shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2025-03-10 16:58:43 +03:00
Code Issues Projects Releases Wiki Activity

bin/static-delta: Add signature parameters to apply-offline

Browse Source 
This allows to check the delta signature before applying it.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
This commit is contained in:
Frédéric Danis 2020-08-21 17:22:40 +02:00
parent fb1faf17d6
commit 2e97f5659f
3 changed files with 118 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bash/ostree
View File

@ -1532,6 +1532,9 @@ _ostree_static_delta_apply_offline() {
"
local options_with_args="
--sign-type
--keys-file
--keys-dir
--repo
"

61
man/ostree-static-delta.xml
View File

@ -63,7 +63,7 @@ Boston, MA 02111-1307, USA.
<command>ostree static-delta generate</command> <arg choice="req">--to=REV</arg> <arg choice="opt" rep="repeat">OPTIONS</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>ostree static-delta apply-offline</command> <arg choice="req">PATH</arg>
<command>ostree static-delta apply-offline</command> <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="req">PATH</arg> <arg choice="opt" rep="repeat">KEY-ID</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>ostree static-delta verify</command> <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="req">STATIC-DELTA</arg> <arg choice="opt" rep="repeat">KEY-ID</arg>
@ -152,6 +152,65 @@ Boston, MA 02111-1307, USA.
</variablelist>
</refsect1>
<refsect1>
<title>'Apply-offline' Options</title>
<variablelist>
<varlistentry>
<term><option>KEY-ID</option></term>
<listitem><para>
<variablelist>
<varlistentry>
<term><option>for ed25519:</option></term>
<listitem><para>
<literal>base64</literal>-encoded public key for verifying.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>for dummy:</option></term>
<listitem><para>
ASCII-string used as public key.
</para></listitem>
</varlistentry>
</variablelist>
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--sign-type</option>=ENGINE</term>
<listitem><para>
Use particular signature engine. Currently
available <arg choice="plain">ed25519</arg> and <arg choice="plain">dummy</arg>
signature types.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--keys-file</option></term>
<listitem><para>
Read key(s) from file <filename>filename</filename>.
</para></listitem>
<listitem><para>
Valid for <literal>ed25519</literal> signature type.
For <literal>ed25519</literal> this file must contain <literal>base64</literal>-encoded
public key(s) per line for verifying.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--keys-dir</option></term>
<listitem><para>
Redefine the system path, where to search files and subdirectories with
well-known and revoked keys.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>'Verify' Options</title>

56
src/ostree/ot-builtin-static-delta.c
View File

@ -105,6 +105,11 @@ static GOptionEntry generate_options[] = {
};
static GOptionEntry apply_offline_options[] = {
{ "sign-type", 0, 0, G_OPTION_ARG_STRING, &opt_sign_name, "Signature type to use (defaults to 'ed25519')", "NAME"},
#if defined(HAVE_LIBSODIUM)
{ "keys-file", 0, 0, G_OPTION_ARG_STRING, &opt_keysfilename, "Read key(s) from file", "NAME"},
{ "keys-dir", 0, 0, G_OPTION_ARG_STRING, &opt_keysdir, "Redefine system-wide directories with public and revoked keys for verification", "NAME"},
#endif
{ NULL }
};
@ -423,6 +428,9 @@ ot_static_delta_builtin_apply_offline (int argc, char **argv, OstreeCommandInvoc
{
g_autoptr(GOptionContext) context = NULL;
g_autoptr(OstreeRepo) repo = NULL;
g_autoptr (OstreeSign) sign = NULL;
char **key_ids;
int n_key_ids;
context = g_option_context_new ("");
if (!ostree_option_context_parse (context, apply_offline_options, &argc, &argv, invocation, &repo, cancellable, error))
@ -438,13 +446,59 @@ ot_static_delta_builtin_apply_offline (int argc, char **argv, OstreeCommandInvoc
return FALSE;
}
#if defined(HAVE_LIBSODIUM)
/* Initialize crypto system */
opt_sign_name = opt_sign_name ?: OSTREE_SIGN_NAME_ED25519;
#endif
if (opt_sign_name)
{
sign = ostree_sign_get_by_name (opt_sign_name, error);
if (!sign)
return glnx_throw (error, "Signing type %s is not supported", opt_sign_name);
key_ids = argv + 3;
n_key_ids = argc - 3;
for (int i = 0; i < n_key_ids; i++)
{
g_autoptr (GVariant) pk = g_variant_new_string(key_ids[i]);
if (!ostree_sign_add_pk(sign, pk, error))
return FALSE;
}
if ((n_key_ids == 0) || opt_keysfilename)
{
g_autoptr (GVariantBuilder) builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
g_autoptr (GVariant) options = NULL;
/* Use custom directory with public and revoked keys instead of system-wide directories */
if (opt_keysdir)
g_variant_builder_add (builder, "{sv}", "basedir", g_variant_new_string (opt_keysdir));
/* The last chance for verification source -- system files */
if (opt_keysfilename)
g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (opt_keysfilename));
options = g_variant_builder_end (builder);
if (!ostree_sign_load_pk (sign, options, error))
{
/* If it fails to load system default public keys, consider there no signature engine */
if (!opt_keysdir && !opt_keysfilename)
{
g_clear_error(error);
g_clear_object(&sign);
}
else
return FALSE;
}
}
}
const char *patharg = argv[2];
g_autoptr(GFile) path = g_file_new_for_path (patharg);
if (!ostree_repo_prepare_transaction (repo, NULL, cancellable, error))
return FALSE;
if (!ostree_repo_static_delta_execute_offline (repo, path, FALSE, cancellable, error))
if (!ostree_repo_static_delta_execute_offline_with_signature (repo, path, sign, FALSE, cancellable, error))
return FALSE;
if (!ostree_repo_commit_transaction (repo, NULL, cancellable, error))