Add package verification to updatemgr #1497

wants to merge 4 commits into
base: master
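--- a/recipes-openxt/manager/updatemgr/updatemgr-verify-packages.patch
+++ b/recipes-openxt/manager/updatemgr/updatemgr-verify-packages.patch
@@ -0,0 +1,13 @@
+--- a/UpdateMgr/Logic.hs
++++ b/UpdateMgr/Logic.hs
+@@ -346,8 +346,8 @@ verifyUpdateMetadataSignature :: Update
+verifyUpdateMetadataSignature = void $
+handleError failed . safeShellExecuteAndLogOutput . cmd =<< allowDevRepoCert
+where
+- cmd False = "verify-repo-metadata " ++ updateDirCurrent
+- cmd True = "verify-repo-metadata -d " ++ updateDirCurrent
++ cmd False = "verify-repo-metadata -p " ++ updateDirCurrent
++ cmd True = "verify-repo-metadata -d -p " ++ updateDirCurrent
+failed _ = throwError $ localE FailedSignatureVerification
+
+handleError = flip catchError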
1 change: 1 addition & 0 deletions recipes-openxt/manager/updatemgr_git.bb
Expand Up @@ -29,6 +29,7 @@ require manager.inc

SRC_URI += " \
file://updatemgr.initscript \
file://updatemgr-verify-packages.patch \
"

S = "${WORKDIR}/git/updatemgr"
Expand Up @@ -5,15 +5,22 @@
PROD_CERT_FILE="/usr/share/xenclient/repo-certs/prod/cert.pem"
DEV_CERT_FILE="/usr/share/xenclient/repo-certs/dev/cert.pem"

VERIFY_PACKAGES=0

parse_args()
{
ALLOW_DEV_KEY=0

if [ "$1" = "-d" ] ; then
ALLOW_DEV_KEY=1
shift
fi
while getopts "dp" opt ; do
case "$opt" in
d) ALLOW_DEV_KEY=1 ;;
p) VERIFY_PACKAGES=1 ;;
\?) die "unknown option" ;;
*) die "getopts error" ;;
esac
done

shift "$(( OPTIND - 1 ))"
if [ $# -ne 1 ] ; then
usage
exit 2
Expand All @@ -29,7 +36,7 @@ parse_args()
usage()
{
cat <<EOF
Usage: $(basename $0) [-d] REPOSITORY_DIR
Usage: $(basename $0) [-d] [-p] REPOSITORY_DIR

Verifies the integrity of the metadata files (XC-REPOSITORY, XC-PACKAGES and
XC-SIGNATURE) in a XenClient repository:
Expand All @@ -39,7 +46,7 @@ XC-SIGNATURE) in a XenClient repository:

Note that this only verifies the integrity of the metadata files: it does not
verify that the packages in the repository match the checksums listed in
XC-PACKAGES.
XC-PACKAGES. The -p option enables package checksum checking.

The -d option should only be used for testing purposes. It allows signatures
created with the XenClient development signing certificate in addition to
Expand All @@ -48,12 +55,43 @@ signatures created with the XenClient production signing certificate.
Exit status:

0 metadata is valid
1 metadata is valid except for invalid signature
1 invalid signature
2 metadata is not valid or another error occurred

EOF
}

get_hasher()
{
case "${#1}" in
64)
echo "sha256sum"
;;
96)
echo "sha384sum"
;;
128)
echo "sha512sum"
;;
*)
die "invalid checksum length"
;;
esac
}

verify_xc_packages_contents()
{
local hasher
while read n sz hash _ _ file _ ; do
hasher=$( get_hasher "$hash" )
[ "$sz" = "$( du -b "$REPOSITORY_DIR/$file" | awk '{print $1}' )" ] ||
die "file size mismatch $n $file"
[ "$( "$hasher" "$REPOSITORY_DIR/$file" | awk '{print $1}' )" = "$hash" ] ||
die "hash mismatch $n $file"
done < "$PACKAGES_FILE"

}

verify_xc_packages()
{
local PACKAGES_CHECKSUM=$(sed -n 's/^packages://p' "${REPOSITORY_FILE}") ||
Expand All @@ -62,7 +100,8 @@ verify_xc_packages()
[ -n "${PACKAGES_CHECKSUM}" ] ||
die "XC-PACKAGES checksum MISSING"

local FILE_CHECKSUM=$(sha256sum "${PACKAGES_FILE}" | cut -f1 -d' ') ||
local hasher="$( get_hasher "${PACKAGES_CHECKSUM}" )"
local FILE_CHECKSUM=$( "$hasher" "${PACKAGES_FILE}" | cut -f1 -d' ') ||
die "error calculating checksum of '${PACKAGES_FILE}'"

[ -n "${FILE_CHECKSUM}" ] ||
Expand Down Expand Up @@ -116,11 +155,14 @@ die()

parse_args "$@"

# Verify XC-REPOSITORY against signature in XC-SIGNATURE.
verify_xc_repository

# Verify XC-PACKAGES against checksum in XC-REPOSITORY.
verify_xc_packages

# Verify XC-REPOSITORY against signature in XC-SIGNATURE. Must be done last,
# so we only exit with status 1 if metadata is valid except for signature.
verify_xc_repository
if [ "$VERIFY_PACKAGES" -eq 1 ] ; then
verify_xc_packages_contents
fi

exit 0
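Review bot: In `verify_xc_packages_contents` the `die` inside `hasher=$( get_hasher "$hash" )` only terminates the command-substitution subshell, so an entry whose digest has an unexpected length leaves `$hasher` empty and the loop continues; with an empty digest field the failed `"" file` invocation produces empty output that compares equal to the empty `$hash`, and the entry is accepted with no hash check at all. Propagate the failure explicitly, `hasher=$( get_hasher "$hash" ) || die "unsupported checksum for $n $file"`, and use `read -r` so backslashes in package names are not mangled before the path is built. XC-PACKAGES is covered by the signature check that now runs before this function, so the fail-open is presumably reachable only with signed-but-malformed metadata, but a verifier should still fail closed rather than rely on that ordering. Separately, `du -b` on a symlink reports the link's own size while `$hasher` follows it, so the two checks measure different objects; `stat -c %s` (or `wc -c <`) sizes the same bytes that are hashed.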