diff --git a/Makefile-tests.am b/Makefile-tests.am index 81fe2b76..efbcad9a 100644 --- a/Makefile-tests.am +++ b/Makefile-tests.am @@ -391,6 +391,10 @@ tests_test_rfc2616_dates_SOURCES = \ tests_test_rfc2616_dates_CFLAGS = $(TESTS_CFLAGS) tests_test_rfc2616_dates_LDADD = $(TESTS_LDADD) +noinst_PROGRAMS += tests/test-commit-sign-sh-ext +tests_test_commit_sign_sh_ext_CFLAGS = $(TESTS_CFLAGS) +tests_test_commit_sign_sh_ext_LDADD = $(TESTS_LDADD) + if USE_GPGME tests_test_gpg_verify_result_SOURCES = \ src/libostree/ostree-gpg-verify-result-private.h \ diff --git a/apidoc/ostree-sections.txt b/apidoc/ostree-sections.txt index 4d027555..f0901f21 100644 --- a/apidoc/ostree-sections.txt +++ b/apidoc/ostree-sections.txt @@ -474,6 +474,7 @@ ostree_repo_append_gpg_signature ostree_repo_add_gpg_signature_summary ostree_repo_gpg_sign_data ostree_repo_gpg_verify_data +ostree_repo_signature_verify_commit_data ostree_repo_verify_commit ostree_repo_verify_commit_ext ostree_repo_verify_commit_for_remote diff --git a/src/libostree/libostree-devel.sym b/src/libostree/libostree-devel.sym index 75bc4647..7e6f7784 100644 --- a/src/libostree/libostree-devel.sym +++ b/src/libostree/libostree-devel.sym @@ -25,6 +25,7 @@ LIBOSTREE_2021.4 { global: ostree_repo_remote_get_gpg_keys; + ostree_repo_signature_verify_commit_data; } LIBOSTREE_2021.3; /* Stub section for the stable release *after* this development one; don't diff --git a/src/libostree/ostree-repo-pull-verify.c b/src/libostree/ostree-repo-pull-verify.c index fa170f94..e469dc0b 100644 --- a/src/libostree/ostree-repo-pull-verify.c +++ b/src/libostree/ostree-repo-pull-verify.c @@ -270,6 +270,7 @@ _sign_verify_for_remote (GPtrArray *verifiers, g_assert (out_success_message == NULL || *out_success_message == NULL); + g_assert (verifiers); g_assert_cmpuint (verifiers->len, >=, 1); for (guint i = 0; i < verifiers->len; i++) { @@ -346,6 +347,120 @@ _process_gpg_verify_result (OtPullData *pull_data, } #endif /* OSTREE_DISABLE_GPGME */ +static gboolean +validate_metadata_size (const char *prefix, GBytes *buf, GError **error) +{ + gsize len = g_bytes_get_size (buf); + if (len > OSTREE_MAX_METADATA_SIZE) + return glnx_throw (error, "%s is %" G_GUINT64_FORMAT " bytes, exceeding maximum %" G_GUINT64_FORMAT, prefix, (guint64)len, (guint64)OSTREE_MAX_METADATA_SIZE); + return TRUE; +} + +/** + * ostree_repo_signature_verify_commit_data: + * @self: Repo + * @remote_name: Name of remote + * @commit_data: Commit object data (GVariant) + * @commit_metadata: Commit metadata (GVariant `a{sv}`), must contain at least one valid signature + * @flags: Optionally disable GPG or signapi + * @out_results: (nullable) (out) (transfer full): Textual description of results + * @error: Error + * + * Validate the commit data using the commit metadata which must + * contain at least one valid signature. If GPG and signapi are + * both enabled, then both must find at least one valid signature. + */ +gboolean +ostree_repo_signature_verify_commit_data (OstreeRepo *self, + const char *remote_name, + GBytes *commit_data, + GBytes *commit_metadata, + OstreeRepoVerifyFlags flags, + char **out_results, + GError **error) +{ + g_assert (self); + g_assert (remote_name); + g_assert (commit_data); + + gboolean gpg = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_GPG); + gboolean signapi = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI); + // Must ask for at least one type of verification + if (!(gpg || signapi)) + return glnx_throw (error, "No commit verification types enabled via API"); + + if (!validate_metadata_size ("Commit", commit_data, error)) + return FALSE; + /* Nothing to check if detached metadata is absent */ + if (commit_metadata == NULL) + return glnx_throw (error, "Can't verify commit without detached metadata"); + if (!validate_metadata_size ("Commit metadata", commit_metadata, error)) + return FALSE; + g_autoptr(GVariant) commit_metadata_v = g_variant_new_from_bytes (G_VARIANT_TYPE_VARDICT, commit_metadata, FALSE); + + g_autoptr(GString) results_buf = g_string_new (""); + gboolean verified = FALSE; + + if (gpg) + { + if (!ostree_repo_remote_get_gpg_verify (self, remote_name, + &gpg, error)) + return FALSE; + } + + /* TODO - we could cache this in the repo */ + g_autoptr(GPtrArray) signapi_verifiers = NULL; + if (signapi) + { + if (!_signapi_init_for_remote (self, remote_name, &signapi_verifiers, NULL, error)) + return FALSE; + } + + if (!(gpg || signapi_verifiers)) + return glnx_throw (error, "Cannot verify commit for remote %s; GPG verification disabled, and no signapi verifiers configured", remote_name); + +#ifndef OSTREE_DISABLE_GPGME + if (gpg) + { + g_autoptr(OstreeGpgVerifyResult) result = + _ostree_repo_gpg_verify_with_metadata (self, commit_data, + commit_metadata_v, + remote_name, + NULL, NULL, NULL, error); + if (!result) + return FALSE; + if (!ostree_gpg_verify_result_require_valid_signature (result, error)) + return FALSE; + + const guint n_signatures = ostree_gpg_verify_result_count_all (result); + g_assert_cmpuint (n_signatures, >, 0); + for (guint jj = 0; jj < n_signatures; jj++) + { + ostree_gpg_verify_result_describe (result, jj, results_buf, "GPG: ", + OSTREE_GPG_SIGNATURE_FORMAT_DEFAULT); + } + verified = TRUE; + } +#endif /* OSTREE_DISABLE_GPGME */ + + if (signapi_verifiers) + { + g_autofree char *success_message = NULL; + if (!_sign_verify_for_remote (signapi_verifiers, commit_data, commit_metadata_v, &success_message, error)) + return glnx_prefix_error (error, "Can't verify commit"); + if (verified) + g_string_append_c (results_buf, '\n'); + g_string_append (results_buf, success_message); + verified = TRUE; + } + + /* Must be true since we did g_assert (gpg || signapi) */ + g_assert (verified); + if (out_results) + *out_results = g_string_free (g_steal_pointer (&results_buf), FALSE); + return TRUE; +} + gboolean _verify_unwritten_commit (OtPullData *pull_data, const char *checksum, diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h index 962fa8cc..522cb034 100644 --- a/src/libostree/ostree-repo.h +++ b/src/libostree/ostree-repo.h @@ -1538,6 +1538,29 @@ OstreeGpgVerifyResult * ostree_repo_verify_summary (OstreeRepo *self, GCancellable *cancellable, GError **error); +/** + * OstreeRepoVerifyFlags: + * @OSTREE_REPO_VERIFY_FLAGS_NONE: No flags + * @OSTREE_REPO_VERIFY_FLAGS_NO_GPG: Skip GPG verification + * @OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI: Skip all other signature verification methods + * + * Since: 2021.4 + */ +typedef enum { + OSTREE_REPO_VERIFY_FLAGS_NONE = 0, + OSTREE_REPO_VERIFY_FLAGS_NO_GPG = (1 << 0), + OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI = (1 << 1), +} OstreeRepoVerifyFlags; + +_OSTREE_PUBLIC +gboolean ostree_repo_signature_verify_commit_data (OstreeRepo *self, + const char *remote_name, + GBytes *commit_data, + GBytes *commit_metadata, + OstreeRepoVerifyFlags flags, + char **out_results, + GError **error); + _OSTREE_PUBLIC gboolean ostree_repo_regenerate_summary (OstreeRepo *self, GVariant *additional_metadata, diff --git a/src/ostree/ot-admin-builtin-status.c b/src/ostree/ot-admin-builtin-status.c index c6c52382..8b2325d5 100644 --- a/src/ostree/ot-admin-builtin-status.c +++ b/src/ostree/ot-admin-builtin-status.c @@ -31,7 +31,10 @@ #include +static gboolean opt_verify; + static GOptionEntry options[] = { + { "verify", 'V', 0, G_OPTION_ARG_NONE, &opt_verify, "Print the commit verification status", NULL }, { NULL } }; @@ -86,6 +89,12 @@ deployment_print_status (OstreeSysroot *sysroot, g_autoptr(GVariant) commit_metadata = NULL; if (commit) commit_metadata = g_variant_get_child_value (commit, 0); + g_autoptr(GVariant) commit_detached_metadata = NULL; + if (commit) + { + if (!ostree_repo_read_commit_detached_metadata (repo, ref, &commit_detached_metadata, cancellable, error)) + return FALSE; + } const char *version = NULL; const char *source_title = NULL; @@ -139,7 +148,7 @@ deployment_print_status (OstreeSysroot *sysroot, } #ifndef OSTREE_DISABLE_GPGME - if (deployment_get_gpg_verify (deployment, repo)) + if (!opt_verify && deployment_get_gpg_verify (deployment, repo)) { g_autoptr(GString) output_buffer = g_string_sized_new (256); /* Print any digital signatures on this commit. */ @@ -172,6 +181,31 @@ deployment_print_status (OstreeSysroot *sysroot, g_print ("%s", output_buffer->str); } #endif /* OSTREE_DISABLE_GPGME */ + if (opt_verify) + { + if (!commit) + return glnx_throw (error, "Cannot verify, failed to load commit"); + + if (origin == NULL) + return glnx_throw (error, "Cannot verify deployment with no origin"); + + g_autofree char *refspec = g_key_file_get_string (origin, "origin", "refspec", NULL); + if (refspec == NULL) + return glnx_throw (error, "No origin/refspec, cannot verify"); + g_autofree char *remote = NULL; + if (!ostree_parse_refspec (refspec, &remote, NULL, NULL)) + return FALSE; + if (remote == NULL) + return glnx_throw (error, "Cannot verify deployment without remote"); + + g_autoptr(GBytes) commit_data = g_variant_get_data_as_bytes (commit); + g_autoptr(GBytes) commit_detached_metadata_bytes = + commit_detached_metadata ? g_variant_get_data_as_bytes (commit_detached_metadata) : NULL; + g_autofree char *verify_text = NULL; + if (!ostree_repo_signature_verify_commit_data (repo, remote, commit_data, commit_detached_metadata_bytes, 0, &verify_text, error)) + return FALSE; + g_print ("%s\n", verify_text); + } return TRUE; } diff --git a/tests/.gitignore b/tests/.gitignore index 938c169f..6355c8df 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -24,3 +24,4 @@ test-repo-finder-mount test-rfc2616-dates test-rollsum-cli test-kargs +test-commit-sign-sh-ext diff --git a/tests/test-admin-gpg.sh b/tests/test-admin-gpg.sh index 2167f673..bd34aae4 100755 --- a/tests/test-admin-gpg.sh +++ b/tests/test-admin-gpg.sh @@ -148,4 +148,9 @@ ${CMD_PREFIX} ostree admin status > status.txt test -f status.txt assert_file_has_content status.txt "GPG: Signature made" assert_not_file_has_content status.txt "GPG: Can't check signature: public key not found" +rm -f status.txt + +${CMD_PREFIX} ostree admin status --verify > status.txt +assert_file_has_content status.txt "GPG: Signature made" +rm -f status.txt echo 'ok gpg signature' diff --git a/tests/test-commit-sign-sh-ext.c b/tests/test-commit-sign-sh-ext.c new file mode 100644 index 00000000..b5c5dcc6 --- /dev/null +++ b/tests/test-commit-sign-sh-ext.c @@ -0,0 +1,118 @@ +/* + * Copyright (C) 2021 Red Hat, Inc. + * + * SPDX-License-Identifier: LGPL-2.0+ + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the + * Free Software Foundation, Inc., 59 Temple Place - Suite 330, + * Boston, MA 02111-1307, USA. + */ + +#include "config.h" + +#include "libglnx.h" +#include + +static void +assert_error_contains (GError **error, const char *msg) +{ + g_assert (error != NULL); + GError *actual = *error; + g_assert (actual != NULL); + if (strstr (actual->message, msg) == NULL) + g_error ("%s does not contain %s", actual->message, msg); + g_clear_error (error); +} + +// Perhaps in the future we hook this up to a fuzzer +static GBytes * +corrupt (GBytes *input) +{ + gsize len = 0; + const guint8 *buf = g_bytes_get_data (input, &len); + g_assert_cmpint (len, >, 0); + g_assert_cmpint (len, <, G_MAXINT); + g_autofree char *newbuf = g_memdup (buf, len); + int o = g_random_int_range (0, len); + newbuf[o] = (newbuf[0] + 1); + + return g_bytes_new_take (g_steal_pointer (&newbuf), len); +} + +static gboolean +run (GError **error) +{ + g_autoptr(OstreeRepo) repo = ostree_repo_open_at (AT_FDCWD, "repo", NULL, error); + if (!repo) + return FALSE; + + g_autofree char *rev = NULL; + if (!ostree_repo_resolve_rev (repo, "origin:main", FALSE, &rev, error)) + return FALSE; + g_assert (rev); + g_autoptr(GVariant) commit = NULL; + if (!ostree_repo_load_variant (repo, OSTREE_OBJECT_TYPE_COMMIT, rev, &commit, error)) + return FALSE; + g_assert (commit); + + g_autoptr(GVariant) detached_meta = NULL; + if (!ostree_repo_read_commit_detached_metadata (repo, rev, &detached_meta, NULL, error)) + return FALSE; + g_assert (detached_meta); + + g_autoptr(GBytes) commit_bytes = g_variant_get_data_as_bytes (commit); + g_autoptr(GBytes) detached_meta_bytes = g_variant_get_data_as_bytes (detached_meta); + g_autofree char *verify_report = NULL; + if (!ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes, 0, + &verify_report, error)) + return FALSE; + + if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes, + OSTREE_REPO_VERIFY_FLAGS_NO_GPG | OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI, + &verify_report, error)) + g_error ("Should not have validated"); + assert_error_contains (error, "No commit verification types enabled"); + + // No signatures + g_autoptr(GBytes) empty = g_bytes_new_static ("", 0); + if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, empty, 0, + &verify_report, error)) + g_error ("Should not have validated"); + assert_error_contains (error, "no signatures found"); + // No such remote + if (ostree_repo_signature_verify_commit_data (repo, "nosuchremote", commit_bytes, detached_meta_bytes, 0, + &verify_report, error)) + g_error ("Should not have validated"); + assert_error_contains (error, "Remote \"nosuchremote\" not found"); + + // Corrupted commit + g_autoptr(GBytes) corrupted_commit = corrupt (commit_bytes); + if (ostree_repo_signature_verify_commit_data (repo, "origin", corrupted_commit, detached_meta_bytes, 0, + &verify_report, error)) + g_error ("Should not have validated"); + assert_error_contains (error, "BAD signature"); + + return TRUE; +} + +int +main (int argc, char **argv) +{ + g_autoptr(GError) error = NULL; + if (!run (&error)) + { + g_printerr ("error: %s\n", error->message); + exit (1); + } +} diff --git a/tests/test-commit-sign.sh b/tests/test-commit-sign.sh index e9e7a6da..c3f9ce63 100755 --- a/tests/test-commit-sign.sh +++ b/tests/test-commit-sign.sh @@ -28,7 +28,7 @@ if ! has_gpgme; then exit 0 fi -echo "1..6" +echo "1..7" keyid="472CDAFA" oldpwd=`pwd` @@ -85,9 +85,15 @@ ${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/g ${CMD_PREFIX} ostree --repo=repo pull origin main ${CMD_PREFIX} ostree --repo=repo show --gpg-verify-remote=origin main > show.txt assert_file_has_content_literal show.txt 'Found 1 signature' -rm repo -rf echo "ok pull verify" +# Run tests written in C +${OSTREE_UNINSTALLED}/tests/test-commit-sign-sh-ext +echo "ok extra C tests" + +# Clean things up and reinit +rm repo -rf + # A test with corrupted detached signature cd ${test_tmpdir} find ${test_tmpdir}/ostree-srv/gnomerepo -name '*.commitmeta' | while read fname; do