:9eb4::1:from]; R_SPF_ALLOW(-0.20)[+ip6:2a01:4f9:c010:9eb4::1:c]; MIME_GOOD(-0.10)[text/plain]; HAS_LIST_UNSUB(-0.01)[]; DMARC_NA(0.00)[merelinux.org]; FROM_HAS_DN(0.00)[]; RCVD_COUNT_FIVE(0.00)[5]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::835:received]; PREVIOUSLY_DELIVERED(0.00)[pacman-dev@lists.archlinux.org]; RCVD_VIA_SMTP_AUTH(0.00)[]; ASN(0.00)[asn:24940, ipnet:2a01:4f9::/32, country:DE]; FROM_NEQ_ENVFROM(0.00)[jeremy@merelinux.org,pacman-dev-bounces@lists.archlinux.org]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[merelinux-org.20210112.gappssmtp.com:+]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; FORGED_RECIPIENTS_MAILLIST(0.00)[]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; NEURAL_HAM(-0.00)[-1.000]; FORGED_SENDER_MAILLIST(0.00)[] X-Rspamd-Server: mail.archlinux.org Provide an alternative way to validate package and repository signatures using libasignify. See: https://github.com/vstakhov/asignify Signed-off-by: Jeremy Huntwork --- lib/libalpm/alpm.c | 2 +- lib/libalpm/alpm.h | 19 ++++++++++++ lib/libalpm/be_package.c | 22 +++++++++++--- lib/libalpm/be_sync.c | 2 +- lib/libalpm/error.c | 8 ++--- lib/libalpm/handle.c | 23 ++++++++++++-- lib/libalpm/handle.h | 1 + lib/libalpm/signing.c | 65 ++++++++++++++++++++++++++++++++++++++++ lib/libalpm/signing.h | 1 + 9 files changed, 130 insertions(+), 13 deletions(-) diff --git a/lib/libalpm/alpm.c b/lib/libalpm/alpm.c index 5b326ab0..d1261660 100644 --- a/lib/libalpm/alpm.c +++ b/lib/libalpm/alpm.c @@ -137,7 +137,7 @@ int SYMEXPORT alpm_capabilities(void) #ifdef HAVE_LIBCURL | ALPM_CAPABILITY_DOWNLOADER #endif -#ifdef HAVE_LIBGPGME +#if defined(HAVE_LIBGPGME) || defined(HAVE_LIBASIGNIFY) | ALPM_CAPABILITY_SIGNATURES #endif | 0; diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index 7f3fc8d5..aaa0acb9 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -1833,6 +1833,25 @@ int alpm_option_set_gpgdir(alpm_handle_t *handle, const char *gpgdir); /* End of gpdir accessors */ /** @} */ +/** @name Accessors to asignify's trusted public keys directory + * + * This controls where libalpm will store asignify's public keys. + * @{ + */ + +/** Returns the path to libalpm's asignify trusted public keys directory. + * @param handle the context handle + * @return the path to libalpms's trusted public keys directory + */ +const char *alpm_option_get_asignifydir(alpm_handle_t *handle); + +/** Sets the path to libalpm's asignify trusted public keys directory. + * @param handle the context handle + * @param asignifydir the asignifydir to set + */ +int alpm_option_set_asignifydir(alpm_handle_t *handle, const char *asignifydir); +/* End of asignifydir accessors */ +/** @} */ /** @name Accessors for use syslog * diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index 5ca2865c..db6341d6 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c @@ -342,12 +342,23 @@ int _alpm_pkg_validate_internal(alpm_handle_t *handle, handle->pm_errno = ALPM_ERR_PKG_MISSING_SIG; return -1; } +#ifdef HAVE_LIBGPGME if(_alpm_check_pgp_helper(handle, pkgfile, sig, level & ALPM_SIG_PACKAGE_OPTIONAL, level & ALPM_SIG_PACKAGE_MARGINAL_OK, level & ALPM_SIG_PACKAGE_UNKNOWN_OK, sigdata)) { handle->pm_errno = ALPM_ERR_PKG_INVALID_SIG; return -1; } +#endif +#ifdef HAVE_LIBASIGNIFY + if (sigdata) { + _alpm_log(handle, ALPM_LOG_DEBUG, "sigdata is unused with libasignify\n"); + } + if(_alpm_check_asignify_helper(handle, pkgfile)) { + handle->pm_errno = ALPM_ERR_PKG_INVALID_SIG; + return -1; + } +#endif if(validation && has_sig) { *validation |= ALPM_PKG_VALIDATION_SIGNATURE; } @@ -722,8 +733,6 @@ int SYMEXPORT alpm_pkg_load(alpm_handle_t *handle, const char *filename, int ful { int validation = 0; char *sigpath; - alpm_pkg_t *pkg_temp; - char *packager; CHECK_HANDLE(handle, return -1); ASSERT(pkg != NULL, RET_ERR(handle, ALPM_ERR_WRONG_ARGS, -1)); @@ -731,8 +740,6 @@ int SYMEXPORT alpm_pkg_load(alpm_handle_t *handle, const char *filename, int ful sigpath = _alpm_sigpath(handle, filename); if(sigpath && !_alpm_access(handle, NULL, sigpath, R_OK)) { if(level & ALPM_SIG_PACKAGE) { - alpm_list_t *keys = NULL; - int fail = 0; unsigned char *sig = NULL; int len = read_sigfile(sigpath, &sig); @@ -743,6 +750,12 @@ int SYMEXPORT alpm_pkg_load(alpm_handle_t *handle, const char *filename, int ful return -1; } +#ifdef HAVE_LIBGPGME + alpm_list_t *keys = NULL; + int fail = 0; + alpm_pkg_t *pkg_temp; + char *packager; + if(alpm_extract_keyid(handle, filename, sig, len, &keys) == 0) { alpm_list_t *k; for(k = keys; k; k = k->next) { @@ -771,6 +784,7 @@ int SYMEXPORT alpm_pkg_load(alpm_handle_t *handle, const char *filename, int ful free(sigpath); return -1; } +#endif } } free(sigpath); diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index ede25985..81654902 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -697,7 +697,7 @@ alpm_db_t *_alpm_db_register_sync(alpm_handle_t *handle, const char *treename, _alpm_log(handle, ALPM_LOG_DEBUG, "registering sync database '%s'\n", treename); -#ifndef HAVE_LIBGPGME +#if !defined(HAVE_LIBGPGME) || !defined(HAVE_LIBASIGNIFY) if(level != 0 && level != ALPM_SIG_USE_DEFAULT) { RET_ERR(handle, ALPM_ERR_MISSING_CAPABILITY_SIGNATURES, NULL); } diff --git a/lib/libalpm/error.c b/lib/libalpm/error.c index 644a6577..78b44418 100644 --- a/lib/libalpm/error.c +++ b/lib/libalpm/error.c @@ -71,7 +71,7 @@ const char SYMEXPORT *alpm_strerror(alpm_errno_t err) case ALPM_ERR_DB_INVALID: return _("invalid or corrupted database"); case ALPM_ERR_DB_INVALID_SIG: - return _("invalid or corrupted database (PGP signature)"); + return _("invalid or corrupted database (signature)"); case ALPM_ERR_DB_VERSION: return _("database is incorrect version"); case ALPM_ERR_DB_WRITE: @@ -114,7 +114,7 @@ const char SYMEXPORT *alpm_strerror(alpm_errno_t err) case ALPM_ERR_PKG_INVALID_CHECKSUM: return _("invalid or corrupted package (checksum)"); case ALPM_ERR_PKG_INVALID_SIG: - return _("invalid or corrupted package (PGP signature)"); + return _("invalid or corrupted package (signature)"); case ALPM_ERR_PKG_MISSING_SIG: return _("package missing required signature"); case ALPM_ERR_PKG_OPEN: @@ -127,9 +127,9 @@ const char SYMEXPORT *alpm_strerror(alpm_errno_t err) return _("package architecture is not valid"); /* Signatures */ case ALPM_ERR_SIG_MISSING: - return _("missing PGP signature"); + return _("missing signature"); case ALPM_ERR_SIG_INVALID: - return _("invalid PGP signature"); + return _("invalid signature"); /* Dependencies */ case ALPM_ERR_UNSATISFIED_DEPS: return _("could not satisfy dependencies"); diff --git a/lib/libalpm/handle.c b/lib/libalpm/handle.c index 101d4a78..4b588e58 100644 --- a/lib/libalpm/handle.c +++ b/lib/libalpm/handle.c @@ -270,6 +270,12 @@ const char SYMEXPORT *alpm_option_get_gpgdir(alpm_handle_t *handle) return handle->gpgdir; } +const char SYMEXPORT *alpm_option_get_asignifydir(alpm_handle_t *handle) +{ + CHECK_HANDLE(handle, return NULL); + return handle->asignifydir; +} + int SYMEXPORT alpm_option_get_usesyslog(alpm_handle_t *handle) { CHECK_HANDLE(handle, return -1); @@ -573,6 +579,17 @@ int SYMEXPORT alpm_option_set_gpgdir(alpm_handle_t *handle, const char *gpgdir) return 0; } +int SYMEXPORT alpm_option_set_asignifydir(alpm_handle_t *handle, const char *asignifydir) +{ + int err; + CHECK_HANDLE(handle, return -1); + if((err = _alpm_set_directory_option(asignifydir, &(handle->asignifydir), 0))) { + RET_ERR(handle, err, -1); + } + _alpm_log(handle, ALPM_LOG_DEBUG, "option 'asignifydir' = %s\n", handle->asignifydir); + return 0; +} + int SYMEXPORT alpm_option_set_usesyslog(alpm_handle_t *handle, int usesyslog) { CHECK_HANDLE(handle, return -1); @@ -829,7 +846,7 @@ int SYMEXPORT alpm_option_set_default_siglevel(alpm_handle_t *handle, if(level == ALPM_SIG_USE_DEFAULT) { RET_ERR(handle, ALPM_ERR_WRONG_ARGS, -1); } -#ifdef HAVE_LIBGPGME +#if defined(HAVE_LIBGPGME) || defined(HAVE_LIBASIGNIFY) handle->siglevel = level; #else if(level != 0) { @@ -849,7 +866,7 @@ int SYMEXPORT alpm_option_set_local_file_siglevel(alpm_handle_t *handle, int level) { CHECK_HANDLE(handle, return -1); -#ifdef HAVE_LIBGPGME +#if defined(HAVE_LIBGPGME) || defined(HAVE_LIBASIGNIFY) handle->localfilesiglevel = level; #else if(level != 0 && level != ALPM_SIG_USE_DEFAULT) { @@ -873,7 +890,7 @@ int SYMEXPORT alpm_option_set_remote_file_siglevel(alpm_handle_t *handle, int level) { CHECK_HANDLE(handle, return -1); -#ifdef HAVE_LIBGPGME +#if defined(HAVE_LIBGPGME) || defined(HAVE_LIBASIGNIFY) handle->remotefilesiglevel = level; #else if(level != 0 && level != ALPM_SIG_USE_DEFAULT) { diff --git a/lib/libalpm/handle.h b/lib/libalpm/handle.h index e1af117d..22b0689d 100644 --- a/lib/libalpm/handle.h +++ b/lib/libalpm/handle.h @@ -91,6 +91,7 @@ struct _alpm_handle_t { char *logfile; /* Name of the log file */ char *lockfile; /* Name of the lock file */ char *gpgdir; /* Directory where GnuPG files are stored */ + char *asignifydir; /* Directory where asignify trusted public keys are stored */ alpm_list_t *cachedirs; /* Paths to pacman cache directories */ alpm_list_t *hookdirs; /* Paths to hook directories */ alpm_list_t *overwrite_files; /* Paths that may be overwritten */ diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 66cc3923..aa4ba19f 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -26,6 +26,11 @@ #include #endif +#ifdef HAVE_LIBASIGNIFY +#include +#include +#endif + /* libalpm */ #include "signing.h" #include "package.h" @@ -810,6 +815,66 @@ char *_alpm_sigpath(alpm_handle_t *handle, const char *path) return sigpath; } +#ifdef HAVE_LIBASIGNIFY +/** + * Helper for checking the asignify signature for the given file path. + * @param handle the context handle + * @param path the full path to a file + * @return 0 on success, -1 on error (consult pm_errno or sigdata) + */ +int _alpm_check_asignify_helper(alpm_handle_t *handle, const char *path) +{ + int ret = 0; + struct dirent *entry; + struct stat statbuf; + + char *sigpath = _alpm_sigpath(handle, path); + asignify_verify_t *vrf = asignify_verify_init(); + + DIR *ad = opendir(handle->asignifydir); + if(ad == NULL) { + _alpm_log(handle, ALPM_LOG_DEBUG, "cannot open directory: %s\n", handle->asignifydir); + return -1; + } + + while((entry = readdir(ad)) != NULL) { + char *fullpath = malloc(strlen(handle->asignifydir) + strlen(entry->d_name) + 2); + if (fullpath == NULL) { + _alpm_log(handle, ALPM_LOG_DEBUG, "malloc error\n"); + return -1; + } + sprintf(fullpath, "%s/%s", handle->asignifydir, entry->d_name); + stat(fullpath, &statbuf); + if (S_ISREG(statbuf.st_mode)) { + if (!asignify_verify_load_pubkey(vrf, fullpath)) { + /* Don't return here because there may be multiple public keys to load. */ + _alpm_log(handle, ALPM_LOG_DEBUG, "cannot load public key file: %s\n", fullpath); + } + } + free(fullpath); + } + + if (!asignify_verify_load_signature(vrf, sigpath)) { + _alpm_log(handle, ALPM_LOG_DEBUG, "cannot load signature\n"); + ret = -1; + goto asignify_cleanup; + } + + if (!asignify_verify_file(vrf, path)) { + _alpm_log(handle, ALPM_LOG_DEBUG, "signature is not valid\n"); + ret = -1; + goto asignify_cleanup; + } + + _alpm_log(handle, ALPM_LOG_DEBUG, "signature is valid\n"); + +asignify_cleanup: + free(sigpath); + asignify_verify_free(vrf); + return ret; +} +#endif + /** * Helper for checking the PGP signature for the given file path. * This wraps #_alpm_gpgme_checksig in a slightly friendlier manner to simplify diff --git a/lib/libalpm/signing.h b/lib/libalpm/signing.h index 112b2a1f..a7f75ad7 100644 --- a/lib/libalpm/signing.h +++ b/lib/libalpm/signing.h @@ -25,6 +25,7 @@ char *_alpm_sigpath(alpm_handle_t *handle, const char *path); int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path, const char *base64_sig, alpm_siglist_t *result); +int _alpm_check_asignify_helper(alpm_handle_t *handle, const char *path); int _alpm_check_pgp_helper(alpm_handle_t *handle, const char *path, const char *base64_sig, int optional, int marginal, int unknown, alpm_siglist_t **sigdata);