<cmdsynopsis>
<command>ostree static-delta apply-offline</command> <arg choice="req">PATH</arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>ostree static-delta verify</command> <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="req">STATIC-DELTA</arg> <arg choice="opt" rep="repeat">KEY-ID</arg>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsect1>
</variablelist>
</refsect1>
+ <refsect1>
+ <title>'Verify' Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>KEY-ID</option></term>
+
+ <listitem><para>
+ <variablelist>
+ <varlistentry>
+ <term><option>for ed25519:</option></term>
+ <listitem><para>
+ <literal>base64</literal>-encoded public key for verifying.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>for dummy:</option></term>
+ <listitem><para>
+ ASCII-string used as public key.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--sign-type</option>=ENGINE</term>
+
+ <listitem><para>
+ Use particular signature engine. Currently
+ available <arg choice="plain">ed25519</arg> and <arg choice="plain">dummy</arg>
+ signature types.
+
+ The default is <arg choice="plain">ed25519</arg>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--keys-file</option></term>
+ <listitem><para>
+ Read key(s) from file <filename>filename</filename>.
+ </para></listitem>
+
+ <listitem><para>
+ Valid for <literal>ed25519</literal> signature type.
+ For <literal>ed25519</literal> this file must contain <literal>base64</literal>-encoded
+ public key(s) per line for verifying.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--keys-dir</option></term>
+ <listitem><para>
+ Redefine the system path, where to search files and subdirectories with
+ well-known and revoked keys.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
<!-- Can we have an example for when it actually does something?-->
<refsect1>
<title>Example</title>
static char **opt_key_ids;
static char *opt_sign_name;
static char *opt_keysfilename;
+static char *opt_keysdir;
#define BUILTINPROTO(name) static gboolean ot_static_delta_builtin_ ## name (int argc, char **argv, OstreeCommandInvocation *invocation, GCancellable *cancellable, GError **error)
BUILTINPROTO(delete);
BUILTINPROTO(generate);
BUILTINPROTO(apply_offline);
+BUILTINPROTO(verify);
#undef BUILTINPROTO
{ "apply-offline", OSTREE_BUILTIN_FLAG_NONE,
ot_static_delta_builtin_apply_offline,
"Apply static delta file" },
+ { "verify", OSTREE_BUILTIN_FLAG_NONE,
+ ot_static_delta_builtin_verify,
+ "Verify static delta signatures" },
{ NULL, 0, NULL, NULL }
};
{ NULL }
};
+static GOptionEntry verify_options[] = {
+ { "sign-type", 0, 0, G_OPTION_ARG_STRING, &opt_sign_name, "Signature type to use (defaults to 'ed25519')", "NAME"},
+#if defined(HAVE_LIBSODIUM)
+ { "keys-file", 0, 0, G_OPTION_ARG_STRING, &opt_keysfilename, "Read key(s) from file", "NAME"},
+ { "keys-dir", 0, 0, G_OPTION_ARG_STRING, &opt_keysdir, "Redefine system-wide directories with public and revoked keys for verification", "NAME"},
+#endif
+ { NULL }
+};
+
static void
static_delta_usage (char **argv,
gboolean is_error)
return TRUE;
}
+static gboolean
+ot_static_delta_builtin_verify (int argc, char **argv, OstreeCommandInvocation *invocation, GCancellable *cancellable, GError **error)
+{
+ g_autoptr (GOptionContext) context = g_option_context_new ("STATIC-DELTA-FILE [KEY-ID...]");
+ g_autoptr (OstreeRepo) repo = NULL;
+ gboolean verified;
+ char **key_ids;
+ int n_key_ids;
+
+ if (!ostree_option_context_parse (context, verify_options, &argc, &argv, invocation, &repo, cancellable, error))
+ return FALSE;
+
+ if (argc < 3)
+ {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "DELTA must be specified");
+ return FALSE;
+ }
+
+ opt_sign_name = opt_sign_name ?: OSTREE_SIGN_NAME_ED25519;
+
+ const char *delta_id = argv[2];
+
+ g_autoptr (OstreeSign) sign = ostree_sign_get_by_name (opt_sign_name, error);
+ if (!sign)
+ {
+ g_print("Sign-type not supported\n");
+ return FALSE;
+ }
+
+ key_ids = argv + 3;
+ n_key_ids = argc - 3;
+ for (int i = 0; i < n_key_ids; i++)
+ {
+ g_autoptr (GVariant) pk = g_variant_new_string(key_ids[i]);
+ if (!ostree_sign_add_pk(sign, pk, error))
+ return FALSE;
+ }
+ if ((n_key_ids == 0) || opt_keysfilename)
+ {
+ g_autoptr (GVariantBuilder) builder = NULL;
+ g_autoptr (GVariant) options = NULL;
+
+ builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
+ /* Use custom directory with public and revoked keys instead of system-wide directories */
+ if (opt_keysdir)
+ g_variant_builder_add (builder, "{sv}", "basedir", g_variant_new_string (opt_keysdir));
+ /* The last chance for verification source -- system files */
+ if (opt_keysfilename)
+ g_variant_builder_add (builder, "{sv}", "filename", g_variant_new_string (opt_keysfilename));
+ options = g_variant_builder_end (builder);
+
+ if (!ostree_sign_load_pk (sign, options, error))
+ return FALSE;
+ }
+
+ verified = ostree_repo_static_delta_verify_signature (repo, delta_id, sign, NULL, error);
+ g_print ("Verification %s\n", verified ? "OK" : "fails");
+
+ return verified;
+}
+
gboolean
ostree_builtin_static_delta (int argc, char **argv, OstreeCommandInvocation *invocation, GCancellable *cancellable, GError **error)
{
projects / ostree.git / commitdiff