2 * \file lib/signature.c
5 /* signature.c - RPM signature functions */
9 * Things have been cleaned up wrt PGP. We can now handle
10 * signatures of any length (which means you can use any
11 * size key you like). We also honor PGPPATH finally.
16 #if HAVE_ASM_BYTEORDER_H
17 #include <asm/byteorder.h>
21 #include <rpmmacro.h> /* XXX for rpmGetPath */
26 #include "signature.h"
28 typedef int (*md5func)(const char * fn, /*@out@*/unsigned char * digest);
30 int rpmLookupSignatureType(int action)
32 static int disabled = 0;
36 case RPMLOOKUPSIG_DISABLE:
39 case RPMLOOKUPSIG_ENABLE:
43 case RPMLOOKUPSIG_QUERY:
46 { const char *name = rpmExpand("%{_signature}", NULL);
47 if (!(name && *name != '%'))
49 else if (!strcasecmp(name, "none"))
51 else if (!strcasecmp(name, "pgp"))
53 else if (!strcasecmp(name, "pgp5")) /* XXX legacy */
55 else if (!strcasecmp(name, "gpg"))
58 rc = -1; /* Invalid %_signature spec in macro file */
65 /* rpmDetectPGPVersion() returns the absolute path to the "pgp" */
66 /* executable of the requested version, or NULL when none found. */
68 const char * rpmDetectPGPVersion(pgpVersion *pgpVer)
70 /* Actually this should support having more then one pgp version. */
71 /* At the moment only one version is possible since we only */
72 /* have one %_pgpbin and one %_pgp_path. */
74 static pgpVersion saved_pgp_version = PGP_UNKNOWN;
75 const char *pgpbin = rpmGetPath("%{_pgpbin}", NULL);
77 if (saved_pgp_version == PGP_UNKNOWN) {
81 if (!(pgpbin && pgpbin[0] != '%') || ! (pgpvbin = (char *)alloca(strlen(pgpbin) + 2))) {
82 if (pgpbin) xfree(pgpbin);
83 saved_pgp_version = -1;
86 sprintf(pgpvbin, "%sv", pgpbin);
88 if (stat(pgpvbin, &statbuf) == 0)
89 saved_pgp_version = PGP_5;
90 else if (stat(pgpbin, &statbuf) == 0)
91 saved_pgp_version = PGP_2;
93 saved_pgp_version = PGP_NOTDETECTED;
97 *pgpVer = saved_pgp_version;
101 static int checkSize(FD_t fd, int size, int sigsize)
103 int headerArchiveSize;
106 fstat(Fileno(fd), &statbuf);
108 if (S_ISREG(statbuf.st_mode)) {
109 headerArchiveSize = statbuf.st_size - sizeof(struct rpmlead) - sigsize;
111 rpmMessage(RPMMESS_DEBUG, _("sigsize : %d\n"), sigsize);
112 rpmMessage(RPMMESS_DEBUG, _("Header + Archive: %d\n"), headerArchiveSize);
113 rpmMessage(RPMMESS_DEBUG, _("expected size : %d\n"), size);
115 return size - headerArchiveSize;
117 rpmMessage(RPMMESS_DEBUG, _("file is not regular -- skipping size check\n"));
122 /* rpmReadSignature() emulates the new style signatures if it finds an */
123 /* old-style one. It also immediately verifies the header+archive */
124 /* size and returns an error if it doesn't match. */
126 int rpmReadSignature(FD_t fd, Header *headerp, short sig_type)
128 unsigned char buf[2048];
139 rpmMessage(RPMMESS_DEBUG, _("No signature\n"));
141 case RPMSIG_PGP262_1024:
142 rpmMessage(RPMMESS_DEBUG, _("Old PGP signature\n"));
143 /* These are always 256 bytes */
144 if (timedRead(fd, buf, 256) != 256)
147 *headerp = headerNew();
148 headerAddEntry(*headerp, RPMSIGTAG_PGP, RPM_BIN_TYPE, buf, 152);
153 rpmError(RPMERR_BADSIGTYPE,
154 _("Old (internal-only) signature! How did you get that!?"));
156 /*@notreached@*/ break;
157 case RPMSIG_HEADERSIG:
158 rpmMessage(RPMMESS_DEBUG, _("New Header signature\n"));
159 /* This is a new style signature */
160 h = headerRead(fd, HEADER_MAGIC_YES);
163 sigSize = headerSizeof(h, HEADER_MAGIC_YES);
164 pad = (8 - (sigSize % 8)) % 8; /* 8-byte pad */
165 rpmMessage(RPMMESS_DEBUG, _("Signature size: %d\n"), sigSize);
166 rpmMessage(RPMMESS_DEBUG, _("Signature pad : %d\n"), pad);
167 if (! headerGetEntry(h, RPMSIGTAG_SIZE, &type, (void **)&archSize, &count)) {
171 if (checkSize(fd, *archSize, sigSize + pad)) {
176 if (timedRead(fd, buf, pad) != pad) {
194 int rpmWriteSignature(FD_t fd, Header header)
197 unsigned char buf[8];
200 rc = headerWrite(fd, header, HEADER_MAGIC_YES);
204 sigSize = headerSizeof(header, HEADER_MAGIC_YES);
205 pad = (8 - (sigSize % 8)) % 8;
207 rpmMessage(RPMMESS_DEBUG, _("Signature size: %d\n"), sigSize);
208 rpmMessage(RPMMESS_DEBUG, _("Signature pad : %d\n"), pad);
210 if (Fwrite(buf, sizeof(buf[0]), pad, fd) != pad)
216 Header rpmNewSignature(void)
218 Header h = headerNew();
222 void rpmFreeSignature(Header h)
227 static int makePGPSignature(const char *file, /*@out@*/void **sig, /*@out@*/int_32 *size,
228 const char *passPhrase)
235 sprintf(sigfile, "%s.sig", file);
237 inpipe[0] = inpipe[1] = 0;
240 if (!(pid = fork())) {
241 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
242 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
250 dosetenv("PGPPASSFD", "3", 1);
251 if (pgp_path && *pgp_path != '%')
252 dosetenv("PGPPATH", pgp_path, 1);
254 /* dosetenv("PGPPASS", passPhrase, 1); */
256 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
259 execlp(path, "pgp", "+batchmode=on", "+verbose=0", "+armor=off",
260 name, "-sb", file, sigfile, NULL);
263 execlp(path,"pgps", "+batchmode=on", "+verbose=0", "+armor=off",
264 name, "-b", file, "-o", sigfile, NULL);
267 case PGP_NOTDETECTED:
271 rpmError(RPMERR_EXEC, _("Couldn't exec pgp (%s)"), path);
276 (void)write(inpipe[1], passPhrase, strlen(passPhrase));
277 (void)write(inpipe[1], "\n", 1);
280 (void)waitpid(pid, &status, 0);
281 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
282 rpmError(RPMERR_SIGGEN, _("pgp failed"));
286 if (stat(sigfile, &statbuf)) {
287 /* PGP failed to write signature */
288 unlink(sigfile); /* Just in case */
289 rpmError(RPMERR_SIGGEN, _("pgp failed to write signature"));
293 *size = statbuf.st_size;
294 rpmMessage(RPMMESS_DEBUG, _("PGP sig size: %d\n"), *size);
295 *sig = xmalloc(*size);
299 fd = Fopen(sigfile, "r.fdio");
300 rc = timedRead(fd, *sig, *size);
305 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
310 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of PGP sig\n"), *size);
315 /* This is an adaptation of the makePGPSignature function to use GPG instead
316 * of PGP to create signatures. I think I've made all the changes necessary,
317 * but this could be a good place to start looking if errors in GPG signature
320 static int makeGPGSignature(const char *file, /*@out@*/void **sig, /*@out@*/int_32 *size,
321 const char *passPhrase)
329 sprintf(sigfile, "%s.sig", file);
331 inpipe[0] = inpipe[1] = 0;
334 if (!(pid = fork())) {
335 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
336 const char *name = rpmExpand("%{_gpg_name}", NULL);
342 if (gpg_path && *gpg_path != '%')
343 dosetenv("GNUPGHOME", gpg_path, 1);
345 "--batch", "--no-verbose", "--no-armor", "--passphrase-fd", "3",
346 "-u", name, "-sbo", sigfile, file,
348 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
352 fpipe = fdopen(inpipe[1], "w");
354 fprintf(fpipe, "%s\n", passPhrase);
357 (void)waitpid(pid, &status, 0);
358 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
359 rpmError(RPMERR_SIGGEN, _("gpg failed"));
363 if (stat(sigfile, &statbuf)) {
364 /* GPG failed to write signature */
365 unlink(sigfile); /* Just in case */
366 rpmError(RPMERR_SIGGEN, _("gpg failed to write signature"));
370 *size = statbuf.st_size;
371 rpmMessage(RPMMESS_DEBUG, _("GPG sig size: %d\n"), *size);
372 *sig = xmalloc(*size);
376 fd = Fopen(sigfile, "r.fdio");
377 rc = timedRead(fd, *sig, *size);
382 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
387 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of GPG sig\n"), *size);
392 int rpmAddSignature(Header header, const char *file, int_32 sigTag, const char *passPhrase)
396 unsigned char buf[16];
402 stat(file, &statbuf);
403 size = statbuf.st_size;
405 headerAddEntry(header, RPMSIGTAG_SIZE, RPM_INT32_TYPE, &size, 1);
408 ret = mdbinfile(file, buf);
410 headerAddEntry(header, sigTag, RPM_BIN_TYPE, buf, 16);
412 case RPMSIGTAG_PGP5: /* XXX legacy */
414 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using PGP.\n"));
415 ret = makePGPSignature(file, &sig, &size, passPhrase);
417 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
420 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using GPG.\n"));
421 ret = makeGPGSignature(file, &sig, &size, passPhrase);
423 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
430 static enum rpmVerifySignatureReturn
431 verifySizeSignature(const char *datafile, int_32 size, char *result)
435 stat(datafile, &statbuf);
436 if (size != statbuf.st_size) {
437 sprintf(result, "Header+Archive size mismatch.\n"
438 "Expected %d, saw %d.\n",
439 size, (int)statbuf.st_size);
443 sprintf(result, "Header+Archive size OK: %d bytes\n", size);
447 #define X(_x) (unsigned)((_x) & 0xff)
449 static enum rpmVerifySignatureReturn
450 verifyMD5Signature(const char *datafile, unsigned char *sig,
451 char *result, md5func fn)
453 unsigned char md5sum[16];
455 fn(datafile, md5sum);
456 if (memcmp(md5sum, sig, 16)) {
457 sprintf(result, "MD5 sum mismatch\n"
458 "Expected: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
459 "%02x%02x%02x%02x%02x\n"
460 "Saw : %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
461 "%02x%02x%02x%02x%02x\n",
462 X(sig[0]), X(sig[1]), X(sig[2]), X(sig[3]),
463 X(sig[4]), X(sig[5]), X(sig[6]), X(sig[7]),
464 X(sig[8]), X(sig[9]), X(sig[10]), X(sig[11]),
465 X(sig[12]), X(sig[13]), X(sig[14]), X(sig[15]),
466 X(md5sum[0]), X(md5sum[1]), X(md5sum[2]), X(md5sum[3]),
467 X(md5sum[4]), X(md5sum[5]), X(md5sum[6]), X(md5sum[7]),
468 X(md5sum[8]), X(md5sum[9]), X(md5sum[10]), X(md5sum[11]),
469 X(md5sum[12]), X(md5sum[13]), X(md5sum[14]), X(md5sum[15]) );
473 sprintf(result, "MD5 sum OK: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
474 "%02x%02x%02x%02x%02x\n",
475 X(md5sum[0]), X(md5sum[1]), X(md5sum[2]), X(md5sum[3]),
476 X(md5sum[4]), X(md5sum[5]), X(md5sum[6]), X(md5sum[7]),
477 X(md5sum[8]), X(md5sum[9]), X(md5sum[10]), X(md5sum[11]),
478 X(md5sum[12]), X(md5sum[13]), X(md5sum[14]), X(md5sum[15]) );
483 static enum rpmVerifySignatureReturn
484 verifyPGPSignature(const char *datafile, void *sig, int count, char *result)
486 int pid, status, outpipe[2];
489 unsigned char buf[BUFSIZ];
495 /* What version do we have? */
496 if ((path = rpmDetectPGPVersion(&pgpVer)) == NULL) {
498 rpmError(RPMERR_EXEC,
499 _("Could not run pgp. Use --nopgp to skip PGP checks."));
504 * Sad but true: pgp-5.0 returns exit value of 0 on bad signature.
505 * Instead we have to use the text output to detect a bad signature.
510 /* Write out the signature */
511 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
512 sigfile = tempnam(tmppath, "rpmsig");
515 sfd = Fopen(sigfile, "w.fdio");
516 (void)Fwrite(sig, sizeof(char), count, sfd);
520 outpipe[0] = outpipe[1] = 0;
523 if (!(pid = fork())) {
524 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
527 close(STDOUT_FILENO); /* XXX unnecessary */
528 dup2(outpipe[1], STDOUT_FILENO);
530 if (pgp_path && *pgp_path != '%')
531 dosetenv("PGPPATH", pgp_path, 1);
535 /* Some output (in particular "This signature applies to */
536 /* another message") is _always_ written to stderr; we */
537 /* want to catch that output, so dup stdout to stderr: */
538 { int save_stderr = dup(2);
540 execlp(path, "pgpv", "+batchmode=on", "+verbose=0",
541 /* Write "Good signature..." to stdout: */
542 "+OutputInformationFD=1",
543 /* Write "WARNING: ... is not trusted to... to stdout: */
544 "+OutputWarningFD=1",
545 sigfile, "-o", datafile, NULL);
546 /* Restore stderr so we can print the error message below. */
547 dup2(save_stderr, 2);
551 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
552 sigfile, datafile, NULL);
555 case PGP_NOTDETECTED:
559 fprintf(stderr, _("exec failed!\n"));
560 rpmError(RPMERR_EXEC,
561 _("Could not run pgp. Use --nopgp to skip PGP checks."));
566 file = fdopen(outpipe[0], "r");
568 while (fgets(buf, 1024, file)) {
569 if (strncmp("File '", buf, 6) &&
570 strncmp("Text is assu", buf, 12) &&
571 strncmp("This signature applies to another message", buf, 41) &&
575 if (!strncmp("WARNING: Can't find the right public key", buf, 40))
577 else if (!strncmp("Signature by unknown keyid:", buf, 27))
579 else if (!strncmp("WARNING: The signing key is not trusted", buf, 39))
580 res = RPMSIG_NOTTRUSTED;
581 else if (!strncmp("Good signature", buf, 14))
586 (void)waitpid(pid, &status, 0);
588 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
595 static enum rpmVerifySignatureReturn
596 verifyGPGSignature(const char *datafile, void *sig, int count, char *result)
598 int pid, status, outpipe[2];
601 unsigned char buf[8192];
605 /* Write out the signature */
606 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
607 sigfile = tempnam(tmppath, "rpmsig");
610 sfd = Fopen(sigfile, "w.fdio");
611 (void)Fwrite(sig, sizeof(char), count, sfd);
615 outpipe[0] = outpipe[1] = 0;
618 if (!(pid = fork())) {
619 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
622 /* gpg version 0.9 sends its output to stderr. */
623 dup2(outpipe[1], STDERR_FILENO);
625 if (gpg_path && *gpg_path != '%')
626 dosetenv("GNUPGHOME", gpg_path, 1);
629 "--batch", "--no-verbose",
630 "--verify", sigfile, datafile,
632 fprintf(stderr, _("exec failed!\n"));
633 rpmError(RPMERR_EXEC,
634 _("Could not run gpg. Use --nogpg to skip GPG checks."));
639 file = fdopen(outpipe[0], "r");
641 while (fgets(buf, 1024, file)) {
643 if (!strncmp("gpg: Can't check signature: Public key not found", buf, 48)) {
649 (void)waitpid(pid, &status, 0);
651 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
658 static int checkPassPhrase(const char *passPhrase, const int sigTag)
660 int passPhrasePipe[2];
664 passPhrasePipe[0] = passPhrasePipe[1] = 0;
665 pipe(passPhrasePipe);
666 if (!(pid = fork())) {
668 close(STDOUT_FILENO);
669 close(passPhrasePipe[1]);
670 if (! rpmIsVerbose()) {
671 close(STDERR_FILENO);
673 if ((fd = open("/dev/null", O_RDONLY)) != STDIN_FILENO) {
674 dup2(fd, STDIN_FILENO);
677 if ((fd = open("/dev/null", O_WRONLY)) != STDOUT_FILENO) {
678 dup2(fd, STDOUT_FILENO);
681 dup2(passPhrasePipe[0], 3);
685 { const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
686 const char *name = rpmExpand("%{_gpg_name}", NULL);
687 if (gpg_path && *gpg_path != '%')
688 dosetenv("GNUPGHOME", gpg_path, 1);
690 "--batch", "--no-verbose", "--passphrase-fd", "3",
691 "-u", name, "-so", "-",
693 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
695 } /*@notreached@*/ break;
696 case RPMSIGTAG_PGP5: /* XXX legacy */
698 { const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
699 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
703 dosetenv("PGPPASSFD", "3", 1);
704 if (pgp_path && *pgp_path != '%')
705 dosetenv("PGPPATH", pgp_path, 1);
707 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
710 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
713 case PGP_5: /* XXX legacy */
714 execlp(path,"pgps", "+batchmode=on", "+verbose=0",
718 case PGP_NOTDETECTED:
722 rpmError(RPMERR_EXEC, _("Couldn't exec pgp"));
724 } /*@notreached@*/ break;
725 default: /* This case should have been screened out long ago. */
726 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
727 _exit(RPMERR_SIGGEN);
728 /*@notreached@*/ break;
732 close(passPhrasePipe[0]);
733 (void)write(passPhrasePipe[1], passPhrase, strlen(passPhrase));
734 (void)write(passPhrasePipe[1], "\n", 1);
735 close(passPhrasePipe[1]);
737 (void)waitpid(pid, &status, 0);
738 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
742 /* passPhrase is good */
746 char *rpmGetPassPhrase(const char *prompt, const int sigTag)
753 { const char *name = rpmExpand("%{_gpg_name}", NULL);
754 aok = (name && *name != '%');
758 rpmError(RPMERR_SIGGEN,
759 _("You must set \"%%_gpg_name\" in your macro file"));
763 case RPMSIGTAG_PGP5: /* XXX legacy */
765 { const char *name = rpmExpand("%{_pgp_name}", NULL);
766 aok = (name && *name != '%');
770 rpmError(RPMERR_SIGGEN,
771 _("You must set \"%%_pgp_name\" in your macro file"));
776 /* Currently the calling function (rpm.c:main) is checking this and
777 * doing a better job. This section should never be accessed.
779 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
781 /*@notreached@*/ break;
784 pass = /*@-unrecog@*/ getpass( (prompt ? prompt : "") ) /*@=unrecog@*/ ;
786 if (checkPassPhrase(pass, sigTag))
792 enum rpmVerifySignatureReturn
793 rpmVerifySignature(const char *file, int_32 sigTag, void *sig, int count,
798 return verifySizeSignature(file, *(int_32 *)sig, result);
799 /*@notreached@*/ break;
801 return verifyMD5Signature(file, sig, result, mdbinfile);
802 /*@notreached@*/ break;
803 case RPMSIGTAG_LEMD5_1:
804 case RPMSIGTAG_LEMD5_2:
805 return verifyMD5Signature(file, sig, result, mdbinfileBroken);
806 /*@notreached@*/ break;
807 case RPMSIGTAG_PGP5: /* XXX legacy */
809 return verifyPGPSignature(file, sig, count, result);
810 /*@notreached@*/ break;
812 return verifyGPGSignature(file, sig, count, result);
813 /*@notreached@*/ break;
815 sprintf(result, "Do not know how to verify sig type %d\n", sigTag);
816 return RPMSIG_UNKNOWN;
projects / platform / upstream / rpm.git / blob