Tarball Signature check #120

Merged
merged 1 commit into from
Sep 27, 2024
Merged
1 change: 1 addition & 0 deletions bootstrap/install-rpms/rpms-common
@@ -7,6 +7,7 @@ coreutils
git
make
mock
p7zip
python3-devel
quilt
rpm
35 changes: 35 additions & 0 deletions cmd/create_srpm_test.go
@@ -73,6 +73,41 @@ func testCreateSrpm(t *testing.T,
}
}

func testTarballSig(t *testing.T, folder string) {
curPath, _ := os.Getwd()
workingDir := filepath.Join(curPath, "testData/tarballSig", folder)
manishk-arista marked this conversation as resolved.
tarballPath := map[string]string{
"checkTarball": filepath.Join(workingDir, "linux.10.4.1.tar.gz"),
"matchTarball": filepath.Join(workingDir, "libpcap-1.10.4.tar.gz"),
}
tarballSigPath := filepath.Join(workingDir, "libpcap-1.10.4.tar.gz.sig")

switch folder {
case "checkTarball":
ok, _ := util.CheckValidSignature(tarballPath[folder], tarballSigPath)
require.Equal(t, false, ok)
case "matchTarball":
intermediateTarball, err := util.MatchtarballSignCmprsn(
tarballPath[folder],
tarballSigPath,
workingDir,
"TestmatchTarballSignature : ",
)
os.Remove(intermediateTarball)
require.Equal(t, nil, err)
}
}

func TestCheckTarballSignature(t *testing.T) {
t.Log("Test tarball Signatue Check")
testTarballSig(t, "checkTarball")
}

func TestMatchTarballSignature(t *testing.T) {
t.Log("Test tarball Signatue Match")
testTarballSig(t, "matchTarball")
}

func TestCreateSrpmFromSrpm(t *testing.T) {
t.Log("Test createSrpm from SRPM")
testCreateSrpm(t,
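Review bot: `testTarballSig` exercises only the file-name pairing, and its `matchTarball` case calls `os.Remove(intermediateTarball)` before looking at `err` and never asserts on the returned path, so a missing or wrongly named output would still pass. Checking the error first with `require.NoError(t, err)`, then `require.FileExists(t, intermediateTarball)`, and moving the removal into `t.Cleanup` would pin the behaviour the production caller relies on. The error from `os.Getwd()` is also discarded; `require.NoError` on it would make a bad working directory fail loudly. A further case where the signature stem is only a prefix of the tarball name would document how strict `CheckValidSignature` is meant to be.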
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
14 changes: 12 additions & 2 deletions impl/create_srpm.go
@@ -218,11 +218,21 @@ func (bldr *srpmBuilder) verifyUpstream() error {
}
} else {
downloadDir := getDownloadDir(bldr.pkgSpec.Name)
for _, upstreamSrc := range bldr.upstreamSrc {
upstreamSourceFilePath := filepath.Join(downloadDir, upstreamSrc.sourceFile)

for _, upstreamSrc := range bldr.upstreamSrc {
if !upstreamSrc.skipSigCheck {
upstreamSourceFilePath := filepath.Join(downloadDir, upstreamSrc.sourceFile)
upstreamSigFilePath := filepath.Join(downloadDir, upstreamSrc.sigFile)
uncompressedTarball, err := util.MatchtarballSignCmprsn(
upstreamSourceFilePath, upstreamSigFilePath,
downloadDir, bldr.errPrefix)
if err != nil {
return err
}
if uncompressedTarball != "" {
upstreamSourceFilePath = uncompressedTarball
defer os.Remove(uncompressedTarball)
}
if err := util.VerifyTarballSignature(
upstreamSourceFilePath,
upstreamSigFilePath,
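Review bot: In the `if uncompressedTarball != ""` branch the signature ends up covering the file that 7za wrote, and the deferred `os.Remove` then deletes that file, so the artifact left in `downloadDir` is the compressed tarball, which was never verified byte for byte. That is sound only if whatever later unpacks the compressed file decodes it to the same bytes 7za produced; a comment stating the assumption would help, e.g. `// signature covers the decompressed stream; the build must decode identical bytes`. The `defer` also sits inside the `for` loop, so every temporary tarball lives until verifyUpstream returns; removing the file directly after the `VerifyTarballSignature` call would bound that. verifyUpstream starts and ends outside this hunk.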
51 changes: 51 additions & 0 deletions util/util.go
@@ -163,6 +163,57 @@ func VerifyRpmSignature(rpmPath string, errPrefix ErrPrefix) error {
return nil
}

// CheckValidSignature verifies that tarball anf signature
// correspond to same package
func CheckValidSignature(tarballPath, tarballSigPath string) (
manith-arista marked this conversation as resolved.
bool, bool) {
lastDotIndex := strings.LastIndex(tarballSigPath, ".")
if lastDotIndex == -1 || !strings.HasPrefix(
tarballPath, tarballSigPath[:lastDotIndex]) {
return false, false
}
decompress := strings.Count(tarballPath[lastDotIndex:], ".")
manith-arista marked this conversation as resolved.
dcmprsnReqd := false
if decompress > 0 {
dcmprsnReqd = true
}
return true, dcmprsnReqd
}

// UncompressTarball decompresses the compression one layer at a time
// to match the tarball with its valid signature
func uncompressTarball(tarballPath string, downloadDir string) (string, error) {
if err := RunSystemCmd(
"7za", "x",
"-y", tarballPath,
"-o"+downloadDir); err != nil {
return "", err
}
lastDotIndex := strings.LastIndex(tarballPath, ".")
return tarballPath[:lastDotIndex], nil
}

// MatchtarballSignCmprsn evaluvates and finds correct compressed/uncompressed tarball
// that matches with the sign file.
func MatchtarballSignCmprsn(tarballPath string, tarballSigPath string,
downloadDir string, errPrefix ErrPrefix) (string, error) {
uncompressedTarball := ""
ok, dcmprsnReqd := CheckValidSignature(tarballPath, tarballSigPath)
if !ok {
return uncompressedTarball, fmt.Errorf("%sError while matching tarball and signature",
errPrefix)
}
if dcmprsnReqd {
newTarball, err := uncompressTarball(tarballPath, downloadDir)
if err != nil {
return uncompressedTarball, fmt.Errorf("%sError '%s' while decompressing trarball",
errPrefix, err)
}
uncompressedTarball = newTarball
}
return uncompressedTarball, nil
}

// VerifyTarballSignature verifies that the detached signature of the tarball
// is valid.
func VerifyTarballSignature(
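Review bot: `uncompressTarball` runs `7za x -y` on the download before its signature has been checked, writes into the shared `downloadDir`, and then assumes the output is `tarballPath` minus its last extension without looking at what was actually written. If the archive yields a different name or more than one entry, existing files in `downloadDir` can be overwritten and `VerifyTarballSignature` may be pointed at a file this run did not create. Unpacking into a fresh scratch directory and requiring exactly one regular file, as sketched below, closes that gap (the sketch uses `os` and `path/filepath`, which util.go may need to import). Separately, the `strings.HasPrefix` test in `CheckValidSignature` accepts any signature stem that is merely a prefix of the tarball path; comparing the stem with the tarball path, or with the path minus one extension, would be stricter. VerifyTarballSignature continues outside the hunk.

```go
func uncompressTarball(tarballPath string, downloadDir string) (string, error) {
	// Unpack into an empty scratch directory so nothing already in
	// downloadDir can be overwritten or mistaken for the output.
	scratch, err := os.MkdirTemp(downloadDir, "unpack-")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(scratch)
	// … unchanged: RunSystemCmd("7za", "x", "-y", tarballPath, …), with "-o"+scratch as the target …
	entries, err := os.ReadDir(scratch)
	if err != nil {
		return "", err
	}
	// One compression layer must yield exactly one regular file.
	if len(entries) != 1 || !entries[0].Type().IsRegular() {
		return "", fmt.Errorf("unexpected contents after unpacking %q", tarballPath)
	}
	out := strings.TrimSuffix(tarballPath, filepath.Ext(tarballPath))
	if err := os.Rename(filepath.Join(scratch, entries[0].Name()), out); err != nil {
		return "", err
	}
	return out, nil
}
```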