int main(int argc, char **argv) { char *NSSConfigDir = NULL; const char *certNames[MAX_SIGNATURES]; char *MARChannelID = MAR_CHANNEL_ID; char *productVersion = MOZ_APP_VERSION; uint32_t i, k; int rv = -1; uint32_t certCount = 0; int32_t sigIndex = -1; #if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY) HANDLE certFile; /* We use DWORD here instead of uint64_t because it simplifies code with the Win32 API ReadFile which takes a DWORD. DER files will not be too large anyway. */ DWORD fileSizes[MAX_SIGNATURES]; DWORD read; uint8_t *certBuffers[MAX_SIGNATURES]; char *DERFilePaths[MAX_SIGNATURES]; #endif memset(certNames, 0, sizeof(certNames)); #if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY) memset(fileSizes, 0, sizeof(fileSizes)); memset(certBuffers, 0, sizeof(certBuffers)); memset(DERFilePaths, 0, sizeof(DERFilePaths)); #endif if (argc > 1 && 0 == strcmp(argv[1], "--version")) { print_version(); return 0; } if (argc < 3) { print_usage(); return -1; } while (argc > 0) { if (argv[1][0] == '-' && (argv[1][1] == 'c' || argv[1][1] == 't' || argv[1][1] == 'x' || argv[1][1] == 'v' || argv[1][1] == 's' || argv[1][1] == 'i' || argv[1][1] == 'T' || argv[1][1] == 'r' || argv[1][1] == 'X' || argv[1][1] == 'I')) { break; /* -C workingdirectory */ } else if (argv[1][0] == '-' && argv[1][1] == 'C') { chdir(argv[2]); argv += 2; argc -= 2; } #if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY) /* -D DERFilePath, also matches -D[index] DERFilePath We allow an index for verifying to be symmetric with the import and export command line arguments. */ else if (argv[1][0] == '-' && argv[1][1] == 'D' && (argv[1][2] == '0' + certCount || argv[1][2] == '\0')) { if (certCount >= MAX_SIGNATURES) { print_usage(); return -1; } DERFilePaths[certCount++] = argv[2]; argv += 2; argc -= 2; } #endif /* -d NSSConfigdir */ else if (argv[1][0] == '-' && argv[1][1] == 'd') { NSSConfigDir = argv[2]; argv += 2; argc -= 2; /* -n certName, also matches -n[index] certName We allow an index for verifying to be symmetric with the import and export command line arguments. */ } else if (argv[1][0] == '-' && argv[1][1] == 'n' && (argv[1][2] == '0' + certCount || argv[1][2] == '\0' || !strcmp(argv[2], "-X") || !strcmp(argv[2], "-I"))) { if (certCount >= MAX_SIGNATURES) { print_usage(); return -1; } certNames[certCount++] = argv[2]; if (strlen(argv[1]) > 2 && (!strcmp(argv[2], "-X") || !strcmp(argv[2], "-I")) && argv[1][2] >= '0' && argv[1][2] <= '9') { sigIndex = argv[1][2] - '0'; argv++; argc--; } else { argv += 2; argc -= 2; } /* MAR channel ID */ } else if (argv[1][0] == '-' && argv[1][1] == 'H') { MARChannelID = argv[2]; argv += 2; argc -= 2; /* Product Version */ } else if (argv[1][0] == '-' && argv[1][1] == 'V') { productVersion = argv[2]; argv += 2; argc -= 2; } else { print_usage(); return -1; } } if (argv[1][0] != '-') { print_usage(); return -1; } switch (argv[1][1]) { case 'c': { struct ProductInformationBlock infoBlock; infoBlock.MARChannelID = MARChannelID; infoBlock.productVersion = productVersion; return mar_create(argv[2], argc - 3, argv + 3, &infoBlock); } case 'i': { struct ProductInformationBlock infoBlock; infoBlock.MARChannelID = MARChannelID; infoBlock.productVersion = productVersion; return refresh_product_info_block(argv[2], &infoBlock); } case 'T': { struct ProductInformationBlock infoBlock; uint32_t numSignatures, numAdditionalBlocks; int hasSignatureBlock, hasAdditionalBlock; if (!get_mar_file_info(argv[2], &hasSignatureBlock, &numSignatures, &hasAdditionalBlock, NULL, &numAdditionalBlocks)) { if (hasSignatureBlock) { printf("Signature block found with %d signature%s\n", numSignatures, numSignatures != 1 ? "s" : ""); } if (hasAdditionalBlock) { printf("%d additional block%s found:\n", numAdditionalBlocks, numAdditionalBlocks != 1 ? "s" : ""); } rv = read_product_info_block(argv[2], &infoBlock); if (!rv) { printf(" - Product Information Block:\n"); printf(" - MAR channel name: %s\n" " - Product version: %s\n", infoBlock.MARChannelID, infoBlock.productVersion); free((void *)infoBlock.MARChannelID); free((void *)infoBlock.productVersion); } } printf("\n"); /* The fall through from 'T' to 't' is intentional */ } case 't': return mar_test(argv[2]); /* Extract a MAR file */ case 'x': return mar_extract(argv[2]); #ifndef NO_SIGN_VERIFY /* Extract a MAR signature */ case 'X': if (sigIndex == -1) { fprintf(stderr, "ERROR: Signature index was not passed.\n"); return -1; } if (sigIndex >= MAX_SIGNATURES || sigIndex < -1) { fprintf(stderr, "ERROR: Signature index is out of range: %d.\n", sigIndex); return -1; } return extract_signature(argv[2], sigIndex, argv[3]); /* Import a MAR signature */ case 'I': if (sigIndex == -1) { fprintf(stderr, "ERROR: signature index was not passed.\n"); return -1; } if (sigIndex >= MAX_SIGNATURES || sigIndex < -1) { fprintf(stderr, "ERROR: Signature index is out of range: %d.\n", sigIndex); return -1; } if (argc < 5) { print_usage(); return -1; } return import_signature(argv[2], sigIndex, argv[3], argv[4]); case 'v': #if defined(XP_WIN) && !defined(MAR_NSS) if (certCount == 0) { print_usage(); return -1; } for (k = 0; k < certCount; ++k) { /* If the mar program was built using CryptoAPI, then read in the buffer containing the cert from disk. */ certFile = CreateFileA(DERFilePaths[k], GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL); if (INVALID_HANDLE_VALUE == certFile) { return -1; } fileSizes[k] = GetFileSize(certFile, NULL); certBuffers[k] = malloc(fileSizes[k]); if (!ReadFile(certFile, certBuffers[k], fileSizes[k], &read, NULL) || fileSizes[k] != read) { CloseHandle(certFile); for (i = 0; i <= k; i++) { free(certBuffers[i]); } return -1; } CloseHandle(certFile); } rv = mar_verify_signatures(argv[2], certBuffers, fileSizes, NULL, certCount); for (k = 0; k < certCount; ++k) { free(certBuffers[k]); } if (rv) { /* Determine if the source MAR file has the new fields for signing */ int hasSignatureBlock; if (get_mar_file_info(argv[2], &hasSignatureBlock, NULL, NULL, NULL, NULL)) { fprintf(stderr, "ERROR: could not determine if MAR is old or new.\n"); } else if (!hasSignatureBlock) { fprintf(stderr, "ERROR: The MAR file is in the old format so has" " no signature to verify.\n"); } return -1; } return 0; #else if (!NSSConfigDir || certCount == 0) { print_usage(); return -1; } if (NSSInitCryptoContext(NSSConfigDir)) { fprintf(stderr, "ERROR: Could not initialize crypto library.\n"); return -1; } return mar_verify_signatures(argv[2], NULL, 0, certNames, certCount); #endif /* defined(XP_WIN) && !defined(MAR_NSS) */ case 's': if (!NSSConfigDir || certCount == 0 || argc < 4) { print_usage(); return -1; } return mar_repackage_and_sign(NSSConfigDir, certNames, certCount, argv[2], argv[3]); case 'r': return strip_signature_block(argv[2], argv[3]); #endif /* endif NO_SIGN_VERIFY disabled */ default: print_usage(); return -1; } return 0; }
int main(int argc, char **argv) { char *NSSConfigDir = NULL; const char *certNames[MAX_SIGNATURES]; char *MARChannelID = MAR_CHANNEL_ID; char *productVersion = MOZ_APP_VERSION; uint32_t k; int rv = -1; uint32_t certCount = 0; int32_t sigIndex = -1; #if !defined(NO_SIGN_VERIFY) uint32_t fileSizes[MAX_SIGNATURES]; const uint8_t* certBuffers[MAX_SIGNATURES]; char* DERFilePaths[MAX_SIGNATURES]; #if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS) CERTCertificate* certs[MAX_SIGNATURES]; #endif #endif memset((void*)certNames, 0, sizeof(certNames)); #if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY) memset((void*)certBuffers, 0, sizeof(certBuffers)); #endif #if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \ defined(XP_MACOSX)) memset(DERFilePaths, 0, sizeof(DERFilePaths)); memset(fileSizes, 0, sizeof(fileSizes)); #endif if (argc > 1 && 0 == strcmp(argv[1], "--version")) { print_version(); return 0; } if (argc < 3) { print_usage(); return -1; } while (argc > 0) { if (argv[1][0] == '-' && (argv[1][1] == 'c' || argv[1][1] == 't' || argv[1][1] == 'x' || argv[1][1] == 'v' || argv[1][1] == 's' || argv[1][1] == 'i' || argv[1][1] == 'T' || argv[1][1] == 'r' || argv[1][1] == 'X' || argv[1][1] == 'I')) { break; /* -C workingdirectory */ } else if (argv[1][0] == '-' && argv[1][1] == 'C') { if (chdir(argv[2]) != 0) { return -1; } argv += 2; argc -= 2; } #if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \ defined(XP_MACOSX)) /* -D DERFilePath, also matches -D[index] DERFilePath We allow an index for verifying to be symmetric with the import and export command line arguments. */ else if (argv[1][0] == '-' && argv[1][1] == 'D' && (argv[1][2] == (char)('0' + certCount) || argv[1][2] == '\0')) { if (certCount >= MAX_SIGNATURES) { print_usage(); return -1; } DERFilePaths[certCount++] = argv[2]; argv += 2; argc -= 2; } #endif /* -d NSSConfigdir */ else if (argv[1][0] == '-' && argv[1][1] == 'd') { NSSConfigDir = argv[2]; argv += 2; argc -= 2; /* -n certName, also matches -n[index] certName We allow an index for verifying to be symmetric with the import and export command line arguments. */ } else if (argv[1][0] == '-' && argv[1][1] == 'n' && (argv[1][2] == (char)('0' + certCount) || argv[1][2] == '\0' || !strcmp(argv[2], "-X") || !strcmp(argv[2], "-I"))) { if (certCount >= MAX_SIGNATURES) { print_usage(); return -1; } certNames[certCount++] = argv[2]; if (strlen(argv[1]) > 2 && (!strcmp(argv[2], "-X") || !strcmp(argv[2], "-I")) && argv[1][2] >= '0' && argv[1][2] <= '9') { sigIndex = argv[1][2] - '0'; argv++; argc--; } else { argv += 2; argc -= 2; } /* MAR channel ID */ } else if (argv[1][0] == '-' && argv[1][1] == 'H') { MARChannelID = argv[2]; argv += 2; argc -= 2; /* Product Version */ } else if (argv[1][0] == '-' && argv[1][1] == 'V') { productVersion = argv[2]; argv += 2; argc -= 2; } else { print_usage(); return -1; } } if (argv[1][0] != '-') { print_usage(); return -1; } switch (argv[1][1]) { case 'c': { struct ProductInformationBlock infoBlock; infoBlock.MARChannelID = MARChannelID; infoBlock.productVersion = productVersion; return mar_create(argv[2], argc - 3, argv + 3, &infoBlock); } case 'i': { struct ProductInformationBlock infoBlock; infoBlock.MARChannelID = MARChannelID; infoBlock.productVersion = productVersion; return refresh_product_info_block(argv[2], &infoBlock); } case 'T': { struct ProductInformationBlock infoBlock; uint32_t numSignatures, numAdditionalBlocks; int hasSignatureBlock, hasAdditionalBlock; if (!get_mar_file_info(argv[2], &hasSignatureBlock, &numSignatures, &hasAdditionalBlock, NULL, &numAdditionalBlocks)) { if (hasSignatureBlock) { printf("Signature block found with %d signature%s\n", numSignatures, numSignatures != 1 ? "s" : ""); } if (hasAdditionalBlock) { printf("%d additional block%s found:\n", numAdditionalBlocks, numAdditionalBlocks != 1 ? "s" : ""); } rv = read_product_info_block(argv[2], &infoBlock); if (!rv) { printf(" - Product Information Block:\n"); printf(" - MAR channel name: %s\n" " - Product version: %s\n", infoBlock.MARChannelID, infoBlock.productVersion); free((void *)infoBlock.MARChannelID); free((void *)infoBlock.productVersion); } } printf("\n"); /* The fall through from 'T' to 't' is intentional */ } case 't': return mar_test(argv[2]); /* Extract a MAR file */ case 'x': return mar_extract(argv[2]); #ifndef NO_SIGN_VERIFY /* Extract a MAR signature */ case 'X': if (sigIndex == -1) { fprintf(stderr, "ERROR: Signature index was not passed.\n"); return -1; } if (sigIndex >= MAX_SIGNATURES || sigIndex < -1) { fprintf(stderr, "ERROR: Signature index is out of range: %d.\n", sigIndex); return -1; } return extract_signature(argv[2], sigIndex, argv[3]); /* Import a MAR signature */ case 'I': if (sigIndex == -1) { fprintf(stderr, "ERROR: signature index was not passed.\n"); return -1; } if (sigIndex >= MAX_SIGNATURES || sigIndex < -1) { fprintf(stderr, "ERROR: Signature index is out of range: %d.\n", sigIndex); return -1; } if (argc < 5) { print_usage(); return -1; } return import_signature(argv[2], sigIndex, argv[3], argv[4]); case 'v': if (certCount == 0) { print_usage(); return -1; } #if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS) if (!NSSConfigDir || certCount == 0) { print_usage(); return -1; } if (NSSInitCryptoContext(NSSConfigDir)) { fprintf(stderr, "ERROR: Could not initialize crypto library.\n"); return -1; } #endif rv = 0; for (k = 0; k < certCount; ++k) { #if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS) rv = mar_read_entire_file(DERFilePaths[k], MAR_MAX_CERT_SIZE, &certBuffers[k], &fileSizes[k]); #else /* It is somewhat circuitous to look up a CERTCertificate and then pass * in its DER encoding just so we can later re-create that * CERTCertificate to extract the public key out of it. However, by doing * things this way, we maximize the reuse of the mar_verify_signatures * function and also we keep the control flow as similar as possible * between programs and operating systems, at least for the functions * that are critically important to security. */ certs[k] = PK11_FindCertFromNickname(certNames[k], NULL); if (certs[k]) { certBuffers[k] = certs[k]->derCert.data; fileSizes[k] = certs[k]->derCert.len; } else { rv = -1; } #endif if (rv) { fprintf(stderr, "ERROR: could not read file %s", DERFilePaths[k]); break; } } if (!rv) { MarFile *mar = mar_open(argv[2]); if (mar) { rv = mar_verify_signatures(mar, certBuffers, fileSizes, certCount); mar_close(mar); } else { fprintf(stderr, "ERROR: Could not open MAR file.\n"); rv = -1; } } for (k = 0; k < certCount; ++k) { #if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS) free((void*)certBuffers[k]); #else /* certBuffers[k] is owned by certs[k] so don't free it */ CERT_DestroyCertificate(certs[k]); #endif } if (rv) { /* Determine if the source MAR file has the new fields for signing */ int hasSignatureBlock; if (get_mar_file_info(argv[2], &hasSignatureBlock, NULL, NULL, NULL, NULL)) { fprintf(stderr, "ERROR: could not determine if MAR is old or new.\n"); } else if (!hasSignatureBlock) { fprintf(stderr, "ERROR: The MAR file is in the old format so has" " no signature to verify.\n"); } return -1; } return 0; case 's': if (!NSSConfigDir || certCount == 0 || argc < 4) { print_usage(); return -1; } return mar_repackage_and_sign(NSSConfigDir, certNames, certCount, argv[2], argv[3]); case 'r': return strip_signature_block(argv[2], argv[3]); #endif /* endif NO_SIGN_VERIFY disabled */ default: print_usage(); return -1; } }
int main(int argc, char *argv[]) { int rc; pesign_context ctx, *ctxp = &ctx; int list = 0; int remove = 0; char *digest_name = "sha256"; poptContext optCon; struct poptOption options[] = { {NULL, '\0', POPT_ARG_INTL_DOMAIN, "pesign" }, {"in", 'i', POPT_ARG_STRING, &ctx.infile, 0, "specify input file", "<infile>"}, {"out", 'o', POPT_ARG_STRING, &ctx.outfile, 0, "specify output file", "<outfile>" }, {"certficate", 'c', POPT_ARG_STRING, &ctx.cms_ctx.certname, 0, "specify certificate nickname", "<certificate nickname>" }, {"privkey", 'p', POPT_ARG_STRING, &ctx.privkeyfile, 0, "specify private key file", "<privkey>" }, {"force", 'f', POPT_ARG_VAL, &ctx.force, 1, "force overwriting of output file", NULL }, {"nogaps", 'n', POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN, &ctx.hashgaps, 0, "skip gaps between sections when signing", NULL }, {"sign", 's', POPT_ARG_VAL, &ctx.sign, 1, "create a new signature", NULL }, {"hash", 'h', POPT_ARG_VAL, &ctx.hash, 1, "hash binary", NULL }, {"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT, &digest_name, 0, "digest type to use for pe hash" }, {"import-signature", 'm', POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN, &ctx.insig, 0,"import signature from file", "<insig>" }, {"signature-number", 'u', POPT_ARG_INT, &ctx.signum, -1, "specify which signature to operate on","<sig-number>"}, {"list-signatures", 'l', POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN, &list, 1, "list signatures", NULL }, {"show-signature", 'S', POPT_ARG_VAL, &list, 1, "show signature", NULL }, {"remove-signature", 'r', POPT_ARG_VAL, &remove, 1, "remove signature" }, {"export-signature", 'e', POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN, &ctx.outsig, 0,"export signature to file", "<outsig>" }, {"export-pubkey", 'K', POPT_ARG_STRING, &ctx.outkey, 0, "export pubkey to file", "<outkey>" }, {"export-cert", 'C', POPT_ARG_STRING, &ctx.outcert, 0, "export signing cert to file", "<outcert>" }, {"ascii-armor", 'a', POPT_ARG_VAL, &ctx.ascii, 1, "use ascii armoring", NULL }, POPT_AUTOALIAS POPT_AUTOHELP POPT_TABLEEND }; rc = pesign_context_init(ctxp); if (rc < 0) { fprintf(stderr, "Could not initialize context: %m\n"); exit(1); } optCon = poptGetContext("pesign", argc, (const char **)argv, options,0); while ((rc = poptGetNextOpt(optCon)) > 0) ; if (rc < -1) { fprintf(stderr, "pesign: Invalid argument: %s: %s\n", poptBadOption(optCon, 0), poptStrerror(rc)); exit(1); } if (poptPeekArg(optCon)) { fprintf(stderr, "pesign: Invalid Argument: \"%s\"\n", poptPeekArg(optCon)); exit(1); } poptFreeContext(optCon); rc = set_digest_parameters(&ctx.cms_ctx, digest_name); int is_help = strcmp(digest_name, "help") ? 0 : 1; if (rc < 0) { if (!is_help) { fprintf(stderr, "Digest \"%s\" not found.\n", digest_name); } exit(!is_help); } int action = 0; if (ctx.insig) action |= IMPORT_SIGNATURE; if (ctx.outkey) action |= EXPORT_PUBKEY; if (ctx.outcert) action |= EXPORT_CERT; if (ctx.outsig) action |= EXPORT_SIGNATURE; if (remove != 0) action |= REMOVE_SIGNATURE; if (list != 0) action |= LIST_SIGNATURES; if (ctx.sign) { action |= GENERATE_SIGNATURE; if (!(action & EXPORT_SIGNATURE)) action |= IMPORT_SIGNATURE; } if (ctx.hash) action |= GENERATE_DIGEST|PRINT_DIGEST; SECItem newsig; switch (action) { case NO_FLAGS: fprintf(stderr, "pesign: Nothing to do.\n"); exit(0); break; /* add a signature from a file */ case IMPORT_SIGNATURE: check_inputs(ctxp); open_input(ctxp); open_output(ctxp); close_input(ctxp); open_sig_input(ctxp); import_signature(ctxp); close_sig_input(ctxp); close_output(ctxp); break; case EXPORT_PUBKEY: rc = find_certificate(&ctx.cms_ctx); if (rc < 0) { fprintf(stderr, "pesign: Could not find " "certificate %s\n", ctx.cms_ctx.certname); exit(1); } open_pubkey_output(ctxp); export_pubkey(ctxp); break; case EXPORT_CERT: rc = find_certificate(&ctx.cms_ctx); if (rc < 0) { fprintf(stderr, "pesign: Could not find " "certificate %s\n", ctx.cms_ctx.certname); exit(1); } open_cert_output(ctxp); export_cert(ctxp); break; /* find a signature in the binary and save it to a file */ case EXPORT_SIGNATURE: open_input(ctxp); open_sig_output(ctxp); if (ctx.signum > ctx.cms_ctx.num_signatures) { fprintf(stderr, "Invalid signature number.\n"); exit(1); } SECItem *sig = ctx.cms_ctx.signatures[ctx.signum]; export_signature(ctxp, sig); close_input(ctxp); close_sig_output(ctxp); break; /* remove a signature from the binary */ case REMOVE_SIGNATURE: check_inputs(ctxp); open_input(ctxp); open_output(ctxp); close_input(ctxp); if (ctx.signum > ctx.cms_ctx.num_signatures) { fprintf(stderr, "Invalid signature number.\n"); exit(1); } remove_signature(&ctx); close_output(ctxp); break; /* list signatures in the binary */ case LIST_SIGNATURES: open_input(ctxp); list_signatures(ctxp); break; case GENERATE_DIGEST|PRINT_DIGEST: open_input(ctxp); generate_digest(ctxp, ctx.inpe); print_digest(ctxp); break; /* generate a signature and save it in a separate file */ case EXPORT_SIGNATURE|GENERATE_SIGNATURE: rc = find_certificate(&ctx.cms_ctx); if (rc < 0) { fprintf(stderr, "pesign: Could not find " "certificate %s\n", ctx.cms_ctx.certname); exit(1); } open_input(ctxp); open_sig_output(ctxp); generate_digest(ctxp, ctx.inpe); generate_signature(ctxp, &newsig); export_signature(ctxp, &newsig); break; /* generate a signature and embed it in the binary */ case IMPORT_SIGNATURE|GENERATE_SIGNATURE: check_inputs(ctxp); rc = find_certificate(&ctx.cms_ctx); if (rc < 0) { fprintf(stderr, "pesign: Could not find " "certificate %s\n", ctx.cms_ctx.certname); exit(1); } open_input(ctxp); open_output(ctxp); close_input(ctxp); generate_digest(ctxp, ctx.outpe); generate_signature(ctxp, &newsig); insert_signature(ctxp, &newsig); close_output(ctxp); break; default: fprintf(stderr, "Incompatible flags (0x%08x): ", action); for (int i = 1; i < FLAG_LIST_END; i <<= 1) { if (action & i) print_flag_name(stderr, i); } fprintf(stderr, "\n"); exit(1); } pesign_context_fini(&ctx); return (rc < 0); }