int
sign_repo(struct xbps_handle *xhp, const char *repodir,
const char *privkey, const char *signedby)
{
struct xbps_repo *repo = NULL;
xbps_dictionary_t meta = NULL;
xbps_data_t data = NULL, rpubkey = NULL;
RSA *rsa = NULL;
uint16_t rpubkeysize, pubkeysize;
const char *rsignedby = NULL;
char *buf = NULL, *rlockfname = NULL;
int rlockfd = -1, rv = 0;
bool flush_failed = false, flush = false;
if (signedby == NULL) {
fprintf(stderr, "--signedby unset! cannot initialize signed repository\n");
return -1;
}
/*
* Check that repository index exists and not empty, otherwise bail out.
*/
repo = xbps_repo_open(xhp, repodir);
if (repo == NULL) {
rv = errno;
fprintf(stderr, "%s: cannot read repository data: %s\n",
_XBPS_RINDEX, strerror(errno));
goto out;
}
if (xbps_dictionary_count(repo->idx) == 0) {
fprintf(stderr, "%s: invalid repository, existing!\n", _XBPS_RINDEX);
rv = EINVAL;
goto out;
}
rsa = load_rsa_key(privkey);
/*
* Check if repository index-meta contains changes compared to its
* current state.
*/
if ((buf = pubkey_from_privkey(rsa)) == NULL) {
rv = EINVAL;
goto out;
}
meta = xbps_dictionary_create();
data = xbps_data_create_data(buf, strlen(buf));
rpubkey = xbps_dictionary_get(repo->idxmeta, "public-key");
if (!xbps_data_equals(rpubkey, data))
flush = true;
free(buf);
pubkeysize = RSA_size(rsa) * 8;
xbps_dictionary_get_uint16(repo->idxmeta, "public-key-size", &rpubkeysize);
if (rpubkeysize != pubkeysize)
flush = true;
xbps_dictionary_get_cstring_nocopy(repo->idxmeta, "signature-by", &rsignedby);
if (rsignedby == NULL || strcmp(rsignedby, signedby))
flush = true;
if (!flush)
goto out;
xbps_dictionary_set(meta, "public-key", data);
xbps_dictionary_set_uint16(meta, "public-key-size", pubkeysize);
xbps_dictionary_set_cstring_nocopy(meta, "signature-by", signedby);
xbps_dictionary_set_cstring_nocopy(meta, "signature-type", "rsa");
xbps_object_release(data);
data = NULL;
/* lock repository to write repodata file */
if (!xbps_repo_lock(xhp, repodir, &rlockfd, &rlockfname)) {
rv = errno;
fprintf(stderr, "%s: cannot lock repository: %s\n",
_XBPS_RINDEX, strerror(errno));
goto out;
}
flush_failed = repodata_flush(xhp, repodir, repo->idx, meta);
xbps_repo_unlock(rlockfd, rlockfname);
if (!flush_failed) {
fprintf(stderr, "failed to write repodata: %s\n", strerror(errno));
goto out;
}
printf("Initialized signed repository (%u package%s)\n",
xbps_dictionary_count(repo->idx),
xbps_dictionary_count(repo->idx) == 1 ? "" : "s");
out:
if (rsa) {
RSA_free(rsa);
rsa = NULL;
}
if (repo)
xbps_repo_close(repo);
return rv ? -1 : 0;
}
int
sign_repo(struct xbps_handle *xhp, const char *repodir,
const char *privkey, const char *signedby)
{
struct stat st;
struct xbps_repo *repo;
xbps_dictionary_t pkgd, meta = NULL;
xbps_data_t data = NULL, rpubkey = NULL;
xbps_object_iterator_t iter = NULL;
xbps_object_t obj;
RSA *rsa = NULL;
unsigned char *sig;
unsigned int siglen;
uint16_t rpubkeysize, pubkeysize;
const char *arch, *pkgver, *rsignedby = NULL;
char *binpkg = NULL, *binpkg_sig = NULL, *buf = NULL, *defprivkey = NULL;
int binpkg_fd, binpkg_sig_fd, rv = 0;
bool flush = false;
if (signedby == NULL) {
fprintf(stderr, "--signedby unset! cannot sign repository\n");
return -1;
}
/*
* Check that repository index exists and not empty, otherwise bail out.
*/
repo = xbps_repo_open(xhp, repodir, true);
if (repo == NULL) {
rv = errno;
fprintf(stderr, "%s: cannot read repository data: %s\n",
_XBPS_RINDEX, strerror(errno));
goto out;
}
if (xbps_dictionary_count(repo->idx) == 0) {
fprintf(stderr, "%s: invalid repository, existing!\n", _XBPS_RINDEX);
rv = EINVAL;
goto out;
}
/*
* If privkey not set, default to ~/.ssh/id_rsa.
*/
if (privkey == NULL)
defprivkey = xbps_xasprintf("%s/.ssh/id_rsa", getenv("HOME"));
else
defprivkey = strdup(privkey);
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
if ((rsa = load_rsa_privkey(defprivkey)) == NULL) {
fprintf(stderr, "%s: failed to read the RSA privkey\n", _XBPS_RINDEX);
rv = EINVAL;
goto out;
}
/*
* Iterate over the idx dictionary and then sign all binary
* packages in this repository.
*/
iter = xbps_dictionary_iterator(repo->idx);
assert(iter);
while ((obj = xbps_object_iterator_next(iter))) {
pkgd = xbps_dictionary_get_keysym(repo->idx, obj);
xbps_dictionary_get_cstring_nocopy(pkgd, "architecture", &arch);
xbps_dictionary_get_cstring_nocopy(pkgd, "pkgver", &pkgver);
binpkg = xbps_xasprintf("%s/%s.%s.xbps", repodir, pkgver, arch);
binpkg_sig = xbps_xasprintf("%s.sig", binpkg);
/*
* Skip pkg if file signature exists
*/
if ((binpkg_sig_fd = access(binpkg_sig, R_OK)) == 0) {
if (xhp->flags & XBPS_FLAG_VERBOSE)
fprintf(stderr, "skipping %s, file signature found.\n", pkgver);
free(binpkg);
free(binpkg_sig);
close(binpkg_sig_fd);
continue;
}
/*
* Generate pkg file signature.
*/
if ((binpkg_fd = open(binpkg, O_RDONLY)) == -1) {
fprintf(stderr, "cannot read %s: %s\n", binpkg, strerror(errno));
free(binpkg);
free(binpkg_sig);
continue;
}
fstat(binpkg_fd, &st);
buf = malloc(st.st_size);
assert(buf);
if (read(binpkg_fd, buf, st.st_size) != st.st_size) {
fprintf(stderr, "failed to read %s: %s\n", binpkg, strerror(errno));
close(binpkg_fd);
free(buf);
free(binpkg);
free(binpkg_sig);
continue;
}
close(binpkg_fd);
if (!rsa_sign_buf(rsa, buf, st.st_size, &sig, &siglen)) {
fprintf(stderr, "failed to sign %s: %s\n", binpkg, strerror(errno));
free(buf);
free(binpkg);
free(binpkg_sig);
continue;
}
free(buf);
free(binpkg);
/*
* Write pkg file signature.
*/
binpkg_sig_fd = creat(binpkg_sig, 0644);
if (binpkg_sig_fd == -1) {
fprintf(stderr, "failed to create %s: %s\n", binpkg_sig, strerror(errno));
free(sig);
free(binpkg_sig);
continue;
}
if (write(binpkg_sig_fd, sig, siglen) != (ssize_t)siglen) {
fprintf(stderr, "failed to write %s: %s\n", binpkg_sig, strerror(errno));
free(sig);
free(binpkg_sig);
close(binpkg_sig_fd);
continue;
}
free(sig);
free(binpkg_sig);
close(binpkg_sig_fd);
printf("signed successfully %s\n", pkgver);
}
xbps_object_iterator_release(iter);
/*
* Check if repository index-meta contains changes compared to its
* current state.
*/
if ((buf = pubkey_from_privkey(rsa)) == NULL) {
rv = EINVAL;
goto out;
}
meta = xbps_dictionary_create();
data = xbps_data_create_data(buf, strlen(buf));
rpubkey = xbps_dictionary_get(repo->idxmeta, "public-key");
if (!xbps_data_equals(rpubkey, data))
flush = true;
free(buf);
pubkeysize = RSA_size(rsa) * 8;
xbps_dictionary_get_uint16(repo->idxmeta, "public-key-size", &rpubkeysize);
if (rpubkeysize != pubkeysize)
flush = true;
xbps_dictionary_get_cstring_nocopy(repo->idxmeta, "signature-by", &rsignedby);
if (rsignedby == NULL || strcmp(rsignedby, signedby))
flush = true;
if (!flush)
goto out;
xbps_dictionary_set(meta, "public-key", data);
xbps_dictionary_set_uint16(meta, "public-key-size", pubkeysize);
xbps_dictionary_set_cstring_nocopy(meta, "signature-by", signedby);
xbps_dictionary_set_cstring_nocopy(meta, "signature-type", "rsa");
xbps_object_release(data);
data = NULL;
if (!repodata_flush(xhp, repodir, repo->idx, meta)) {
fprintf(stderr, "failed to write repodata: %s\n", strerror(errno));
goto out;
}
printf("Signed repository (%u package%s)\n",
xbps_dictionary_count(repo->idx),
xbps_dictionary_count(repo->idx) == 1 ? "" : "s");
out:
if (defprivkey) {
free(defprivkey);
}
if (rsa) {
RSA_free(rsa);
rsa = NULL;
}
if (repo) {
xbps_repo_close(repo);
}
return rv ? -1 : 0;
}
static bool
repodata_commit(struct xbps_handle *xhp, const char *repodir,
xbps_dictionary_t idx, xbps_dictionary_t meta, xbps_dictionary_t stage) {
const char *pkgname;
xbps_object_iterator_t iter;
xbps_object_t keysym;
int rv;
if(xbps_dictionary_count(stage) == 0) {
// Nothing to do.
return true;
}
/*
* Find old shlibs-provides
*/
xbps_dictionary_t oldshlibs = xbps_dictionary_create();
xbps_dictionary_t usedshlibs = xbps_dictionary_create();
iter = xbps_dictionary_iterator(stage);
while ((keysym = xbps_object_iterator_next(iter))) {
pkgname = xbps_dictionary_keysym_cstring_nocopy(keysym);
xbps_dictionary_t oldpkg = xbps_dictionary_get(idx, pkgname);
xbps_array_t pkgshlibs = xbps_dictionary_get(oldpkg, "shlib-provides");
for(unsigned int i = 0; i < xbps_array_count(pkgshlibs); i++) {
const char *shlib = NULL;
xbps_array_get_cstring_nocopy(pkgshlibs, i, &shlib);
xbps_dictionary_set_cstring(oldshlibs, shlib, pkgname);
}
}
xbps_object_iterator_release(iter);
/*
* throw away all unused shlibs
*/
iter = xbps_dictionary_iterator(idx);
while ((keysym = xbps_object_iterator_next(iter))) {
pkgname = xbps_dictionary_keysym_cstring_nocopy(keysym);
xbps_dictionary_t pkg = xbps_dictionary_get(stage, pkgname);
if(!pkg)
pkg = xbps_dictionary_get_keysym(idx, keysym);
xbps_array_t pkgshlibs = xbps_dictionary_get(pkg, "shlib-requires");
for(unsigned int i = 0; i < xbps_array_count(pkgshlibs); i++) {
const char *shlib = NULL, *user = NULL;
xbps_array_get_cstring_nocopy(pkgshlibs, i, &shlib);
xbps_dictionary_get_cstring_nocopy(pkg, shlib, &user);
if(!user)
continue;
xbps_array_t users = xbps_dictionary_get(usedshlibs, shlib);
if(!users) {
users = xbps_array_create();
xbps_dictionary_set(usedshlibs, shlib, users);
}
xbps_array_add_cstring(users, user);
}
}
xbps_object_iterator_release(iter);
/*
* purge all packages that are fullfilled by the stage
*/
iter = xbps_dictionary_iterator(stage);
while ((keysym = xbps_object_iterator_next(iter))) {
pkgname = xbps_dictionary_keysym_cstring_nocopy(keysym);
xbps_dictionary_t newpkg = xbps_dictionary_get(idx, pkgname);
xbps_array_t pkgshlibs = xbps_dictionary_get(newpkg, "shlib-provides");
for(unsigned int i = 0; i < xbps_array_count(pkgshlibs); i++) {
const char *shlib;
xbps_array_get_cstring_nocopy(pkgshlibs, i, &shlib);
xbps_dictionary_remove(usedshlibs, shlib);
}
}
xbps_object_iterator_release(iter);
if(xbps_dictionary_count(usedshlibs) != 0) {
puts("Unfullfilled shlibs:");
iter = xbps_dictionary_iterator(usedshlibs);
while ((keysym = xbps_object_iterator_next(iter))) {
const char *shlib = xbps_dictionary_keysym_cstring_nocopy(keysym), *provider = NULL;
xbps_array_t users = xbps_dictionary_get(usedshlibs, shlib);
xbps_dictionary_get_cstring_nocopy(usedshlibs, shlib, &provider);
printf(" %s (provided by: %s; used by: ", shlib, provider);
const char *pre = "";
for(unsigned int i = 0; i < xbps_array_count(users); i++) {
const char *user;
xbps_array_get_cstring_nocopy(users, i, &user);
xbps_dictionary_remove(usedshlibs, shlib);
printf("%s%s",pre, user);
pre = ", ";
}
puts(")");
}
puts("Changes are commit to stage.");
xbps_object_iterator_release(iter);
// TODO FLUSH STAGE
rv = true;
}
else {
iter = xbps_dictionary_iterator(stage);
while ((keysym = xbps_object_iterator_next(iter))) {
pkgname = xbps_dictionary_keysym_cstring_nocopy(keysym);
xbps_dictionary_t newpkg = xbps_dictionary_get_keysym(stage, keysym);
xbps_dictionary_set(idx, pkgname, newpkg);
}
xbps_object_iterator_release(iter);
rv = repodata_flush(xhp, repodir, idx, meta);
}
xbps_object_release(usedshlibs);
xbps_object_release(oldshlibs);
return rv;
}
