Add an API to verify a commit signature explicitly

We have a bunch of APIs to do GPG verification of a commit,
but that doesn't generalize to signapi.  Further, they
require the caller to check the signature status explicitly
which seems like a trap.

This much higher level API works with both GPG and signapi.
The intention is to use this in things that are doing "external
pulls" like the ostree-ext tar import support.  There we will
get the commitmeta from the tarball and we want to verify it
at the same time we import the commit.

Makefile-tests.am

@@ -391,6 +391,10 @@ tests_test_rfc2616_dates_SOURCES = \
 tests_test_rfc2616_dates_CFLAGS = $(TESTS_CFLAGS)
 tests_test_rfc2616_dates_LDADD = $(TESTS_LDADD)
 
+noinst_PROGRAMS += tests/test-commit-sign-sh-ext
+tests_test_commit_sign_sh_ext_CFLAGS = $(TESTS_CFLAGS)
+tests_test_commit_sign_sh_ext_LDADD = $(TESTS_LDADD)
+
 if USE_GPGME
 tests_test_gpg_verify_result_SOURCES = \
 	src/libostree/ostree-gpg-verify-result-private.h \

apidoc/ostree-sections.txt

@@ -474,6 +474,7 @@ ostree_repo_append_gpg_signature
 ostree_repo_add_gpg_signature_summary
 ostree_repo_gpg_sign_data
 ostree_repo_gpg_verify_data
+ostree_repo_signature_verify_commit_data
 ostree_repo_verify_commit
 ostree_repo_verify_commit_ext
 ostree_repo_verify_commit_for_remote

src/libostree/libostree-devel.sym

@@ -25,6 +25,7 @@
 LIBOSTREE_2021.4 {
 global:
   ostree_repo_remote_get_gpg_keys;
+  ostree_repo_signature_verify_commit_data;
 } LIBOSTREE_2021.3;
 
 /* Stub section for the stable release *after* this development one; don't

src/libostree/ostree-repo-pull-verify.c

@@ -270,6 +270,7 @@ _sign_verify_for_remote (GPtrArray *verifiers,
 
   g_assert (out_success_message == NULL || *out_success_message == NULL);
 
+  g_assert (verifiers);
   g_assert_cmpuint (verifiers->len, >=, 1);
   for (guint i = 0; i < verifiers->len; i++)
     {
@@ -346,6 +347,120 @@ _process_gpg_verify_result (OtPullData            *pull_data,
 }
 #endif /* OSTREE_DISABLE_GPGME */
 
+static gboolean
+validate_metadata_size (const char *prefix, GBytes *buf, GError **error)
+{
+  gsize len = g_bytes_get_size (buf);
+  if (len > OSTREE_MAX_METADATA_SIZE)
+    return glnx_throw (error, "%s is %" G_GUINT64_FORMAT " bytes, exceeding maximum %" G_GUINT64_FORMAT, prefix, (guint64)len, (guint64)OSTREE_MAX_METADATA_SIZE);
+  return TRUE;
+}
+
+/**
+ * ostree_repo_signature_verify_commit_data:
+ * @self: Repo
+ * @remote_name: Name of remote
+ * @commit_data: Commit object data (GVariant)
+ * @commit_metadata: Commit metadata (GVariant `a{sv}`), must contain at least one valid signature
+ * @flags: Optionally disable GPG or signapi
+ * @out_results: (nullable) (out) (transfer full): Textual description of results
+ * @error: Error
+ *
+ * Validate the commit data using the commit metadata which must
+ * contain at least one valid signature.  If GPG and signapi are
+ * both enabled, then both must find at least one valid signature.
+ */
+gboolean 
+ostree_repo_signature_verify_commit_data (OstreeRepo    *self,
+                                          const char    *remote_name,
+                                          GBytes        *commit_data,
+                                          GBytes        *commit_metadata,
+                                          OstreeRepoVerifyFlags flags,
+                                          char         **out_results,
+                                          GError       **error)
+{
+  g_assert (self);
+  g_assert (remote_name);
+  g_assert (commit_data);
+
+  gboolean gpg = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_GPG);
+  gboolean signapi = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI);
+  // Must ask for at least one type of verification
+  if (!(gpg || signapi))
+    return glnx_throw (error, "No commit verification types enabled via API");
+
+  if (!validate_metadata_size ("Commit", commit_data, error))
+    return FALSE;
+  /* Nothing to check if detached metadata is absent */
+  if (commit_metadata == NULL)
+    return glnx_throw (error, "Can't verify commit without detached metadata");
+  if (!validate_metadata_size ("Commit metadata", commit_metadata, error))
+    return FALSE;
+  g_autoptr(GVariant) commit_metadata_v = g_variant_new_from_bytes (G_VARIANT_TYPE_VARDICT, commit_metadata, FALSE);
+
+  g_autoptr(GString) results_buf = g_string_new ("");
+  gboolean verified = FALSE;
+
+  if (gpg)
+    {
+      if (!ostree_repo_remote_get_gpg_verify (self, remote_name,
+                                              &gpg, error))
+        return FALSE;
+    }
+
+  /* TODO - we could cache this in the repo */
+  g_autoptr(GPtrArray) signapi_verifiers = NULL;
+  if (signapi)
+    {
+      if (!_signapi_init_for_remote (self, remote_name, &signapi_verifiers, NULL, error))
+        return FALSE;
+    }
+
+  if (!(gpg || signapi_verifiers))
+    return glnx_throw (error, "Cannot verify commit for remote %s; GPG verification disabled, and no signapi verifiers configured", remote_name);
+
+#ifndef OSTREE_DISABLE_GPGME
+  if (gpg)
+    {
+      g_autoptr(OstreeGpgVerifyResult) result =
+        _ostree_repo_gpg_verify_with_metadata (self, commit_data,
+                                               commit_metadata_v,
+                                               remote_name,
+                                               NULL, NULL, NULL, error);
+      if (!result)
+        return FALSE;
+      if (!ostree_gpg_verify_result_require_valid_signature (result, error))
+        return FALSE;
+
+      const guint n_signatures = ostree_gpg_verify_result_count_all (result);
+      g_assert_cmpuint (n_signatures, >, 0);
+      for (guint jj = 0; jj < n_signatures; jj++)
+        {
+          ostree_gpg_verify_result_describe (result, jj, results_buf, "GPG: ",
+                                             OSTREE_GPG_SIGNATURE_FORMAT_DEFAULT);
+        }
+      verified = TRUE;
+    }
+#endif /* OSTREE_DISABLE_GPGME */
+
+  if (signapi_verifiers)
+    {
+      g_autofree char *success_message = NULL;
+      if (!_sign_verify_for_remote (signapi_verifiers, commit_data, commit_metadata_v, &success_message, error))
+        return glnx_prefix_error (error, "Can't verify commit");
+      if (verified)
+        g_string_append_c (results_buf, '\n');
+      g_string_append (results_buf, success_message);
+      verified = TRUE;
+    }
+
+  /* Must be true since we did g_assert (gpg || signapi) */
+  g_assert (verified);
+  if (out_results)
+    *out_results = g_string_free (g_steal_pointer (&results_buf), FALSE);
+  return TRUE;
+}
+
 gboolean
 _verify_unwritten_commit (OtPullData                 *pull_data,
                           const char                 *checksum,

src/libostree/ostree-repo.h

@@ -1538,6 +1538,29 @@ OstreeGpgVerifyResult * ostree_repo_verify_summary (OstreeRepo    *self,
                                                     GCancellable  *cancellable,
                                                     GError       **error);
 
+/**
+ * OstreeRepoVerifyFlags:
+ * @OSTREE_REPO_VERIFY_FLAGS_NONE: No flags
+ * @OSTREE_REPO_VERIFY_FLAGS_NO_GPG: Skip GPG verification
+ * @OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI: Skip all other signature verification methods
+ * 
+ * Since: 2021.4
+ */
+typedef enum {
+  OSTREE_REPO_VERIFY_FLAGS_NONE = 0,
+  OSTREE_REPO_VERIFY_FLAGS_NO_GPG = (1 << 0),
+  OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI = (1 << 1),
+} OstreeRepoVerifyFlags;
+
+_OSTREE_PUBLIC
+gboolean ostree_repo_signature_verify_commit_data (OstreeRepo    *self,
+                                                   const char    *remote_name,
+                                                   GBytes        *commit_data,
+                                                   GBytes        *commit_metadata,
+                                                   OstreeRepoVerifyFlags flags,
+                                                   char         **out_results,
+                                                   GError       **error);
+
 _OSTREE_PUBLIC
 gboolean ostree_repo_regenerate_summary (OstreeRepo     *self,
                                          GVariant       *additional_metadata,

src/ostree/ot-admin-builtin-status.c

@@ -31,7 +31,10 @@
 
 #include <glib/gi18n.h>
 
+static gboolean opt_verify;
+
 static GOptionEntry options[] = {
+  { "verify", 'V', 0, G_OPTION_ARG_NONE, &opt_verify, "Print the commit verification status", NULL },
   { NULL }
 };
 
@@ -86,6 +89,12 @@ deployment_print_status (OstreeSysroot    *sysroot,
   g_autoptr(GVariant) commit_metadata = NULL;
   if (commit)
     commit_metadata = g_variant_get_child_value (commit, 0);
+  g_autoptr(GVariant) commit_detached_metadata = NULL;
+  if (commit)
+    {
+      if (!ostree_repo_read_commit_detached_metadata (repo, ref, &commit_detached_metadata, cancellable, error))
+        return FALSE;
+    }
 
   const char *version = NULL;
   const char *source_title = NULL;
@@ -139,7 +148,7 @@ deployment_print_status (OstreeSysroot    *sysroot,
     }
 
 #ifndef OSTREE_DISABLE_GPGME
-  if (deployment_get_gpg_verify (deployment, repo))
+  if (!opt_verify && deployment_get_gpg_verify (deployment, repo))
     {
       g_autoptr(GString) output_buffer = g_string_sized_new (256);
       /* Print any digital signatures on this commit. */
@@ -172,6 +181,31 @@ deployment_print_status (OstreeSysroot    *sysroot,
       g_print ("%s", output_buffer->str);
     }
 #endif /* OSTREE_DISABLE_GPGME */
+  if (opt_verify)
+    {
+      if (!commit)
+        return glnx_throw (error, "Cannot verify, failed to load commit");
+
+      if (origin == NULL)
+        return glnx_throw (error, "Cannot verify deployment with no origin");
+
+      g_autofree char *refspec = g_key_file_get_string (origin, "origin", "refspec", NULL);
+      if (refspec == NULL)
+        return glnx_throw (error, "No origin/refspec, cannot verify");
+      g_autofree char *remote = NULL;
+      if (!ostree_parse_refspec (refspec, &remote, NULL, NULL))
+        return FALSE;
+      if (remote == NULL)
+        return glnx_throw (error, "Cannot verify deployment without remote");
+
+      g_autoptr(GBytes) commit_data = g_variant_get_data_as_bytes (commit);
+      g_autoptr(GBytes) commit_detached_metadata_bytes = 
+        commit_detached_metadata ? g_variant_get_data_as_bytes (commit_detached_metadata) : NULL;
+      g_autofree char *verify_text = NULL;
+      if (!ostree_repo_signature_verify_commit_data (repo, remote, commit_data, commit_detached_metadata_bytes, 0, &verify_text, error))
+        return FALSE;
+      g_print ("%s\n", verify_text);
+    }
 
   return TRUE;
 }

tests/.gitignore

@@ -24,3 +24,4 @@ test-repo-finder-mount
 test-rfc2616-dates
 test-rollsum-cli
 test-kargs
+test-commit-sign-sh-ext

tests/test-admin-gpg.sh

@@ -148,4 +148,9 @@ ${CMD_PREFIX} ostree admin status > status.txt
 test -f status.txt
 assert_file_has_content status.txt "GPG: Signature made"
 assert_not_file_has_content status.txt "GPG: Can't check signature: public key not found"
+rm -f status.txt
+
+${CMD_PREFIX} ostree admin status --verify > status.txt
+assert_file_has_content status.txt "GPG: Signature made"
+rm -f status.txt
 echo 'ok gpg signature'

tests/test-commit-sign-sh-ext.c

@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.0+
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libglnx.h"
+#include <ostree.h>
+
+static void
+assert_error_contains (GError **error, const char *msg)
+{
+  g_assert (error != NULL);
+  GError *actual = *error;
+  g_assert (actual != NULL);
+  if (strstr (actual->message, msg) == NULL)
+    g_error ("%s does not contain %s", actual->message, msg);
+  g_clear_error (error);
+}
+
+// Perhaps in the future we hook this up to a fuzzer
+static GBytes *
+corrupt (GBytes *input)
+{
+  gsize len = 0;
+  const guint8 *buf = g_bytes_get_data (input, &len);
+  g_assert_cmpint (len, >, 0);
+  g_assert_cmpint (len, <, G_MAXINT);
+  g_autofree char *newbuf = g_memdup (buf, len);
+  int o = g_random_int_range (0, len);
+  newbuf[o] = (newbuf[0] + 1);
+
+  return g_bytes_new_take (g_steal_pointer (&newbuf), len);
+}
+
+static gboolean
+run (GError **error)
+{
+  g_autoptr(OstreeRepo) repo = ostree_repo_open_at (AT_FDCWD, "repo", NULL, error);
+  if (!repo)
+    return FALSE;
+
+  g_autofree char *rev = NULL;
+  if (!ostree_repo_resolve_rev (repo, "origin:main", FALSE, &rev, error))
+    return FALSE;
+  g_assert (rev);
+  g_autoptr(GVariant) commit = NULL;
+  if (!ostree_repo_load_variant (repo, OSTREE_OBJECT_TYPE_COMMIT, rev, &commit, error))
+    return FALSE;
+  g_assert (commit);
+
+  g_autoptr(GVariant) detached_meta = NULL;
+  if (!ostree_repo_read_commit_detached_metadata (repo, rev, &detached_meta, NULL, error))
+    return FALSE;
+  g_assert (detached_meta);
+
+  g_autoptr(GBytes) commit_bytes = g_variant_get_data_as_bytes (commit);
+  g_autoptr(GBytes) detached_meta_bytes = g_variant_get_data_as_bytes (detached_meta);
+  g_autofree char *verify_report = NULL;
+  if (!ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes, 0, 
+                                                 &verify_report, error))
+    return FALSE;
+
+  if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes, 
+                                                OSTREE_REPO_VERIFY_FLAGS_NO_GPG | OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI, 
+                                                &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "No commit verification types enabled");
+
+  // No signatures
+  g_autoptr(GBytes) empty = g_bytes_new_static ("", 0);
+  if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, empty, 0, 
+                                                 &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "no signatures found");
+  // No such remote
+  if (ostree_repo_signature_verify_commit_data (repo, "nosuchremote", commit_bytes, detached_meta_bytes, 0, 
+                                                 &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "Remote \"nosuchremote\" not found");
+
+  // Corrupted commit
+  g_autoptr(GBytes) corrupted_commit = corrupt (commit_bytes);
+  if (ostree_repo_signature_verify_commit_data (repo, "origin", corrupted_commit, detached_meta_bytes, 0, 
+                                                 &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "BAD signature");
+
+  return TRUE;
+}
+
+int
+main (int argc, char **argv)
+{
+  g_autoptr(GError) error = NULL;
+  if (!run (&error))
+    {
+      g_printerr ("error: %s\n", error->message);
+      exit (1);
+    }
+}

tests/test-commit-sign.sh

@@ -28,7 +28,7 @@ if ! has_gpgme; then
     exit 0
 fi
 
-echo "1..6"
+echo "1..7"
 
 keyid="472CDAFA"
 oldpwd=`pwd`
@@ -85,9 +85,15 @@ ${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/g
 ${CMD_PREFIX} ostree --repo=repo pull origin main
 ${CMD_PREFIX} ostree --repo=repo show --gpg-verify-remote=origin main > show.txt
 assert_file_has_content_literal show.txt 'Found 1 signature'
-rm repo -rf
 echo "ok pull verify"
 
+# Run tests written in C
+${OSTREE_UNINSTALLED}/tests/test-commit-sign-sh-ext
+echo "ok extra C tests"
+
+# Clean things up and reinit
+rm repo -rf
+
 # A test with corrupted detached signature
 cd ${test_tmpdir}
 find ${test_tmpdir}/ostree-srv/gnomerepo -name '*.commitmeta' | while read fname; do