[pve-devel] [PATCH RFC manager 2/8] aplinfo: improve signature verification

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Aug 23 16:27:18 CEST 2016


instead of importing the trusted gpg keys into root's
.gnupg on each appliance list update, install a trusted
keyring generated at build time.

verify signatures with gpgv and the trusted keyring instead
of gpg --verify on root's keyring with output parsing.
---
note: I kept the /usr/share/doc/pve-manager/ path for the keyring,
but am not really happy with it. suggestions welcome ;)

 PVE/APLInfo.pm   | 73 ++++++++++++--------------------------------------------
 aplinfo/Makefile | 22 +++++++++++++----
 2 files changed, 33 insertions(+), 62 deletions(-)

diff --git a/PVE/APLInfo.pm b/PVE/APLInfo.pm
index c68db76..d51df14 100644
--- a/PVE/APLInfo.pm
+++ b/PVE/APLInfo.pm
@@ -10,33 +10,6 @@ use POSIX qw(strftime);
 my $logfile = "/var/log/pveam.log";
 my $aplinfodir = "/var/lib/pve-manager/apl-info";
 
-# Default list of GPG keys allowed to sign aplinfo
-#
-#pub   1024D/5CAC72FE 2004-06-24
-#      Key fingerprint = 9ABD 7E02 AD24 3AD3 C2FB  BCCC B0C1 CC22 5CAC 72FE
-#uid                  Proxmox Support Team <support at proxmox.com>
-#pub   2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
-#      Key fingerprint = 694C FF26 795A 29BA E07B  4EB5 85C2 5E95 A16E B94D
-#uid                  Turnkey Linux Release Key <release at turnkeylinux.com>
-
-my $valid_keys = {
-    '9ABD7E02AD243AD3C2FBBCCCB0C1CC225CAC72FE' => 1, # fingerprint support at proxmox.com
-    '25CAC72FE' => 1,                                # keyid support at proxmox.com
-    '694CFF26795A29BAE07B4EB585C25E95A16EB94D' => 1, # fingerprint release at turnkeylinux.com
-    'A16EB94D' => 1,                                 # keyid release at turnkeylinux.com
-};
-
-sub import_gpg_keys {
-
-    my @keyfiles = ('support at proxmox.com.pubkey', 'release at turnkeylinux.com.pubkey');
-
-    foreach my $key (@keyfiles) {
-	my $fn = "/usr/share/doc/pve-manager/$key";
-	system ("/usr/bin/gpg --batch --no-tty --status-fd=1 -q " .
-		"--logger-fd=1 --import $fn >>$logfile");
-    }
-}
-
 sub logmsg {
     my ($logfd, $msg) = @_;
 
@@ -187,37 +160,23 @@ sub download_aplinfo {
        };
        die "update failed: unable to unpack '$tmpgz'\n" if $@;
 
-	# verify signature
-
-	my $cmd = "/usr/bin/gpg --verify --trust-model always --batch --no-tty --status-fd=1 -q " .
-	    "--logger-fd=1 $sigfn $tmp";
-
-	open(CMD, "$cmd|") ||
-	    die "unable to execute '$cmd': $!\n";
 
-	my $line;
-	my $signer = '';
-	while (defined($line = <CMD>)) {
-	    chomp $line;
-	    logmsg($logfd, $line);
 
-	    # code borrowed from SA
-	    next if $line !~ /^\Q[GNUPG:]\E (?:VALID|GOOD)SIG (\S{8,40})/;
-	    my $key = $1;  
-
-	    # we want either a keyid (8) or a fingerprint (40)
-	    if (length $key > 8 && length $key < 40) {
-		substr($key, 8) = '';
-	    }
-	    # use the longest match we can find
-	    $signer = $key if (length $key > length $signer) && $valid_keys->{$key};
-	}
-
-	close(CMD);
-
-	die "unable to verify signature\n" if !$signer;
-
-	logmsg($logfd, "signature valid: $signer");
+	# verify signature
+	my $trustedkeyring = "/usr/share/doc/pve-manager/trustedkeys.gpg";
+	my $cmd = "/usr/bin/gpgv -q --keyring $trustedkeyring $sigfn $tmp";
+
+	eval {
+	    my $logfunc = sub {
+		my $line = shift;
+		logmsg($logfd, "signature verification: $line");
+	    };
+
+	    PVE::Tools::run_command($cmd,
+				    outfunc => $logfunc,
+				    errfunc => $logfunc);
+	};
+	die "unable to verify signature - $@\n" if $@;
 
 	# test syntax
 	eval { 
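Review bot: The new `my $cmd = "/usr/bin/gpgv -q --keyring $trustedkeyring $sigfn $tmp";` builds one command string with interpolated paths, which run_command ends up passing to a shell; handing it an array ref instead — `PVE::Tools::run_command(['/usr/bin/gpgv', '-q', '--keyring', $trustedkeyring, $sigfn, $tmp], outfunc => $logfunc, errfunc => $logfunc);` — keeps the argument boundaries fixed even if a temp path ever contains whitespace or shell metacharacters. The verification result rests entirely on run_command dying when gpgv exits non-zero, which it does by default; a short comment above the eval, `# run_command dies on non-zero exit, i.e. on a missing, bad or untrusted signature`, would make that contract explicit for the next reader. The message in `die "unable to verify signature - $@\n"` appends a newline to an error that normally already ends in one. download_aplinfo starts and ends outside this hunk.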
@@ -264,8 +223,6 @@ sub update {
     my $logfd = IO::File->new (">>$logfile");
     logmsg($logfd, "starting update");
 
-    import_gpg_keys();
-
     my $ua = LWP::UserAgent->new;
     $ua->agent("PVE/1.0");
 
diff --git a/aplinfo/Makefile b/aplinfo/Makefile
index ff2c83e..43916ea 100644
--- a/aplinfo/Makefile
+++ b/aplinfo/Makefile
@@ -4,10 +4,9 @@ DOCDIR=/usr/share/doc/pve-manager/
 all:
 
 .PHONY: install
-install: aplinfo.dat support at proxmox.com.pubkey
+install: aplinfo.dat trustedkeys.gpg
 	install -D -m 0644 aplinfo.dat ${DESTDIR}${DOCDIR}/aplinfo.dat
-	install -D -m 0644 support at proxmox.com.pubkey ${DESTDIR}${DOCDIR}/support at proxmox.com.pubkey
-	install -D -m 0644 release at turnkeylinux.com.pubkey ${DESTDIR}${DOCDIR}/release at turnkeylinux.com.pubkey
+	install -D -m 0644 trustedkeys.gpg ${DESTDIR}${DOCDIR}/trustedkeys.gpg
 
 .PHONY: update
 update:
@@ -15,9 +14,24 @@ update:
 	wget http://download.proxmox.com/images/aplinfo.dat -O aplinfo.dat.tmp
 	mv aplinfo.dat.tmp aplinfo.dat
 
+# Default list of GPG keys allowed to sign aplinfo
+#
+#pub   1024D/5CAC72FE 2004-06-24
+#      Key fingerprint = 9ABD 7E02 AD24 3AD3 C2FB  BCCC B0C1 CC22 5CAC 72FE
+#uid                  Proxmox Support Team <support at proxmox.com>
+#pub   2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
+#      Key fingerprint = 694C FF26 795A 29BA E07B  4EB5 85C2 5E95 A16E B94D
+#uid                  Turnkey Linux Release Key <release at turnkeylinux.com>
+trustedkeys.gpg: support at proxmox.com.pubkey release at turnkeylinux.com.pubkey
+	rm -Rf tempgpg
+	mkdir tempgpg
+	chmod 700 tempgpg
+	gpg --fingerprint --batch --no-tty --homedir tempgpg --import support at proxmox.com.pubkey release at turnkeylinux.com.pubkey
+	gpg --batch --no-tty --homedir tempgpg --export > trustedkeys.gpg
+
 .PHONY: distclean
 distclean: clean
 
 .PHONY: clean
 clean:
-	rm -rf *~ aplinfo.dat.gz aplinfo.dat.asc
+	rm -rf *~ aplinfo.dat.gz aplinfo.dat.asc tempgpg
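Review bot: `gpg --batch --no-tty --homedir tempgpg --export > trustedkeys.gpg` truncates the target before gpg runs, so a failed export leaves an empty or partial trustedkeys.gpg that make treats as up to date on the next build (a target is not removed on recipe error unless `.DELETE_ON_ERROR:` is declared). Writing to a temporary name and renaming, as the `update` target already does for aplinfo.dat, avoids that: `gpg --batch --no-tty --homedir tempgpg --export > trustedkeys.gpg.tmp` followed by `mv trustedkeys.gpg.tmp trustedkeys.gpg`. The fingerprints in the new comment block are documentation only: `--fingerprint` on the import line prints them, but nothing compares the imported keys against the expected values, so a keyring built from a swapped pubkey file would pass unnoticed; comparing the `fpr:` lines of `gpg --with-colons --fingerprint --homedir tempgpg` against the two expected fingerprints after the import would close that gap. The clean target now removes tempgpg but not the generated trustedkeys.gpg, which may be intended if the keyring is meant to be kept in the tree; if not, it should go on the same line.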
-- 
2.1.4




