From 996e2095af8fc8ca651458793992d018fa6680b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89rico=20Rolim?= Date: Sat, 6 Mar 2021 00:01:55 -0300 Subject: [PATCH 1/6] xbps-install: add --verify-sig option. Forcing signature verification for local packages can be useful for innumerous reasons, the simplest one being the possibility of adding a test suite for this part of the code without requiring a test setup running a server or similar. For this, it was necessary to add a new flag value to xbps_handle, and I took the opportunity to re-organize the code a bit, including always checking sha256 for all packages and reporting when remove(3) fails. --- bin/xbps-install/main.c | 5 ++++ include/xbps.h.in | 7 ++++++ lib/transaction_fetch.c | 56 +++++++++++++++++++++++++---------------- 3 files changed, 46 insertions(+), 22 deletions(-) diff --git a/bin/xbps-install/main.c b/bin/xbps-install/main.c index c626d407b..176478bc8 100644 --- a/bin/xbps-install/main.c +++ b/bin/xbps-install/main.c @@ -63,6 +63,7 @@ usage(bool fail) " --reproducible Enable reproducible mode in pkgdb\n" " -S, --sync Sync remote repository index\n" " -u, --update Update target package(s)\n" + " --verify-sigs Verify package signatures even for local repositories\n" " -v, --verbose Verbose messages\n" " -y, --yes Assume yes to all questions\n" " -V, --version Show XBPS version\n"); @@ -118,6 +119,7 @@ main(int argc, char **argv) { "version", no_argument, NULL, 'V' }, { "yes", no_argument, NULL, 'y' }, { "reproducible", no_argument, NULL, 1 }, + { "verify-sig", no_argument, NULL, 2 }, { NULL, 0, NULL, 0 } }; struct xbps_handle xh; @@ -138,6 +140,9 @@ main(int argc, char **argv) case 1: flags |= XBPS_FLAG_INSTALL_REPRO; break; + case 2: + flags |= XBPS_FLAG_VERIFY_LOCAL_REPO; + break; case 'A': flags |= XBPS_FLAG_INSTALL_AUTO; break; diff --git a/include/xbps.h.in b/include/xbps.h.in index b0f421569..bf43755a2 100644 --- a/include/xbps.h.in +++ b/include/xbps.h.in 
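Review bot: The usage text in the first main.c hunk advertises `--verify-sigs` while the `struct option` entry in the second hunk registers `verify-sig`, so the help output names an option that getopt_long rejects; PATCH 6/6 of this series renames both to `--verify-local-sig`, which resolves it, but the two should not be out of step within one commit. Separately, the long-only options are dispatched through bare values `1` and `2` in both the option table and the `case` labels, which gets harder to follow as more are added; an enum such as `enum { OPT_REPRODUCIBLE = 1, OPT_VERIFY_LOCAL_SIG };` (name constructed) used in both places would document the mapping. The `switch` body continues outside the hunk.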
@@ -240,6 +240,13 @@ */ #define XBPS_FLAG_KEEP_CONFIG 0x00010000 +/** + * @def XBPS_FLAG_VERIFY_LOCAL_REPO + * Verify package signatures even for local repositories. + * Must be set through the xbps_handle::flags member. + */ +#define XBPS_FLAG_VERIFY_LOCAL_REPO 0x00020000 + /** * @def XBPS_FETCH_CACHECONN * Default (global) limit of cached connections used in libfetch. diff --git a/lib/transaction_fetch.c b/lib/transaction_fetch.c index c3cc7ed03..a89de7bee 100644 --- a/lib/transaction_fetch.c +++ b/lib/transaction_fetch.c @@ -47,8 +47,9 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd) return ENOMEM; } /* - * For pkgs in local repos check the sha256 hash. - * For pkgs in remote repos check the RSA signature. + * For all pkgs, check the sha256 hash. + * For pkgs in local repos, check the RSA sig if requested. + * For pkgs in remote repos, always check the RSA signature. */ if ((repo = xbps_rpool_get_repo(repoloc)) == NULL) { rv = errno; 
@@ -56,35 +57,46 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd) "%s: %s\n", pkgver, repoloc, strerror(errno)); goto out; } - if (repo->is_remote) { - /* remote repo */ + + /* check sha256 */ + xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver, + "%s: verifying SHA256 hash...", pkgver); + xbps_dictionary_get_cstring_nocopy(pkgd, "filename-sha256", &sha256); + if ((rv = xbps_file_sha256_check(binfile, sha256)) != 0) { + xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, + "%s: SHA256 hash is not valid: %s", pkgver, strerror(rv)); + goto out; + } + + if (repo->is_remote || xhp->flags & XBPS_FLAG_VERIFY_LOCAL_REPO) { + /* check RSA sig */ xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver, "%s: verifying RSA signature...", pkgver); if (!xbps_verify_file_signature(repo, binfile)) { - char *sigfile; rv = EPERM; xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, "%s: the RSA signature is not valid!", pkgver); - xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, - "%s: removed pkg archive and its signature.", pkgver); - (void)remove(binfile); - sigfile = xbps_xasprintf("%s.sig", binfile); - (void)remove(sigfile); - free(sigfile); - goto out; - } - } else { - /* local repo */ - xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver, - "%s: verifying SHA256 hash...", pkgver); - xbps_dictionary_get_cstring_nocopy(pkgd, "filename-sha256", &sha256); - if ((rv = xbps_file_sha256_check(binfile, sha256)) != 0) { - xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, - "%s: SHA256 hash is not valid: %s", pkgver, strerror(rv)); + if (repo->is_remote) { + /* + * Don't remove files from local repositories, since we might + * not be the "owner"; with the XBPS cache, we are the owners. 
+ */ + char *sigfile; + const char *errmsg; + sigfile = xbps_xasprintf("%s.sig", binfile); + assert(sigfile); + if (remove(binfile) == 0 && remove(sigfile) == 0) { + errmsg = "removed pkg archive and its signature"; + } else { + errmsg = "there was an error removing pkg archive and its signature"; + } + free(sigfile); + xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, + "%s: %s.", pkgver, errmsg); + } goto out; } - } out: free(binfile); From 2e427b0f14e392b648a2d45e4501c863ee95a748 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89rico=20Rolim?= Date: Sat, 6 Mar 2021 18:44:43 -0300 Subject: [PATCH 2/6] lib/transaction_fetch: add xbps_file_sha256_check_raw. This function allows us to check the sha256 sum for a particular file, while at the same storing the calculated digest in the provided struct. This allows us to always check the sha256 sum for packages during installation, but also not have to scan the package twice when checking its signature. In order to simplify the code and necessary error checking, and because some functions take a length parameter for the binary hash, while others don't, introduce the xbps_sha256_digest struct, which guarantees we are always passing a binary digest to functions which require one and guarantees it has the necessary length to hold the digest, therefore providing some form of type and memory safety and avoiding the need to pass and propagate length parameters everywhere. --- include/xbps.h.in | 29 ++++++++++++++++++++++++++++- lib/transaction_fetch.c | 16 +++++++++------- lib/util_hash.c | 28 +++++++++++++++++----------- lib/verifysig.c | 12 ++++++------ 4 files changed, 60 insertions(+), 25 deletions(-) diff --git a/include/xbps.h.in b/include/xbps.h.in index bf43755a2..7c764647d 100644 --- a/include/xbps.h.in +++ b/include/xbps.h.in 
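Review bot: In the new removal block of `verify_binpkg`, `remove(binfile) == 0 && remove(sigfile) == 0` short-circuits, so when unlinking the archive fails the signature file is never attempted and the single combined message cannot tell the user which file is still on disk; remove both unconditionally, e.g. `int rb = remove(binfile);`, `int rs = remove(sigfile);`, `if (rb == 0 && rs == 0) {`, and report each failure with `strerror(errno)`. The condition `repo->is_remote || xhp->flags & XBPS_FLAG_VERIFY_LOCAL_REPO` is correct because `&` binds tighter than `||`, but `(xhp->flags & XBPS_FLAG_VERIFY_LOCAL_REPO)` reads unambiguously. Note also the new ordering: a remote archive whose SHA256 does not match now reaches `goto out` before the removal block, so a corrupt file stays in the cache whereas a bad signature removes it; either remove in both failure paths or add a comment explaining why the hash case is left in place. The function's cleanup after `out:` continues past the hunk.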
@@ -688,6 +688,19 @@ struct xbps_handle { int flags; }; +/** + * @struct xbps_sha256_digest xbps.h "xbps.h" + * @brief Structure to contain a binary SHA256 digest. + */ +struct xbps_sha256_digest { + /** + * @var buffer + * + * Buffer containing a SHA256 binary digest. + */ + unsigned char buffer[XBPS_SHA256_DIGEST_SIZE]; +}; + void xbps_dbg_printf(struct xbps_handle *, const char *, ...) __attribute__ ((format (printf, 2, 3))); void xbps_dbg_printf_append(struct xbps_handle *, const char *, ...)__attribute__ ((format (printf, 2, 3))); void xbps_error_printf(const char *, ...)__attribute__ ((format (printf, 1, 2))); @@ -1958,6 +1971,20 @@ bool xbps_file_sha256_raw(unsigned char *dst, size_t len, const char *file); */ int xbps_file_sha256_check(const char *file, const char *sha256); +/** + * Compares the sha256 hash of the file \a file with the sha256 + * string specified by \a sha256. The computed sha256 digest is stored into + * \a dst. + * + * @param[in] file Path to a file. + * @param[in] sha256 SHA256 hash to compare. + * @param[out] dst Destination struct. + * + * @return 0 if \a file and \a sha256 have the same hash, ERANGE + * if it differs, or any other errno value on error. + */ +int xbps_file_sha256_check_raw(const char *file, const char *sha256, struct xbps_sha256_digest *dst); + /** * Verifies the RSA signature \a sigfile against \a digest with the * RSA public-key associated in \a repo. @@ -1969,7 +1996,7 @@ int xbps_file_sha256_check(const char *file, const char *sha256); * @return True if the signature is valid, false otherwise. */ bool xbps_verify_signature(struct xbps_repo *repo, const char *sigfile, - unsigned char *digest); + const struct xbps_sha256_digest *digest); /** * Verifies the RSA signature of \a fname with the RSA public-key associated diff --git a/lib/transaction_fetch.c b/lib/transaction_fetch.c index a89de7bee..80e46b860 100644 --- a/lib/transaction_fetch.c +++ b/lib/transaction_fetch.c 
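Review bot: The doc comment for `xbps_file_sha256_check_raw` states that the computed digest is stored into `dst`, but the implementation added later in this patch returns before writing anything when `xbps_file_sha256_raw` fails, so `dst` is only meaningful for the 0 and ERANGE returns; change the parameter line to `@param[out] dst Destination struct; only valid when 0 or ERANGE is returned.` so callers do not pass an uninitialised digest onward. Wrapping the digest in `struct xbps_sha256_digest` instead of a loose pointer and length pair is a clear improvement and the `@brief` on the struct is adequate.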
@@ -37,6 +37,7 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd) struct xbps_repo *repo; const char *pkgver, *repoloc, *sha256; char *binfile; + struct xbps_sha256_digest digest; int rv = 0; xbps_dictionary_get_cstring_nocopy(pkgd, "repository", &repoloc); @@ -62,7 +63,7 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd) xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver, "%s: verifying SHA256 hash...", pkgver); xbps_dictionary_get_cstring_nocopy(pkgd, "filename-sha256", &sha256); - if ((rv = xbps_file_sha256_check(binfile, sha256)) != 0) { + if ((rv = xbps_file_sha256_check_raw(binfile, sha256, &digest)) != 0) { xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, "%s: SHA256 hash is not valid: %s", pkgver, strerror(rv)); goto out; @@ -73,7 +74,7 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd) xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver, "%s: verifying RSA signature...", pkgver); - if (!xbps_verify_file_signature(repo, binfile)) { + if (!xbps_verify_signature(repo, binfile, &digest)) { rv = EPERM; xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, "%s: the RSA signature is not valid!", pkgver); @@ -110,7 +111,7 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd) char buf[PATH_MAX]; char *sigsuffix; const char *pkgver, *arch, *fetchstr, *repoloc; - unsigned char digest[XBPS_SHA256_DIGEST_SIZE] = {0}; + struct xbps_sha256_digest digest = {0}; int rv = 0; xbps_dictionary_get_cstring_nocopy(repo_pkgd, "repository", &repoloc); 
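Review bot: The third hunk replaces `xbps_verify_file_signature(repo, binfile)` with `xbps_verify_signature(repo, binfile, &digest)`, but the header comment for `xbps_verify_signature` in this same patch documents its second parameter as the signature file, so this commit makes `verify_binpkg` read the archive itself as the signature and every local or remote verification through this path fails. PATCH 4/6 corrects it; squashing that fix into this commit would keep the series bisectable rather than leaving a revision where installation cannot succeed. The `verify_binpkg` body extends outside these hunks.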
@@ -141,8 +142,8 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd) xbps_set_cb_state(xhp, XBPS_STATE_DOWNLOAD, 0, pkgver, "Downloading `%s' package (from `%s')...", pkgver, repoloc); - if ((rv = xbps_fetch_file_sha256(xhp, buf, NULL, digest, - sizeof digest)) == -1) { + if ((rv = xbps_fetch_file_sha256(xhp, buf, NULL, digest.buffer, + sizeof digest.buffer)) == -1) { rv = fetchLastErrCode ? fetchLastErrCode : errno; fetchstr = xbps_fetch_error_string(); xbps_set_cb_state(xhp, XBPS_STATE_DOWNLOAD_FAIL, rv, @@ -169,7 +170,8 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd) * If digest is not set, binary package was not downloaded, * i.e. 304 not modified, verify by file instead. */ - if (*digest) { + /* FIXME: this rejects hashes that start with 0 */ + if (digest.buffer[0]) { *sigsuffix = '\0'; if (!xbps_verify_file_signature(repo, buf)) { rv = EPERM; @@ -180,7 +182,7 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd) (void)remove(buf); } } else { - if (!xbps_verify_signature(repo, buf, digest)) { + if (!xbps_verify_signature(repo, buf, &digest)) { rv = EPERM; /* remove signature */ (void)remove(buf); diff --git a/lib/util_hash.c b/lib/util_hash.c index 4b1de715b..e925abccb 100644 --- a/lib/util_hash.c +++ b/lib/util_hash.c @@ -160,18 +160,16 @@ xbps_file_sha256(char *dst, size_t dstlen, const char *file) } static bool -sha256_digest_compare(const char *sha256, size_t shalen, - const unsigned char *digest, size_t digestlen) +sha256_digest_compare(const char *sha256, + const struct xbps_sha256_digest *digest_struct) { + const unsigned char *digest = digest_struct->buffer; + size_t shalen = strlen(sha256); assert(shalen == XBPS_SHA256_SIZE - 1); if (shalen != XBPS_SHA256_SIZE -1) return false; - assert(digestlen == XBPS_SHA256_DIGEST_SIZE); - if (digestlen != XBPS_SHA256_DIGEST_SIZE) - return false; - for (; *sha256;) { if (*digest / 16 < 10) { if (*sha256++ != '0' + *digest / 16) 
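Review bot: The `if (digest.buffer[0])` test in the `download_binpkg` hunk, flagged by the new FIXME, misclassifies any downloaded archive whose SHA256 digest begins with a 0x00 byte (roughly one in 256) as "not modified" and sends it down the re-hash-from-file path; as far as the visible code shows the result is still verified, since `xbps_verify_file_signature` hashes the file itself, but the intent is obscured. Rather than inspect the digest, track whether the fetch actually wrote the file — if `xbps_fetch_file_sha256` distinguishes a 304 from a download in its return value, use that; otherwise compare the whole digest, `static const struct xbps_sha256_digest zero = {0};` and `if (memcmp(&digest, &zero, sizeof digest) != 0) {`, since an all-zero SHA256 digest does not occur in practice. The surrounding function body extends outside the hunk.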
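Review bot: The new `size_t shalen = strlen(sha256);` line in `sha256_digest_compare` feeds the pre-existing `assert(shalen == XBPS_SHA256_SIZE - 1);` immediately below it, and the string originates from the package dictionary's `filename-sha256` entry, presumably populated from a repository index rather than generated by this process; in a build with assertions enabled a malformed entry therefore aborts xbps instead of producing the `false` that the runtime check on the next line already returns. Drop the `assert` and keep the `if (shalen != XBPS_SHA256_SIZE -1) return false;` as the only check, since this hunk is the one that makes the helper responsible for measuring its input. The digit-compare loop continues outside the hunk.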
@@ -194,22 +192,30 @@ sha256_digest_compare(const char *sha256, size_t shalen, } int -xbps_file_sha256_check(const char *file, const char *sha256) +xbps_file_sha256_check_raw(const char *file, const char *sha256, + struct xbps_sha256_digest *dst) { - unsigned char digest[XBPS_SHA256_DIGEST_SIZE]; - assert(file != NULL); assert(sha256 != NULL); + assert(dst != NULL); - if (!xbps_file_sha256_raw(digest, sizeof digest, file)) + if (!xbps_file_sha256_raw(dst->buffer, sizeof dst->buffer, file)) return errno; - if (!sha256_digest_compare(sha256, strlen(sha256), digest, sizeof digest)) + if (!sha256_digest_compare(sha256, dst)) return ERANGE; return 0; } +int +xbps_file_sha256_check(const char *file, const char *sha256) +{ + struct xbps_sha256_digest digest; + + return xbps_file_sha256_check_raw(file, sha256, &digest); +} + static const char * file_hash_dictionary(xbps_dictionary_t d, const char *key, const char *file) { diff --git a/lib/verifysig.c b/lib/verifysig.c index 1cfe89911..adee19387 100644 --- a/lib/verifysig.c +++ b/lib/verifysig.c @@ -43,7 +43,7 @@ static bool rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey, unsigned char *sig, unsigned int siglen, - unsigned char *sha256) + const struct xbps_sha256_digest *digest) { BIO *bio; RSA *rsa; @@ -63,7 +63,7 @@ rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey, return false; } - rv = RSA_verify(NID_sha1, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa); + rv = RSA_verify(NID_sha1, digest->buffer, sizeof digest->buffer, sig, siglen, rsa); RSA_free(rsa); BIO_free(bio); ERR_free_strings(); @@ -73,7 +73,7 @@ rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey, bool xbps_verify_signature(struct xbps_repo *repo, const char *sigfile, - unsigned char *digest) + const struct xbps_sha256_digest *digest) { xbps_dictionary_t repokeyd = NULL; xbps_data_t pubkey; 
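Review bot: `xbps_file_sha256_check_raw` keeps the `return errno;` path when `xbps_file_sha256_raw` fails; if that helper can report failure without setting `errno` (its body is not in this patch), the caller receives 0 and treats an unhashed, uninitialised `dst` as a successful check, which in `verify_binpkg` then flows into signature verification. Guard it on the failure branch, e.g. `int rv = errno; return rv ? rv : EIO;`. The thin `xbps_file_sha256_check` wrapper is fine, though a one-line comment noting that its `digest` local is only scratch space would help the next reader.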
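Review bot: The rewritten `RSA_verify` line in `rsa_verify_hash` now passes `sizeof digest->buffer` (32 bytes) together with `NID_sha1`, whose digest length is 20 bytes; this mirrors the removed line and presumably matches how the repository signer produces `.sig` files, so it cannot change without invalidating existing signatures, but nothing on the line tells a reader that the mismatch is intentional. Add a comment such as `/* NID_sha1 with a 32-byte digest is intentional: existing signatures are produced this way */` (confirm against the signing side before wording it as fact) so a future "fix" does not silently break verification. `rsa_verify_hash` starts and ends outside the hunk.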
@@ -137,16 +137,16 @@ bool xbps_verify_file_signature(struct xbps_repo *repo, const char *fname) { char sig[PATH_MAX]; - unsigned char digest[XBPS_SHA256_DIGEST_SIZE]; + struct xbps_sha256_digest digest; bool val = false; - if (!xbps_file_sha256_raw(digest, sizeof digest, fname)) { + if (!xbps_file_sha256_raw(digest.buffer, sizeof digest.buffer, fname)) { xbps_dbg_printf(repo->xhp, "can't open file %s: %s\n", fname, strerror(errno)); return false; } snprintf(sig, sizeof sig, "%s.sig", fname); - val = xbps_verify_signature(repo, sig, digest); + val = xbps_verify_signature(repo, sig, &digest); return val; } From 1731fdd3e310a8647550bedf32599469c8270e22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89rico=20Rolim?= Date: Sun, 7 Mar 2021 00:15:01 -0300 Subject: [PATCH 3/6] lib/util: add xbps_file_sig_path. Useful to print a signature path into a string and returning a pointer to the start of the ".sig" suffix. Also checks if the whole format string actually fit into the destination. Replace the manual computation in download_binpkg with it. --- include/xbps_api_impl.h | 3 +++ lib/transaction_fetch.c | 17 +++++++++++++---- lib/util.c | 21 +++++++++++++++++++++ 3 files changed, 37 insertions(+), 4 deletions(-) diff --git a/include/xbps_api_impl.h b/include/xbps_api_impl.h index ab5422abd..62f6cbaa0 100644 --- a/include/xbps_api_impl.h +++ b/include/xbps_api_impl.h @@ -161,4 +161,7 @@ struct xbps_repo HIDDEN *xbps_regget_repo(struct xbps_handle *, const char *); int HIDDEN xbps_conf_init(struct xbps_handle *); +/* util */ +int HIDDEN xbps_file_sig_path(char *str, size_t len, char **sigsuffix, const char *fmt, ...); + #endif /* !_XBPS_API_IMPL_H_ */ diff --git a/lib/transaction_fetch.c b/lib/transaction_fetch.c index 80e46b860..89ac6d91e 100644 --- a/lib/transaction_fetch.c +++ b/lib/transaction_fetch.c 
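Review bot: The new `xbps_file_sig_path` prototype in xbps_api_impl.h takes a printf-style `fmt` and varargs but carries no format attribute, whereas the public declarations in xbps.h.in (e.g. `xbps_dbg_printf`) annotate theirs, so `-Wformat` cannot check the two call sites this patch adds in `download_binpkg`; declare it as `int HIDDEN xbps_file_sig_path(char *str, size_t len, char **sigsuffix, const char *fmt, ...) __attribute__ ((format (printf, 4, 5)));`. A short comment above it stating that `*sigsuffix`, when non-NULL, is set to point at the trailing `.sig` inside `str`, and that ENAMETOOLONG and EINVAL are the error returns, would document the contract the callers rely on.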
@@ -108,6 +108,7 @@ static int download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd) { struct xbps_repo *repo; + /* FIXME: increase max length for remote requests? */ char buf[PATH_MAX]; char *sigsuffix; const char *pkgver, *arch, *fetchstr, *repoloc; @@ -121,8 +122,12 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd) xbps_dictionary_get_cstring_nocopy(repo_pkgd, "pkgver", &pkgver); xbps_dictionary_get_cstring_nocopy(repo_pkgd, "architecture", &arch); - snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig", repoloc, pkgver, arch); - sigsuffix = buf+(strlen(buf)-sizeof (".sig")+1); + if ((rv = xbps_file_sig_path(buf, sizeof buf, &sigsuffix, "%s/%s.%s.xbps.sig", repoloc, pkgver, arch))) { + xbps_set_cb_state(xhp, XBPS_STATE_DOWNLOAD_FAIL, rv, + pkgver, "[trans] failed to create signature request for `%s': %s", + pkgver, strerror(rv)); + return rv; + } xbps_set_cb_state(xhp, XBPS_STATE_DOWNLOAD, 0, pkgver, "Downloading `%s' signature (from `%s')...", pkgver, repoloc); @@ -156,8 +161,12 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd) xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver, "%s: verifying RSA signature...", pkgver); - snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig", xhp->cachedir, pkgver, arch); - sigsuffix = buf+(strlen(buf)-sizeof (".sig")+1); + if ((rv = xbps_file_sig_path(buf, sizeof buf, &sigsuffix, "%s/%s.%s.xbps.sig", xhp->cachedir, pkgver, arch))) { + xbps_set_cb_state(xhp, XBPS_STATE_DOWNLOAD_FAIL, rv, + pkgver, "[trans] failed to create signature path for `%s': %s", + pkgver, strerror(rv)); + return rv; + } if ((repo = xbps_rpool_get_repo(repoloc)) == NULL) { rv = errno; diff --git a/lib/util.c b/lib/util.c index 71afd43b9..11d82c62b 100644 --- a/lib/util.c +++ b/lib/util.c 
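Review bot: The second new error block in `download_binpkg` returns with a bare `return rv;` after the signature has already been fetched into the cache; if anything acquired between the two hunks needs releasing (that code is outside the hunk), the early return skips it, so a `goto` to the function's cleanup label, if one exists, is safer than returning from the middle of the body. Both blocks are otherwise the same six lines apart from the message and the format argument, and a small `static` helper that emits the `XBPS_STATE_DOWNLOAD_FAIL` callback and returns `rv` would remove the duplication. Both also write `if ((rv = xbps_file_sig_path(...)))`; adding `!= 0` makes the assignment-as-condition explicit.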
@@ -699,3 +699,24 @@ xbps_patterns_match(xbps_array_t patterns, const char *path) return match; } + +int HIDDEN xbps_file_sig_path(char *str, size_t len, char **sigsuffix, const char *fmt, ...) +{ + va_list ap; + ssize_t w; + char *sig; + + va_start(ap, fmt); + /* Bail out if resulting string is too long. */ + if ((w = vsnprintf(str, len, fmt, ap)) >= (ssize_t)len) { + return ENAMETOOLONG; + } + sig = str + (w - sizeof(".sig")+1); + /* Check that we actually received a signature path. */ + if (strcmp(sig, ".sig")) + return EINVAL; + if (sigsuffix) + *sigsuffix = sig; + + return 0; +} From 4fc796d6007495bc0565d4700f3627e43437c46a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89rico=20Rolim?= Date: Sun, 7 Mar 2021 00:21:45 -0300 Subject: [PATCH 4/6] lib/transaction_fetch: fix verify_binpkg. verify_binpkg was using the package path instead of the signature path in xbps_verify_signature. Compute the signature path using the new xbps_file_sig_path, and as a bonus avoid new allocations. --- lib/transaction_fetch.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/lib/transaction_fetch.c b/lib/transaction_fetch.c index 89ac6d91e..0d27920e6 100644 --- a/lib/transaction_fetch.c +++ b/lib/transaction_fetch.c @@ -28,6 +28,7 @@ #include #include #include +#include #include "xbps_api_impl.h" 
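Review bot: `xbps_file_sig_path` never calls `va_end(ap)` — neither on the ENAMETOOLONG return nor on the success path — which is undefined behaviour after `va_start`, and the `vsnprintf` result is only checked against `len`, so a negative return (encoding error) or any result shorter than `.sig` makes `sig = str + (w - sizeof(".sig")+1)` point before the buffer and `strcmp` read out of bounds. Release `ap` right after formatting and check `w < 0` and `w < 4` before forming `sig`; `int` is also the type `vsnprintf` returns, so `ssize_t` is not needed.
```c
int HIDDEN xbps_file_sig_path(char *str, size_t len, char **sigsuffix, const char *fmt, ...)
{
	va_list ap;
	int w;
	char *sig;
	const size_t suffixlen = sizeof(".sig") - 1;

	va_start(ap, fmt);
	w = vsnprintf(str, len, fmt, ap);
	va_end(ap);
	/* Encoding error from vsnprintf. */
	if (w < 0)
		return EINVAL;
	/* Bail out if resulting string is too long; never use a truncated path. */
	if ((size_t)w >= len)
		return ENAMETOOLONG;
	/* Too short to carry the suffix; avoids forming a pointer before str. */
	if ((size_t)w < suffixlen)
		return EINVAL;
	sig = str + ((size_t)w - suffixlen);
	/* Check that we actually received a signature path. */
	if (strcmp(sig, ".sig"))
		return EINVAL;
	if (sigsuffix)
		*sigsuffix = sig;

	return 0;
}
```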
@@ -70,11 +71,19 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd) } if (repo->is_remote || xhp->flags & XBPS_FLAG_VERIFY_LOCAL_REPO) { + char sigfile[PATH_MAX]; + if ((rv = xbps_file_sig_path(sigfile, sizeof sigfile, NULL, "%s.sig", binfile))) { + xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, + pkgver, "[trans] can't access signature for `%s': %s", + pkgver, strerror(rv)); + goto out; + } + /* check RSA sig */ xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver, "%s: verifying RSA signature...", pkgver); - if (!xbps_verify_signature(repo, binfile, &digest)) { + if (!xbps_verify_signature(repo, sigfile, &digest)) { rv = EPERM; xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, "%s: the RSA signature is not valid!", pkgver); @@ -83,16 +92,12 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd) * Don't remove files from local repositories, since we might * not be the "owner"; with the XBPS cache, we are the owners. */ - char *sigfile; const char *errmsg; - sigfile = xbps_xasprintf("%s.sig", binfile); - assert(sigfile); if (remove(binfile) == 0 && remove(sigfile) == 0) { errmsg = "removed pkg archive and its signature"; } else { errmsg = "there was an error removing pkg archive and its signature"; } - free(sigfile); xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, "%s: %s.", pkgver, errmsg); } From 1ac07163156b2e6036654faf6ff629d7a71c24d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89rico=20Rolim?= Date: Sun, 7 Mar 2021 00:23:06 -0300 Subject: [PATCH 5/6] lib/verifysig: use xbps_file_sig_path in xbps_verify_file_signature. This actually checks that the resulting string fit inside the buffer, so we avoid using a truncated path. --- lib/verifysig.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/verifysig.c b/lib/verifysig.c index adee19387..f48a96e09 100644 --- a/lib/verifysig.c +++ b/lib/verifysig.c 
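Review bot: The new failure message in `verify_binpkg`, `[trans] can't access signature for ...`, describes a different problem from the one `xbps_file_sig_path` reports — per its body in PATCH 3/6 it fails only when `binfile` plus `.sig` does not fit in PATH_MAX or the result does not end in `.sig` — so a user will look for a missing or unreadable `.sig` file instead of an over-long path; `"[trans] can't build signature path for `%s': %s"` says what happened. Declaring `char sigfile[PATH_MAX];` inside the `if` block is valid C99, but the rest of this file keeps its stack buffers at the top of the function, so moving it there would match the local style. The function's `out:` cleanup is outside the hunk.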
@@ -142,10 +142,13 @@ xbps_verify_file_signature(struct xbps_repo *repo, const char *fname) if (!xbps_file_sha256_raw(digest.buffer, sizeof digest.buffer, fname)) { xbps_dbg_printf(repo->xhp, "can't open file %s: %s\n", fname, strerror(errno)); - return false; + return val; } - snprintf(sig, sizeof sig, "%s.sig", fname); + if (xbps_file_sig_path(sig, sizeof sig, NULL, "%s.sig", fname)) { + /* XXX: print something for error ? */ + return val; + } val = xbps_verify_signature(repo, sig, &digest); return val; From d5a76401cdfe9ec6e532f522a3f0888d60940684 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89rico=20Rolim?= Date: Sun, 7 Mar 2021 20:42:15 -0300 Subject: [PATCH 6/6] xbps-install: rename verify-sig to verify-local-sig. Also add documentation to man page. --- bin/xbps-install/main.c | 4 ++-- bin/xbps-install/xbps-install.1 | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/xbps-install/main.c b/bin/xbps-install/main.c index 176478bc8..5686e8ca1 100644 --- a/bin/xbps-install/main.c +++ b/bin/xbps-install/main.c @@ -63,7 +63,7 @@ usage(bool fail) " --reproducible Enable reproducible mode in pkgdb\n" " -S, --sync Sync remote repository index\n" " -u, --update Update target package(s)\n" - " --verify-sigs Verify package signatures even for local repositories\n" + " --verify-local-sig Verify package signatures even for local repositories\n" " -v, --verbose Verbose messages\n" " -y, --yes Assume yes to all questions\n" " -V, --version Show XBPS version\n"); @@ -119,7 +119,7 @@ main(int argc, char **argv) { "version", no_argument, NULL, 'V' }, { "yes", no_argument, NULL, 'y' }, { "reproducible", no_argument, NULL, 1 }, - { "verify-sig", no_argument, NULL, 2 }, + { "verify-local-sig", no_argument, NULL, 2 }, { NULL, 0, NULL, 0 } }; struct xbps_handle xh; diff --git a/bin/xbps-install/xbps-install.1 b/bin/xbps-install/xbps-install.1 index ca2985f9a..01f33b44a 100644 --- a/bin/xbps-install/xbps-install.1 +++ b/bin/xbps-install/xbps-install.1 
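Review bot: The `/* XXX: print something for error ? */` branch in `xbps_verify_file_signature` discards the error code from `xbps_file_sig_path` and returns silently, while the sibling failure a few lines above reports through `xbps_dbg_printf`; keep the code and log it the same way: `int rv = xbps_file_sig_path(sig, sizeof sig, NULL, "%s.sig", fname);` then `if (rv) {` and `xbps_dbg_printf(repo->xhp, "can't build signature path for %s: %s\n", fname, strerror(rv));`. Changing the earlier `return false;` to `return val;` also makes the reader chase the initialiser of `val` to learn what is returned; the literal `false` was clearer in a function whose result gates signature acceptance.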
@@ -163,6 +163,9 @@ Performs a full system upgrade: all installed packages .Pq except those on Sy hold , No see Fl -mode Sy hold No in Xr xbps-pkgdb 1 will be updated to the greatest versions that were found in repositories. +.It Fl -verify-local-sig +Enables signature verification for local repositories in addition to +remote ones. .It Fl v, Fl -verbose Enables verbose messages. .It Fl y, Fl -yes