def sign(infile, outfile, fingerprint): ctx = core.Context() ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg') key = None try: key = ctx.get_key(fingerprint, 0) except Exception as ex: print("no key with fingerprint %s: %s" % (fingerprint, ex.message)) unlock_key(key.fpr) ctx.signers_add(key) ctx.set_armor(False) try: indata = core.Data(file=infile) outdata = core.Data() ctx.op_sign(indata, outdata, sig.mode.NORMAL) outdata.seek(0, os.SEEK_SET) signature = outdata.read() with open(outfile, 'w') as fd: fd.write(signature) except Exception as ex: print("Error signing file %s" % ex.message)
def unsign_file(fname): # check for .gpg extension and create an output filename without it if len(fname) <= 4 or fname[len(fname) - 4:] != '.gpg': print("The input file needs a .gpg extension") return None outfilename = fname[:len(fname) - 4] ctx = core.Context() ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg') ctx.set_armor(False) overall_status = OverallStatus() try: infile = core.Data(file=fname) outfile = core.Data(file=outfilename) except (GPGMEError, ValueError) as E: print("Error: Opening file %s or %s - %s" % (fname, outfilename, E)) else: # obtain signature and write unsigned file ctx.op_verify(infile, None, outfile) vres = ctx.op_verify_result() for signature in vres.signatures: status = check_signature(ctx, signature) overall_status.add(status) if overall_status.to_exitcode(): return None return outfilename return None
def sign(infile, outfile, fingerprint): ctx = core.Context() try: ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg') except GPGMEError as E: print("Error: Can't set engine info - %s", E) return key = None try: key = ctx.get_key(fingerprint, 0) except (KeyNotFound, GPGMEError, AssertionError) as E: print("Error: No key with fingerprint %s - %s" % (fingerprint, E)) return else: unlock_key(key.fpr) ctx.signers_add(key) ctx.set_armor(False) try: indata = core.Data(file=infile) except (GPGMEError, ValueError) as E: print("Error: Opening file %s - %s" % (infile, E)) else: outdata = core.Data() try: ctx.op_sign(indata, outdata, sig.mode.NORMAL) except InvalidSigners as E: print("Error: Invalid signer - %s", E) except GPGMEError as E: print("Error: While signing - %s", E) else: outdata.seek(0, os.SEEK_SET) signature = outdata.read() with open(outfile, 'w') as fd: fd.write(signature)
def unsign_file(fname): # check for .gpg extension and create an output filename without it if len(fname) <= 4 or fname[len(fname) - 4:] != '.gpg': print("The input file needs a .gpg extension") return None outfilename = fname[:len(fname) - 4] ctx = core.Context() ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg') ctx.set_armor(False) try: overall_status = OverallStatus() with core.Data(file=fname) as infile: with core.Data(file=outfilename) as outfile: # obtain signature and write unsigned file ctx.op_verify(infile, None, outfile) vres = ctx.op_verify_result() for sig in vres.signatures: status = check_signature(ctx, sig) overall_status.add(status) if overall_status.to_exitcode(): return None return outfilename except IOError as ex: print(ex.message) except Exception as ex: print("Error checking the file %s: %s" % (fname, ex.message)) return None
def download_release(tmp, base_url): # setup gpg context, for verifying # the Release.gpg signature. ctx = core.Context() ctx.set_engine_info(PROTOCOL_OpenPGP, None, tmp.fname('/')) # download the Relase file to a tmp file, # because we need it 2 times download(base_url + "Release", tmp.fname('Release')) # validate signature. # open downloaded plaintext file, and # use the urlopen object of the Release.gpg # directtly. sig = urlopen(base_url + 'Release.gpg', None, 10) try: with tmp.open("Release", "r") as signed: overall_status = OverallStatus() # verify detached signature det_sign = core.Data(sig.read()) signed_data = core.Data(signed.read()) ctx.op_verify(det_sign, signed_data, None) vres = ctx.op_verify_result() for s in vres.signatures: status = check_signature(ctx, s) overall_status.add(status) if overall_status.to_exitcode(): raise InvalidSignature('Failed to verify Release file') finally: sig.close()
def execute(self, buildenv, target): # pylint: disable=too-many-locals if self.node.et.text: fp = self.node.et.text logging.info("transfert gpg key to target: %s", fp) gpgdata = core.Data() ctx = core.Context() ctx.set_engine_info(PROTOCOL_OpenPGP, None, '/var/cache/elbe/gnupg') ctx.set_armor(True) unlock_key(fp) ctx.op_export(fp, 0, gpgdata) gpgdata.seek(0, os.SEEK_SET) key = gpgdata.read() logging.info(str(key)) with open((target.path + '/pub.key'), 'wb') as tkey: tkey.write(key) target.mkdir_p("/var/cache/elbe/gnupg", mode=0o700) with target: env_add = {'GNUPGHOME': target.path + "/var/cache/elbe/gnupg"} cmd = "gpg --import %s%s" % (target.path, "/pub.key") do(cmd, env_add=env_add) logging.info("generate base repo") arch = target.xml.text("project/arch", key="arch") buildenv.rfs.mkdir_p('/tmp/pkgs') with buildenv: cache = get_rpcaptcache(buildenv.rfs, arch) pkglist = cache.get_installed_pkgs() for pkg in pkglist: try: cache.download_binary(pkg.name, '/tmp/pkgs', pkg.installed_version) except ValueError: logging.exception("No package %s-%s", pkg.name, pkg.installed_version) except FetchError: logging.exception("Package %s-%s could not be downloaded", pkg.name, pkg.installed_version) except TypeError: logging.exception("Package %s-%s missing name or version", pkg.name, pkg.installed_version) r = UpdateRepo(target.xml, target.path + '/var/cache/elbe/repos/base') for d in buildenv.rfs.glob('tmp/pkgs/*.deb'): r.includedeb(d, 'main') r.finalize() slist = target.path + '/etc/apt/sources.list.d/base.list' slist_txt = 'deb [trusted=yes] file:///var/cache/elbe/repos/base ' slist_txt += target.xml.text("/project/suite") slist_txt += " main" with open(slist, 'w') as apt_source: apt_source.write(slist_txt) rmtree(buildenv.rfs.path + '/tmp/pkgs') # allow downgrades by default target.touch_file('/var/cache/elbe/.downgrade_allowed')