1 /* signature.c - RPM signature functions */
5 * Things have been cleaned up wrt PGP. We can now handle
6 * signatures of any length (which means you can use any
7 * size key you like). We also honor PGPPATH finally.
12 #if HAVE_ASM_BYTEORDER_H
13 #include <asm/byteorder.h>
17 #include <rpmmacro.h> /* XXX for rpmGetPath */
22 #include "signature.h"
24 typedef int (*md5func)(const char * fn, unsigned char * digest);
26 int rpmLookupSignatureType(int action)
28 static int disabled = 0;
32 case RPMLOOKUPSIG_DISABLE:
35 case RPMLOOKUPSIG_ENABLE:
38 case RPMLOOKUPSIG_QUERY:
41 { const char *name = rpmExpand("%{_signature}", NULL);
42 if (!(name && *name != '%'))
44 else if (!strcasecmp(name, "none"))
46 else if (!strcasecmp(name, "pgp"))
48 else if (!strcasecmp(name, "pgp5")) /* XXX legacy */
50 else if (!strcasecmp(name, "gpg"))
53 rc = -1; /* Invalid %_signature spec in macro file */
60 /* rpmDetectPGPVersion() returns the absolute path to the "pgp" */
61 /* executable of the requested version, or NULL when none found. */
63 const char * rpmDetectPGPVersion(pgpVersion *pgpVer)
65 /* Actually this should support having more then one pgp version. */
66 /* At the moment only one version is possible since we only */
67 /* have one %_pgpbin and one %_pgp_path. */
69 static pgpVersion saved_pgp_version = PGP_UNKNOWN;
70 const char *pgpbin = rpmGetPath("%{_pgpbin}", NULL);
72 if (saved_pgp_version == PGP_UNKNOWN) {
76 if (!pgpbin || ! (pgpvbin = (char *)alloca(strlen(pgpbin) + 2))) {
77 saved_pgp_version = -1;
80 sprintf(pgpvbin, "%sv", pgpbin);
82 if (stat(pgpvbin, &statbuf) == 0)
83 saved_pgp_version = PGP_5;
84 else if (stat(pgpbin, &statbuf) == 0)
85 saved_pgp_version = PGP_2;
87 saved_pgp_version = PGP_NOTDETECTED;
91 *pgpVer = saved_pgp_version;
95 static int checkSize(FD_t fd, int size, int sigsize)
97 int headerArchiveSize;
100 fstat(fdFileno(fd), &statbuf);
102 if (S_ISREG(statbuf.st_mode)) {
103 headerArchiveSize = statbuf.st_size - sizeof(struct rpmlead) - sigsize;
105 rpmMessage(RPMMESS_DEBUG, _("sigsize : %d\n"), sigsize);
106 rpmMessage(RPMMESS_DEBUG, _("Header + Archive: %d\n"), headerArchiveSize);
107 rpmMessage(RPMMESS_DEBUG, _("expected size : %d\n"), size);
109 return size - headerArchiveSize;
111 rpmMessage(RPMMESS_DEBUG, _("file is not regular -- skipping size check\n"));
116 /* rpmReadSignature() emulates the new style signatures if it finds an */
117 /* old-style one. It also immediately verifies the header+archive */
118 /* size and returns an error if it doesn't match. */
120 int rpmReadSignature(FD_t fd, Header *headerp, short sig_type)
122 unsigned char buf[2048];
133 rpmMessage(RPMMESS_DEBUG, _("No signature\n"));
135 case RPMSIG_PGP262_1024:
136 rpmMessage(RPMMESS_DEBUG, _("Old PGP signature\n"));
137 /* These are always 256 bytes */
138 if (timedRead(fd, buf, 256) != 256)
141 *headerp = headerNew();
142 headerAddEntry(*headerp, RPMSIGTAG_PGP, RPM_BIN_TYPE, buf, 152);
147 rpmError(RPMERR_BADSIGTYPE,
148 _("Old (internal-only) signature! How did you get that!?"));
151 case RPMSIG_HEADERSIG:
152 rpmMessage(RPMMESS_DEBUG, _("New Header signature\n"));
153 /* This is a new style signature */
154 h = headerRead(fd, HEADER_MAGIC_YES);
157 sigSize = headerSizeof(h, HEADER_MAGIC_YES);
158 pad = (8 - (sigSize % 8)) % 8; /* 8-byte pad */
159 rpmMessage(RPMMESS_DEBUG, _("Signature size: %d\n"), sigSize);
160 rpmMessage(RPMMESS_DEBUG, _("Signature pad : %d\n"), pad);
161 if (! headerGetEntry(h, RPMSIGTAG_SIZE, &type, (void **)&archSize, &count)) {
165 if (checkSize(fd, *archSize, sigSize + pad)) {
170 if (timedRead(fd, buf, pad) != pad) {
188 int rpmWriteSignature(FD_t fd, Header header)
191 unsigned char buf[8];
194 rc = headerWrite(fd, header, HEADER_MAGIC_YES);
198 sigSize = headerSizeof(header, HEADER_MAGIC_YES);
199 pad = (8 - (sigSize % 8)) % 8;
201 rpmMessage(RPMMESS_DEBUG, _("Signature size: %d\n"), sigSize);
202 rpmMessage(RPMMESS_DEBUG, _("Signature pad : %d\n"), pad);
204 if (fdWrite(fd, buf, pad) != pad)
210 Header rpmNewSignature(void)
215 void rpmFreeSignature(Header h)
220 static int makePGPSignature(const char *file, void **sig, int_32 *size,
221 const char *passPhrase)
228 sprintf(sigfile, "%s.sig", file);
232 if (!(pid = fork())) {
233 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
234 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
242 dosetenv("PGPPASSFD", "3", 1);
243 if (pgp_path && *pgp_path != '%')
244 dosetenv("PGPPATH", pgp_path, 1);
246 /* dosetenv("PGPPASS", passPhrase, 1); */
248 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
251 execlp(path, "pgp", "+batchmode=on", "+verbose=0", "+armor=off",
252 name, "-sb", file, sigfile, NULL);
255 execlp(path,"pgps", "+batchmode=on", "+verbose=0", "+armor=off",
256 name, "-b", file, "-o", sigfile, NULL);
259 case PGP_NOTDETECTED:
263 rpmError(RPMERR_EXEC, _("Couldn't exec pgp (%s)"), path);
268 write(inpipe[1], passPhrase, strlen(passPhrase));
269 write(inpipe[1], "\n", 1);
272 (void)waitpid(pid, &status, 0);
273 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
274 rpmError(RPMERR_SIGGEN, _("pgp failed"));
278 if (stat(sigfile, &statbuf)) {
279 /* PGP failed to write signature */
280 unlink(sigfile); /* Just in case */
281 rpmError(RPMERR_SIGGEN, _("pgp failed to write signature"));
285 *size = statbuf.st_size;
286 rpmMessage(RPMMESS_DEBUG, _("PGP sig size: %d\n"), *size);
287 *sig = malloc(*size);
291 fd = fdOpen(sigfile, O_RDONLY, 0);
292 rc = timedRead(fd, *sig, *size);
297 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
302 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of PGP sig\n"), *size);
307 /* This is an adaptation of the makePGPSignature function to use GPG instead
308 * of PGP to create signatures. I think I've made all the changes necessary,
309 * but this could be a good place to start looking if errors in GPG signature
312 static int makeGPGSignature(const char *file, void **sig, int_32 *size,
313 const char *passPhrase)
321 sprintf(sigfile, "%s.sig", file);
325 if (!(pid = fork())) {
326 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
327 const char *name = rpmExpand("%{_gpg_name}", NULL);
333 if (gpg_path && *gpg_path != '%')
334 dosetenv("GNUPGHOME", gpg_path, 1);
336 "--batch", "--no-verbose", "--no-armor", "--passphrase-fd", "3",
337 "-u", name, "-sbo", sigfile, file,
339 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
343 fpipe = fdopen(inpipe[1], "w");
345 fprintf(fpipe, "%s\n", passPhrase);
348 (void)waitpid(pid, &status, 0);
349 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
350 rpmError(RPMERR_SIGGEN, _("gpg failed"));
354 if (stat(sigfile, &statbuf)) {
355 /* GPG failed to write signature */
356 unlink(sigfile); /* Just in case */
357 rpmError(RPMERR_SIGGEN, _("gpg failed to write signature"));
361 *size = statbuf.st_size;
362 rpmMessage(RPMMESS_DEBUG, _("GPG sig size: %d\n"), *size);
363 *sig = malloc(*size);
367 fd = fdOpen(sigfile, O_RDONLY, 0);
368 rc = timedRead(fd, *sig, *size);
373 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
378 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of GPG sig\n"), *size);
383 int rpmAddSignature(Header header, const char *file, int_32 sigTag, const char *passPhrase)
387 unsigned char buf[16];
393 stat(file, &statbuf);
394 size = statbuf.st_size;
396 headerAddEntry(header, RPMSIGTAG_SIZE, RPM_INT32_TYPE, &size, 1);
399 ret = mdbinfile(file, buf);
401 headerAddEntry(header, sigTag, RPM_BIN_TYPE, buf, 16);
403 case RPMSIGTAG_PGP5: /* XXX legacy */
405 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using PGP.\n"));
406 ret = makePGPSignature(file, &sig, &size, passPhrase);
408 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
411 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using GPG.\n"));
412 ret = makeGPGSignature(file, &sig, &size, passPhrase);
414 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
421 static int verifySizeSignature(const char *datafile, int_32 size, char *result)
425 stat(datafile, &statbuf);
426 if (size != statbuf.st_size) {
427 sprintf(result, "Header+Archive size mismatch.\n"
428 "Expected %d, saw %d.\n",
429 size, (int)statbuf.st_size);
433 sprintf(result, "Header+Archive size OK: %d bytes\n", size);
437 static int verifyMD5Signature(const char *datafile, unsigned char *sig,
438 char *result, md5func fn)
440 unsigned char md5sum[16];
442 fn(datafile, md5sum);
443 if (memcmp(md5sum, sig, 16)) {
444 sprintf(result, "MD5 sum mismatch\n"
445 "Expected: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
446 "%02x%02x%02x%02x%02x\n"
447 "Saw : %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
448 "%02x%02x%02x%02x%02x\n",
449 sig[0], sig[1], sig[2], sig[3],
450 sig[4], sig[5], sig[6], sig[7],
451 sig[8], sig[9], sig[10], sig[11],
452 sig[12], sig[13], sig[14], sig[15],
453 md5sum[0], md5sum[1], md5sum[2], md5sum[3],
454 md5sum[4], md5sum[5], md5sum[6], md5sum[7],
455 md5sum[8], md5sum[9], md5sum[10], md5sum[11],
456 md5sum[12], md5sum[13], md5sum[14], md5sum[15]);
460 sprintf(result, "MD5 sum OK: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
461 "%02x%02x%02x%02x%02x\n",
462 md5sum[0], md5sum[1], md5sum[2], md5sum[3],
463 md5sum[4], md5sum[5], md5sum[6], md5sum[7],
464 md5sum[8], md5sum[9], md5sum[10], md5sum[11],
465 md5sum[12], md5sum[13], md5sum[14], md5sum[15]);
470 static int verifyPGPSignature(const char *datafile, void *sig,
471 int count, char *result)
473 int pid, status, outpipe[2];
476 unsigned char buf[8192];
482 /* What version do we have? */
483 if ((path = rpmDetectPGPVersion(&pgpVer)) == NULL) {
485 rpmError(RPMERR_EXEC,
486 _("Could not run pgp. Use --nopgp to skip PGP checks."));
491 * Sad but true: pgp-5.0 returns exit value of 0 on bad signature.
492 * Instead we have to use the text output to detect a bad signature.
497 /* Write out the signature */
498 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
499 sigfile = tempnam(tmppath, "rpmsig");
502 sfd = fdOpen(sigfile, O_WRONLY|O_CREAT|O_TRUNC, 0644);
503 (void)fdWrite(sfd, sig, count);
509 if (!(pid = fork())) {
510 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
513 close(STDOUT_FILENO); /* XXX unnecessary */
514 dup2(outpipe[1], STDOUT_FILENO);
516 if (pgp_path && *pgp_path != '%')
517 dosetenv("PGPPATH", pgp_path, 1);
521 /* Some output (in particular "This signature applies to */
522 /* another message") is _always_ written to stderr; we */
523 /* want to catch that output, so dup stdout to stderr: */
524 { int save_stderr = dup(2);
526 execlp(path, "pgpv", "+batchmode=on", "+verbose=0",
527 /* Write "Good signature..." to stdout: */
528 "+OutputInformationFD=1",
529 /* Write "WARNING: ... is not trusted to... to stdout: */
530 "+OutputWarningFD=1",
531 sigfile, "-o", datafile, NULL);
532 /* Restore stderr so we can print the error message below. */
533 dup2(save_stderr, 2);
537 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
538 sigfile, datafile, NULL);
541 case PGP_NOTDETECTED:
545 fprintf(stderr, _("exec failed!\n"));
546 rpmError(RPMERR_EXEC,
547 _("Could not run pgp. Use --nopgp to skip PGP checks."));
552 file = fdopen(outpipe[0], "r");
554 while (fgets(buf, 1024, file)) {
555 if (strncmp("File '", buf, 6) &&
556 strncmp("Text is assu", buf, 12) &&
557 strncmp("This signature applies to another message", buf, 41) &&
561 if (!strncmp("WARNING: Can't find the right public key", buf, 40))
563 else if (!strncmp("Signature by unknown keyid:", buf, 27))
565 else if (!strncmp("WARNING: The signing key is not trusted", buf, 39))
566 res = RPMSIG_NOTTRUSTED;
567 else if (!strncmp("Good signature", buf, 14))
572 (void)waitpid(pid, &status, 0);
574 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
581 static int verifyGPGSignature(const char *datafile, void *sig,
582 int count, char *result)
584 int pid, status, outpipe[2];
587 unsigned char buf[8192];
591 /* Write out the signature */
592 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
593 sigfile = tempnam(tmppath, "rpmsig");
596 sfd = fdOpen(sigfile, O_WRONLY|O_CREAT|O_TRUNC, 0644);
597 (void)fdWrite(sfd, sig, count);
603 if (!(pid = fork())) {
604 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
607 /* gpg version 0.9 sends its output to stderr. */
608 dup2(outpipe[1], STDERR_FILENO);
610 if (gpg_path && *gpg_path != '%')
611 dosetenv("GNUPGHOME", gpg_path, 1);
614 "--batch", "--no-verbose",
615 "--verify", sigfile, datafile,
617 fprintf(stderr, _("exec failed!\n"));
618 rpmError(RPMERR_EXEC,
619 _("Could not run gpg. Use --nogpg to skip GPG checks."));
624 file = fdopen(outpipe[0], "r");
626 while (fgets(buf, 1024, file)) {
628 if (!strncmp("gpg: Can't check signature: Public key not found", buf, 48)) {
634 (void)waitpid(pid, &status, 0);
636 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
643 static int checkPassPhrase(const char *passPhrase, const int sigTag)
645 int passPhrasePipe[2];
649 pipe(passPhrasePipe);
650 if (!(pid = fork())) {
652 close(STDOUT_FILENO);
653 close(passPhrasePipe[1]);
654 if (! rpmIsVerbose()) {
655 close(STDERR_FILENO);
657 if ((fd = open("/dev/null", O_RDONLY)) != STDIN_FILENO) {
658 dup2(fd, STDIN_FILENO);
661 if ((fd = open("/dev/null", O_WRONLY)) != STDOUT_FILENO) {
662 dup2(fd, STDOUT_FILENO);
665 dup2(passPhrasePipe[0], 3);
669 { const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
670 const char *name = rpmExpand("%{_gpg_name}", NULL);
671 if (gpg_path && *gpg_path != '%')
672 dosetenv("GNUPGHOME", gpg_path, 1);
674 "--batch", "--no-verbose", "--passphrase-fd", "3",
675 "-u", name, "-so", "-",
677 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
680 case RPMSIGTAG_PGP5: /* XXX legacy */
682 { const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
683 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
687 dosetenv("PGPPASSFD", "3", 1);
688 if (pgp_path && *pgp_path != '%')
689 dosetenv("PGPPATH", pgp_path, 1);
691 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
694 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
697 case PGP_5: /* XXX legacy */
698 execlp(path,"pgps", "+batchmode=on", "+verbose=0",
702 case PGP_NOTDETECTED:
706 rpmError(RPMERR_EXEC, _("Couldn't exec pgp"));
709 default: /* This case should have been screened out long ago. */
710 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
711 _exit(RPMERR_SIGGEN);
716 close(passPhrasePipe[0]);
717 write(passPhrasePipe[1], passPhrase, strlen(passPhrase));
718 write(passPhrasePipe[1], "\n", 1);
719 close(passPhrasePipe[1]);
721 (void)waitpid(pid, &status, 0);
722 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
726 /* passPhrase is good */
730 char *rpmGetPassPhrase(const char *prompt, const int sigTag)
737 { const char *name = rpmExpand("%{_gpg_name}", NULL);
738 aok = (name && *name != '%');
742 rpmError(RPMERR_SIGGEN,
743 _("You must set \"%%_gpg_name\" in your macro file"));
747 case RPMSIGTAG_PGP5: /* XXX legacy */
749 { const char *name = rpmExpand("%{_pgp_name}", NULL);
750 aok = (name && *name != '%');
754 rpmError(RPMERR_SIGGEN,
755 _("You must set \"%%_pgp_name\" in your macro file"));
760 /* Currently the calling function (rpm.c:main) is checking this and
761 * doing a better job. This section should never be accessed.
763 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
769 pass = getpass(prompt);
774 if (checkPassPhrase(pass, sigTag)) {
781 int rpmVerifySignature(const char *file, int_32 sigTag, void *sig, int count,
786 if (verifySizeSignature(file, *(int_32 *)sig, result)) {
791 if (verifyMD5Signature(file, sig, result, mdbinfile)) {
795 case RPMSIGTAG_LEMD5_1:
796 case RPMSIGTAG_LEMD5_2:
797 if (verifyMD5Signature(file, sig, result, mdbinfileBroken)) {
801 case RPMSIGTAG_PGP5: /* XXX legacy */
803 return verifyPGPSignature(file, sig, count, result);
806 return verifyGPGSignature(file, sig, count, result);
809 sprintf(result, "Do not know how to verify sig type %d\n", sigTag);
810 return RPMSIG_UNKNOWN;