Here's the QA coverage testing I've done:
I build in /X/src/wdj, change the path in what follows to taste.
1) run lib/genpgp.sh to generate test cases.
2) Add transaction dependencies to /etc/rpm/sysinfo.
My transaction dependencies looked like
signature(/X/src/wdj/lib/DSA.pem)
signature(/X/src/wdj/lib/DSA.pem) = :e395eedea3640584
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sig)
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sig)
= :e395eedea3640584
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sigpem)
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sigpem)
= :e395eedea3640584
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sig) = /X/src/
wdj/lib/DSA.pub
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sig) = /X/src/
wdj/lib/DSA.pub:e395eedea3640584
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sigpem) = /X/
src/wdj/lib/DSA.pub
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sigpem) = /X/
src/wdj/lib/DSA.pub:e395eedea3640584
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sig) = /X/src/
wdj/lib/DSA.pubpem
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sig) = /X/src/
wdj/lib/DSA.pubpem:e395eedea3640584
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sigpem) = /X/
src/wdj/lib/DSA.pubpem
signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/DSA.sigpem) = /X/
src/wdj/lib/DSA.pubpem:e395eedea3640584
3) Choose some pkg (I used popt) and run
rpm -Vvv popt
4) Examine the --verify spewage:
...
D: opening db index /var/lib/rpm/Conflictname rdonly mode=0x0
D: ========== DSA pubkey id e395eede a3640584 (h#1311)
D: Requires: signature(/X/src/wdj/lib/DSA.pem) YES
(signature probe)
D: ========== DSA pubkey id e395eede a3640584 (rpm:gpg:pubkey:A3640584)
D: Requires: signature(/X/src/wdj/lib/DSA.pem) = :e395eedea3640584
YES (signature probe)
D: ========== DSA pubkey id e395eede a3640584 (rpm:gpg:pubkey:A3640584)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sig) YES (signature probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sig) = /X/src/wdj/lib/DSA.pub YES (signature probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sig) = /X/src/wdj/lib/DSA.pub:e395eedea3640584 YES (signature probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sig) = /X/src/wdj/lib/DSA.pubpem YES (signature probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sig) = /X/src/wdj/lib/DSA.pubpem:e395eedea3640584 YES (signature
probe)
D: ========== DSA pubkey id e395eede a3640584 (rpm:gpg:pubkey:A3640584)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sig) = :e395eedea3640584 YES (signature probe)
D: ========== DSA pubkey id e395eede a3640584 (rpm:gpg:pubkey:A3640584)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sigpem) YES (signature probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sigpem) = /X/src/wdj/lib/DSA.pub YES (signature probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sigpem) = /X/src/wdj/lib/DSA.pub:e395eedea3640584 YES (signature
probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sigpem) = /X/src/wdj/lib/DSA.pubpem YES (signature probe)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sigpem) = /X/src/wdj/lib/DSA.pubpem:e395eedea3640584 YES
(signature probe)
D: ========== DSA pubkey id e395eede a3640584 (rpm:gpg:pubkey:A3640584)
D: Requires: signature(/X/src/wdj/lib/plaintext:/X/src/wdj/lib/
DSA.sigpem) = :e395eedea3640584 YES (signature probe)
.......T /usr/include/popt.h
...
Q.E.D.
For extra credit, note the keyutils caching.
(aside) Hmmm, perhaps enough time before rpm-5.0 to collect some
additional
keyring sources in rpmtsFindPubkey():
1) drill a FTS file walk through /etc/pki/rpm-gpg
2) slurp up ~/.gnupg/pubring.gpg
as I suggested privately a couple months back.
Vermouth first ;-)
73 de Jeff
On Dec 29, 2007, at 4:34 PM, Jeff Johnson wrote:
> RPM Package Manager, CVS Repository
> http://rpm5.org/cvs/
>
> ______________________________________________________________________
> ______
>
> Server: rpm5.org Name: Jeff Johnson
> Root: /v/rpm/cvs Email: jbj@rpm5.org
> Module: rpm Date: 29-Dec-2007
> 22:34:21
> Branch: HEAD Handle: 2007122921342100
>
> Modified files:
> rpm CHANGES
> rpm/lib depends.c rpmns.c tpgp.c
>
> Log:
> - re-add all the debugging spew under --rpmnsdebug for now.
> - functional signature(...) name space probe.
>
> Summary:
> Revision Changes Path
> 1.2038 +2 -0 rpm/CHANGES
> 1.376 +32 -0 rpm/lib/depends.c
> 1.9 +51 -10 rpm/lib/rpmns.c
> 2.13 +1 -1 rpm/lib/tpgp.c
>
> ______________________________________________________________________
> ______
>
> patch -p0 <<'@@ .'
> Index: rpm/CHANGES
>
> ======================================================================
> ======
> $ cvs diff -u -r1.2037 -r1.2038 CHANGES
> --- rpm/CHANGES 29 Dec 2007 20:18:46 -0000 1.2037
> +++ rpm/CHANGES 29 Dec 2007 21:34:21 -0000 1.2038
> @@ -1,4 +1,6 @@
> 5.0b3 -> 5.0b4:
> + - jbj: re-add all the debugging spew under --rpmnsdebug for
> now.
> + - jbj: functional signature(...) name space probe.
> - jbj: add rpmnsProbeSignature() & "signature(/text:/sig) = /
> pub:id" probe.
> - jbj: pgpReadPkts: truncate binary encoded pgp pktlen to
> actual length.
> - jbj: pgpReadPkts: identify binary encoded pgp pkts correctly.
> @@ .
> patch -p0 <<'@@ .'
> Index: rpm/lib/depends.c
>
> ======================================================================
> ======
> $ cvs diff -u -r1.375 -r1.376 depends.c
> --- rpm/lib/depends.c 28 Dec 2007 14:00:30 -0000 1.375
> +++ rpm/lib/depends.c 29 Dec 2007 21:34:21 -0000 1.376
> @@ -821,6 +821,35 @@
> goto exit;
> }
>
> + if (NSType == RPMNS_TYPE_SIGNATURE) {
> + const char * EVR = rpmdsEVR(dep);
> + char * fn = xstrdup(Name);
> + char * sigfn = NULL;
> + char * pubfn = ((EVR && *EVR) ? xstrdup(EVR) : NULL);
> + char * pubid = NULL;
> +
> + /* Split /fn:/sig */
> + if ((sigfn = strrchr(fn, ':')) != NULL)
> + *sigfn++ = '\0';
> +
> + /* Split /pub:id */
> + if (pubfn) {
> + if ((pubid = strrchr(pubfn, ':')) != NULL)
> + *pubid++ = '\0';
> + }
> +
> + xx = rpmnsProbeSignature(ts, fn, sigfn, pubfn, pubid);
> + rc = (xx ? 0 : 1);
> +
> + fn = _free(fn);
> + pubfn = _free(pubfn);
> +
> + if (Flags & RPMSENSE_MISSINGOK)
> + goto unsatisfied;
> + rpmdsNotify(dep, _("(signature probe)"), rc);
> + goto exit;
> + }
> +
> if (NSType == RPMNS_TYPE_GNUPG) {
> const char * EVR = rpmdsEVR(dep);
> if (!(EVR && *EVR)) {
> @@ -1749,6 +1778,9 @@
> case RPMNS_TYPE_MACRO:
> case RPMNS_TYPE_ENVVAR:
> case RPMNS_TYPE_RUNNING:
> + case RPMNS_TYPE_SANITY:
> + case RPMNS_TYPE_VCHECK:
> + case RPMNS_TYPE_SIGNATURE:
> return 0;
> /*@notreached@*/ break;
> default:
> @@ .
> patch -p0 <<'@@ .'
> Index: rpm/lib/rpmns.c
>
> ======================================================================
> ======
> $ cvs diff -u -r1.8 -r1.9 rpmns.c
> --- rpm/lib/rpmns.c 29 Dec 2007 20:18:47 -0000 1.8
> +++ rpm/lib/rpmns.c 29 Dec 2007 21:34:21 -0000 1.9
> @@ -269,11 +269,16 @@
> int rc = 0;
> int xx;
>
> +if (_rpmns_debug)
> +fprintf(stderr, "==> check(%s, %s, %s, %s)\n", fn, sigfn, pubfn,
> pubid);
> +
> /* Load the signature. Use sigfn if specified, otherwise
> clearsign. */
> - if (sigfn != NULL) {
> + if (sigfn && *sigfn) {
> const char * _sigfn = rpmExpand(sigfn, NULL);
> xx = pgpReadPkts(_sigfn, &sigpkt, &sigpktlen);
> if (xx != PGPARMOR_SIGNATURE) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> pgpReadPkts(%s) SIG %p[%u] ret %d\n",
> _sigfn, sigpkt, sigpktlen, xx);
> _sigfn = _free(_sigfn);
> goto exit;
> }
> @@ -282,41 +287,57 @@
> const char * _sigfn = rpmExpand(fn, NULL);
> xx = pgpReadPkts(_sigfn, &sigpkt, &sigpktlen);
> if (xx != PGPARMOR_SIGNATURE) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> pgpReadPkts(%s) SIG %p[%u] ret %d\n",
> _sigfn, sigpkt, sigpktlen, xx);
> _sigfn = _free(_sigfn);
> goto exit;
> }
> _sigfn = _free(_sigfn);
> }
> xx = pgpPrtPkts((uint8_t *)sigpkt, sigpktlen, dig, printing);
> - if (xx)
> + if (xx) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> pgpPrtPkts SIG %p[%u] ret %d\n", sigpkt,
> sigpktlen, xx);
> goto exit;
> + }
>
> sigp = pgpGetSignature(dig);
>
> - if (sigp->version != 3 && sigp->version != 4)
> + if (sigp->version != 3 && sigp->version != 4) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> unverifiable V%d\n", sigp->version);
> goto exit;
> + }
>
> /* Load the pubkey. Use pubfn if specified, otherwise rpmdb
> keyring. */
> - if (pubfn != NULL) {
> + if (pubfn && *pubfn) {
> const char * _pubfn = rpmExpand(pubfn, NULL);
> xx = pgpReadPkts(_pubfn, &ts->pkpkt, &ts->pkpktlen);
> if (xx != PGPARMOR_PUBKEY) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> pgpReadPkts(%s) PUB %p[%u] ret %d\n",
> _pubfn, ts->pkpkt, ts->pkpktlen, xx);
> _pubfn = _free(_pubfn);
> goto exit;
> }
> _pubfn = _free(_pubfn);
> xx = pgpPrtPkts((uint8_t *)ts->pkpkt, ts->pkpktlen, dig,
> printing);
> - if (xx)
> + if (xx) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> pgpPrtPkts PUB %p[%u] ret %d\n", ts->pkpkt,
> ts->pkpktlen, xx);
> goto exit;
> + }
> } else {
> - if (pgpFindPubkey(dig) != RPMRC_OK)
> + if ((xx = pgpFindPubkey(dig)) != RPMRC_OK) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> pgpFindPubkey ret %d\n", xx);
> goto exit;
> + }
> }
>
> pubp = pgpGetPubkey(dig);
>
> /* Is this the requested pubkey? */
> - if (pubid != NULL) {
> + if (pubid && *pubid) {
> size_t ns = strlen(pubid);
> const char * s;
> char * t;
> @@ -347,8 +368,12 @@
> if (pubp->pubkey_algo == PGPPUBKEYALGO_RSA)
> xx = 0;
>
> - if (xx)
> + if (xx) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> mismatched: pubkey id (%08x %08x) != %s\n",
> +pgpGrab(pubp->signid, 4), pgpGrab(pubp->signid+4, 4), pubid);
> goto exit;
> + }
> }
>
> /* Do the parameters match the signature? */
> @@ -357,8 +382,16 @@
> && sigp->hash_algo == pubp->hash_algo
> #endif
> /* XXX HACK: V4 RSA key id's are wonky atm. */
> - && (pubp->pubkey_algo == PGPPUBKEYALGO_RSA || !memcmp(sigp-
> >signid, pubp->signid, sizeof(sigp->signid))) ) )
> + && (pubp->pubkey_algo == PGPPUBKEYALGO_RSA || !memcmp(sigp-
> >signid, pubp->signid, sizeof(sigp->signid))) ) ) {
> +if (_rpmns_debug) {
> +fprintf(stderr, "==> mismatch between signature and pubkey\n");
> +fprintf(stderr, "\tpubkey_algo: %u %u\n", sigp->pubkey_algo,
> pubp->pubkey_algo);
> +fprintf(stderr, "\tsignid: %08X %08X %08X %08X\n",
> +pgpGrab(sigp->signid, 4), pgpGrab(sigp->signid+4, 4),
> +pgpGrab(pubp->signid, 4), pgpGrab(pubp->signid+4, 4));
> +}
> goto exit;
> + }
>
> /* Compute the message digest. */
> ctx = rpmDigestInit(sigp->hash_algo, RPMDIGEST_NONE);
> @@ -372,6 +405,8 @@
> int _rc = rpmioSlurp(_fn, &b, &blen);
>
> if (!(_rc == 0 && b != NULL && blen > 0)) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> rpmioSlurp(%s) MSG %p[%u] ret %d\n", _fn,
> b, blen, _rc);
> b = _free(b);
> _fn = _free(_fn);
> goto exit;
> @@ -431,8 +466,11 @@
> xx = pgpImplSetRSA(ctx, dig, sigp);
> break;
> }
> - if (xx)
> + if (xx) {
> +if (_rpmns_debug)
> +fprintf(stderr, "==> can't load pubkey_algo(%u)\n", sigp-
> >pubkey_algo);
> goto exit;
> + }
>
> /* Verify the signature. */
> switch(sigp->pubkey_algo) {
> @@ -453,5 +491,8 @@
> ts->pkpktlen = 0;
> rpmtsCleanDig(ts);
>
> +if (_rpmns_debug)
> +fprintf(stderr, "============================ verify: rc %d\n",
> rc);
> +
> return rc;
> }
> @@ .
> patch -p0 <<'@@ .'
> Index: rpm/lib/tpgp.c
>
> ======================================================================
> ======
> $ cvs diff -u -r2.12 -r2.13 tpgp.c
> --- rpm/lib/tpgp.c 29 Dec 2007 19:38:44 -0000 2.12
> +++ rpm/lib/tpgp.c 29 Dec 2007 21:34:21 -0000 2.13
> @@ -125,7 +125,7 @@
> rpmRC res = pgpFindPubkey(dig);
> if (res != RPMRC_OK) {
> if (_debug)
> -fprintf(stderr, "==> rpmtsFindPubkey ret %d\n", res);
> +fprintf(stderr, "==> pgpFindPubkey ret %d\n", res);
> goto exit;
> }
> }
> @@ .
> ______________________________________________________________________
> RPM Package Manager http://rpm5.org
> CVS Sources Repository rpm-cvs@rpm5.org
Received on Sat Dec 29 22:45:58 2007