Implement inline package signature verification. This replaces calling out to an external gpg command for verification with inline verification using the security/netpgpverify library. Bump version to 20150901.
diff -r1.208 -r1.209 pkgsrc/pkgtools/pkg_install/Makefile
(jperkin)
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | # $NetBSD: Makefile,v 1.208 2015/04/21 00:28:19 joerg Exp $ | 1 | # $NetBSD: Makefile,v 1.209 2015/09/01 12:14:05 jperkin Exp $ | |
2 | 2 | |||
3 | # Notes to package maintainers: | 3 | # Notes to package maintainers: | |
4 | # | 4 | # | |
5 | # Updating this package does not automatically necessitate bumping | 5 | # Updating this package does not automatically necessitate bumping | |
6 | # PKGTOOLS_REQD in bsd.pkg.mk. Do so if and only if there is a critical | 6 | # PKGTOOLS_REQD in bsd.pkg.mk. Do so if and only if there is a critical | |
7 | # change in the pkg_* tools that pkgsrc relies on for proper operation. | 7 | # change in the pkg_* tools that pkgsrc relies on for proper operation. | |
8 | 8 | |||
9 | PKGNAME= pkg_install-${VERSION} | 9 | PKGNAME= pkg_install-${VERSION} | |
10 | CATEGORIES= pkgtools | 10 | CATEGORIES= pkgtools | |
11 | 11 | |||
12 | MAINTAINER= agc@NetBSD.org | 12 | MAINTAINER= agc@NetBSD.org | |
13 | HOMEPAGE= http://www.pkgsrc.org/ | 13 | HOMEPAGE= http://www.pkgsrc.org/ | |
14 | COMMENT= Package management and administration tools for pkgsrc | 14 | COMMENT= Package management and administration tools for pkgsrc | |
@@ -118,26 +118,27 @@ CONFIGURE_ARGS+= --with-ssl | @@ -118,26 +118,27 @@ CONFIGURE_ARGS+= --with-ssl | |||
118 | 118 | |||
119 | .include "../../security/openssl/buildlink3.mk" | 119 | .include "../../security/openssl/buildlink3.mk" | |
120 | .endif | 120 | .endif | |
121 | 121 | |||
122 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) || \ | 122 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) || \ | |
123 | empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | 123 | empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | |
124 | USE_BUILTIN.libarchive= no | 124 | USE_BUILTIN.libarchive= no | |
125 | .endif | 125 | .endif | |
126 | 126 | |||
127 | FILESDIR.bzip2?= ${.CURDIR}/../../archivers/bzip2/files | 127 | FILESDIR.bzip2?= ${.CURDIR}/../../archivers/bzip2/files | |
128 | FILESDIR.libarchive?= ${.CURDIR}/../../archivers/libarchive/files | 128 | FILESDIR.libarchive?= ${.CURDIR}/../../archivers/libarchive/files | |
129 | FILESDIR.zlib?= ${.CURDIR}/../../devel/zlib/files | 129 | FILESDIR.zlib?= ${.CURDIR}/../../devel/zlib/files | |
130 | FILESDIR.libfetch?= ${.CURDIR}/../../net/libfetch/files | 130 | FILESDIR.libfetch?= ${.CURDIR}/../../net/libfetch/files | |
131 | FILESDIR.netpgpverify?= ${.CURDIR}/../../security/netpgpverify/files | |||
131 | 132 | |||
132 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) | 133 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) | |
133 | CPPFLAGS+= -I${WRKDIR}/bzip2 | 134 | CPPFLAGS+= -I${WRKDIR}/bzip2 | |
134 | LDFLAGS+= -L${WRKDIR}/bzip2 | 135 | LDFLAGS+= -L${WRKDIR}/bzip2 | |
135 | .endif | 136 | .endif | |
136 | .if empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | 137 | .if empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | |
137 | CPPFLAGS+= -I${WRKDIR}/zlib | 138 | CPPFLAGS+= -I${WRKDIR}/zlib | |
138 | LDFLAGS+= -L${WRKDIR}/zlib | 139 | LDFLAGS+= -L${WRKDIR}/zlib | |
139 | .endif | 140 | .endif | |
140 | .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS]) | 141 | .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS]) | |
141 | CPPFLAGS+= -I${WRKDIR}/libarchive/libarchive | 142 | CPPFLAGS+= -I${WRKDIR}/libarchive/libarchive | |
142 | LDFLAGS+= -L${WRKDIR}/libarchive/.libs | 143 | LDFLAGS+= -L${WRKDIR}/libarchive/.libs | |
143 | 144 | |||
@@ -166,64 +167,73 @@ CPPFLAGS+= -DLIBARCHIVE_STATIC | @@ -166,64 +167,73 @@ CPPFLAGS+= -DLIBARCHIVE_STATIC | |||
166 | LDFLAGS+= -Wl,-search_paths_first | 167 | LDFLAGS+= -Wl,-search_paths_first | |
167 | . endif | 168 | . endif | |
168 | 169 | |||
169 | . if ${OPSYS} == "SunOS" | 170 | . if ${OPSYS} == "SunOS" | |
170 | # workaround for pkg/45491 | 171 | # workaround for pkg/45491 | |
171 | CONFIGURE_ENV+= ac_cv_header_ext2fs_ext2_fs_h=no | 172 | CONFIGURE_ENV+= ac_cv_header_ext2fs_ext2_fs_h=no | |
172 | . endif | 173 | . endif | |
173 | 174 | |||
174 | # Hack to make sure that the libarchive version is replaced | 175 | # Hack to make sure that the libarchive version is replaced | |
175 | pre-configure: config-guess-override config-sub-override | 176 | pre-configure: config-guess-override config-sub-override | |
176 | .endif | 177 | .endif | |
177 | CPPFLAGS+= -I${WRKDIR}/libfetch | 178 | CPPFLAGS+= -I${WRKDIR}/libfetch | |
178 | LDFLAGS+= -L${WRKDIR}/libfetch | 179 | LDFLAGS+= -L${WRKDIR}/libfetch | |
180 | # Avoid duplicate and conflicting headers, pull in any we need | |||
181 | # directly with <netpgpgverify/*.h> | |||
182 | CPPFLAGS+= -I${WRKDIR} | |||
183 | LDFLAGS+= -L${WRKDIR}/netpgpverify | |||
179 | 184 | |||
180 | CONFIGURE_ENV+= LIBS=${LIBS:Q} | 185 | CONFIGURE_ENV+= LIBS=${LIBS:Q} | |
181 | 186 | |||
182 | do-extract: | 187 | do-extract: | |
183 | @${CP} -R ${FILESDIR} ${WRKSRC} | 188 | @${CP} -R ${FILESDIR} ${WRKSRC} | |
184 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) | 189 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) | |
185 | @${CP} -R ${FILESDIR.bzip2} ${WRKDIR}/bzip2 | 190 | @${CP} -R ${FILESDIR.bzip2} ${WRKDIR}/bzip2 | |
186 | .endif | 191 | .endif | |
187 | .if empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | 192 | .if empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | |
188 | @${CP} -R ${FILESDIR.zlib} ${WRKDIR}/zlib | 193 | @${CP} -R ${FILESDIR.zlib} ${WRKDIR}/zlib | |
189 | .endif | 194 | .endif | |
190 | .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS]) | 195 | .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS]) | |
191 | @${CP} -R ${FILESDIR.libarchive} ${WRKDIR}/libarchive | 196 | @${CP} -R ${FILESDIR.libarchive} ${WRKDIR}/libarchive | |
192 | .endif | 197 | .endif | |
193 | @${CP} -R ${FILESDIR.libfetch} ${WRKDIR}/libfetch | 198 | @${CP} -R ${FILESDIR.libfetch} ${WRKDIR}/libfetch | |
199 | @${CP} -R ${FILESDIR.netpgpverify} ${WRKDIR}/netpgpverify | |||
194 | 200 | |||
195 | pre-configure: | 201 | pre-configure: | |
196 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) | 202 | .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) | |
197 | cd ${WRKDIR}/bzip2 && ${BUILD_MAKE_CMD} libbz2.a | 203 | cd ${WRKDIR}/bzip2 && ${BUILD_MAKE_CMD} libbz2.a | |
198 | .endif | 204 | .endif | |
199 | .if empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | 205 | .if empty(USE_BUILTIN.zlib:M[yY][eE][sS]) | |
200 | cd ${WRKDIR}/zlib && ${BUILD_MAKE_CMD} libz.a | 206 | cd ${WRKDIR}/zlib && ${BUILD_MAKE_CMD} libz.a | |
201 | .endif | 207 | .endif | |
202 | .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS]) | 208 | .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS]) | |
203 | cd ${WRKDIR}/libarchive && ${SETENV} ${_CONFIGURE_SCRIPT_ENV} \ | 209 | cd ${WRKDIR}/libarchive && ${SETENV} ${_CONFIGURE_SCRIPT_ENV} \ | |
204 | ${CONFIG_SHELL} ${CONFIG_SHELL_FLAGS} ./configure \ | 210 | ${CONFIG_SHELL} ${CONFIG_SHELL_FLAGS} ./configure \ | |
205 | --disable-bsdcpio --disable-bsdtar --disable-shared \ | 211 | --disable-bsdcpio --disable-bsdtar --disable-shared \ | |
206 | --disable-dependency-tracking --without-expat \ | 212 | --disable-dependency-tracking --without-expat \ | |
207 | --without-iconv --without-lzo2 --without-nettle \ | 213 | --without-iconv --without-lzo2 --without-nettle \ | |
208 | --without-xml2 \ | 214 | --without-xml2 \ | |
209 | ${LIBARCHIVE_CONFIGURE_ARGS} | 215 | ${LIBARCHIVE_CONFIGURE_ARGS} | |
210 | cd ${WRKDIR}/libarchive && ${BUILD_MAKE_CMD} | 216 | cd ${WRKDIR}/libarchive && ${BUILD_MAKE_CMD} | |
211 | .endif | 217 | .endif | |
212 | cd ${WRKDIR}/libfetch && ${TOUCH} fetch.cat3 && \ | 218 | cd ${WRKDIR}/libfetch && ${TOUCH} fetch.cat3 && \ | |
213 | ${SETENV} ${MAKE_ENV} ${BSD_MAKE_ENV} \ | 219 | ${SETENV} ${MAKE_ENV} ${BSD_MAKE_ENV} \ | |
214 | ${MAKE_PROGRAM} ${MAKE_FLAGS} ${BUILD_MAKE_FLAGS} \ | 220 | ${MAKE_PROGRAM} ${MAKE_FLAGS} ${BUILD_MAKE_FLAGS} \ | |
215 | -f ${MAKE_FILE} depend all | 221 | -f ${MAKE_FILE} depend all | |
216 | 222 | cd ${WRKDIR}/netpgpverify && \ | ||
223 | ${SED} -e '/zlib/d' Makefile.lib.in >Makefile.in && \ | |||
224 | ./configure && ${SETENV} ${MAKE_ENV} ${BSD_MAKE_ENV} \ | |||
225 | ${MAKE_PROGRAM} ${MAKE_FLAGS} ${BUILD_MAKE_FLAGS} \ | |||
226 | -f ${MAKE_FILE} all | |||
217 | 227 | |||
218 | # XXX Reverse the order that update does things since | 228 | # XXX Reverse the order that update does things since | |
219 | # XXX we need pkg_delete built before we can deinstall. | 229 | # XXX we need pkg_delete built before we can deinstall. | |
220 | # XXX This should probably be the default order for all packages. | 230 | # XXX This should probably be the default order for all packages. | |
221 | update: | 231 | update: | |
222 | ${MAKE} | 232 | ${MAKE} | |
223 | ${MAKE} deinstall _UPDATE_RUNNING=YES | 233 | ${MAKE} deinstall _UPDATE_RUNNING=YES | |
224 | ${MAKE} ${UPDATE_TARGET} | 234 | ${MAKE} ${UPDATE_TARGET} | |
225 | ${MAKE} clean | 235 | ${MAKE} clean | |
226 | 236 | |||
227 | update-catpages: | 237 | update-catpages: | |
228 | for f in lib/pkgsrc.7 add/pkg_add.1 admin/pkg_admin.1 \ | 238 | for f in lib/pkgsrc.7 add/pkg_add.1 admin/pkg_admin.1 \ | |
229 | create/pkg_create.1 delete/pkg_delete.1 info/pkg_info.1 \ | 239 | create/pkg_create.1 delete/pkg_delete.1 info/pkg_info.1 \ |
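Review bot: The new netpgpverify step in pre-configure runs a bare `./configure`, whereas the libarchive step a few lines above wraps it in `${SETENV} ${_CONFIGURE_SCRIPT_ENV} ${CONFIG_SHELL} ${CONFIG_SHELL_FLAGS}`, so the compiler, flags and bootstrap settings pkgsrc exports are not passed to the library that now performs package signature verification and is linked into every pkg_* tool. Invoke it the same way: `./configure` → `${SETENV} ${_CONFIGURE_SCRIPT_ENV} ${CONFIG_SHELL} ${CONFIG_SHELL_FLAGS} ./configure`. The `${SED} -e '/zlib/d' Makefile.lib.in` deletes every line of Makefile.lib.in mentioning zlib, not one specific line, so a comment naming its intent, e.g. `# strip netpgpverify's bundled zlib objects; presumably the pkgsrc/builtin zlib is used instead -- confirm on update`, would keep the next netpgpverify update from breaking this silently. Note also that the library sources are copied into ${WRKDIR} and linked from there, so a fix in security/netpgpverify only reaches installed pkg_install binaries through a new pkg_install release; worth stating in the maintainer notes at the top of this Makefile.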
@@ -1,36 +1,36 @@ | @@ -1,36 +1,36 @@ | |||
1 | # $NetBSD: Makefile.in,v 1.29 2015/01/22 09:19:47 jperkin Exp $ | 1 | # $NetBSD: Makefile.in,v 1.30 2015/09/01 12:14:06 jperkin Exp $ | |
2 | 2 | |||
3 | srcdir= @srcdir@ | 3 | srcdir= @srcdir@ | |
4 | 4 | |||
5 | prefix= @prefix@ | 5 | prefix= @prefix@ | |
6 | exec_prefix= @exec_prefix@ | 6 | exec_prefix= @exec_prefix@ | |
7 | sbindir= @sbindir@ | 7 | sbindir= @sbindir@ | |
8 | mandir= @mandir@ | 8 | mandir= @mandir@ | |
9 | datarootdir= @datarootdir@ | 9 | datarootdir= @datarootdir@ | |
10 | 10 | |||
11 | man1dir= $(mandir)/man1 | 11 | man1dir= $(mandir)/man1 | |
12 | cat1dir= $(mandir)/cat1 | 12 | cat1dir= $(mandir)/cat1 | |
13 | 13 | |||
14 | CC= @CC@ | 14 | CC= @CC@ | |
15 | CCLD= $(CC) | 15 | CCLD= $(CC) | |
16 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | 16 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | |
17 | DEFS= @DEFS@ -DOPSYS_NAME=\"$(OPSYS)\" -DMACHINE_ARCH=\"$(MACHINE_ARCH)\" -DBINDIR=\"$(sbindir)\" | 17 | DEFS= @DEFS@ -DOPSYS_NAME=\"$(OPSYS)\" -DMACHINE_ARCH=\"$(MACHINE_ARCH)\" -DBINDIR=\"$(sbindir)\" | |
18 | CFLAGS= @CFLAGS@ | 18 | CFLAGS= @CFLAGS@ | |
19 | LDFLAGS= @LDFLAGS@ -L../lib | 19 | LDFLAGS= @LDFLAGS@ -L../lib | |
20 | 20 | |||
21 | SSL_SUPPORT= @ssl_support@ | 21 | SSL_SUPPORT= @ssl_support@ | |
22 | 22 | |||
23 | LIBS= -linstall -larchive -lfetch | 23 | LIBS= -linstall -larchive -lfetch -lnetpgpverify | |
24 | .if !empty(SSL_SUPPORT) | 24 | .if !empty(SSL_SUPPORT) | |
25 | LIBS+= -lssl -lcrypto | 25 | LIBS+= -lssl -lcrypto | |
26 | .endif | 26 | .endif | |
27 | LIBS+= @LIBS@ | 27 | LIBS+= @LIBS@ | |
28 | 28 | |||
29 | INSTALL= @INSTALL@ | 29 | INSTALL= @INSTALL@ | |
30 | 30 | |||
31 | PROG= pkg_add | 31 | PROG= pkg_add | |
32 | 32 | |||
33 | OBJS= main.o perform.o | 33 | OBJS= main.o perform.o | |
34 | 34 | |||
35 | all: $(PROG) | 35 | all: $(PROG) | |
36 | 36 |
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | # $NetBSD: Makefile.in,v 1.27 2015/01/22 09:19:47 jperkin Exp $ | 1 | # $NetBSD: Makefile.in,v 1.28 2015/09/01 12:14:06 jperkin Exp $ | |
2 | 2 | |||
3 | srcdir= @srcdir@ | 3 | srcdir= @srcdir@ | |
4 | 4 | |||
5 | prefix= @prefix@ | 5 | prefix= @prefix@ | |
6 | exec_prefix= @exec_prefix@ | 6 | exec_prefix= @exec_prefix@ | |
7 | sbindir= @sbindir@ | 7 | sbindir= @sbindir@ | |
8 | mandir= @mandir@ | 8 | mandir= @mandir@ | |
9 | datarootdir= @datarootdir@ | 9 | datarootdir= @datarootdir@ | |
10 | 10 | |||
11 | man1dir= $(mandir)/man1 | 11 | man1dir= $(mandir)/man1 | |
12 | cat1dir= $(mandir)/cat1 | 12 | cat1dir= $(mandir)/cat1 | |
13 | man8dir= $(mandir)/man8 | 13 | man8dir= $(mandir)/man8 | |
14 | cat8dir= $(mandir)/cat8 | 14 | cat8dir= $(mandir)/cat8 | |
@@ -18,27 +18,27 @@ SSL_SUPPORT= @ssl_support@ | @@ -18,27 +18,27 @@ SSL_SUPPORT= @ssl_support@ | |||
18 | 18 | |||
19 | CC= @CC@ | 19 | CC= @CC@ | |
20 | CCLD= $(CC) | 20 | CCLD= $(CC) | |
21 | DEFS= @DEFS@ | 21 | DEFS= @DEFS@ | |
22 | CFLAGS= @CFLAGS@ | 22 | CFLAGS= @CFLAGS@ | |
23 | LDFLAGS= @LDFLAGS@ -L../lib | 23 | LDFLAGS= @LDFLAGS@ -L../lib | |
24 | 24 | |||
25 | INSTALL= @INSTALL@ | 25 | INSTALL= @INSTALL@ | |
26 | 26 | |||
27 | PROG= pkg_admin | 27 | PROG= pkg_admin | |
28 | SCRIPTS= audit-packages download-vulnerability-list | 28 | SCRIPTS= audit-packages download-vulnerability-list | |
29 | 29 | |||
30 | .if empty(BOOTSTRAP) | 30 | .if empty(BOOTSTRAP) | |
31 | LIBS= -linstall -larchive -lfetch | 31 | LIBS= -linstall -larchive -lfetch -lnetpgpverify | |
32 | .if !empty(SSL_SUPPORT) | 32 | .if !empty(SSL_SUPPORT) | |
33 | LIBS+= -lssl -lcrypto | 33 | LIBS+= -lssl -lcrypto | |
34 | CFLAGS+= -DHAVE_SSL | 34 | CFLAGS+= -DHAVE_SSL | |
35 | .endif | 35 | .endif | |
36 | LIBS+= @LIBS@ | 36 | LIBS+= @LIBS@ | |
37 | OBJS= audit.o check.o main.o | 37 | OBJS= audit.o check.o main.o | |
38 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | 38 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | |
39 | .else | 39 | .else | |
40 | LIBS= -linstall @LIBS@ | 40 | LIBS= -linstall @LIBS@ | |
41 | OBJS= check.o main.o | 41 | OBJS= check.o main.o | |
42 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP | 42 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP | |
43 | .endif | 43 | .endif | |
44 | 44 |
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | # $NetBSD: Makefile.in,v 1.25 2015/01/22 09:19:47 jperkin Exp $ | 1 | # $NetBSD: Makefile.in,v 1.26 2015/09/01 12:14:06 jperkin Exp $ | |
2 | 2 | |||
3 | srcdir= @srcdir@ | 3 | srcdir= @srcdir@ | |
4 | 4 | |||
5 | prefix= @prefix@ | 5 | prefix= @prefix@ | |
6 | exec_prefix= @exec_prefix@ | 6 | exec_prefix= @exec_prefix@ | |
7 | sbindir= @sbindir@ | 7 | sbindir= @sbindir@ | |
8 | mandir= @mandir@ | 8 | mandir= @mandir@ | |
9 | datarootdir= @datarootdir@ | 9 | datarootdir= @datarootdir@ | |
10 | 10 | |||
11 | man1dir= $(mandir)/man1 | 11 | man1dir= $(mandir)/man1 | |
12 | cat1dir= $(mandir)/cat1 | 12 | cat1dir= $(mandir)/cat1 | |
13 | 13 | |||
14 | BOOTSTRAP= @bootstrap@ | 14 | BOOTSTRAP= @bootstrap@ | |
@@ -16,27 +16,27 @@ BOOTSTRAP= @bootstrap@ | @@ -16,27 +16,27 @@ BOOTSTRAP= @bootstrap@ | |||
16 | CC= @CC@ | 16 | CC= @CC@ | |
17 | CCLD= $(CC) | 17 | CCLD= $(CC) | |
18 | DEFS= @DEFS@ | 18 | DEFS= @DEFS@ | |
19 | CFLAGS= @CFLAGS@ | 19 | CFLAGS= @CFLAGS@ | |
20 | LDFLAGS= @LDFLAGS@ -L../lib | 20 | LDFLAGS= @LDFLAGS@ -L../lib | |
21 | 21 | |||
22 | INSTALL= @INSTALL@ | 22 | INSTALL= @INSTALL@ | |
23 | 23 | |||
24 | PROG= pkg_create | 24 | PROG= pkg_create | |
25 | 25 | |||
26 | SSL_SUPPORT= @ssl_support@ | 26 | SSL_SUPPORT= @ssl_support@ | |
27 | 27 | |||
28 | .if empty(BOOTSTRAP) | 28 | .if empty(BOOTSTRAP) | |
29 | LIBS= -linstall -larchive -lfetch @LIBS@ | 29 | LIBS= -linstall -larchive -lfetch -lnetpgpverify @LIBS@ | |
30 | .if !empty(SSL_SUPPORT) | 30 | .if !empty(SSL_SUPPORT) | |
31 | LIBS+= -lssl -lcrypto | 31 | LIBS+= -lssl -lcrypto | |
32 | .endif | 32 | .endif | |
33 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | 33 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | |
34 | OBJS= main.o perform.o pl.o util.o build.o | 34 | OBJS= main.o perform.o pl.o util.o build.o | |
35 | .else | 35 | .else | |
36 | LIBS= -linstall @LIBS@ | 36 | LIBS= -linstall @LIBS@ | |
37 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP | 37 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP | |
38 | OBJS= main.o perform.o pl.o util.o | 38 | OBJS= main.o perform.o pl.o util.o | |
39 | .endif | 39 | .endif | |
40 | 40 | |||
41 | all: $(PROG) | 41 | all: $(PROG) | |
42 | 42 |
@@ -1,31 +1,31 @@ | @@ -1,31 +1,31 @@ | |||
1 | # $NetBSD: Makefile.in,v 1.22 2015/01/22 09:19:47 jperkin Exp $ | 1 | # $NetBSD: Makefile.in,v 1.23 2015/09/01 12:14:06 jperkin Exp $ | |
2 | 2 | |||
3 | srcdir= @srcdir@ | 3 | srcdir= @srcdir@ | |
4 | 4 | |||
5 | prefix= @prefix@ | 5 | prefix= @prefix@ | |
6 | exec_prefix= @exec_prefix@ | 6 | exec_prefix= @exec_prefix@ | |
7 | sbindir= @sbindir@ | 7 | sbindir= @sbindir@ | |
8 | mandir= @mandir@ | 8 | mandir= @mandir@ | |
9 | datarootdir= @datarootdir@ | 9 | datarootdir= @datarootdir@ | |
10 | 10 | |||
11 | man1dir= $(mandir)/man1 | 11 | man1dir= $(mandir)/man1 | |
12 | cat1dir= $(mandir)/cat1 | 12 | cat1dir= $(mandir)/cat1 | |
13 | 13 | |||
14 | SSL_SUPPORT= @ssl_support@ | 14 | SSL_SUPPORT= @ssl_support@ | |
15 | 15 | |||
16 | CC= @CC@ | 16 | CC= @CC@ | |
17 | CCLD= $(CC) | 17 | CCLD= $(CC) | |
18 | LIBS= -linstall -larchive -lfetch @LIBS@ | 18 | LIBS= -linstall -larchive -lfetch -lnetpgpverify @LIBS@ | |
19 | 19 | |||
20 | .if !empty(SSL_SUPPORT) | 20 | .if !empty(SSL_SUPPORT) | |
21 | LIBS+= -lssl -lcrypto | 21 | LIBS+= -lssl -lcrypto | |
22 | .endif | 22 | .endif | |
23 | 23 | |||
24 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBINDIR=\"$(sbindir)\" | 24 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBINDIR=\"$(sbindir)\" | |
25 | DEFS= @DEFS@ | 25 | DEFS= @DEFS@ | |
26 | CFLAGS= @CFLAGS@ | 26 | CFLAGS= @CFLAGS@ | |
27 | LDFLAGS= @LDFLAGS@ -L../lib | 27 | LDFLAGS= @LDFLAGS@ -L../lib | |
28 | 28 | |||
29 | INSTALL= @INSTALL@ | 29 | INSTALL= @INSTALL@ | |
30 | 30 | |||
31 | PROG= pkg_delete | 31 | PROG= pkg_delete |
@@ -1,33 +1,33 @@ | @@ -1,33 +1,33 @@ | |||
1 | # $NetBSD: Makefile.in,v 1.28 2015/01/22 09:19:47 jperkin Exp $ | 1 | # $NetBSD: Makefile.in,v 1.29 2015/09/01 12:14:06 jperkin Exp $ | |
2 | 2 | |||
3 | srcdir= @srcdir@ | 3 | srcdir= @srcdir@ | |
4 | 4 | |||
5 | prefix= @prefix@ | 5 | prefix= @prefix@ | |
6 | exec_prefix= @exec_prefix@ | 6 | exec_prefix= @exec_prefix@ | |
7 | sbindir= @sbindir@ | 7 | sbindir= @sbindir@ | |
8 | mandir= @mandir@ | 8 | mandir= @mandir@ | |
9 | datarootdir= @datarootdir@ | 9 | datarootdir= @datarootdir@ | |
10 | 10 | |||
11 | man1dir= $(mandir)/man1 | 11 | man1dir= $(mandir)/man1 | |
12 | cat1dir= $(mandir)/cat1 | 12 | cat1dir= $(mandir)/cat1 | |
13 | 13 | |||
14 | BOOTSTRAP= @bootstrap@ | 14 | BOOTSTRAP= @bootstrap@ | |
15 | SSL_SUPPORT= @ssl_support@ | 15 | SSL_SUPPORT= @ssl_support@ | |
16 | 16 | |||
17 | CC= @CC@ | 17 | CC= @CC@ | |
18 | CCLD= $(CC) | 18 | CCLD= $(CC) | |
19 | .if empty(BOOTSTRAP) | 19 | .if empty(BOOTSTRAP) | |
20 | LIBS= -linstall -larchive -lfetch @LIBS@ | 20 | LIBS= -linstall -larchive -lfetch -lnetpgpverify @LIBS@ | |
21 | .if !empty(SSL_SUPPORT) | 21 | .if !empty(SSL_SUPPORT) | |
22 | LIBS+= -lssl -lcrypto | 22 | LIBS+= -lssl -lcrypto | |
23 | .endif | 23 | .endif | |
24 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | 24 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib | |
25 | .else | 25 | .else | |
26 | LIBS= -linstall @LIBS@ | 26 | LIBS= -linstall @LIBS@ | |
27 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP | 27 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP | |
28 | .endif | 28 | .endif | |
29 | DEFS= @DEFS@ | 29 | DEFS= @DEFS@ | |
30 | CFLAGS= @CFLAGS@ | 30 | CFLAGS= @CFLAGS@ | |
31 | LDFLAGS= @LDFLAGS@ -L../lib | 31 | LDFLAGS= @LDFLAGS@ -L../lib | |
32 | 32 | |||
33 | INSTALL= @INSTALL@ | 33 | INSTALL= @INSTALL@ |
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | # $NetBSD: Makefile.in,v 1.34 2013/09/12 11:03:10 jperkin Exp $ | 1 | # $NetBSD: Makefile.in,v 1.35 2015/09/01 12:14:06 jperkin Exp $ | |
2 | 2 | |||
3 | srcdir= @srcdir@ | 3 | srcdir= @srcdir@ | |
4 | 4 | |||
5 | pkgdbdir= @pkgdbdir@ | 5 | pkgdbdir= @pkgdbdir@ | |
6 | mandir= @mandir@ | 6 | mandir= @mandir@ | |
7 | datarootdir= @datarootdir@ | 7 | datarootdir= @datarootdir@ | |
8 | sysconfdir= @sysconfdir@ | 8 | sysconfdir= @sysconfdir@ | |
9 | 9 | |||
10 | cat5dir= $(mandir)/cat5 | 10 | cat5dir= $(mandir)/cat5 | |
11 | cat7dir= $(mandir)/cat7 | 11 | cat7dir= $(mandir)/cat7 | |
12 | man5dir= $(mandir)/man5 | 12 | man5dir= $(mandir)/man5 | |
13 | man7dir= $(mandir)/man7 | 13 | man7dir= $(mandir)/man7 | |
14 | 14 | |||
@@ -17,36 +17,36 @@ SSL_SUPPORT= @ssl_support@ | @@ -17,36 +17,36 @@ SSL_SUPPORT= @ssl_support@ | |||
17 | 17 | |||
18 | RANLIB= @RANLIB@ | 18 | RANLIB= @RANLIB@ | |
19 | AR= @AR@ | 19 | AR= @AR@ | |
20 | CC= @CC@ | 20 | CC= @CC@ | |
21 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) | 21 | CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) | |
22 | DEFS= @DEFS@ -DDEF_LOG_DIR=\"$(pkgdbdir)\" | 22 | DEFS= @DEFS@ -DDEF_LOG_DIR=\"$(pkgdbdir)\" | |
23 | CFLAGS= @CFLAGS@ | 23 | CFLAGS= @CFLAGS@ | |
24 | 24 | |||
25 | INSTALL= @INSTALL@ | 25 | INSTALL= @INSTALL@ | |
26 | 26 | |||
27 | LIB= libinstall.a | 27 | LIB= libinstall.a | |
28 | 28 | |||
29 | OBJS= automatic.o conflicts.o dewey.o fexec.o file.o \ | 29 | OBJS= automatic.o conflicts.o dewey.o fexec.o file.o \ | |
30 | gpgsig.o global.o iterate.o license.o lpkg.o opattern.o \ | 30 | global.o iterate.o license.o lpkg.o opattern.o \ | |
31 | parse-config.o pkgdb.o plist.o remove.o \ | 31 | parse-config.o pkgdb.o plist.o remove.o \ | |
32 | str.o var.o version.o vulnerabilities-file.o xwrapper.o | 32 | str.o var.o version.o vulnerabilities-file.o xwrapper.o | |
33 | 33 | |||
34 | CPPFLAGS+= -DSYSCONFDIR=\"$(sysconfdir)\" | 34 | CPPFLAGS+= -DSYSCONFDIR=\"$(sysconfdir)\" | |
35 | 35 | |||
36 | .if !empty(BOOTSTRAP) | 36 | .if !empty(BOOTSTRAP) | |
37 | CPPFLAGS+= -DBOOTSTRAP | 37 | CPPFLAGS+= -DBOOTSTRAP | |
38 | .else | 38 | .else | |
39 | OBJS+= pkg_io.o pkg_signature.o | 39 | OBJS+= gpgsig.o pkg_io.o pkg_signature.o | |
40 | .endif | 40 | .endif | |
41 | 41 | |||
42 | .if !empty(SSL_SUPPORT) | 42 | .if !empty(SSL_SUPPORT) | |
43 | CPPFLAGS+= -DHAVE_SSL | 43 | CPPFLAGS+= -DHAVE_SSL | |
44 | OBJS+= pkcs7.o | 44 | OBJS+= pkcs7.o | |
45 | .endif | 45 | .endif | |
46 | 46 | |||
47 | all: $(LIB) | 47 | all: $(LIB) | |
48 | 48 | |||
49 | .c.o: | 49 | .c.o: | |
50 | $(CC) $(DEFS) $(CPPFLAGS) $(CFLAGS) -c $< | 50 | $(CC) $(DEFS) $(CPPFLAGS) $(CFLAGS) -c $< | |
51 | 51 | |||
52 | $(LIB): $(OBJS) | 52 | $(LIB): $(OBJS) |
@@ -1,23 +1,23 @@ | @@ -1,23 +1,23 @@ | |||
1 | /* $NetBSD: gpgsig.c,v 1.3 2009/08/02 17:56:45 joerg Exp $ */ | 1 | /* $NetBSD: gpgsig.c,v 1.4 2015/09/01 12:14:06 jperkin Exp $ */ | |
2 | #if HAVE_CONFIG_H | 2 | #if HAVE_CONFIG_H | |
3 | #include "config.h" | 3 | #include "config.h" | |
4 | #endif | 4 | #endif | |
5 | #include <nbcompat.h> | 5 | #include <nbcompat.h> | |
6 | #if HAVE_SYS_CDEFS_H | 6 | #if HAVE_SYS_CDEFS_H | |
7 | #include <sys/cdefs.h> | 7 | #include <sys/cdefs.h> | |
8 | #endif | 8 | #endif | |
9 | 9 | |||
10 | __RCSID("$NetBSD: gpgsig.c,v 1.3 2009/08/02 17:56:45 joerg Exp $"); | 10 | __RCSID("$NetBSD: gpgsig.c,v 1.4 2015/09/01 12:14:06 jperkin Exp $"); | |
11 | 11 | |||
12 | /*- | 12 | /*- | |
13 | * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>. | 13 | * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>. | |
14 | * All rights reserved. | 14 | * All rights reserved. | |
15 | * | 15 | * | |
16 | * Redistribution and use in source and binary forms, with or without | 16 | * Redistribution and use in source and binary forms, with or without | |
17 | * modification, are permitted provided that the following conditions | 17 | * modification, are permitted provided that the following conditions | |
18 | * are met: | 18 | * are met: | |
19 | * | 19 | * | |
20 | * 1. Redistributions of source code must retain the above copyright | 20 | * 1. Redistributions of source code must retain the above copyright | |
21 | * notice, this list of conditions and the following disclaimer. | 21 | * notice, this list of conditions and the following disclaimer. | |
22 | * 2. Redistributions in binary form must reproduce the above copyright | 22 | * 2. Redistributions in binary form must reproduce the above copyright | |
23 | * notice, this list of conditions and the following disclaimer in | 23 | * notice, this list of conditions and the following disclaimer in | |
@@ -41,125 +41,65 @@ __RCSID("$NetBSD: gpgsig.c,v 1.3 2009/08 | @@ -41,125 +41,65 @@ __RCSID("$NetBSD: gpgsig.c,v 1.3 2009/08 | |||
41 | #include <sys/wait.h> | 41 | #include <sys/wait.h> | |
42 | #ifndef NETBSD | 42 | #ifndef NETBSD | |
43 | #include <nbcompat/err.h> | 43 | #include <nbcompat/err.h> | |
44 | #else | 44 | #else | |
45 | #include <err.h> | 45 | #include <err.h> | |
46 | #endif | 46 | #endif | |
47 | #ifndef NETBSD | 47 | #ifndef NETBSD | |
48 | #include <nbcompat/stdlib.h> | 48 | #include <nbcompat/stdlib.h> | |
49 | #else | 49 | #else | |
50 | #include <stdlib.h> | 50 | #include <stdlib.h> | |
51 | #endif | 51 | #endif | |
52 | 52 | |||
53 | #include "lib.h" | 53 | #include "lib.h" | |
54 | 54 | #include "netpgpverify/verify.h" | ||
55 | static void | |||
56 | verify_signature(const char *input, size_t input_len, const char *keyring, | |||
57 | const char *detached_signature) | |||
58 | { | |||
59 | const char *argv[8], **argvp; | |||
60 | pid_t child; | |||
61 | int fd[2], status; | |||
62 | ||||
63 | if (pipe(fd) == -1) | |||
64 | err(EXIT_FAILURE, "cannot create input pipes"); | |||
65 | ||||
66 | child = vfork(); | |||
67 | if (child == -1) | |||
68 | err(EXIT_FAILURE, "cannot fork GPG process"); | |||
69 | if (child == 0) { | |||
70 | close(fd[1]); | |||
71 | close(STDIN_FILENO); | |||
72 | if (dup2(fd[0], STDIN_FILENO) == -1) { | |||
73 | static const char err_msg[] = | |||
74 | "cannot redirect stdin of GPG process\n"; | |||
75 | write(STDERR_FILENO, err_msg, sizeof(err_msg) - 1); | |||
76 | _exit(255); | |||
77 | } | |||
78 | close(fd[0]); | |||
79 | argvp = argv; | |||
80 | *argvp++ = gpg_cmd; | |||
81 | *argvp++ = "--verify"; | |||
82 | if (keyring != NULL) { | |||
83 | *argvp++ = "--no-default-keyring"; | |||
84 | *argvp++ = "--keyring"; | |||
85 | *argvp++ = keyring; | |||
86 | } | |||
87 | ||||
88 | if (detached_signature != NULL) | |||
89 | *argvp++ = detached_signature; | |||
90 | *argvp++ = "-"; | |||
91 | ||||
92 | *argvp = NULL; | |||
93 | ||||
94 | execvp(gpg_cmd, __UNCONST(argv)); | |||
95 | _exit(255); | |||
96 | } | |||
97 | close(fd[0]); | |||
98 | if (write(fd[1], input, input_len) != (ssize_t)input_len) | |||
99 | errx(EXIT_FAILURE, "Short read from GPG"); | |||
100 | close(fd[1]); | |||
101 | waitpid(child, &status, 0); | |||
102 | if (status) | |||
103 | errx(EXIT_FAILURE, "GPG could not verify the signature"); | |||
104 | } | |||
105 | 55 | |||
106 | int | 56 | int | |
107 | inline_gpg_verify(const char *content, size_t len, const char *keyring) | 57 | gpg_verify(const char *content, size_t len, const char *keyring, | |
58 | const char *sig, size_t sig_len) | |||
108 | { | 59 | { | |
109 | verify_signature(content, len, keyring, NULL); | 60 | pgpv_t pgp; | |
110 | 61 | pgpv_cursor_t cursor; | ||
111 | return 0; | 62 | static const char hdr1[] = "-----BEGIN PGP SIGNED MESSAGE-----\n"; | |
112 | } | 63 | static const char hdr2[] = "Hash: SHA512\n\n"; | |
113 | 64 | ssize_t buflen; | ||
114 | int | 65 | char *buf; | |
115 | detached_gpg_verify(const char *content, size_t len, | 66 | ||
116 | const char *signature, size_t signature_len, const char *keyring) | 67 | /* | |
117 | { | 68 | * If there is a detached signature we need to construct a format that | |
118 | int fd; | 69 | * netpgp can parse, otherwise use as-is. | |
119 | const char *tmpdir; | 70 | */ | |
120 | char *tempsig; | 71 | if (sig_len) { | |
121 | ssize_t ret; | 72 | buf = xasprintf("%s%s%s%s", hdr1, hdr2, content, sig); | |
122 | 73 | buflen = strlen(buf); | ||
123 | if (gpg_cmd == NULL) { | 74 | } else { | |
124 | warnx("GPG variable not set, failing signature check"); | 75 | buf = content; | |
125 | return -1; | 76 | buflen = len; | |
126 | } | 77 | } | |
127 | 78 | |||
128 | if ((tmpdir = getenv("TMPDIR")) == NULL) | 79 | memset(&pgp, 0, sizeof(pgp)); | |
129 | tmpdir = "/tmp"; | 80 | memset(&cursor, 0, sizeof(cursor)); | |
130 | tempsig = xasprintf("%s/pkg_install.XXXXXX", tmpdir); | 81 | ||
131 | 82 | if (!pgpv_read_pubring(&pgp, keyring, -1)) | ||
132 | fd = mkstemp(tempsig); | 83 | err(EXIT_FAILURE, "cannot read keyring"); | |
133 | if (fd == -1) { | 84 | ||
134 | warnx("Creating temporary file for GPG signature failed"); | 85 | if (!pgpv_verify(&cursor, &pgp, buf, buflen)) | |
135 | return -1; | 86 | errx(EXIT_FAILURE, "unable to verify signature: %s", | |
136 | } | 87 | cursor.why); | |
137 | ||||
138 | while (signature_len) { | |||
139 | ret = write(fd, signature, signature_len); | |||
140 | if (ret == -1) | |||
141 | err(EXIT_FAILURE, "Write to GPG failed"); | |||
142 | if (ret == 0) | |||
143 | errx(EXIT_FAILURE, "Short write to GPG"); | |||
144 | signature_len -= ret; | |||
145 | signature += ret; | |||
146 | } | |||
147 | 88 | |||
148 | verify_signature(content, len, keyring, tempsig); | 89 | pgpv_close(&pgp); | |
149 | 90 | |||
150 | unlink(tempsig); | 91 | if (sig_len) | |
151 | close(fd); | 92 | free(buf); | |
152 | free(tempsig); | |||
153 | 93 | |||
154 | return 0; | 94 | return 0; | |
155 | } | 95 | } | |
156 | 96 | |||
157 | int | 97 | int | |
158 | detached_gpg_sign(const char *content, size_t len, char **sig, size_t *sig_len, | 98 | detached_gpg_sign(const char *content, size_t len, char **sig, size_t *sig_len, | |
159 | const char *keyring, const char *user) | 99 | const char *keyring, const char *user) | |
160 | { | 100 | { | |
161 | const char *argv[12], **argvp; | 101 | const char *argv[12], **argvp; | |
162 | pid_t child; | 102 | pid_t child; | |
163 | int fd_in[2], fd_out[2], status; | 103 | int fd_in[2], fd_out[2], status; | |
164 | size_t allocated; | 104 | size_t allocated; | |
165 | ssize_t ret; | 105 | ssize_t ret; |
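Review bot: In gpg_verify the detached-signature branch builds the cleartext message with `xasprintf("%s%s%s%s", hdr1, hdr2, content, sig)`, which reads `content` and `sig` as NUL-terminated strings and ignores the `len` and `sig_len` the caller passed; a content buffer that is not NUL-terminated is over-read, and one containing a NUL byte is verified only up to that byte, so the bytes netpgpverify checks can differ from the bytes the caller goes on to trust. Copy exactly `len` and `sig_len` bytes with memcpy into an xmalloc'd buffer instead, and on the inline path use `buf = __UNCONST(content);` rather than the const-discarding `buf = content;`. Two things to confirm against netpgpverify that are not visible here: the hard-coded `Hash: SHA512` header has to match the digest the signer actually used, and the cleartext-signed format expects body lines beginning with `-` to be dash-escaped, which this construction does not do. The replaced code accepted `keyring == NULL` to mean gpg's default keyring; what `pgpv_read_pubring` does with a NULL path cannot be seen from this hunk, so either reject NULL before the call or document that callers must pass a keyring path.
```c
int
gpg_verify(const char *content, size_t len, const char *keyring,
    const char *sig, size_t sig_len)
{
	/* … unchanged: pgp, cursor, hdr1, hdr2, buflen, buf declarations … */

	if (sig_len) {
		/* Honour len/sig_len: neither buffer need be NUL-terminated. */
		size_t hlen1 = sizeof(hdr1) - 1, hlen2 = sizeof(hdr2) - 1;
		size_t total = hlen1 + hlen2 + len + sig_len;
		buf = xmalloc(total + 1);
		memcpy(buf, hdr1, hlen1);
		memcpy(buf + hlen1, hdr2, hlen2);
		memcpy(buf + hlen1 + hlen2, content, len);
		memcpy(buf + hlen1 + hlen2 + len, sig, sig_len);
		buf[total] = '\0';
		buflen = (ssize_t)total;
	} else {
		buf = __UNCONST(content);
		buflen = (ssize_t)len;
	}

	/* … unchanged: pgpv_read_pubring, pgpv_verify, pgpv_close, free … */
```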
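--- a/lib.h
+++ b/lib.h
@@ -1,14 +1,14 @@
-/* $NetBSD: lib.h,v 1.65 2014/12/30 15:13:21 wiz Exp $ */
+/* $NetBSD: lib.h,v 1.66 2015/09/01 12:14:06 jperkin Exp $ */
 
 /* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */
 
 /*
 * FreeBSD install - a package for the installation and maintainance
 * of non-core utilities.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
@@ -390,29 +390,27 @@ int pkg_full_signature_check(const char
 void pkg_sign_x509(const char *, const char *, const char *, const char *);
 #endif
 
 void pkg_sign_gpg(const char *, const char *);
 
 #ifdef HAVE_SSL
 /* PKCS7 signing/verification */
 int easy_pkcs7_verify(const char *, size_t, const char *, size_t,
 const char *, int);
 int easy_pkcs7_sign(const char *, size_t, char **, size_t *, const char *,
 const char *);
 #endif
 
-int inline_gpg_verify(const char *, size_t, const char *);
-int detached_gpg_verify(const char *, size_t, const char *, size_t,
-const char *);
+int gpg_verify(const char *, size_t, const char *, const char *, size_t);
 int detached_gpg_sign(const char *, size_t, char **, size_t *, const char *,
 const char *);
 
 /* License handling */
 int add_licenses(const char *);
 int acceptable_license(const char *);
 int acceptable_pkg_license(const char *);
 void load_license_lists(void);
 
 /* Helper functions for memory allocation */
 char *xstrdup(const char *);
 void *xrealloc(void *, size_t);
 void *xcalloc(size_t, size_t);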
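Review bot: The new `gpg_verify` prototype carries no comment on what its last two parameters mean or how failure is reported, and the two callers changed in this commit treat it differently: pkg_signature.c negates the return into `has_sig`, while vulnerabilities-file.c discards the return and passes `NULL, 0`. The old `inline_gpg_verify`/`detached_gpg_verify` pair encoded the inline-versus-detached distinction in the function name; it now lives only in the argument values, so it should be written down at the declaration. Suggest above it: `/* Verify content against keyring. sig == NULL means the signature is inline; otherwise sig/sig_len hold a detached signature. Returns 0 on success. */`, stating explicitly whether a failed verification is a non-zero return or terminates the process, whichever the implementation does.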
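--- a/pkg_signature.c
+++ b/pkg_signature.c
@@ -1,23 +1,23 @@
-/* $NetBSD: pkg_signature.c,v 1.11 2013/09/11 14:10:05 khorben Exp $ */
+/* $NetBSD: pkg_signature.c,v 1.12 2015/09/01 12:14:06 jperkin Exp $ */
 
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
 #include <nbcompat.h>
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: pkg_signature.c,v 1.11 2013/09/11 14:10:05 khorben Exp $");
+__RCSID("$NetBSD: pkg_signature.c,v 1.12 2015/09/01 12:14:06 jperkin Exp $");
 
 /*-
 * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
@@ -356,28 +356,28 @@ pkg_verify_signature(const char *archive
 entry, GPG_SIGNATURE_FNAME,
 &signature_file, &signature_len);
 if (r == -1) {
 archive_read_finish(*archive);
 *archive = NULL;
 free(state);
 free(hash_file);
 goto no_valid_signature;
 } else if (r != 0) {
 free(hash_file);
 free(state);
 goto no_valid_signature;
 }
-has_sig = !detached_gpg_verify(hash_file, hash_len,
-signature_file, signature_len, gpg_keyring_verify);
+has_sig = !gpg_verify(hash_file, hash_len, gpg_keyring_verify,
+signature_file, signature_len);
 
 free(signature_file);
 } else {
 #ifdef HAVE_SSL
 has_sig = !easy_pkcs7_verify(hash_file, hash_len, signature_file,
 signature_len, certs_packages, 1);
 
 free(signature_file);
 #else
 warnx("No OpenSSL support compiled in, skipping signature");
 has_sig = 0;
 free(signature_file);
 #endif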
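Review bot: `has_sig = !gpg_verify(...)` assumes gpg_verify reports a bad signature through its return value, but the other caller changed in this commit (verify_signature in vulnerabilities-file.c) ignores the return entirely, which only makes sense if gpg_verify terminates the process on failure. If that is what the new implementation does, the `has_sig = 0` outcome here is unreachable for GPG-signed packages and the old `detached_gpg_verify` behaviour at this point changes silently; if it is not, the vulnerabilities-file caller silently accepts a bad signature. Worth confirming against the gpg_verify body and either keeping a return-value contract at both call sites or documenting the exit-on-failure behaviour at this call. pkg_verify_signature starts and ends outside this hunk.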
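--- a/version.h
+++ b/version.h
@@ -1,14 +1,14 @@
-/* $NetBSD: version.h,v 1.168 2015/05/08 16:29:37 agc Exp $ */
+/* $NetBSD: version.h,v 1.169 2015/09/01 12:14:06 jperkin Exp $ */
 
 /*
 * Copyright (c) 2001 Thomas Klausner. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
@@ -17,16 +17,16 @@
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
 #ifndef _INST_LIB_VERSION_H_
 #define _INST_LIB_VERSION_H_
 
-#define PKGTOOLS_VERSION 20150508
+#define PKGTOOLS_VERSION 20150901
 
 #endif /* _INST_LIB_VERSION_H_ */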
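--- a/vulnerabilities-file.c
+++ b/vulnerabilities-file.c
@@ -1,14 +1,14 @@
-/* $NetBSD: vulnerabilities-file.c,v 1.7 2010/06/16 23:02:49 joerg Exp $ */
+/* $NetBSD: vulnerabilities-file.c,v 1.8 2015/09/01 12:14:06 jperkin Exp $ */
 
 /*-
 * Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg@NetBSD.org>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
@@ -28,27 +28,27 @@
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
 
 #include <nbcompat.h>
 
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: vulnerabilities-file.c,v 1.7 2010/06/16 23:02:49 joerg Exp $");
+__RCSID("$NetBSD: vulnerabilities-file.c,v 1.8 2015/09/01 12:14:06 jperkin Exp $");
 
 #if HAVE_SYS_STAT_H
 #include <sys/stat.h>
 #endif
 #if HAVE_SYS_WAIT_H
 #include <sys/wait.h>
 #endif
 #ifndef BOOTSTRAP
 #include <archive.h>
 #endif
 #include <ctype.h>
 #if HAVE_ERR_H
 #include <err.h>
@@ -100,32 +100,27 @@ verify_signature_pkcs7(const char *input
 end_sig += strlen(pkcs7_end);
 
 if (easy_pkcs7_verify(begin_pkgvul, end_pkgvul - begin_pkgvul,
 begin_sig, end_sig - begin_sig, certs_pkg_vulnerabilities, 0))
 errx(EXIT_FAILURE, "Unable to verify PKCS7 signature");
 #else
 errx(EXIT_FAILURE, "OpenSSL support is not compiled in");
 #endif
 }
 
 static void
 verify_signature(const char *input, size_t input_len)
 {
-if (gpg_cmd == NULL && certs_pkg_vulnerabilities == NULL)
-errx(EXIT_FAILURE,
-"At least GPG or CERTIFICATE_ANCHOR_PKGVULN "
-"must be configured");
-if (gpg_cmd != NULL)
-inline_gpg_verify(input, input_len, gpg_keyring_pkgvuln);
+gpg_verify(input, input_len, gpg_keyring_pkgvuln, NULL, 0);
 if (certs_pkg_vulnerabilities != NULL)
 verify_signature_pkcs7(input);
 }
 
 static void *
 sha512_hash_init(void)
 {
 static SHA512_CTX hash_ctx;
 
 SHA512_Init(&hash_ctx);
 return &hash_ctx;
 }
 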
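Review bot: The guard requiring at least one verification method to be configured is dropped from verify_signature, and `gpg_verify` is now called unconditionally where `inline_gpg_verify` was previously gated on `gpg_cmd != NULL`. Whether a NULL `gpg_keyring_pkgvuln` is rejected inside gpg_verify is not visible here; if it is treated as "no keyring, nothing to check", a pkg-vulnerabilities file is accepted with neither GPG nor PKCS7 verification, which the removed lines explicitly refused. The return value of the call is also discarded, so a non-fatal failure reported through it would go unnoticed. Suggest restoring the configuration check against the setting that now drives verification, `if (gpg_keyring_pkgvuln == NULL && certs_pkg_vulnerabilities == NULL)` followed by the existing `errx(EXIT_FAILURE, ...)` with its message adjusted to name the keyring setting rather than GPG.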