[pve-devel] [PATCH RFC manager 2/8] aplinfo: improve signature verification
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Aug 23 16:27:18 CEST 2016
instead of importing the trusted gpg keys into root's
.gnupg on each appliance list update, install a trusted
keyring generated at build time.
verify signatures with gpgv and the trusted keyring instead
of gpg --verify on root's keyring with output parsing.
---
note: I kept the /usr/share/doc/pve-manager/ path for the keyring,
but am not really happy with it. suggestions welcome ;)
PVE/APLInfo.pm | 73 ++++++++++++--------------------------------------------
aplinfo/Makefile | 22 +++++++++++++----
2 files changed, 33 insertions(+), 62 deletions(-)
diff --git a/PVE/APLInfo.pm b/PVE/APLInfo.pm
index c68db76..d51df14 100644
--- a/PVE/APLInfo.pm
+++ b/PVE/APLInfo.pm
@@ -10,33 +10,6 @@ use POSIX qw(strftime);
my $logfile = "/var/log/pveam.log";
my $aplinfodir = "/var/lib/pve-manager/apl-info";
-# Default list of GPG keys allowed to sign aplinfo
-#
-#pub 1024D/5CAC72FE 2004-06-24
-# Key fingerprint = 9ABD 7E02 AD24 3AD3 C2FB BCCC B0C1 CC22 5CAC 72FE
-#uid Proxmox Support Team <support at proxmox.com>
-#pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
-# Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D
-#uid Turnkey Linux Release Key <release at turnkeylinux.com>
-
-my $valid_keys = {
- '9ABD7E02AD243AD3C2FBBCCCB0C1CC225CAC72FE' => 1, # fingerprint support at proxmox.com
- '25CAC72FE' => 1, # keyid support at proxmox.com
- '694CFF26795A29BAE07B4EB585C25E95A16EB94D' => 1, # fingerprint release at turnkeylinux.com
- 'A16EB94D' => 1, # keyid release at turnkeylinux.com
-};
-
-sub import_gpg_keys {
-
- my @keyfiles = ('support at proxmox.com.pubkey', 'release at turnkeylinux.com.pubkey');
-
- foreach my $key (@keyfiles) {
- my $fn = "/usr/share/doc/pve-manager/$key";
- system ("/usr/bin/gpg --batch --no-tty --status-fd=1 -q " .
- "--logger-fd=1 --import $fn >>$logfile");
- }
-}
-
sub logmsg {
my ($logfd, $msg) = @_;
@@ -187,37 +160,23 @@ sub download_aplinfo {
};
die "update failed: unable to unpack '$tmpgz'\n" if $@;
- # verify signature
-
- my $cmd = "/usr/bin/gpg --verify --trust-model always --batch --no-tty --status-fd=1 -q " .
- "--logger-fd=1 $sigfn $tmp";
-
- open(CMD, "$cmd|") ||
- die "unable to execute '$cmd': $!\n";
- my $line;
- my $signer = '';
- while (defined($line = <CMD>)) {
- chomp $line;
- logmsg($logfd, $line);
- # code borrowed from SA
- next if $line !~ /^\Q[GNUPG:]\E (?:VALID|GOOD)SIG (\S{8,40})/;
- my $key = $1;
-
- # we want either a keyid (8) or a fingerprint (40)
- if (length $key > 8 && length $key < 40) {
- substr($key, 8) = '';
- }
- # use the longest match we can find
- $signer = $key if (length $key > length $signer) && $valid_keys->{$key};
- }
-
- close(CMD);
-
- die "unable to verify signature\n" if !$signer;
-
- logmsg($logfd, "signature valid: $signer");
+ # verify signature
+ my $trustedkeyring = "/usr/share/doc/pve-manager/trustedkeys.gpg";
+ my $cmd = "/usr/bin/gpgv -q --keyring $trustedkeyring $sigfn $tmp";
+
+ eval {
+ my $logfunc = sub {
+ my $line = shift;
+ logmsg($logfd, "signature verification: $line");
+ };
+
+ PVE::Tools::run_command($cmd,
+ outfunc => $logfunc,
+ errfunc => $logfunc);
+ };
+ die "unable to verify signature - $@\n" if $@;
# test syntax
eval {
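Review bot: The gpgv invocation on the `my $cmd = ...` line is built as a single string with `$trustedkeyring`, `$sigfn` and `$tmp` interpolated, so the command goes through shell word-splitting; as far as I recall PVE::Tools::run_command also accepts an array ref, which keeps every argument intact regardless of spaces or metacharacters in a path: `PVE::Tools::run_command(['/usr/bin/gpgv', '-q', '--keyring', $trustedkeyring, $sigfn, $tmp], outfunc => $logfunc, errfunc => $logfunc);`. The paths are internally generated here, so this is a robustness point rather than an injection bug, but the list form is the usual convention and costs nothing. A smaller nit on the `die "unable to verify signature - $@\n"` line: `$@` from run_command is normally already newline-terminated, so the message ends in a blank line; `chomp` it or drop the trailing `\n`. `$sigfn`, `$tmp` and `$logfd` are defined earlier in download_aplinfo, outside this hunk, and the function continues past it.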
@@ -264,8 +223,6 @@ sub update {
my $logfd = IO::File->new (">>$logfile");
logmsg($logfd, "starting update");
- import_gpg_keys();
-
my $ua = LWP::UserAgent->new;
$ua->agent("PVE/1.0");
diff --git a/aplinfo/Makefile b/aplinfo/Makefile
index ff2c83e..43916ea 100644
--- a/aplinfo/Makefile
+++ b/aplinfo/Makefile
@@ -4,10 +4,9 @@ DOCDIR=/usr/share/doc/pve-manager/
all:
.PHONY: install
-install: aplinfo.dat support at proxmox.com.pubkey
+install: aplinfo.dat trustedkeys.gpg
install -D -m 0644 aplinfo.dat ${DESTDIR}${DOCDIR}/aplinfo.dat
- install -D -m 0644 support at proxmox.com.pubkey ${DESTDIR}${DOCDIR}/support at proxmox.com.pubkey
- install -D -m 0644 release at turnkeylinux.com.pubkey ${DESTDIR}${DOCDIR}/release at turnkeylinux.com.pubkey
+ install -D -m 0644 trustedkeys.gpg ${DESTDIR}${DOCDIR}/trustedkeys.gpg
.PHONY: update
update:
@@ -15,9 +14,24 @@ update:
wget http://download.proxmox.com/images/aplinfo.dat -O aplinfo.dat.tmp
mv aplinfo.dat.tmp aplinfo.dat
+# Default list of GPG keys allowed to sign aplinfo
+#
+#pub 1024D/5CAC72FE 2004-06-24
+# Key fingerprint = 9ABD 7E02 AD24 3AD3 C2FB BCCC B0C1 CC22 5CAC 72FE
+#uid Proxmox Support Team <support at proxmox.com>
+#pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
+# Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D
+#uid Turnkey Linux Release Key <release at turnkeylinux.com>
+trustedkeys.gpg: support at proxmox.com.pubkey release at turnkeylinux.com.pubkey
+ rm -Rf tempgpg
+ mkdir tempgpg
+ chmod 700 tempgpg
+ gpg --fingerprint --batch --no-tty --homedir tempgpg --import support at proxmox.com.pubkey release at turnkeylinux.com.pubkey
+ gpg --batch --no-tty --homedir tempgpg --export > trustedkeys.gpg
+
.PHONY: distclean
distclean: clean
.PHONY: clean
clean:
- rm -rf *~ aplinfo.dat.gz aplinfo.dat.asc
+ rm -rf *~ aplinfo.dat.gz aplinfo.dat.asc tempgpg
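Review bot: The `trustedkeys.gpg` rule imports whatever is in the two .pubkey files and exports all of it without checking that the keys are the ones listed in the comment above the rule, so a modified or swapped pubkey file would silently become trusted at build time. The fingerprints are already documented there; the build should fail if they are not the ones present, e.g. after the import add `gpg --batch --no-tty --homedir tempgpg --with-colons --fingerprint | grep -q '^fpr:.*:9ABD7E02AD243AD3C2FBBCCCB0C1CC225CAC72FE:'` and the same line for `694CFF26795A29BAE07B4EB585C25E95A16EB94D`, and consider also asserting that exactly these two keys were exported. A second point: `gpg ... --export > trustedkeys.gpg` truncates the target before gpg runs, so a failed export leaves an empty keyring that a later make considers up to date; write to `trustedkeys.gpg.tmp` and `mv` it into place on success. `--fingerprint` on the import line only prints the fingerprints, it does not verify anything, which is worth a short comment so nobody later assumes it does.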
--
2.1.4