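def testVerifySig(self):
    """
    Check rpmhelper.verifySignatures against a signed RPM fixture.

    The same package is verified through a plain file, a
    util.ExtendedFile and an in-memory StringIO. The test then checks the
    two rejection paths: a trusted-key list that does not contain the
    signer, and a payload whose last byte has been altered.
    """
    from conary.lib import openpgpfile

    rpmName = 'tmpwatch-2.9.7-1.1.el5.2.x86_64.rpm'
    rpmPath = os.path.join(self.archiveDir, rpmName)

    fileObj = file(rpmPath)
    try:
        header = rpmhelper.readHeader(fileObj)
        # The parsed signature is not inspected here; the call only has to
        # succeed on the packet stored in the header.
        openpgpfile.readSignature(header[rpmhelper.SIG_GPG])
        fileObj.seek(0)
        rpmhelper.readSignatureHeader(fileObj)
        k = openpgpfile.getKeyFromString(
            'E8562897', openpgpfile.parseAsciiArmorKey(pgpKeyCentos))
        rpmhelper.verifySignatures(fileObj, [k])
    finally:
        # The original left this handle open for the rest of the test run.
        fileObj.close()

    # Similar deal, fileObj is an ExtendedFile
    extFile = util.ExtendedFile(rpmPath, buffering=False)
    try:
        rpmhelper.verifySignatures(extFile, [k])
        extFile.seek(0)
        contents = extFile.read()
    finally:
        extFile.close()

    # Finally, StringIO
    rpmhelper.verifySignatures(StringIO.StringIO(contents), [k])

    # A signed package checked against a key list that lacks the signer
    # must be rejected, not silently accepted.
    self.assertRaises(rpmhelper.PGPSignatureError,
                      rpmhelper.verifySignatures,
                      StringIO.StringIO(contents), [])

    # Replace last byte
    tampered = StringIO.StringIO(contents[:-1] + "\xff")
    e = self.assertRaises(rpmhelper.MD5SignatureError,
                          rpmhelper.verifySignatures, tampered, [k])
    self.assertEqual(
        str(e),
        'The MD5 digest fails to verify: '
        'expected 6cc7c546c3a5de90bb272b11be2f3d67, got 744d88f4164ec2974b49839a69ea589d'
    )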
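def testVerifySig(self):
    """
    Exercise rpmhelper.verifySignatures on a signed RPM fixture.

    Verification is run on three kinds of input (plain file,
    util.ExtendedFile, StringIO), then on two inputs that must fail: a
    key list without the signing key and a copy with its last byte
    changed.
    """
    from conary.lib import openpgpfile

    rpmName = "tmpwatch-2.9.7-1.1.el5.2.x86_64.rpm"
    rpmPath = os.path.join(self.archiveDir, rpmName)

    fileObj = file(rpmPath)
    try:
        header = rpmhelper.readHeader(fileObj)
        # Only checks that the stored signature packet parses; the result
        # is not used further.
        openpgpfile.readSignature(header[rpmhelper.SIG_GPG])
        fileObj.seek(0)
        rpmhelper.readSignatureHeader(fileObj)
        k = openpgpfile.getKeyFromString("E8562897", openpgpfile.parseAsciiArmorKey(pgpKeyCentos))
        rpmhelper.verifySignatures(fileObj, [k])
    finally:
        # Close the handle explicitly; the original never released it.
        fileObj.close()

    # Similar deal, fileObj is an ExtendedFile
    fileObj = util.ExtendedFile(rpmPath, buffering=False)
    try:
        rpmhelper.verifySignatures(fileObj, [k])
        fileObj.seek(0)
        rpmBytes = fileObj.read()
    finally:
        fileObj.close()

    # Finally, StringIO
    fileObj = StringIO.StringIO(rpmBytes)
    rpmhelper.verifySignatures(fileObj, [k])

    # With keys supplied but none matching the signer, verification has to
    # raise instead of returning normally.
    fileObj.seek(0)
    self.assertRaises(rpmhelper.PGPSignatureError, rpmhelper.verifySignatures, fileObj, [])

    # Replace last byte
    fileObj = StringIO.StringIO(rpmBytes[:-1])
    fileObj.seek(0, 2)
    fileObj.write("\xff")
    fileObj.seek(0)
    e = self.assertRaises(rpmhelper.MD5SignatureError, rpmhelper.verifySignatures, fileObj, [k])
    self.assertEqual(
        str(e),
        "The MD5 digest fails to verify: "
        "expected 6cc7c546c3a5de90bb272b11be2f3d67, got 744d88f4164ec2974b49839a69ea589d",
    )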
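def verifySignatures(f, validKeys=None):
    """
    Verify the MD5 digest and, when keys are given, the GPG signature of
    the RPM in the seekable file-like object f.

    Raises MD5SignatureError when the header carries an MD5 digest that
    does not match the data following the signature header. Raises
    PGPSignatureError when keys are given and the GPG signature was made
    by none of them, or does not verify.

    Returns None in every non-raising case, including the ones where no
    signature was checked: validKeys is None, or the header has no GPG
    signature. A caller that requires an authenticated package must pass
    keys and must separately confirm that the package is signed.

    The MD5 digest is read from the same file as the data it covers, so
    it detects corruption but says nothing about who produced the package.
    """
    f.seek(0)
    h = readHeader(f)

    # Cheap test first: verify MD5 sig
    sigmd5 = h.get(SIG_MD5, None)
    if sigmd5 is not None:
        f.seek(0)
        readSignatureHeader(f)

        # verify md5 digest
        md5 = digestlib.md5()
        util.copyfileobj(f, NullWriter(), digest=md5)
        if md5.digest() != sigmd5:
            raise MD5SignatureError(
                "The MD5 digest fails to verify: expected %s, got %s" %
                (sha1helper.md5ToString(sigmd5), md5.hexdigest()))

    # Don't bother if no gpg signature was present, or no valid keys were
    # presented
    if validKeys is None:
        return
    sigString = h.get(SIG_GPG, None)
    if sigString is None:
        # An unsigned package is accepted here even though keys were given.
        return

    # Skip to immutable header region
    f.seek(0)
    readSignatureHeader(f)
    sig = openpgpfile.readSignature(sigString)

    keyId = sig.getSignerKeyId()
    matchingKeys = [x for x in validKeys if x.hasKeyId(keyId)]
    if not matchingKeys:
        raise PGPSignatureError("Signature generated with key %s does "
            "not match valid keys %s" %
            (keyId, ', '.join(x.getKeyId() for x in validKeys)))

    # Only the first key with a matching id is tried.
    key = matchingKeys[0]

    # signature verification assumes a seekable stream and will seek to the
    # beginning; use a SeekableNestedFile
    size = h.getHeaderPlusPayloadSize()
    if size is None:
        # NOTE(review): this fallback is the length of the whole file, while
        # the nested file below starts after the signature header -- confirm
        # SeekableNestedFile stops cleanly at EOF.
        pos = f.tell()
        f.seek(0, 2)
        size = f.tell()
        f.seek(pos, 0)

    reopened = None
    try:
        if hasattr(f, 'pread'):
            snf = util.SeekableNestedFile(f, start=f.tell(), size=size)
        elif hasattr(f, 'name'):
            # NOTE(review): the signature is checked against whatever is at
            # f.name now, which is presumably but not necessarily the file
            # f was opened from -- confirm callers control that path.
            reopened = util.ExtendedFile(f.name, buffering=False)
            snf = util.SeekableNestedFile(reopened, start=f.tell(),
                size=size)
        else:
            # worst case scenario, we slurp everything in memory
            snf = util.ExtendedStringIO(f.read())

        try:
            sig.verifyDocument(key.getCryptoKey(), snf)
        except openpgpfile.SignatureError:
            raise PGPSignatureError(
                "The GPG signature made with key %s fails to verify" %
                (keyId, ))
    finally:
        # Release the descriptor opened above; f itself stays the caller's.
        if reopened is not None:
            reopened.close()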
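def verifySignatures(f, validKeys = None):
    """
    Check the MD5 digest of the RPM in f and, if validKeys is given, its
    GPG signature. f must support seek(), tell() and read().

    MD5SignatureError is raised when an MD5 digest is present in the
    header and differs from the digest of the data after the signature
    header. PGPSignatureError is raised when the signer's key id is not
    among validKeys, or when the signature does not verify.

    The function returns None both after a successful GPG check and when
    the GPG check was skipped (validKeys is None, or the header has no GPG
    signature). A normal return therefore does not prove the package was
    signed; callers that need that guarantee have to enforce it.

    The MD5 digest comes from the file being checked, so it is an
    integrity check against corruption only.
    """
    f.seek(0)
    h = readHeader(f)

    # Cheap test first: verify MD5 sig
    sigmd5 = h.get(SIG_MD5, None)
    if sigmd5 is not None:
        f.seek(0)
        readSignatureHeader(f)

        # verify md5 digest
        md5 = digestlib.md5()
        util.copyfileobj(f, NullWriter(), digest = md5)
        if md5.digest() != sigmd5:
            raise MD5SignatureError(
                "The MD5 digest fails to verify: expected %s, got %s" %
                (sha1helper.md5ToString(sigmd5), md5.hexdigest()))

    # Don't bother if no gpg signature was present, or no valid keys were
    # presented
    if validKeys is None:
        return
    sigString = h.get(SIG_GPG, None)
    if sigString is None:
        # Keys were supplied but the package is unsigned: accepted as is.
        return

    # Skip to immutable header region
    f.seek(0)
    readSignatureHeader(f)
    sig = openpgpfile.readSignature(sigString)

    keyId = sig.getSignerKeyId()
    matchingKeys = [ x for x in validKeys if x.hasKeyId(keyId) ]
    if not matchingKeys:
        raise PGPSignatureError("Signature generated with key %s does "
            "not match valid keys %s" %
            (keyId, ', '.join(x.getKeyId() for x in validKeys)))

    # The first key carrying the signer's id is the only one tried.
    key = matchingKeys[0]

    # signature verification assumes a seekable stream and will seek to the
    # beginning; use a SeekableNestedFile
    size = h.getHeaderPlusPayloadSize()
    if size is None:
        # NOTE(review): size becomes the full file length although the
        # nested file starts at the current offset -- confirm that reading
        # past EOF is harmless in SeekableNestedFile.
        pos = f.tell()
        f.seek(0, 2)
        size = f.tell()
        f.seek(pos, 0)

    ownedFile = None
    snf = None
    try:
        if hasattr(f, 'pread'):
            extFile = f
        elif hasattr(f, 'name'):
            # NOTE(review): reopening by name verifies the current content
            # of that path, presumably the same file as f -- confirm the
            # path cannot be replaced between open and verification.
            extFile = ownedFile = util.ExtendedFile(f.name, buffering = False)
        else:
            # worst case scenario, we slurp everything in memory
            extFile = util.ExtendedStringIO(f.read())
            snf = extFile
        if snf is None:
            snf = util.SeekableNestedFile(extFile, start = f.tell(),
                size = size)

        try:
            sig.verifyDocument(key.getCryptoKey(), snf)
        except openpgpfile.SignatureError:
            raise PGPSignatureError(
                "The GPG signature made with key %s fails to verify" %
                (keyId, ))
    finally:
        # Close only the handle opened in this function, never the caller's.
        if ownedFile is not None:
            ownedFile.close()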