def sign(infile, outfile, fingerprint):
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP,
None,
'/var/cache/elbe/gnupg')
key = None
try:
key = ctx.get_key(fingerprint, 0)
except Exception as ex:
print("no key with fingerprint %s: %s" % (fingerprint, ex.message))
unlock_key(key.fpr)
ctx.signers_add(key)
ctx.set_armor(False)
try:
indata = core.Data(file=infile)
outdata = core.Data()
ctx.op_sign(indata, outdata, sig.mode.NORMAL)
outdata.seek(0, os.SEEK_SET)
signature = outdata.read()
with open(outfile, 'w') as fd:
fd.write(signature)
except Exception as ex:
print("Error signing file %s" % ex.message)
def unsign_file(fname):
# check for .gpg extension and create an output filename without it
if len(fname) <= 4 or fname[len(fname) - 4:] != '.gpg':
print("The input file needs a .gpg extension")
return None
outfilename = fname[:len(fname) - 4]
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg')
ctx.set_armor(False)
overall_status = OverallStatus()
try:
infile = core.Data(file=fname)
outfile = core.Data(file=outfilename)
except (GPGMEError, ValueError) as E:
print("Error: Opening file %s or %s - %s" % (fname, outfilename, E))
else:
# obtain signature and write unsigned file
ctx.op_verify(infile, None, outfile)
vres = ctx.op_verify_result()
for signature in vres.signatures:
status = check_signature(ctx, signature)
overall_status.add(status)
if overall_status.to_exitcode():
return None
return outfilename
return None
def get_fingerprints():
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg')
keys = ctx.op_keylist_all(None, False)
fingerprints = []
for k in keys:
fingerprints.append(k.subkeys[0].fpr)
return fingerprints
def unlock_key(fingerprint):
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg')
key = ctx.get_key(fingerprint, secret=True)
keygrip = key.subkeys[0].keygrip
system("/usr/lib/gnupg/gpg-preset-passphrase "
"--preset -P requiredToAvoidUserInput %s" % str(keygrip),
env_add={"GNUPGHOME": "/var/cache/elbe/gnupg"})
def generate_elbe_internal_key():
hostfs.mkdir_p("/var/cache/elbe/gnupg")
hostfs.write_file("/var/cache/elbe/gnupg/gpg-agent.conf", 0o600,
"allow-preset-passphrase")
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg')
ctx.op_genkey(elbe_internal_key_param, None, None)
key = ctx.op_genkey_result()
return key.fpr
def sign(infile, outfile, fingerprint):
ctx = core.Context()
try:
ctx.set_engine_info(PROTOCOL_OpenPGP,
None,
'/var/cache/elbe/gnupg')
except GPGMEError as E:
print("Error: Can't set engine info - %s", E)
return
key = None
try:
key = ctx.get_key(fingerprint, 0)
except (KeyNotFound, GPGMEError, AssertionError) as E:
print("Error: No key with fingerprint %s - %s" % (fingerprint, E))
return
else:
unlock_key(key.fpr)
ctx.signers_add(key)
ctx.set_armor(False)
try:
indata = core.Data(file=infile)
except (GPGMEError, ValueError) as E:
print("Error: Opening file %s - %s" %
(infile, E))
else:
outdata = core.Data()
try:
ctx.op_sign(indata, outdata, sig.mode.NORMAL)
except InvalidSigners as E:
print("Error: Invalid signer - %s", E)
except GPGMEError as E:
print("Error: While signing - %s", E)
else:
outdata.seek(0, os.SEEK_SET)
signature = outdata.read()
with open(outfile, 'w') as fd:
fd.write(signature)
def unsign_file(fname):
# check for .gpg extension and create an output filename without it
if len(fname) <= 4 or fname[len(fname) - 4:] != '.gpg':
print("The input file needs a .gpg extension")
return None
outfilename = fname[:len(fname) - 4]
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP,
None,
'/var/cache/elbe/gnupg')
ctx.set_armor(False)
try:
overall_status = OverallStatus()
with core.Data(file=fname) as infile:
with core.Data(file=outfilename) as outfile:
# obtain signature and write unsigned file
ctx.op_verify(infile, None, outfile)
vres = ctx.op_verify_result()
for sig in vres.signatures:
status = check_signature(ctx, sig)
overall_status.add(status)
if overall_status.to_exitcode():
return None
return outfilename
except IOError as ex:
print(ex.message)
except Exception as ex:
print("Error checking the file %s: %s" % (fname, ex.message))
return None
def download_release(tmp, base_url):
# setup gpg context, for verifying
# the Release.gpg signature.
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP, None, tmp.fname('/'))
# download the Relase file to a tmp file,
# because we need it 2 times
download(base_url + "Release", tmp.fname('Release'))
# validate signature.
# open downloaded plaintext file, and
# use the urlopen object of the Release.gpg
# directtly.
sig = urlopen(base_url + 'Release.gpg', None, 10)
try:
with tmp.open("Release", "r") as signed:
overall_status = OverallStatus()
# verify detached signature
det_sign = core.Data(sig.read())
signed_data = core.Data(signed.read())
ctx.op_verify(det_sign, signed_data, None)
vres = ctx.op_verify_result()
for s in vres.signatures:
status = check_signature(ctx, s)
overall_status.add(status)
if overall_status.to_exitcode():
raise InvalidSignature('Failed to verify Release file')
finally:
sig.close()
def execute(self, buildenv, target):
# pylint: disable=too-many-locals
if self.node.et.text:
fp = self.node.et.text
logging.info("transfert gpg key to target: %s", fp)
gpgdata = core.Data()
ctx = core.Context()
ctx.set_engine_info(PROTOCOL_OpenPGP, None,
'/var/cache/elbe/gnupg')
ctx.set_armor(True)
unlock_key(fp)
ctx.op_export(fp, 0, gpgdata)
gpgdata.seek(0, os.SEEK_SET)
key = gpgdata.read()
logging.info(str(key))
with open((target.path + '/pub.key'), 'wb') as tkey:
tkey.write(key)
target.mkdir_p("/var/cache/elbe/gnupg", mode=0o700)
with target:
env_add = {'GNUPGHOME': target.path + "/var/cache/elbe/gnupg"}
cmd = "gpg --import %s%s" % (target.path, "/pub.key")
do(cmd, env_add=env_add)
logging.info("generate base repo")
arch = target.xml.text("project/arch", key="arch")
buildenv.rfs.mkdir_p('/tmp/pkgs')
with buildenv:
cache = get_rpcaptcache(buildenv.rfs, arch)
pkglist = cache.get_installed_pkgs()
for pkg in pkglist:
try:
cache.download_binary(pkg.name, '/tmp/pkgs',
pkg.installed_version)
except ValueError:
logging.exception("No package %s-%s", pkg.name,
pkg.installed_version)
except FetchError:
logging.exception("Package %s-%s could not be downloaded",
pkg.name, pkg.installed_version)
except TypeError:
logging.exception("Package %s-%s missing name or version",
pkg.name, pkg.installed_version)
r = UpdateRepo(target.xml, target.path + '/var/cache/elbe/repos/base')
for d in buildenv.rfs.glob('tmp/pkgs/*.deb'):
r.includedeb(d, 'main')
r.finalize()
slist = target.path + '/etc/apt/sources.list.d/base.list'
slist_txt = 'deb [trusted=yes] file:///var/cache/elbe/repos/base '
slist_txt += target.xml.text("/project/suite")
slist_txt += " main"
with open(slist, 'w') as apt_source:
apt_source.write(slist_txt)
rmtree(buildenv.rfs.path + '/tmp/pkgs')
# allow downgrades by default
target.touch_file('/var/cache/elbe/.downgrade_allowed')
