2026N/A

2026N/A

2026N/Aimport getopt

2026N/Aimport gettext

2962N/Aimport locale

2026N/Aimport os

2026N/Aimport shutil

2026N/Aimport sys

2026N/Aimport tempfile

2026N/Aimport traceback

2026N/Aimport urllib

2026N/Aimport urlparse

2026N/A

2026N/Aimport pkg

2026N/Aimport pkg.actions as actions

2026N/Aimport pkg.client.api_errors as api_errors

2962N/Aimport pkg.client.transport.transport as transport

2026N/Aimport pkg.config as cfg

2026N/Aimport pkg.fmri as fmri

2026N/Aimport pkg.manifest as manifest

2026N/Aimport pkg.misc as misc

2026N/Aimport pkg.publish.transaction as trans

2962N/Aimport pkg.server.repository as sr

2026N/Afrom pkg.client import global_settings

2414N/Afrom pkg.misc import emsg, msg, PipeError

2026N/A

2026N/APKG_CLIENT_NAME = "pkgsign"

2026N/A

2026N/AEXIT_OK = 0

2026N/AEXIT_OOPS = 1

2026N/AEXIT_BADOPT = 2

2026N/AEXIT_PARTIAL = 3

2026N/A

2026N/Arepo_cache = {}

2026N/A

2026N/Adef error(text, cmd=None):

2026N/A """Emit an error message prefixed by the command name """

2026N/A

2026N/A if cmd:

3158N/A text = "%s: %s" % (cmd, text)

2962N/A

2026N/A else:

3158N/A text = "%s: %s" % (PKG_CLIENT_NAME, text)

2026N/A

2026N/A

2026N/A # If the message starts with whitespace, assume that it should come

2026N/A # *before* the command-name prefix.

2026N/A text_nows = text.lstrip()

2026N/A ws = text[:len(text) - len(text_nows)]

2026N/A

2026N/A # This has to be a constant value as we can't reliably get our actual

2026N/A # program name on all platforms.

2026N/A emsg(ws + text_nows)

2026N/A

2026N/Adef usage(usage_error=None, cmd=None, retcode=EXIT_BADOPT):

2026N/A """Emit a usage message and optionally prefix it with a more specific

2026N/A

2026N/A if usage_error:

2026N/A error(usage_error, cmd=cmd)

2026N/A emsg (_("""\

2026N/A"""))

2026N/A

2026N/A sys.exit(retcode)

2026N/A

2405N/Adef fetch_catalog(src_pub, xport, temp_root, list_packages=False):

2026N/A """Fetch the catalog from src_uri."""

2026N/A global complete_catalog

2026N/A

2026N/A src_uri = src_pub.selected_repository.origins[0].uri

2026N/A # tracker.catalog_start(src_uri)

2026N/A

2026N/A if not src_pub.meta_root:

2026N/A # Create a temporary directory for catalog.

2026N/A cat_dir = tempfile.mkdtemp(dir=temp_root)

2026N/A src_pub.meta_root = cat_dir

2405N/A

2026N/A src_pub.transport = xport

2414N/A src_pub.refresh(True, True)

2414N/A

2414N/A if not list_packages:

2414N/A return

3158N/A

3158N/A cat = src_pub.catalog

3158N/A

2414N/A d = {}

2414N/A fmri_list = []

2414N/A for f in cat.fmris():

2414N/A fmri_list.append(f)

2414N/A d.setdefault(f.pkg_name, [f]).append(f)

2026N/A for k in d.keys():

2026N/A d[k].sort(reverse=True)

2728N/A

2728N/A complete_catalog = d

2026N/A return fmri_list

2026N/A

2026N/Adef main_func():

2962N/A misc.setlocale(locale.LC_ALL, "", error)

2405N/A gettext.install("pkg", "/usr/share/locale")

2026N/A global_settings.client_name = "pkgsign"

3158N/A

2026N/A try:

2026N/A opts, pargs = getopt.getopt(sys.argv[1:], "a:c:i:k:s:",

2026N/A ["help", "no-index", "no-catalog", "sign-all"])

2026N/A except getopt.GetoptError, e:

2026N/A usage(_("illegal global option -- %s") % e.opt)

2026N/A

2026N/A show_usage = False

2026N/A sig_alg = "rsa-sha256"

2405N/A cert_path = None

2026N/A key_path = None

2268N/A chain_certs = []

2026N/A refresh_index = True

2026N/A add_to_catalog = True

2026N/A set_alg = False

2026N/A sign_all = False

2026N/A

2026N/A try:

2026N/A repo_uri = os.environ["PKG_REPO"]

3158N/A except KeyError:

3158N/A repo_uri = "http://localhost:10000"

2026N/A

2026N/A for opt, arg in opts:

2026N/A if opt == "-a":

3158N/A sig_alg = arg

3158N/A set_alg = True

2026N/A elif opt == "-c":

2026N/A cert_path = os.path.abspath(arg)

2026N/A if not os.path.isfile(cert_path):

2026N/A usage(_("%s was expected to be a certificate "

3158N/A "but isn't a file.") % cert_path)

3158N/A elif opt == "-i":

2405N/A p = os.path.abspath(arg)

2405N/A if not os.path.isfile(p):

2026N/A usage(_("%s was expected to be a certificate "

2268N/A "but isn't a file.") % p)

2026N/A chain_certs.append(p)

2026N/A elif opt == "-k":

2026N/A key_path = os.path.abspath(arg)

2026N/A if not os.path.isfile(key_path):

2962N/A usage(_("%s was expected to be a key file "

2962N/A "but isn't a file.") % key_path)

2962N/A elif opt == "-s":

2962N/A repo_uri = arg

2962N/A elif opt == "--help":

3158N/A show_usage = True

3158N/A elif opt == "--no-index":

3158N/A refresh_index = False

2026N/A elif opt == "--no-catalog":

2026N/A add_to_catalog = False

2026N/A elif opt == "--sign-all":

2268N/A sign_all = True

2268N/A

2268N/A if show_usage:

2026N/A usage(retcode=EXIT_OK)

2026N/A

2026N/A if key_path and not cert_path:

2026N/A usage(_("If a key is given to sign with, its associated "

2026N/A "certificate must be given."))

2026N/A

2026N/A if cert_path and not key_path:

2026N/A usage(_("If a certificate is given, its associated key must be "

2026N/A "given."))

2026N/A

2026N/A if chain_certs and not cert_path:

2026N/A usage(_("Intermediate certificates are only valid if a key "

2405N/A "and certificate are also provided."))

2405N/A

2405N/A if not pargs and not sign_all:

2026N/A usage(_("At least one fmri must be provided for signing."))

2026N/A

2026N/A if pargs and sign_all:

2026N/A usage(_("No fmris may be provided if the sign-all option is "

2026N/A "set."))

2026N/A

3158N/A if not set_alg and not key_path:

3158N/A sig_alg = "sha256"

2026N/A

3158N/A s, h = actions.signature.SignatureAction.decompose_sig_alg(sig_alg)

2026N/A if h is None:

3158N/A usage(_("%s is not a recognized signature algorithm.") %

2026N/A sig_alg)

3158N/A if s and not key_path:

2026N/A usage(_("Using %s as the signature algorithm requires that a "

3158N/A "key and certificate pair be presented using the -k and -c "

2026N/A "options.") % sig_alg)

2962N/A if not s and key_path:

2962N/A usage(_("The %s hash algorithm does not use a key or "

2962N/A "certificate. Do not use the -k or -c options with this "

2026N/A "algorithm.") % sig_alg)

2026N/A

2026N/A errors = []

2026N/A

2026N/A t = misc.config_temp_root()

2962N/A temp_root = tempfile.mkdtemp(dir=t)

2026N/A del t

2026N/A

2286N/A cache_dir = tempfile.mkdtemp(dir=temp_root)

2414N/A incoming_dir = tempfile.mkdtemp(dir=temp_root)

2026N/A

2026N/A try:

2414N/A xport, xport_cfg = transport.setup_transport()

2414N/A xport_cfg.cached_download_dir = cache_dir

2414N/A xport_cfg.incoming_download_dir = incoming_dir

2414N/A

2414N/A # Configure src publisher

2414N/A src_pub = transport.setup_publisher(repo_uri, "source", xport,

2026N/A xport_cfg, remote_prefix=True)

2073N/A fmris = fetch_catalog(src_pub, xport, temp_root,

2073N/A list_packages=sign_all)

2026N/A if not sign_all:

2405N/A fmris = pargs

2405N/A succesful_publish = False

2026N/A

2405N/A for pfmri in fmris:

2028N/A try:

2026N/A if isinstance(pfmri, basestring):

2405N/A pfmri = fmri.PkgFmri(pfmri)

2405N/A

2405N/A # Get the existing manifest for the package to

2405N/A # be sign.

2405N/A m_str = xport.get_manifest(pfmri,

2405N/A content_only=True, pub=src_pub)

2405N/A m = manifest.Manifest()

2026N/A m.set_content(m_str)

2405N/A

2405N/A # Construct the base signature action.

2405N/A attrs = { "algorithm": sig_alg }

2405N/A a = actions.signature.SignatureAction(cert_path,

2405N/A **attrs)

2405N/A a.hash = cert_path

2405N/A

2405N/A # Add the action to the manifest to be signed

2405N/A # since the action signs itself.

2405N/A m.add_action(a, misc.EmptyI)

2405N/A

2405N/A # Set the signature value and certificate

2405N/A # information for the signature action.

2405N/A a.set_signature(m.gen_actions(),

2591N/A key_path=key_path, chain_paths=chain_certs)

2405N/A

2405N/A # Append the finished signature action to the

2405N/A # published manifest.

2405N/A t = trans.Transaction(repo_uri,

2405N/A pkg_name=str(pfmri), xport=xport,

2405N/A pub=src_pub, refresh_index=refresh_index)

2405N/A t.append()

2405N/A try:

2405N/A t.add(a)

2026N/A for c in chain_certs:

2405N/A t.add_file(c)

2405N/A t.close(refresh_index=refresh_index,

2026N/A add_to_catalog=add_to_catalog)

2405N/A except:

2026N/A t.close(abandon=True)

2026N/A raise

2026N/A msg(_("Signed %s") % pfmri)

2073N/A succesful_publish = True

2026N/A except (api_errors.ApiException, fmri.FmriError,

2026N/A trans.TransactionError), e:

2026N/A errors.append(e)

2026N/A if errors:

2026N/A error("\n".join([str(e) for e in errors]))

2026N/A if succesful_publish:

2026N/A return EXIT_PARTIAL

2026N/A else:

2026N/A return EXIT_OOPS

2026N/A return EXIT_OK

2026N/A except (api_errors.TransportError,

2026N/A api_errors.UnsupportedRepositoryURI),e:

2026N/A error(e)

2026N/A return EXIT_OOPS

2286N/A finally:

2286N/A shutil.rmtree(cache_dir)

2286N/A shutil.rmtree(incoming_dir)

2286N/A

2962N/Aif __name__ == "__main__":

2962N/A try:

2962N/A __ret = main_func()

2286N/A except (PipeError, KeyboardInterrupt):

2962N/A # We don't want to display any messages here to prevent

2962N/A # possible further broken pipe (EPIPE) errors.

2286N/A __ret = EXIT_OOPS

2286N/A except SystemExit, _e:

2286N/A raise _e

2286N/A except:

2286N/A traceback.print_exc()

2286N/A error(

2286N/A _("\n\nThis is an internal error. Please let the "

2286N/A "developers know about this\nproblem by filing a bug at "

2286N/A "http://defect.opensolaris.org and including the\nabove "

2286N/A "traceback and this message. The version of pkg(5) is "

2286N/A "'%s'.") % pkg.VERSION)

2286N/A __ret = 99

2286N/A sys.exit(__ret)

2286N/A