예제 #1
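    def testVerifySig(self):
        """Verify a signed RPM through three kinds of file object, then tamper.

        The same package is checked via a plain file, a util.ExtendedFile and
        an in-memory StringIO.  Finally the last byte is replaced and the
        check must raise MD5SignatureError with the exact digests below.

        NOTE(review): the tampered copy is rejected by the MD5 digest
        comparison, so this test does not show the PGP signature check
        rejecting modified content; a case expecting
        rpmhelper.PGPSignatureError would be needed for that.
        """
        from conary.lib import openpgpfile

        rpmName = 'tmpwatch-2.9.7-1.1.el5.2.x86_64.rpm'
        rpmPath = os.path.join(self.archiveDir, rpmName)

        # An RPM is binary data: open it in binary mode, and close the handle
        # explicitly instead of leaving it to the garbage collector.
        fileObj = open(rpmPath, 'rb')
        try:
            header = rpmhelper.readHeader(fileObj)
            # Parsed only to confirm that the SIG_GPG tag holds a readable
            # signature; the result itself is not needed.
            openpgpfile.readSignature(header[rpmhelper.SIG_GPG])

            fileObj.seek(0)
            rpmhelper.readSignatureHeader(fileObj)
            # 'E8562897' is a short (8 hex digit) key ID.  It only selects a
            # key from the fixture keyring here; short IDs are not unique
            # enough to identify a key taken from an untrusted source.
            k = openpgpfile.getKeyFromString(
                'E8562897', openpgpfile.parseAsciiArmorKey(pgpKeyCentos))

            rpmhelper.verifySignatures(fileObj, [k])
        finally:
            fileObj.close()

        # Similar deal, fileObj is an ExtendedFile
        fileObj = util.ExtendedFile(rpmPath, buffering=False)
        rpmhelper.verifySignatures(fileObj, [k])

        # Finally, StringIO
        fileObj.seek(0)
        fileObj = StringIO.StringIO(fileObj.read())
        rpmhelper.verifySignatures(fileObj, [k])

        # Replace last byte: drop it, append 0xff, rewind
        fileObj = StringIO.StringIO(fileObj.getvalue()[:-1])
        fileObj.seek(0, 2)
        fileObj.write("\xff")
        fileObj.seek(0)
        e = self.assertRaises(rpmhelper.MD5SignatureError,
                              rpmhelper.verifySignatures, fileObj, [k])
        self.assertEqual(
            str(e), 'The MD5 digest fails to verify: '
            'expected 6cc7c546c3a5de90bb272b11be2f3d67, got 744d88f4164ec2974b49839a69ea589d'
        )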
예제 #2
    def testVerifySig(self):
        """Check RPM signature verification on three stream types, then tamper.

        A plain file, a util.ExtendedFile and a StringIO copy of the same
        package must all verify.  A copy whose last byte was swapped for 0xff
        must raise MD5SignatureError carrying the expected and actual digests.

        NOTE(review): the modified copy is caught by the MD5 digest check, so
        the PGP verification failure path is not covered by this test.
        """
        from conary.lib import openpgpfile

        packagePath = os.path.join(
            self.archiveDir, "tmpwatch-2.9.7-1.1.el5.2.x86_64.rpm")
        stream = file(packagePath)
        rpmHeader = rpmhelper.readHeader(stream)

        # Parse the GPG signature tag; the parsed object is not used further.
        parsedSig = openpgpfile.readSignature(rpmHeader[rpmhelper.SIG_GPG])

        stream.seek(0)
        rpmhelper.readSignatureHeader(stream)
        # Pick the fixture key by its short key ID out of the armored keyring.
        keyring = openpgpfile.parseAsciiArmorKey(pgpKeyCentos)
        k = openpgpfile.getKeyFromString("E8562897", keyring)
        trusted = [k]

        # 1. plain file object
        rpmhelper.verifySignatures(stream, trusted)

        # 2. unbuffered ExtendedFile on the same path
        stream = util.ExtendedFile(packagePath, buffering=False)
        rpmhelper.verifySignatures(stream, trusted)

        # 3. whole package held in memory
        stream.seek(0)
        stream = StringIO.StringIO(stream.read())
        rpmhelper.verifySignatures(stream, trusted)

        # 4. same bytes with the final one replaced by 0xff
        truncated = stream.getvalue()[:-1]
        stream = StringIO.StringIO(truncated)
        stream.seek(0, 2)
        stream.write("\xff")
        stream.seek(0)

        expectedMessage = (
            "The MD5 digest fails to verify: "
            "expected 6cc7c546c3a5de90bb272b11be2f3d67, got 744d88f4164ec2974b49839a69ea589d"
        )
        err = self.assertRaises(
            rpmhelper.MD5SignatureError,
            rpmhelper.verifySignatures, stream, trusted)
        self.assertEqual(str(err), expectedMessage)
예제 #3
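def verifySignatures(f, validKeys=None):
    """
    Check the MD5 digest and, when keys are given, the PGP signature of an
    RPM read from the seekable file object f.

    f is rewound here, so its position on entry does not matter.  validKeys
    is a list of key objects offering hasKeyId(), getKeyId() and
    getCryptoKey(); it is iterated more than once.

    Raises MD5SignatureError when the SIG_MD5 header value differs from the
    MD5 of the data read after the signature header.  Raises
    PGPSignatureError when the signer's key ID matches none of validKeys, or
    when verifyDocument() raises openpgpfile.SignatureError.

    Security notes for callers:

    * A normal return does not mean a signature was checked.  The function
      returns silently when validKeys is None, and also when keys were given
      but the header carries no SIG_GPG entry.  A caller that requires
      signed packages must reject packages without SIG_GPG itself.
    * The MD5 comparison only detects corruption.  MD5 is not collision
      resistant and the expected digest comes from the file being checked,
      so it says nothing about who produced the package.
    * Only the first key in validKeys whose hasKeyId() matches is tried.
    * For a file object that has a name but no pread(), the signed data is
      re-read from f.name through a new handle, so what gets verified is
      whatever that path holds at that moment.  Pass an object with pread()
      or an in-memory stream when the path can be changed by others.
    """
    f.seek(0)
    h = readHeader(f)

    # Cheap test first: verify MD5 sig
    sigmd5 = h.get(SIG_MD5, None)
    if sigmd5 is not None:
        f.seek(0)
        # presumably leaves f positioned just past the signature header
        readSignatureHeader(f)

        # verify md5 digest over everything from here to end of file
        md5 = digestlib.md5()
        util.copyfileobj(f, NullWriter(), digest=md5)
        if md5.digest() != sigmd5:
            raise MD5SignatureError(
                "The MD5 digest fails to verify: expected %s, got %s" %
                (sha1helper.md5ToString(sigmd5), md5.hexdigest()))

    # Don't bother if no gpg signature was present, or no valid keys were
    # presented.  Both cases return without raising (see docstring).
    if validKeys is None:
        return
    sigString = h.get(SIG_GPG, None)
    if sigString is None:
        return
    # Skip to immutable header region
    f.seek(0)
    readSignatureHeader(f)
    sig = openpgpfile.readSignature(sigString)

    keyId = sig.getSignerKeyId()
    matchingKeys = [x for x in validKeys if x.hasKeyId(keyId)]
    if not matchingKeys:
        raise PGPSignatureError("Signature generated with key %s does "
                                "not match valid keys %s" %
                                (keyId, ', '.join(x.getKeyId()
                                                  for x in validKeys)))

    key = matchingKeys[0]

    # signature verification assumes a seekable stream and will seek to the
    # beginning; use a SeekableNestedFile
    size = h.getHeaderPlusPayloadSize()
    if size is None:
        # No size recorded: the signed region is everything from the current
        # position to end of file.  The nested file below starts at this same
        # position, so its length is the remaining byte count, not the
        # absolute end-of-file offset.
        pos = f.tell()
        f.seek(0, 2)
        size = f.tell() - pos
        f.seek(pos, 0)
    snf = None
    if hasattr(f, 'pread'):
        extFile = f
    elif hasattr(f, 'name'):
        # Re-opens the path rather than reusing the caller's handle.
        # NOTE(review): this handle is not explicitly closed here.
        extFile = util.ExtendedFile(f.name, buffering=False)
    else:
        # worst case scenario, we slurp everything in memory
        extFile = util.ExtendedStringIO(f.read())
        snf = extFile
    if snf is None:
        snf = util.SeekableNestedFile(extFile, start=f.tell(), size=size)
    try:
        sig.verifyDocument(key.getCryptoKey(), snf)
    except openpgpfile.SignatureError:
        # The underlying error detail is dropped; callers see a bare
        # PGPSignatureError.
        raise PGPSignatureError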
예제 #4
def verifySignatures(f, validKeys = None):
    """
    Verify an RPM's MD5 digest and, if keys are supplied, its PGP signature.

    f must be seekable; it is rewound before use.  validKeys is a list of
    key objects (hasKeyId / getKeyId / getCryptoKey) and is walked more than
    once.

    Raises MD5SignatureError on a digest mismatch, and PGPSignatureError when
    no supplied key matches the signer's key ID or the signature does not
    verify.

    Returns None without raising when validKeys is None, or when the header
    has no SIG_GPG entry; a normal return is therefore not evidence that a
    PGP signature was verified.  The MD5 step only detects corruption, since
    the expected digest is read from the same file.
    """
    f.seek(0)
    header = readHeader(f)

    # Inexpensive integrity check first.
    expectedDigest = header.get(SIG_MD5, None)
    if expectedDigest is not None:
        f.seek(0)
        readSignatureHeader(f)

        hasher = digestlib.md5()
        util.copyfileobj(f, NullWriter(), digest = hasher)
        if hasher.digest() != expectedDigest:
            details = (sha1helper.md5ToString(expectedDigest),
                       hasher.hexdigest())
            raise MD5SignatureError(
                "The MD5 digest fails to verify: expected %s, got %s" %
                    details)

    # Nothing further to do without keys or without a PGP signature.
    if validKeys is None:
        return
    rawSignature = header.get(SIG_GPG, None)
    if rawSignature is None:
        return

    # Position f at the start of the immutable header region.
    f.seek(0)
    readSignatureHeader(f)
    signature = openpgpfile.readSignature(rawSignature)

    signerId = signature.getSignerKeyId()
    candidates = []
    for candidate in validKeys:
        if candidate.hasKeyId(signerId):
            candidates.append(candidate)
    if not candidates:
        knownIds = ', '.join(x.getKeyId() for x in validKeys)
        raise PGPSignatureError("Signature generated with key %s does "
              "not match valid keys %s" %
              (signerId, knownIds))

    # Only the first matching key is tried.
    signingKey = candidates[0]

    # verifyDocument needs a seekable stream that it can rewind, so hand it
    # a view limited to the signed region.
    regionSize = header.getHeaderPlusPayloadSize()
    if regionSize is None:
        # NOTE(review): this stores the absolute end-of-file offset, while
        # the nested file below starts at f.tell(); confirm that an
        # over-long size is harmless for SeekableNestedFile.
        resumeAt = f.tell()
        f.seek(0, 2)
        regionSize = f.tell()
        f.seek(resumeAt, 0)

    if hasattr(f, 'pread'):
        document = util.SeekableNestedFile(f, start = f.tell(),
                                           size = regionSize)
    elif hasattr(f, 'name'):
        # The path is opened again instead of reusing the caller's handle;
        # the bytes verified are whatever the path holds at this point.
        reopened = util.ExtendedFile(f.name, buffering = False)
        document = util.SeekableNestedFile(reopened, start = f.tell(),
                                           size = regionSize)
    else:
        # Last resort: read the remainder of the stream into memory.
        document = util.ExtendedStringIO(f.read())

    try:
        signature.verifyDocument(signingKey.getCryptoKey(), document)
    except openpgpfile.SignatureError:
        raise PGPSignatureError