tests_test_rfc2616_dates_CFLAGS = $(TESTS_CFLAGS)
tests_test_rfc2616_dates_LDADD = $(TESTS_LDADD)
+noinst_PROGRAMS += tests/test-commit-sign-sh-ext
+tests_test_commit_sign_sh_ext_CFLAGS = $(TESTS_CFLAGS)
+tests_test_commit_sign_sh_ext_LDADD = $(TESTS_LDADD)
+
if USE_GPGME
tests_test_gpg_verify_result_SOURCES = \
src/libostree/ostree-gpg-verify-result-private.h \
ostree_repo_add_gpg_signature_summary
ostree_repo_gpg_sign_data
ostree_repo_gpg_verify_data
+ostree_repo_signature_verify_commit_data
ostree_repo_verify_commit
ostree_repo_verify_commit_ext
ostree_repo_verify_commit_for_remote
LIBOSTREE_2021.4 {
global:
ostree_repo_remote_get_gpg_keys;
+ ostree_repo_signature_verify_commit_data;
} LIBOSTREE_2021.3;
/* Stub section for the stable release *after* this development one; don't
g_assert (out_success_message == NULL || *out_success_message == NULL);
+ g_assert (verifiers);
g_assert_cmpuint (verifiers->len, >=, 1);
for (guint i = 0; i < verifiers->len; i++)
{
}
#endif /* OSTREE_DISABLE_GPGME */
+static gboolean
+validate_metadata_size (const char *prefix, GBytes *buf, GError **error)
+{
+ gsize len = g_bytes_get_size (buf);
+ if (len > OSTREE_MAX_METADATA_SIZE)
+ return glnx_throw (error, "%s is %" G_GUINT64_FORMAT " bytes, exceeding maximum %" G_GUINT64_FORMAT, prefix, (guint64)len, (guint64)OSTREE_MAX_METADATA_SIZE);
+ return TRUE;
+}
+
+/**
+ * ostree_repo_signature_verify_commit_data:
+ * @self: Repo
+ * @remote_name: Name of remote
+ * @commit_data: Commit object data (GVariant)
+ * @commit_metadata: Commit metadata (GVariant `a{sv}`), must contain at least one valid signature
+ * @flags: Optionally disable GPG or signapi
+ * @out_results: (nullable) (out) (transfer full): Textual description of results
+ * @error: Error
+ *
+ * Validate the commit data using the commit metadata which must
+ * contain at least one valid signature. If GPG and signapi are
+ * both enabled, then both must find at least one valid signature.
+ */
+gboolean
+ostree_repo_signature_verify_commit_data (OstreeRepo *self,
+ const char *remote_name,
+ GBytes *commit_data,
+ GBytes *commit_metadata,
+ OstreeRepoVerifyFlags flags,
+ char **out_results,
+ GError **error)
+{
+ g_assert (self);
+ g_assert (remote_name);
+ g_assert (commit_data);
+
+ gboolean gpg = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_GPG);
+ gboolean signapi = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI);
+ // Must ask for at least one type of verification
+ if (!(gpg || signapi))
+ return glnx_throw (error, "No commit verification types enabled via API");
+
+ if (!validate_metadata_size ("Commit", commit_data, error))
+ return FALSE;
+ /* Nothing to check if detached metadata is absent */
+ if (commit_metadata == NULL)
+ return glnx_throw (error, "Can't verify commit without detached metadata");
+ if (!validate_metadata_size ("Commit metadata", commit_metadata, error))
+ return FALSE;
+ g_autoptr(GVariant) commit_metadata_v = g_variant_new_from_bytes (G_VARIANT_TYPE_VARDICT, commit_metadata, FALSE);
+
+ g_autoptr(GString) results_buf = g_string_new ("");
+ gboolean verified = FALSE;
+
+ if (gpg)
+ {
+ if (!ostree_repo_remote_get_gpg_verify (self, remote_name,
+ &gpg, error))
+ return FALSE;
+ }
+
+ /* TODO - we could cache this in the repo */
+ g_autoptr(GPtrArray) signapi_verifiers = NULL;
+ if (signapi)
+ {
+ if (!_signapi_init_for_remote (self, remote_name, &signapi_verifiers, NULL, error))
+ return FALSE;
+ }
+
+ if (!(gpg || signapi_verifiers))
+ return glnx_throw (error, "Cannot verify commit for remote %s; GPG verification disabled, and no signapi verifiers configured", remote_name);
+
+#ifndef OSTREE_DISABLE_GPGME
+ if (gpg)
+ {
+ g_autoptr(OstreeGpgVerifyResult) result =
+ _ostree_repo_gpg_verify_with_metadata (self, commit_data,
+ commit_metadata_v,
+ remote_name,
+ NULL, NULL, NULL, error);
+ if (!result)
+ return FALSE;
+ if (!ostree_gpg_verify_result_require_valid_signature (result, error))
+ return FALSE;
+
+ const guint n_signatures = ostree_gpg_verify_result_count_all (result);
+ g_assert_cmpuint (n_signatures, >, 0);
+ for (guint jj = 0; jj < n_signatures; jj++)
+ {
+ ostree_gpg_verify_result_describe (result, jj, results_buf, "GPG: ",
+ OSTREE_GPG_SIGNATURE_FORMAT_DEFAULT);
+ }
+ verified = TRUE;
+ }
+#endif /* OSTREE_DISABLE_GPGME */
+
+ if (signapi_verifiers)
+ {
+ g_autofree char *success_message = NULL;
+ if (!_sign_verify_for_remote (signapi_verifiers, commit_data, commit_metadata_v, &success_message, error))
+ return glnx_prefix_error (error, "Can't verify commit");
+ if (verified)
+ g_string_append_c (results_buf, '\n');
+ g_string_append (results_buf, success_message);
+ verified = TRUE;
+ }
+
+ /* Must be true since we did g_assert (gpg || signapi) */
+ g_assert (verified);
+ if (out_results)
+ *out_results = g_string_free (g_steal_pointer (&results_buf), FALSE);
+ return TRUE;
+}
+
gboolean
_verify_unwritten_commit (OtPullData *pull_data,
const char *checksum,
GCancellable *cancellable,
GError **error);
+/**
+ * OstreeRepoVerifyFlags:
+ * @OSTREE_REPO_VERIFY_FLAGS_NONE: No flags
+ * @OSTREE_REPO_VERIFY_FLAGS_NO_GPG: Skip GPG verification
+ * @OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI: Skip all other signature verification methods
+ *
+ * Since: 2021.4
+ */
+typedef enum {
+ OSTREE_REPO_VERIFY_FLAGS_NONE = 0,
+ OSTREE_REPO_VERIFY_FLAGS_NO_GPG = (1 << 0),
+ OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI = (1 << 1),
+} OstreeRepoVerifyFlags;
+
+_OSTREE_PUBLIC
+gboolean ostree_repo_signature_verify_commit_data (OstreeRepo *self,
+ const char *remote_name,
+ GBytes *commit_data,
+ GBytes *commit_metadata,
+ OstreeRepoVerifyFlags flags,
+ char **out_results,
+ GError **error);
+
_OSTREE_PUBLIC
gboolean ostree_repo_regenerate_summary (OstreeRepo *self,
GVariant *additional_metadata,
#include <glib/gi18n.h>
+static gboolean opt_verify;
+
static GOptionEntry options[] = {
+ { "verify", 'V', 0, G_OPTION_ARG_NONE, &opt_verify, "Print the commit verification status", NULL },
{ NULL }
};
g_autoptr(GVariant) commit_metadata = NULL;
if (commit)
commit_metadata = g_variant_get_child_value (commit, 0);
+ g_autoptr(GVariant) commit_detached_metadata = NULL;
+ if (commit)
+ {
+ if (!ostree_repo_read_commit_detached_metadata (repo, ref, &commit_detached_metadata, cancellable, error))
+ return FALSE;
+ }
const char *version = NULL;
const char *source_title = NULL;
}
#ifndef OSTREE_DISABLE_GPGME
- if (deployment_get_gpg_verify (deployment, repo))
+ if (!opt_verify && deployment_get_gpg_verify (deployment, repo))
{
g_autoptr(GString) output_buffer = g_string_sized_new (256);
/* Print any digital signatures on this commit. */
g_print ("%s", output_buffer->str);
}
#endif /* OSTREE_DISABLE_GPGME */
+ if (opt_verify)
+ {
+ if (!commit)
+ return glnx_throw (error, "Cannot verify, failed to load commit");
+
+ if (origin == NULL)
+ return glnx_throw (error, "Cannot verify deployment with no origin");
+
+ g_autofree char *refspec = g_key_file_get_string (origin, "origin", "refspec", NULL);
+ if (refspec == NULL)
+ return glnx_throw (error, "No origin/refspec, cannot verify");
+ g_autofree char *remote = NULL;
+ if (!ostree_parse_refspec (refspec, &remote, NULL, NULL))
+ return FALSE;
+ if (remote == NULL)
+ return glnx_throw (error, "Cannot verify deployment without remote");
+
+ g_autoptr(GBytes) commit_data = g_variant_get_data_as_bytes (commit);
+ g_autoptr(GBytes) commit_detached_metadata_bytes =
+ commit_detached_metadata ? g_variant_get_data_as_bytes (commit_detached_metadata) : NULL;
+ g_autofree char *verify_text = NULL;
+ if (!ostree_repo_signature_verify_commit_data (repo, remote, commit_data, commit_detached_metadata_bytes, 0, &verify_text, error))
+ return FALSE;
+ g_print ("%s\n", verify_text);
+ }
return TRUE;
}
test-rfc2616-dates
test-rollsum-cli
test-kargs
+test-commit-sign-sh-ext
test -f status.txt
assert_file_has_content status.txt "GPG: Signature made"
assert_not_file_has_content status.txt "GPG: Can't check signature: public key not found"
+rm -f status.txt
+
+${CMD_PREFIX} ostree admin status --verify > status.txt
+assert_file_has_content status.txt "GPG: Signature made"
+rm -f status.txt
echo 'ok gpg signature'
--- /dev/null
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.0+
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libglnx.h"
+#include <ostree.h>
+
+static void
+assert_error_contains (GError **error, const char *msg)
+{
+ g_assert (error != NULL);
+ GError *actual = *error;
+ g_assert (actual != NULL);
+ if (strstr (actual->message, msg) == NULL)
+ g_error ("%s does not contain %s", actual->message, msg);
+ g_clear_error (error);
+}
+
+// Perhaps in the future we hook this up to a fuzzer
+static GBytes *
+corrupt (GBytes *input)
+{
+ gsize len = 0;
+ const guint8 *buf = g_bytes_get_data (input, &len);
+ g_assert_cmpint (len, >, 0);
+ g_assert_cmpint (len, <, G_MAXINT);
+ g_autofree char *newbuf = g_memdup (buf, len);
+ int o = g_random_int_range (0, len);
+ newbuf[o] = (newbuf[0] + 1);
+
+ return g_bytes_new_take (g_steal_pointer (&newbuf), len);
+}
+
+static gboolean
+run (GError **error)
+{
+ g_autoptr(OstreeRepo) repo = ostree_repo_open_at (AT_FDCWD, "repo", NULL, error);
+ if (!repo)
+ return FALSE;
+
+ g_autofree char *rev = NULL;
+ if (!ostree_repo_resolve_rev (repo, "origin:main", FALSE, &rev, error))
+ return FALSE;
+ g_assert (rev);
+ g_autoptr(GVariant) commit = NULL;
+ if (!ostree_repo_load_variant (repo, OSTREE_OBJECT_TYPE_COMMIT, rev, &commit, error))
+ return FALSE;
+ g_assert (commit);
+
+ g_autoptr(GVariant) detached_meta = NULL;
+ if (!ostree_repo_read_commit_detached_metadata (repo, rev, &detached_meta, NULL, error))
+ return FALSE;
+ g_assert (detached_meta);
+
+ g_autoptr(GBytes) commit_bytes = g_variant_get_data_as_bytes (commit);
+ g_autoptr(GBytes) detached_meta_bytes = g_variant_get_data_as_bytes (detached_meta);
+ g_autofree char *verify_report = NULL;
+ if (!ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes, 0,
+ &verify_report, error))
+ return FALSE;
+
+ if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes,
+ OSTREE_REPO_VERIFY_FLAGS_NO_GPG | OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI,
+ &verify_report, error))
+ g_error ("Should not have validated");
+ assert_error_contains (error, "No commit verification types enabled");
+
+ // No signatures
+ g_autoptr(GBytes) empty = g_bytes_new_static ("", 0);
+ if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, empty, 0,
+ &verify_report, error))
+ g_error ("Should not have validated");
+ assert_error_contains (error, "no signatures found");
+ // No such remote
+ if (ostree_repo_signature_verify_commit_data (repo, "nosuchremote", commit_bytes, detached_meta_bytes, 0,
+ &verify_report, error))
+ g_error ("Should not have validated");
+ assert_error_contains (error, "Remote \"nosuchremote\" not found");
+
+ // Corrupted commit
+ g_autoptr(GBytes) corrupted_commit = corrupt (commit_bytes);
+ if (ostree_repo_signature_verify_commit_data (repo, "origin", corrupted_commit, detached_meta_bytes, 0,
+ &verify_report, error))
+ g_error ("Should not have validated");
+ assert_error_contains (error, "BAD signature");
+
+ return TRUE;
+}
+
+int
+main (int argc, char **argv)
+{
+ g_autoptr(GError) error = NULL;
+ if (!run (&error))
+ {
+ g_printerr ("error: %s\n", error->message);
+ exit (1);
+ }
+}
exit 0
fi
-echo "1..6"
+echo "1..7"
keyid="472CDAFA"
oldpwd=`pwd`
${CMD_PREFIX} ostree --repo=repo pull origin main
${CMD_PREFIX} ostree --repo=repo show --gpg-verify-remote=origin main > show.txt
assert_file_has_content_literal show.txt 'Found 1 signature'
-rm repo -rf
echo "ok pull verify"
+# Run tests written in C
+${OSTREE_UNINSTALLED}/tests/test-commit-sign-sh-ext
+echo "ok extra C tests"
+
+# Clean things up and reinit
+rm repo -rf
+
# A test with corrupted detached signature
cd ${test_tmpdir}
find ${test_tmpdir}/ostree-srv/gnomerepo -name '*.commitmeta' | while read fname; do
projects / ostree.git / commitdiff