Created
June 4, 2019 17:08
verify rpmsign --signfiles
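#!/bin/sh
# Verify that `rpmsign --signfiles` stores a well-formed, cryptographically
# valid per-file signature in the package header.
#
# Everything is created in, and read from, the current directory: the gpg
# home, the RSA file-signing key, the spec file and the rpmbuild tree.
#
# Exit status: 0 when every header field matches and the signature verifies
# against the packaged file's contents; non-zero otherwise.
#
# The key material below is throwaway test data. 1024-bit RSA and a fixed
# passphrase passed on the command line are tolerable only for that reason;
# keys used to sign real packages need a current key size and a passphrase
# that never appears in argv. The 0x0080 length check further down depends
# on the 1024-bit key size.

set -u

# Print a diagnostic on stderr and abort the test.
fail() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Print the characters of the hex-encoded signature selected by the
# cut(1) range given in $1 (two hex characters per byte).
sig_field() {
    printf '%s\n' "$signature" | cut -c"$1"
}

rpm_file=RPMS/noarch/test-1.0-1.noarch.rpm

# Create the package signing key.
# Both gpg invocations are left non-fatal, as in the original script: if no
# usable key results, the rpmsign step below fails and is reported there.
gpg --homedir "$PWD" --batch --gen-key << 'EOF'
Key-Type: RSA
Key-Length: 1024
Name-Real: Test User
Name-Email: test@example.com
Expire-Date: 0
%commit
EOF

gpg2 --homedir "$PWD" --batch --passphrase qweqwe --no-default-keyring \
    --keyring "$PWD/testring.gpg" --quick-gen-key test@example.com

# Create the file signing key.
# NOTE(review): no cipher option is given, so -passout probably has no
# effect and testkey.pem is written unencrypted -- confirm.
openssl genrsa -out testkey.pem -passout pass:qweqwe 1024 \
    || fail "Could not generate the file signing key"

# Create a package with one data file.
cat > test.spec << 'EOF'
Name: test
Version: 1.0
Release: 1
Summary: test package
License: GPLv2+
BuildArch: noarch
%description
test package
%prep
%build
%install
mkdir -p %{buildroot}
echo 'hello world' > %{buildroot}/data
%files
/data
%changelog
EOF

rpmbuild -bb -D "_topdir ${PWD}" test.spec \
    || fail "rpmbuild failed"

# Sign the package and the files in it.
rpmsign --addsign --signfiles --fskpath testkey.pem \
    -D "_gpg_name test@example.com" \
    -D "_gpg_path $PWD" \
    -D "__gpg /usr/bin/gpg" \
    -D '_file_signing_key_password qweqwe' \
    "$rpm_file" \
    || fail "rpmsign failed"

# Read the hex-encoded file signature back out of the package header.
signature="$(rpm -q --qf '[%{FILESIGNATURES}\n]' "$rpm_file")" \
    || fail "Could not query $rpm_file"
# An empty tag means nothing was signed; say so instead of reporting a
# confusing empty version field.
[ -n "$signature" ] || fail "No file signature found in $rpm_file"

# First byte should be 0x03.
rpmversion="$(sig_field 1-2)"
[ "$rpmversion" = "03" ] || fail "Invalid rpm version: $rpmversion"

# Second byte is 0x02, the version of the ima-evm-utils headers.
imaversion="$(sig_field 3-4)"
[ "$imaversion" = "02" ] || fail "Wrong ima-evm-utils version: $imaversion"

# Next is 0x04, to indicate the hash is SHA-256.
hashid="$(sig_field 5-6)"
[ "$hashid" = "04" ] || fail "Wrong hash identifier: $hashid"

# Next is the key id: the last 4 bytes of the SHA-1 sum of the DER
# representation of the public key.
expected_keyid="$(openssl rsa -outform DER -RSAPublicKey_out -in testkey.pem \
    | openssl dgst -sha1 -hex \
    | sed 's/.*\(........\)$/\1/')"
actual_keyid="$(sig_field 7-14)"
[ "$expected_keyid" = "$actual_keyid" ] \
    || fail "Key IDs do not match: expected $expected_keyid, actual $actual_keyid"

# Signature length, 2 bytes; 0x0080 = 128 bytes, the size of a 1024-bit
# RSA signature.
signature_length="$(sig_field 15-18)"
[ "$signature_length" = "0080" ] \
    || fail "Unexpected payload length: $signature_length"

# The rest is the signature data. The header checks above are structural
# only; this step is the actual cryptographic verification against the
# contents of the packaged file.
sig_field 19- | xxd -r -p > test.signature
openssl rsa -outform PEM -pubout -in testkey.pem -out testkey.pub \
    || fail "Could not export the public key"
echo 'hello world' \
    | openssl dgst -sha256 -verify testkey.pub -signature test.signature \
    || fail "File signature does not verify against the packaged data"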