Cross Reference: /pkg/src/sign.py
sign.py revision 3339
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
3177N/A#!/usr/bin/python2.7
2026N/A#
2026N/A# CDDL HEADER START
2026N/A#
2026N/A# The contents of this file are subject to the terms of the
2026N/A# Common Development and Distribution License (the "License").
2026N/A# You may not use this file except in compliance with the License.
2026N/A#
2026N/A# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2026N/A# or http://www.opensolaris.org/os/licensing.
2026N/A# See the License for the specific language governing permissions
2026N/A# and limitations under the License.
2026N/A#
2026N/A# When distributing Covered Code, include this CDDL HEADER in each
2026N/A# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2026N/A# If applicable, add the following below this CDDL HEADER, with the
2026N/A# fields enclosed by brackets "[]" replaced with your own identifying
2026N/A# information: Portions Copyright [yyyy] [name of copyright owner]
2026N/A#
2026N/A# CDDL HEADER END
2026N/A#
2026N/A
2026N/A#
3321N/A# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
2026N/A#
2026N/A
2026N/Aimport getopt
2026N/Aimport gettext
2962N/Aimport hashlib
2026N/Aimport locale
2026N/Aimport os
2026N/Aimport shutil
2026N/Aimport sys
2026N/Aimport tempfile
2026N/Aimport traceback
3339N/Aif sys.version_info[:2] >= (3, 4):
3339N/A from importlib import reload
3339N/Aelse:
3339N/A from imp import reload
3321N/A
3321N/Afrom cryptography import x509
3321N/Afrom cryptography.hazmat.backends import default_backend
3321N/Afrom cryptography.hazmat.primitives import serialization
3194N/Afrom imp import reload
2026N/A
2026N/Aimport pkg
2026N/Aimport pkg.actions as actions
2026N/Aimport pkg.client.api_errors as api_errors
2026N/Aimport pkg.client.transport.transport as transport
2962N/Aimport pkg.digest as digest
2026N/Aimport pkg.fmri as fmri
2026N/Aimport pkg.manifest as manifest
2026N/Aimport pkg.misc as misc
2026N/Aimport pkg.publish.transaction as trans
2026N/Afrom pkg.client import global_settings
2962N/Afrom pkg.client.debugvalues import DebugValues
2026N/Afrom pkg.misc import emsg, msg, PipeError
2026N/A
2026N/APKG_CLIENT_NAME = "pkgsign"
2026N/A
2026N/A# pkg exit codes
2026N/AEXIT_OK = 0
2026N/AEXIT_OOPS = 1
2026N/AEXIT_BADOPT = 2
2026N/AEXIT_PARTIAL = 3
2026N/A
2026N/Arepo_cache = {}
2026N/A
2026N/Adef error(text, cmd=None):
2026N/A """Emit an error message prefixed by the command name """
2026N/A
2026N/A if cmd:
3158N/A text = "{0}: {1}".format(cmd, text)
2962N/A
2026N/A else:
3158N/A text = "{0}: {1}".format(PKG_CLIENT_NAME, text)
2026N/A
2026N/A
2026N/A # If the message starts with whitespace, assume that it should come
2026N/A # *before* the command-name prefix.
2026N/A text_nows = text.lstrip()
2026N/A ws = text[:len(text) - len(text_nows)]
2026N/A
2026N/A # This has to be a constant value as we can't reliably get our actual
2026N/A # program name on all platforms.
2026N/A emsg(ws + text_nows)
2026N/A
2026N/Adef usage(usage_error=None, cmd=None, retcode=EXIT_BADOPT):
2026N/A """Emit a usage message and optionally prefix it with a more specific
2026N/A error message. Causes program to exit."""
2026N/A
2026N/A if usage_error:
2026N/A error(usage_error, cmd=cmd)
2026N/A emsg (_("""\
2026N/AUsage:
2405N/A pkgsign -s path_or_uri [-acikn] [--no-index] [--no-catalog]
2405N/A (fmri|pattern) ...
2026N/A"""))
2026N/A
2026N/A sys.exit(retcode)
2026N/A
2405N/Adef fetch_catalog(src_pub, xport, temp_root):
2026N/A """Fetch the catalog from src_uri."""
2026N/A
2026N/A if not src_pub.meta_root:
2026N/A # Create a temporary directory for catalog.
2026N/A cat_dir = tempfile.mkdtemp(dir=temp_root)
2026N/A src_pub.meta_root = cat_dir
2026N/A
2026N/A src_pub.transport = xport
2026N/A src_pub.refresh(True, True)
2026N/A
2405N/A return src_pub.catalog
2026N/A
2414N/Adef __make_tmp_cert(d, pth):
2414N/A try:
3321N/A with open(pth, "rb") as f:
3321N/A cert = x509.load_pem_x509_certificate(f.read(),
3321N/A default_backend())
3321N/A except (ValueError, IOError) as e:
3158N/A raise api_errors.BadFileFormat(_("The file {0} was expected to "
3158N/A "be a PEM certificate but it could not be read.").format(
3158N/A pth))
2414N/A fd, fp = tempfile.mkstemp(dir=d)
2414N/A with os.fdopen(fd, "wb") as fh:
3321N/A fh.write(cert.public_bytes(serialization.Encoding.PEM))
2414N/A return fp
2414N/A
2026N/Adef main_func():
2026N/A misc.setlocale(locale.LC_ALL, "", error)
2728N/A gettext.install("pkg", "/usr/share/locale",
2728N/A codeset=locale.getpreferredencoding())
2026N/A global_settings.client_name = "pkgsign"
2026N/A
2026N/A try:
2962N/A opts, pargs = getopt.getopt(sys.argv[1:], "a:c:i:k:ns:D:",
2405N/A ["help", "no-index", "no-catalog"])
3171N/A except getopt.GetoptError as e:
3158N/A usage(_("illegal global option -- {0}").format(e.opt))
2026N/A
2026N/A show_usage = False
2026N/A sig_alg = "rsa-sha256"
2026N/A cert_path = None
2026N/A key_path = None
2026N/A chain_certs = []
2026N/A add_to_catalog = True
2026N/A set_alg = False
2405N/A dry_run = False
2026N/A
2268N/A repo_uri = os.getenv("PKG_REPO", None)
2026N/A for opt, arg in opts:
2026N/A if opt == "-a":
2026N/A sig_alg = arg
2026N/A set_alg = True
2026N/A elif opt == "-c":
2026N/A cert_path = os.path.abspath(arg)
2026N/A if not os.path.isfile(cert_path):
3158N/A usage(_("{0} was expected to be a certificate "
3158N/A "but isn't a file.").format(cert_path))
2026N/A elif opt == "-i":
2026N/A p = os.path.abspath(arg)
2026N/A if not os.path.isfile(p):
3158N/A usage(_("{0} was expected to be a certificate "
3158N/A "but isn't a file.").format(p))
2026N/A chain_certs.append(p)
2026N/A elif opt == "-k":
2026N/A key_path = os.path.abspath(arg)
2026N/A if not os.path.isfile(key_path):
3158N/A usage(_("{0} was expected to be a key file "
3158N/A "but isn't a file.").format(key_path))
2405N/A elif opt == "-n":
2405N/A dry_run = True
2026N/A elif opt == "-s":
2268N/A repo_uri = misc.parse_uri(arg)
2026N/A elif opt == "--help":
2026N/A show_usage = True
2026N/A elif opt == "--no-catalog":
2026N/A add_to_catalog = False
2962N/A elif opt == "-D":
2962N/A try:
2962N/A key, value = arg.split("=", 1)
2962N/A DebugValues.set_value(key, value)
2962N/A except (AttributeError, ValueError):
3158N/A error(_("{opt} takes argument of form "
3158N/A "name=value, not {arg}").format(
3158N/A opt=opt, arg=arg))
2026N/A if show_usage:
2026N/A usage(retcode=EXIT_OK)
2026N/A
2268N/A if not repo_uri:
2268N/A usage(_("a repository must be provided"))
2268N/A
2026N/A if key_path and not cert_path:
2026N/A usage(_("If a key is given to sign with, its associated "
2026N/A "certificate must be given."))
2026N/A
2026N/A if cert_path and not key_path:
2026N/A usage(_("If a certificate is given, its associated key must be "
2026N/A "given."))
2026N/A
2026N/A if chain_certs and not cert_path:
2026N/A usage(_("Intermediate certificates are only valid if a key "
2026N/A "and certificate are also provided."))
2026N/A
2405N/A if not pargs:
2405N/A usage(_("At least one fmri or pattern must be provided to "
2405N/A "sign."))
2026N/A
2026N/A if not set_alg and not key_path:
2026N/A sig_alg = "sha256"
2026N/A
2026N/A s, h = actions.signature.SignatureAction.decompose_sig_alg(sig_alg)
2026N/A if h is None:
3158N/A usage(_("{0} is not a recognized signature algorithm.").format(
3158N/A sig_alg))
2026N/A if s and not key_path:
3158N/A usage(_("Using {0} as the signature algorithm requires that a "
2026N/A "key and certificate pair be presented using the -k and -c "
3158N/A "options.").format(sig_alg))
2026N/A if not s and key_path:
3158N/A usage(_("The {0} hash algorithm does not use a key or "
2026N/A "certificate. Do not use the -k or -c options with this "
3158N/A "algorithm.").format(sig_alg))
2026N/A
2962N/A if DebugValues:
2962N/A reload(digest)
2962N/A
2026N/A errors = []
2026N/A
2026N/A t = misc.config_temp_root()
2026N/A temp_root = tempfile.mkdtemp(dir=t)
2026N/A del t
2962N/A
2026N/A cache_dir = tempfile.mkdtemp(dir=temp_root)
2026N/A incoming_dir = tempfile.mkdtemp(dir=temp_root)
2286N/A chash_dir = tempfile.mkdtemp(dir=temp_root)
2414N/A cert_dir = tempfile.mkdtemp(dir=temp_root)
2026N/A
2026N/A try:
2414N/A chain_certs = [
2414N/A __make_tmp_cert(cert_dir, c) for c in chain_certs
2414N/A ]
2414N/A if cert_path is not None:
2414N/A cert_path = __make_tmp_cert(cert_dir, cert_path)
2414N/A
2026N/A xport, xport_cfg = transport.setup_transport()
2073N/A xport_cfg.add_cache(cache_dir, readonly=False)
2073N/A xport_cfg.incoming_root = incoming_dir
2026N/A
2405N/A # Configure publisher(s)
2405N/A transport.setup_publisher(repo_uri, "source", xport,
2026N/A xport_cfg, remote_prefix=True)
2405N/A pats = pargs
2028N/A successful_publish = False
2026N/A
2405N/A concrete_fmris = []
2405N/A unmatched_pats = set(pats)
2405N/A all_pats = frozenset(pats)
2405N/A get_all_pubs = False
2405N/A pub_prefs = set()
2405N/A # Gather the publishers whose catalogs will be needed.
2405N/A for pat in pats:
2026N/A try:
2405N/A p_obj = fmri.MatchingPkgFmri(pat)
3171N/A except fmri.IllegalMatchingFmri as e:
2405N/A errors.append(e)
2405N/A continue
2405N/A pub_prefix = p_obj.get_publisher()
2405N/A if pub_prefix:
2405N/A pub_prefs.add(pub_prefix)
2405N/A else:
2405N/A get_all_pubs = True
2405N/A # Check each publisher for matches to our patterns.
2405N/A for p in xport_cfg.gen_publishers():
2405N/A if not get_all_pubs and p.prefix not in pub_prefs:
2405N/A continue
2405N/A cat = fetch_catalog(p, xport, temp_root)
2591N/A ms, tmp1, u = cat.get_matching_fmris(pats)
2405N/A # Find which patterns matched.
2405N/A matched_pats = all_pats - u
2405N/A # Remove those patterns from the unmatched set.
2405N/A unmatched_pats -= matched_pats
2405N/A for v_list in ms.values():
2405N/A concrete_fmris.extend([(v, p) for v in v_list])
2405N/A if unmatched_pats:
2405N/A raise api_errors.PackageMatchErrors(
2405N/A unmatched_fmris=unmatched_pats)
2026N/A
2405N/A for pfmri, src_pub in sorted(set(concrete_fmris)):
2405N/A try:
2026N/A # Get the existing manifest for the package to
2405N/A # be signed.
2026N/A m_str = xport.get_manifest(pfmri,
2026N/A content_only=True, pub=src_pub)
2026N/A m = manifest.Manifest()
2073N/A m.set_content(content=m_str)
2026N/A
2026N/A # Construct the base signature action.
2026N/A attrs = { "algorithm": sig_alg }
2026N/A a = actions.signature.SignatureAction(cert_path,
2026N/A **attrs)
2026N/A a.hash = cert_path
2026N/A
2026N/A # Add the action to the manifest to be signed
2026N/A # since the action signs itself.
2026N/A m.add_action(a, misc.EmptyI)
2026N/A
2026N/A # Set the signature value and certificate
2026N/A # information for the signature action.
2026N/A a.set_signature(m.gen_actions(),
2286N/A key_path=key_path, chain_paths=chain_certs,
2286N/A chash_dir=chash_dir)
2286N/A
2286N/A # The hash of 'a' is currently a path, we need
2286N/A # to find the hash of that file to allow
2286N/A # comparison to existing signatures.
2286N/A hsh = None
2286N/A if cert_path:
2962N/A # Action identity still uses the 'hash'
2962N/A # member of the action, so we need to
2962N/A # stay with the sha1 hash.
2286N/A hsh, _dummy = \
2962N/A misc.get_data_digest(cert_path,
2962N/A hash_func=hashlib.sha1)
2286N/A
2286N/A # Check whether the signature about to be added
2286N/A # is identical, or almost identical, to existing
2286N/A # signatures on the package. Because 'a' has
2286N/A # already been added to the manifest, it is
2286N/A # generated by gen_actions_by_type, so the cnt
2286N/A # must be 2 or higher to be an issue.
2286N/A cnt = 0
2286N/A almost_identical = False
2286N/A for a2 in m.gen_actions_by_type("signature"):
2286N/A try:
2286N/A if a.identical(a2, hsh):
2286N/A cnt += 1
3171N/A except api_errors.AlmostIdentical as e:
2286N/A e.pkg = pfmri
2286N/A errors.append(e)
2286N/A almost_identical = True
2286N/A if almost_identical:
2286N/A continue
2286N/A if cnt == 2:
2286N/A continue
2286N/A elif cnt > 2:
2286N/A raise api_errors.DuplicateSignaturesAlreadyExist(pfmri)
3158N/A assert cnt == 1, "Cnt was:{0}".format(cnt)
2026N/A
2405N/A if not dry_run:
2405N/A # Append the finished signature action
2405N/A # to the published manifest.
2405N/A t = trans.Transaction(repo_uri,
2405N/A pkg_name=str(pfmri), xport=xport,
2405N/A pub=src_pub)
2405N/A try:
2405N/A t.append()
2405N/A t.add(a)
2405N/A for c in chain_certs:
2405N/A t.add_file(c)
2405N/A t.close(add_to_catalog=
2405N/A add_to_catalog)
2405N/A except:
2405N/A if t.trans_id:
2405N/A t.close(abandon=True)
2405N/A raise
3158N/A msg(_("Signed {0}").format(pfmri.get_fmri(
3158N/A include_build=False)))
2028N/A successful_publish = True
2026N/A except (api_errors.ApiException, fmri.FmriError,
3171N/A trans.TransactionError) as e:
2026N/A errors.append(e)
2026N/A if errors:
2026N/A error("\n".join([str(e) for e in errors]))
2028N/A if successful_publish:
2026N/A return EXIT_PARTIAL
2026N/A else:
2026N/A return EXIT_OOPS
2026N/A return EXIT_OK
3171N/A except api_errors.ApiException as e:
2026N/A error(e)
2026N/A return EXIT_OOPS
2026N/A finally:
2245N/A shutil.rmtree(temp_root)
2026N/A
2026N/A#
2026N/A# Establish a specific exit status which means: "python barfed an exception"
2026N/A# so that we can more easily detect these in testing of the CLI commands.
2026N/A#
2026N/Aif __name__ == "__main__":
2026N/A try:
2026N/A __ret = main_func()
2026N/A except (PipeError, KeyboardInterrupt):
2026N/A # We don't want to display any messages here to prevent
2026N/A # possible further broken pipe (EPIPE) errors.
2026N/A __ret = EXIT_OOPS
3171N/A except SystemExit as _e:
2026N/A raise _e
2026N/A except:
2026N/A traceback.print_exc()
2569N/A error(misc.get_traceback_message())
2026N/A __ret = 99
2026N/A sys.exit(__ret)