2 * \file lib/signature.c
5 /* signature.c - RPM signature functions */
9 * Things have been cleaned up wrt PGP. We can now handle
10 * signatures of any length (which means you can use any
11 * size key you like). We also honor PGPPATH finally.
16 #if HAVE_ASM_BYTEORDER_H
17 #include <asm/byteorder.h>
21 #include <rpmmacro.h> /* XXX for rpmGetPath */
26 #include "signature.h"
28 typedef int (*md5func)(const char * fn, /*@out@*/unsigned char * digest);
30 int rpmLookupSignatureType(int action)
32 static int disabled = 0;
36 case RPMLOOKUPSIG_DISABLE:
39 case RPMLOOKUPSIG_ENABLE:
43 case RPMLOOKUPSIG_QUERY:
46 { const char *name = rpmExpand("%{_signature}", NULL);
47 if (!(name && *name != '%'))
49 else if (!strcasecmp(name, "none"))
51 else if (!strcasecmp(name, "pgp"))
53 else if (!strcasecmp(name, "pgp5")) /* XXX legacy */
55 else if (!strcasecmp(name, "gpg"))
58 rc = -1; /* Invalid %_signature spec in macro file */
65 /* rpmDetectPGPVersion() returns the absolute path to the "pgp" */
66 /* executable of the requested version, or NULL when none found. */
68 const char * rpmDetectPGPVersion(pgpVersion *pgpVer)
70 /* Actually this should support having more then one pgp version. */
71 /* At the moment only one version is possible since we only */
72 /* have one %_pgpbin and one %_pgp_path. */
74 static pgpVersion saved_pgp_version = PGP_UNKNOWN;
75 const char *pgpbin = rpmGetPath("%{_pgpbin}", NULL);
77 if (saved_pgp_version == PGP_UNKNOWN) {
81 if (!(pgpbin && pgpbin[0] != '%') || ! (pgpvbin = (char *)alloca(strlen(pgpbin) + 2))) {
82 if (pgpbin) xfree(pgpbin);
83 saved_pgp_version = -1;
86 sprintf(pgpvbin, "%sv", pgpbin);
88 if (stat(pgpvbin, &statbuf) == 0)
89 saved_pgp_version = PGP_5;
90 else if (stat(pgpbin, &statbuf) == 0)
91 saved_pgp_version = PGP_2;
93 saved_pgp_version = PGP_NOTDETECTED;
97 *pgpVer = saved_pgp_version;
101 static int checkSize(FD_t fd, int size, int sigsize)
103 int headerArchiveSize;
106 fstat(Fileno(fd), &statbuf);
108 if (S_ISREG(statbuf.st_mode)) {
109 headerArchiveSize = statbuf.st_size - sizeof(struct rpmlead) - sigsize;
111 rpmMessage(RPMMESS_DEBUG, _("sigsize : %d\n"), sigsize);
112 rpmMessage(RPMMESS_DEBUG, _("Header + Archive: %d\n"), headerArchiveSize);
113 rpmMessage(RPMMESS_DEBUG, _("expected size : %d\n"), size);
115 return size - headerArchiveSize;
117 rpmMessage(RPMMESS_DEBUG, _("file is not regular -- skipping size check\n"));
122 /* rpmReadSignature() emulates the new style signatures if it finds an */
123 /* old-style one. It also immediately verifies the header+archive */
124 /* size and returns an error if it doesn't match. */
126 int rpmReadSignature(FD_t fd, Header *headerp, short sig_type)
128 unsigned char buf[2048];
139 rpmMessage(RPMMESS_DEBUG, _("No signature\n"));
141 case RPMSIG_PGP262_1024:
142 rpmMessage(RPMMESS_DEBUG, _("Old PGP signature\n"));
143 /* These are always 256 bytes */
144 if (timedRead(fd, buf, 256) != 256)
147 *headerp = headerNew();
148 headerAddEntry(*headerp, RPMSIGTAG_PGP, RPM_BIN_TYPE, buf, 152);
153 rpmError(RPMERR_BADSIGTYPE,
154 _("Old (internal-only) signature! How did you get that!?"));
156 /*@notreached@*/ break;
157 case RPMSIG_HEADERSIG:
158 rpmMessage(RPMMESS_DEBUG, _("New Header signature\n"));
159 /* This is a new style signature */
160 h = headerRead(fd, HEADER_MAGIC_YES);
163 sigSize = headerSizeof(h, HEADER_MAGIC_YES);
164 pad = (8 - (sigSize % 8)) % 8; /* 8-byte pad */
165 rpmMessage(RPMMESS_DEBUG, _("Signature size: %d\n"), sigSize);
166 rpmMessage(RPMMESS_DEBUG, _("Signature pad : %d\n"), pad);
167 if (! headerGetEntry(h, RPMSIGTAG_SIZE, &type, (void **)&archSize, &count)) {
171 if (checkSize(fd, *archSize, sigSize + pad)) {
176 if (timedRead(fd, buf, pad) != pad) {
194 int rpmWriteSignature(FD_t fd, Header header)
197 unsigned char buf[8];
200 rc = headerWrite(fd, header, HEADER_MAGIC_YES);
204 sigSize = headerSizeof(header, HEADER_MAGIC_YES);
205 pad = (8 - (sigSize % 8)) % 8;
207 rpmMessage(RPMMESS_DEBUG, _("Signature size: %d\n"), sigSize);
208 rpmMessage(RPMMESS_DEBUG, _("Signature pad : %d\n"), pad);
210 if (Fwrite(buf, sizeof(buf[0]), pad, fd) != pad)
216 Header rpmNewSignature(void)
218 Header h = headerNew();
222 void rpmFreeSignature(Header h)
227 static int makePGPSignature(const char *file, /*@out@*/void **sig, /*@out@*/int_32 *size,
228 const char *passPhrase)
235 sprintf(sigfile, "%s.sig", file);
237 inpipe[0] = inpipe[1] = 0;
240 if (!(pid = fork())) {
241 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
242 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
250 dosetenv("PGPPASSFD", "3", 1);
251 if (pgp_path && *pgp_path != '%')
252 dosetenv("PGPPATH", pgp_path, 1);
254 /* dosetenv("PGPPASS", passPhrase, 1); */
256 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
259 execlp(path, "pgp", "+batchmode=on", "+verbose=0", "+armor=off",
260 name, "-sb", file, sigfile, NULL);
263 execlp(path,"pgps", "+batchmode=on", "+verbose=0", "+armor=off",
264 name, "-b", file, "-o", sigfile, NULL);
267 case PGP_NOTDETECTED:
271 rpmError(RPMERR_EXEC, _("Couldn't exec pgp (%s)"), path);
276 (void)write(inpipe[1], passPhrase, strlen(passPhrase));
277 (void)write(inpipe[1], "\n", 1);
280 (void)waitpid(pid, &status, 0);
281 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
282 rpmError(RPMERR_SIGGEN, _("pgp failed"));
286 if (stat(sigfile, &statbuf)) {
287 /* PGP failed to write signature */
288 unlink(sigfile); /* Just in case */
289 rpmError(RPMERR_SIGGEN, _("pgp failed to write signature"));
293 *size = statbuf.st_size;
294 rpmMessage(RPMMESS_DEBUG, _("PGP sig size: %d\n"), *size);
295 *sig = xmalloc(*size);
299 fd = Fopen(sigfile, "r.fdio");
300 rc = timedRead(fd, *sig, *size);
305 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
310 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of PGP sig\n"), *size);
315 /* This is an adaptation of the makePGPSignature function to use GPG instead
316 * of PGP to create signatures. I think I've made all the changes necessary,
317 * but this could be a good place to start looking if errors in GPG signature
320 static int makeGPGSignature(const char *file, /*@out@*/void **sig, /*@out@*/int_32 *size,
321 const char *passPhrase)
329 sprintf(sigfile, "%s.sig", file);
331 inpipe[0] = inpipe[1] = 0;
334 if (!(pid = fork())) {
335 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
336 const char *name = rpmExpand("%{_gpg_name}", NULL);
342 if (gpg_path && *gpg_path != '%')
343 dosetenv("GNUPGHOME", gpg_path, 1);
345 "--batch", "--no-verbose", "--no-armor", "--passphrase-fd", "3",
346 "-u", name, "-sbo", sigfile, file,
348 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
352 fpipe = fdopen(inpipe[1], "w");
354 fprintf(fpipe, "%s\n", passPhrase);
357 (void)waitpid(pid, &status, 0);
358 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
359 rpmError(RPMERR_SIGGEN, _("gpg failed"));
363 if (stat(sigfile, &statbuf)) {
364 /* GPG failed to write signature */
365 unlink(sigfile); /* Just in case */
366 rpmError(RPMERR_SIGGEN, _("gpg failed to write signature"));
370 *size = statbuf.st_size;
371 rpmMessage(RPMMESS_DEBUG, _("GPG sig size: %d\n"), *size);
372 *sig = xmalloc(*size);
376 fd = Fopen(sigfile, "r.fdio");
377 rc = timedRead(fd, *sig, *size);
382 rpmError(RPMERR_SIGGEN, _("unable to read the signature"));
387 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of GPG sig\n"), *size);
392 int rpmAddSignature(Header header, const char *file, int_32 sigTag, const char *passPhrase)
396 unsigned char buf[16];
402 stat(file, &statbuf);
403 size = statbuf.st_size;
405 headerAddEntry(header, RPMSIGTAG_SIZE, RPM_INT32_TYPE, &size, 1);
408 ret = mdbinfile(file, buf);
410 headerAddEntry(header, sigTag, RPM_BIN_TYPE, buf, 16);
412 case RPMSIGTAG_PGP5: /* XXX legacy */
414 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using PGP.\n"));
415 ret = makePGPSignature(file, &sig, &size, passPhrase);
417 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
420 rpmMessage(RPMMESS_VERBOSE, _("Generating signature using GPG.\n"));
421 ret = makeGPGSignature(file, &sig, &size, passPhrase);
423 headerAddEntry(header, sigTag, RPM_BIN_TYPE, sig, size);
430 static int verifySizeSignature(const char *datafile, int_32 size, char *result)
434 stat(datafile, &statbuf);
435 if (size != statbuf.st_size) {
436 sprintf(result, "Header+Archive size mismatch.\n"
437 "Expected %d, saw %d.\n",
438 size, (int)statbuf.st_size);
442 sprintf(result, "Header+Archive size OK: %d bytes\n", size);
446 #define X(_x) (unsigned)((_x) & 0xff)
448 static int verifyMD5Signature(const char *datafile, unsigned char *sig,
449 char *result, md5func fn)
451 unsigned char md5sum[16];
453 fn(datafile, md5sum);
454 if (memcmp(md5sum, sig, 16)) {
455 sprintf(result, "MD5 sum mismatch\n"
456 "Expected: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
457 "%02x%02x%02x%02x%02x\n"
458 "Saw : %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
459 "%02x%02x%02x%02x%02x\n",
460 X(sig[0]), X(sig[1]), X(sig[2]), X(sig[3]),
461 X(sig[4]), X(sig[5]), X(sig[6]), X(sig[7]),
462 X(sig[8]), X(sig[9]), X(sig[10]), X(sig[11]),
463 X(sig[12]), X(sig[13]), X(sig[14]), X(sig[15]),
464 X(md5sum[0]), X(md5sum[1]), X(md5sum[2]), X(md5sum[3]),
465 X(md5sum[4]), X(md5sum[5]), X(md5sum[6]), X(md5sum[7]),
466 X(md5sum[8]), X(md5sum[9]), X(md5sum[10]), X(md5sum[11]),
467 X(md5sum[12]), X(md5sum[13]), X(md5sum[14]), X(md5sum[15]) );
471 sprintf(result, "MD5 sum OK: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
472 "%02x%02x%02x%02x%02x\n",
473 X(md5sum[0]), X(md5sum[1]), X(md5sum[2]), X(md5sum[3]),
474 X(md5sum[4]), X(md5sum[5]), X(md5sum[6]), X(md5sum[7]),
475 X(md5sum[8]), X(md5sum[9]), X(md5sum[10]), X(md5sum[11]),
476 X(md5sum[12]), X(md5sum[13]), X(md5sum[14]), X(md5sum[15]) );
481 static int verifyPGPSignature(const char *datafile, void *sig,
482 int count, char *result)
484 int pid, status, outpipe[2];
487 unsigned char buf[BUFSIZ];
493 /* What version do we have? */
494 if ((path = rpmDetectPGPVersion(&pgpVer)) == NULL) {
496 rpmError(RPMERR_EXEC,
497 _("Could not run pgp. Use --nopgp to skip PGP checks."));
502 * Sad but true: pgp-5.0 returns exit value of 0 on bad signature.
503 * Instead we have to use the text output to detect a bad signature.
508 /* Write out the signature */
509 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
510 sigfile = tempnam(tmppath, "rpmsig");
513 sfd = Fopen(sigfile, "w.fdio");
514 (void)Fwrite(sig, sizeof(char), count, sfd);
518 outpipe[0] = outpipe[1] = 0;
521 if (!(pid = fork())) {
522 const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
525 close(STDOUT_FILENO); /* XXX unnecessary */
526 dup2(outpipe[1], STDOUT_FILENO);
528 if (pgp_path && *pgp_path != '%')
529 dosetenv("PGPPATH", pgp_path, 1);
533 /* Some output (in particular "This signature applies to */
534 /* another message") is _always_ written to stderr; we */
535 /* want to catch that output, so dup stdout to stderr: */
536 { int save_stderr = dup(2);
538 execlp(path, "pgpv", "+batchmode=on", "+verbose=0",
539 /* Write "Good signature..." to stdout: */
540 "+OutputInformationFD=1",
541 /* Write "WARNING: ... is not trusted to... to stdout: */
542 "+OutputWarningFD=1",
543 sigfile, "-o", datafile, NULL);
544 /* Restore stderr so we can print the error message below. */
545 dup2(save_stderr, 2);
549 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
550 sigfile, datafile, NULL);
553 case PGP_NOTDETECTED:
557 fprintf(stderr, _("exec failed!\n"));
558 rpmError(RPMERR_EXEC,
559 _("Could not run pgp. Use --nopgp to skip PGP checks."));
564 file = fdopen(outpipe[0], "r");
566 while (fgets(buf, 1024, file)) {
567 if (strncmp("File '", buf, 6) &&
568 strncmp("Text is assu", buf, 12) &&
569 strncmp("This signature applies to another message", buf, 41) &&
573 if (!strncmp("WARNING: Can't find the right public key", buf, 40))
575 else if (!strncmp("Signature by unknown keyid:", buf, 27))
577 else if (!strncmp("WARNING: The signing key is not trusted", buf, 39))
578 res = RPMSIG_NOTTRUSTED;
579 else if (!strncmp("Good signature", buf, 14))
584 (void)waitpid(pid, &status, 0);
586 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
593 static int verifyGPGSignature(const char *datafile, void *sig,
594 int count, char *result)
596 int pid, status, outpipe[2];
599 unsigned char buf[8192];
603 /* Write out the signature */
604 { const char *tmppath = rpmGetPath("%{_tmppath}", NULL);
605 sigfile = tempnam(tmppath, "rpmsig");
608 sfd = Fopen(sigfile, "w.fdio");
609 (void)Fwrite(sig, sizeof(char), count, sfd);
613 outpipe[0] = outpipe[1] = 0;
616 if (!(pid = fork())) {
617 const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
620 /* gpg version 0.9 sends its output to stderr. */
621 dup2(outpipe[1], STDERR_FILENO);
623 if (gpg_path && *gpg_path != '%')
624 dosetenv("GNUPGHOME", gpg_path, 1);
627 "--batch", "--no-verbose",
628 "--verify", sigfile, datafile,
630 fprintf(stderr, _("exec failed!\n"));
631 rpmError(RPMERR_EXEC,
632 _("Could not run gpg. Use --nogpg to skip GPG checks."));
637 file = fdopen(outpipe[0], "r");
639 while (fgets(buf, 1024, file)) {
641 if (!strncmp("gpg: Can't check signature: Public key not found", buf, 48)) {
647 (void)waitpid(pid, &status, 0);
649 if (!res && (!WIFEXITED(status) || WEXITSTATUS(status))) {
656 static int checkPassPhrase(const char *passPhrase, const int sigTag)
658 int passPhrasePipe[2];
662 passPhrasePipe[0] = passPhrasePipe[1] = 0;
663 pipe(passPhrasePipe);
664 if (!(pid = fork())) {
666 close(STDOUT_FILENO);
667 close(passPhrasePipe[1]);
668 if (! rpmIsVerbose()) {
669 close(STDERR_FILENO);
671 if ((fd = open("/dev/null", O_RDONLY)) != STDIN_FILENO) {
672 dup2(fd, STDIN_FILENO);
675 if ((fd = open("/dev/null", O_WRONLY)) != STDOUT_FILENO) {
676 dup2(fd, STDOUT_FILENO);
679 dup2(passPhrasePipe[0], 3);
683 { const char *gpg_path = rpmExpand("%{_gpg_path}", NULL);
684 const char *name = rpmExpand("%{_gpg_name}", NULL);
685 if (gpg_path && *gpg_path != '%')
686 dosetenv("GNUPGHOME", gpg_path, 1);
688 "--batch", "--no-verbose", "--passphrase-fd", "3",
689 "-u", name, "-so", "-",
691 rpmError(RPMERR_EXEC, _("Couldn't exec gpg"));
693 } /*@notreached@*/ break;
694 case RPMSIGTAG_PGP5: /* XXX legacy */
696 { const char *pgp_path = rpmExpand("%{_pgp_path}", NULL);
697 const char *name = rpmExpand("+myname=\"%{_pgp_name}\"", NULL);
701 dosetenv("PGPPASSFD", "3", 1);
702 if (pgp_path && *pgp_path != '%')
703 dosetenv("PGPPATH", pgp_path, 1);
705 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
708 execlp(path, "pgp", "+batchmode=on", "+verbose=0",
711 case PGP_5: /* XXX legacy */
712 execlp(path,"pgps", "+batchmode=on", "+verbose=0",
716 case PGP_NOTDETECTED:
720 rpmError(RPMERR_EXEC, _("Couldn't exec pgp"));
722 } /*@notreached@*/ break;
723 default: /* This case should have been screened out long ago. */
724 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
725 _exit(RPMERR_SIGGEN);
726 /*@notreached@*/ break;
730 close(passPhrasePipe[0]);
731 (void)write(passPhrasePipe[1], passPhrase, strlen(passPhrase));
732 (void)write(passPhrasePipe[1], "\n", 1);
733 close(passPhrasePipe[1]);
735 (void)waitpid(pid, &status, 0);
736 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
740 /* passPhrase is good */
744 char *rpmGetPassPhrase(const char *prompt, const int sigTag)
751 { const char *name = rpmExpand("%{_gpg_name}", NULL);
752 aok = (name && *name != '%');
756 rpmError(RPMERR_SIGGEN,
757 _("You must set \"%%_gpg_name\" in your macro file"));
761 case RPMSIGTAG_PGP5: /* XXX legacy */
763 { const char *name = rpmExpand("%{_pgp_name}", NULL);
764 aok = (name && *name != '%');
768 rpmError(RPMERR_SIGGEN,
769 _("You must set \"%%_pgp_name\" in your macro file"));
774 /* Currently the calling function (rpm.c:main) is checking this and
775 * doing a better job. This section should never be accessed.
777 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file"));
779 /*@notreached@*/ break;
782 pass = /*@-unrecog@*/ getpass( (prompt ? prompt : "") ) /*@=unrecog@*/ ;
784 if (checkPassPhrase(pass, sigTag))
790 int rpmVerifySignature(const char *file, int_32 sigTag, void *sig, int count,
795 if (verifySizeSignature(file, *(int_32 *)sig, result)) {
800 if (verifyMD5Signature(file, sig, result, mdbinfile)) {
804 case RPMSIGTAG_LEMD5_1:
805 case RPMSIGTAG_LEMD5_2:
806 if (verifyMD5Signature(file, sig, result, mdbinfileBroken)) {
810 case RPMSIGTAG_PGP5: /* XXX legacy */
812 return verifyPGPSignature(file, sig, count, result);
813 /*@notreached@*/ break;
815 return verifyGPGSignature(file, sig, count, result);
816 /*@notreached@*/ break;
818 sprintf(result, "Do not know how to verify sig type %d\n", sigTag);
819 return RPMSIG_UNKNOWN;