2 * \file lib/signature.c
5 /* signature.c - RPM signature functions */
9 * Things have been cleaned up wrt PGP. We can now handle
10 * signatures of any length (which means you can use any
11 * size key you like). We also honor PGPPATH finally.
16 #if HAVE_ASM_BYTEORDER_H
17 #include <asm/byteorder.h>
21 #include <rpmmacro.h> /* XXX for rpmGetPath */
26 #include "signature.h"
29 /*@access Header@*/ /* XXX compared with NULL */
31 typedef unsigned char byte;
33 typedef int (*md5func)(const char * fn, /*@out@*/ byte * digest);
35 int rpmLookupSignatureType(int action)
37 static int disabled = 0;
41 case RPMLOOKUPSIG_DISABLE:
44 case RPMLOOKUPSIG_ENABLE:
48 case RPMLOOKUPSIG_QUERY:
51 { const char *name = rpmExpand("%{_signature}", NULL);
52 if (!(name && *name != '%'))
54 else if (!strcasecmp(name, "none"))
56 else if (!strcasecmp(name, "pgp"))
58 else if (!strcasecmp(name, "pgp5")) /* XXX legacy */
60 else if (!strcasecmp(name, "gpg"))
63 rc = -1; /* Invalid %_signature spec in macro file */
70 /* rpmDetectPGPVersion() returns the absolute path to the "pgp" */
71 /* executable of the requested version, or NULL when none found. */
73 const char * rpmDetectPGPVersion(pgpVersion *pgpVer)
75 /* Actually this should support having more then one pgp version. */
76 /* At the moment only one version is possible since we only */
77 /* have one %_pgpbin and one %_pgp_path. */
79 static pgpVersion saved_pgp_version = PGP_UNKNOWN;
80 const char *pgpbin = rpmGetPath("%{_pgpbin}", NULL);
82 if (saved_pgp_version == PGP_UNKNOWN) {
86 if (!(pgpbin && pgpbin[0] != '%')) {
87 if (pgpbin) free((void *)pgpbin);
88 saved_pgp_version = -1;
91 pgpvbin = (char *)alloca(strlen(pgpbin) + sizeof("v"));
92 (void)stpcpy(stpcpy(pgpvbin, pgpbin), "v");
94 if (stat(pgpvbin, &st) == 0)
95 saved_pgp_version = PGP_5;
96 else if (stat(pgpbin, &st) == 0)
97 saved_pgp_version = PGP_2;
99 saved_pgp_version = PGP_NOTDETECTED;
102 if (pgpbin && pgpVer)
103 *pgpVer = saved_pgp_version;
107 static inline int checkSize(FD_t fd, int siglen, int pad, int datalen)
111 fstat(Fileno(fd), &st);
113 if (!S_ISREG(st.st_mode)) {
114 rpmMessage(RPMMESS_DEBUG,
115 _("file is not regular -- skipping size check\n"));
118 rpmMessage(RPMMESS_DEBUG,
119 _("Expected size: %12d = lead(%d)+sigs(%d)+pad(%d)+data(%d)\n"),
120 sizeof(struct rpmlead)+siglen+pad+datalen,
121 sizeof(struct rpmlead), siglen, pad, datalen);
122 rpmMessage(RPMMESS_DEBUG,
123 _(" Actual size: %12d\n"), st.st_size);
125 return ((sizeof(struct rpmlead) + siglen + pad + datalen) - st.st_size);
128 int rpmReadSignature(FD_t fd, Header *headerp, short sigType)
135 int rc = 1; /* assume failure */
140 /* XXX Yuck, see ALPHA_LOSSAGE in lib/rpmchecksig.c */
142 if (sigType == RPMSIG_NONE) sigType = RPMSIG_HEADERSIG;
147 rpmMessage(RPMMESS_DEBUG, _("No signature\n"));
150 case RPMSIG_PGP262_1024:
151 rpmMessage(RPMMESS_DEBUG, _("Old PGP signature\n"));
152 /* These are always 256 bytes */
153 if (timedRead(fd, buf, 256) != 256)
156 headerAddEntry(h, RPMSIGTAG_PGP, RPM_BIN_TYPE, buf, 152);
161 rpmError(RPMERR_BADSIGTYPE,
162 _("Old (internal-only) signature! How did you get that!?"));
164 case RPMSIG_HEADERSIG:
165 /* This is a new style signature */
166 h = headerRead(fd, HEADER_MAGIC_YES);
169 sigSize = headerSizeof(h, HEADER_MAGIC_YES);
171 /* XXX Legacy headers have a HEADER_IMAGE tag added. */
172 if (headerIsEntry(h, RPMTAG_HEADERIMAGE))
173 sigSize -= (16 + 16);
175 pad = (8 - (sigSize % 8)) % 8; /* 8-byte pad */
176 if (! headerGetEntry(h, RPMSIGTAG_SIZE, &type, (void **)&archSize, &count))
178 if (checkSize(fd, sigSize, pad, *archSize))
181 if (timedRead(fd, buf, pad) != pad)
190 if (rc == 0 && headerp)
198 int rpmWriteSignature(FD_t fd, Header header)
201 static byte buf[8] = "\000\000\000\000\000\000\000\000";
204 rc = headerWrite(fd, header, HEADER_MAGIC_YES);
208 sigSize = headerSizeof(header, HEADER_MAGIC_YES);
209 pad = (8 - (sigSize % 8)) % 8;
211 rpmMessage(RPMMESS_DEBUG, _("Signature size: %d\n"), sigSize);
212 rpmMessage(RPMMESS_DEBUG, _("Signature pad : %d\n"), pad);
213 if (Fwrite(buf, sizeof(buf[0]), pad, fd) != pad)
219 Header rpmNewSignature(void)
221 Header h = headerNew();
225 void rpmFreeSignature(Header h)
230 static int makePGPSignature(const char *file, /*@out@*/void **sig, /*@out@*/int_32 *size,
231 const char *passPhrase)
238 sprintf(sigfile, "%s.sig", file);
240 inpipe[0] = inpipe[1] = 0;
243 if (!(pid = fork())) {
244 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
245 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
253 dosetenv("PGPPASSFD", "3", 1);
254 if (pgp_path && *pgp_path != '%')
255 dosetenv("PGPPATH", pgp_path, 1);
257 /* dosetenv("PGPPASS", passPhrase, 1); */
259 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
262 execlp(path, "pgp", "+batchmode=on", "+verbose=0", "+armor=off",
263 name, "-sb", file, sigfile, NULL);
266 execlp(path,"pgps", "+batchmode=on", "+verbose=0", "+armor=off",
267 name, "-b", file, "-o", sigfile, NULL);
270 case PGP_NOTDETECTED:
274 rpmError(RPMERR_EXEC, _("Couldn't exec pgp (%s)"), path);
279 (void)write(inpipe[1], passPhrase, strlen(passPhrase));
280 (void)write(inpipe[1], "\n", 1);
283 (void)waitpid(pid, &status, 0);
284 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
285 rpmError(RPMERR_SIGGEN, _("pgp failed"));
289 if (stat(sigfile, &st)) {
290 /* PGP failed to write signature */
291 unlink(sigfile); /* Just in case */
292 rpmError(RPMERR_SIGGEN, _("pgp failed to write signature"));
297 rpmMessage(RPMMESS_DEBUG, _("PGP sig size: %d\n"), *size);
298 *sig = xmalloc(*size);
302 fd = Fopen(sigfile, "r.fdio");
303 rc = timedRead(fd, *sig, *size);
308 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
313 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of PGP sig\n"), *size);
318 /* This is an adaptation of the makePGPSignature function to use GPG instead
319 * of PGP to create signatures. I think I've made all the changes necessary,
320 * but this could be a good place to start looking if errors in GPG signature
323 static int makeGPGSignature(const char *file, /*@out@*/void **sig, /*@out@*/int_32 *size,
324 const char *passPhrase)
332 sprintf(sigfile, "%s.sig", file);
334 inpipe[0] = inpipe[1] = 0;
337 if (!(pid = fork())) {
338 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
339 const char *name = rpmExpand("%{_gpg_name}", NULL);
345 if (gpg_path && *gpg_path != '%')
346 dosetenv("GNUPGHOME", gpg_path, 1);
348 "--batch", "--no-verbose", "--no-armor", "--passphrase-fd", "3",
349 "-u", name, "-sbo", sigfile, file,
351 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
355 fpipe = fdopen(inpipe[1], "w");
357 fprintf(fpipe, "%s\n", passPhrase);
360 (void)waitpid(pid, &status, 0);
361 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
362 rpmError(RPMERR_SIGGEN, _("gpg failed"));
366 if (stat(sigfile, &st)) {
367 /* GPG failed to write signature */
368 unlink(sigfile); /* Just in case */
369 rpmError(RPMERR_SIGGEN, _("gpg failed to write signature"));
374 rpmMessage(RPMMESS_DEBUG, _("GPG sig size: %d\n"), *size);
375 *sig = xmalloc(*size);
379 fd = Fopen(sigfile, "r.fdio");
380 rc = timedRead(fd, *sig, *size);
385 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
390 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of GPG sig\n"), *size);
395 int rpmAddSignature(Header header, const char *file, int_32 sigTag, const char *passPhrase)
408 headerAddEntry(header, RPMSIGTAG_SIZE, RPM_INT32_TYPE, &size, 1);
411 ret = mdbinfile(file, buf);
413 headerAddEntry(header, sigTag, RPM_BIN_TYPE, buf, 16);
415 case RPMSIGTAG_PGP5: /* XXX legacy */
417 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using PGP.\n"));
418 ret = makePGPSignature(file, &sig, &size, passPhrase);
420 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
423 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using GPG.\n"));
424 ret = makeGPGSignature(file, &sig, &size, passPhrase);
426 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
433 static rpmVerifySignatureReturn
434 verifySizeSignature(const char *datafile, int_32 size, char *result)
439 if (size != st.st_size) {
440 sprintf(result, "Header+Archive size mismatch.\n"
441 "Expected %d, saw %d.\n",
442 size, (int)st.st_size);
446 sprintf(result, "Header+Archive size OK: %d bytes\n", size);
450 #define X(_x) (unsigned)((_x) & 0xff)
452 static rpmVerifySignatureReturn
453 verifyMD5Signature(const char *datafile, const byte *sig,
454 char *result, md5func fn)
458 fn(datafile, md5sum);
459 if (memcmp(md5sum, sig, 16)) {
460 sprintf(result, "MD5 sum mismatch\n"
461 "Expected: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
462 "%02x%02x%02x%02x%02x\n"
463 "Saw : %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
464 "%02x%02x%02x%02x%02x\n",
465 X(sig[0]), X(sig[1]), X(sig[2]), X(sig[3]),
466 X(sig[4]), X(sig[5]), X(sig[6]), X(sig[7]),
467 X(sig[8]), X(sig[9]), X(sig[10]), X(sig[11]),
468 X(sig[12]), X(sig[13]), X(sig[14]), X(sig[15]),
469 X(md5sum[0]), X(md5sum[1]), X(md5sum[2]), X(md5sum[3]),
470 X(md5sum[4]), X(md5sum[5]), X(md5sum[6]), X(md5sum[7]),
471 X(md5sum[8]), X(md5sum[9]), X(md5sum[10]), X(md5sum[11]),
472 X(md5sum[12]), X(md5sum[13]), X(md5sum[14]), X(md5sum[15]) );
476 sprintf(result, "MD5 sum OK: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
477 "%02x%02x%02x%02x%02x\n",
478 X(md5sum[0]), X(md5sum[1]), X(md5sum[2]), X(md5sum[3]),
479 X(md5sum[4]), X(md5sum[5]), X(md5sum[6]), X(md5sum[7]),
480 X(md5sum[8]), X(md5sum[9]), X(md5sum[10]), X(md5sum[11]),
481 X(md5sum[12]), X(md5sum[13]), X(md5sum[14]), X(md5sum[15]) );
486 static rpmVerifySignatureReturn
487 verifyPGPSignature(const char *datafile, const void * sig, int count, char *result)
489 int pid, status, outpipe[2];
498 /* What version do we have? */
499 if ((path = rpmDetectPGPVersion(&pgpVer)) == NULL) {
501 rpmError(RPMERR_EXEC,
502 _("Could not run pgp. Use --nopgp to skip PGP checks."));
507 * Sad but true: pgp-5.0 returns exit value of 0 on bad signature.
508 * Instead we have to use the text output to detect a bad signature.
513 /* Write out the signature */
514 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
515 sigfile = tempnam(tmppath, "rpmsig");
516 free((void *)tmppath);
518 sfd = Fopen(sigfile, "w.fdio");
519 (void)Fwrite(sig, sizeof(char), count, sfd);
523 outpipe[0] = outpipe[1] = 0;
526 if (!(pid = fork())) {
527 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
530 close(STDOUT_FILENO); /* XXX unnecessary */
531 dup2(outpipe[1], STDOUT_FILENO);
533 if (pgp_path && *pgp_path != '%')
534 dosetenv("PGPPATH", pgp_path, 1);
538 /* Some output (in particular "This signature applies to */
539 /* another message") is _always_ written to stderr; we */
540 /* want to catch that output, so dup stdout to stderr: */
541 { int save_stderr = dup(2);
543 execlp(path, "pgpv", "+batchmode=on", "+verbose=0",
544 /* Write "Good signature..." to stdout: */
545 "+OutputInformationFD=1",
546 /* Write "WARNING: ... is not trusted to... to stdout: */
547 "+OutputWarningFD=1",
548 sigfile, "-o", datafile, NULL);
549 /* Restore stderr so we can print the error message below. */
550 dup2(save_stderr, 2);
554 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
555 sigfile, datafile, NULL);
558 case PGP_NOTDETECTED:
562 rpmError(RPMERR_EXEC,
563 _("Could not run pgp. Use --nopgp to skip PGP checks."));
568 file = fdopen(outpipe[0], "r");
570 while (fgets(buf, 1024, file)) {
571 if (strncmp("File '", buf, 6) &&
572 strncmp("Text is assu", buf, 12) &&
573 strncmp("This signature applies to another message", buf, 41) &&
577 if (!strncmp("WARNING: Can't find the right public key", buf, 40))
579 else if (!strncmp("Signature by unknown keyid:", buf, 27))
581 else if (!strncmp("WARNING: The signing key is not trusted", buf, 39))
582 res = RPMSIG_NOTTRUSTED;
583 else if (!strncmp("Good signature", buf, 14))
588 (void)waitpid(pid, &status, 0);
590 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
597 static rpmVerifySignatureReturn
598 verifyGPGSignature(const char *datafile, const void * sig, int count, char *result)
600 int pid, status, outpipe[2];
607 /* Write out the signature */
608 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
609 sigfile = tempnam(tmppath, "rpmsig");
610 free((void *)tmppath);
612 sfd = Fopen(sigfile, "w.fdio");
613 (void)Fwrite(sig, sizeof(char), count, sfd);
617 outpipe[0] = outpipe[1] = 0;
620 if (!(pid = fork())) {
621 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
624 /* gpg version 0.9 sends its output to stderr. */
625 dup2(outpipe[1], STDERR_FILENO);
627 if (gpg_path && *gpg_path != '%')
628 dosetenv("GNUPGHOME", gpg_path, 1);
631 "--batch", "--no-verbose",
632 "--verify", sigfile, datafile,
634 rpmError(RPMERR_EXEC,
635 _("Could not run gpg. Use --nogpg to skip GPG checks."));
640 file = fdopen(outpipe[0], "r");
642 while (fgets(buf, 1024, file)) {
644 if (!strncmp("gpg: Can't check signature: Public key not found", buf, 48)) {
650 (void)waitpid(pid, &status, 0);
652 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
659 static int checkPassPhrase(const char *passPhrase, const int sigTag)
661 int passPhrasePipe[2];
665 passPhrasePipe[0] = passPhrasePipe[1] = 0;
666 pipe(passPhrasePipe);
667 if (!(pid = fork())) {
669 close(STDOUT_FILENO);
670 close(passPhrasePipe[1]);
671 if (! rpmIsVerbose()) {
672 close(STDERR_FILENO);
674 if ((fd = open("/dev/null", O_RDONLY)) != STDIN_FILENO) {
675 dup2(fd, STDIN_FILENO);
678 if ((fd = open("/dev/null", O_WRONLY)) != STDOUT_FILENO) {
679 dup2(fd, STDOUT_FILENO);
682 dup2(passPhrasePipe[0], 3);
686 { const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
687 const char *name = rpmExpand("%{_gpg_name}", NULL);
688 if (gpg_path && *gpg_path != '%')
689 dosetenv("GNUPGHOME", gpg_path, 1);
691 "--batch", "--no-verbose", "--passphrase-fd", "3",
692 "-u", name, "-so", "-",
694 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
696 } /*@notreached@*/ break;
697 case RPMSIGTAG_PGP5: /* XXX legacy */
699 { const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
700 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
704 dosetenv("PGPPASSFD", "3", 1);
705 if (pgp_path && *pgp_path != '%')
706 dosetenv("PGPPATH", pgp_path, 1);
708 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
711 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
714 case PGP_5: /* XXX legacy */
715 execlp(path,"pgps", "+batchmode=on", "+verbose=0",
719 case PGP_NOTDETECTED:
723 rpmError(RPMERR_EXEC, _("Couldn't exec pgp"));
725 } /*@notreached@*/ break;
726 default: /* This case should have been screened out long ago. */
727 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
728 _exit(RPMERR_SIGGEN);
729 /*@notreached@*/ break;
733 close(passPhrasePipe[0]);
734 (void)write(passPhrasePipe[1], passPhrase, strlen(passPhrase));
735 (void)write(passPhrasePipe[1], "\n", 1);
736 close(passPhrasePipe[1]);
738 (void)waitpid(pid, &status, 0);
739 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
743 /* passPhrase is good */
747 char *rpmGetPassPhrase(const char *prompt, const int sigTag)
754 { const char *name = rpmExpand("%{_gpg_name}", NULL);
755 aok = (name && *name != '%');
759 rpmError(RPMERR_SIGGEN,
760 _("You must set \"%%_gpg_name\" in your macro file"));
764 case RPMSIGTAG_PGP5: /* XXX legacy */
766 { const char *name = rpmExpand("%{_pgp_name}", NULL);
767 aok = (name && *name != '%');
771 rpmError(RPMERR_SIGGEN,
772 _("You must set \"%%_pgp_name\" in your macro file"));
777 /* Currently the calling function (rpm.c:main) is checking this and
778 * doing a better job. This section should never be accessed.
780 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
782 /*@notreached@*/ break;
785 pass = /*@-unrecog@*/ getpass( (prompt ? prompt : "") ) /*@=unrecog@*/ ;
787 if (checkPassPhrase(pass, sigTag))
793 rpmVerifySignatureReturn
794 rpmVerifySignature(const char *file, int_32 sigTag, const void * sig, int count,
799 return verifySizeSignature(file, *(int_32 *)sig, result);
800 /*@notreached@*/ break;
802 return verifyMD5Signature(file, sig, result, mdbinfile);
803 /*@notreached@*/ break;
804 case RPMSIGTAG_LEMD5_1:
805 case RPMSIGTAG_LEMD5_2:
806 return verifyMD5Signature(file, sig, result, mdbinfileBroken);
807 /*@notreached@*/ break;
808 case RPMSIGTAG_PGP5: /* XXX legacy */
810 return verifyPGPSignature(file, sig, count, result);
811 /*@notreached@*/ break;
813 return verifyGPGSignature(file, sig, count, result);
814 /*@notreached@*/ break;
816 sprintf(result, "Do not know how to verify sig type %d\n", sigTag);
817 return RPMSIG_UNKNOWN;
projects / platform / upstream / rpm.git / blob