From: "Ludovic Courtès" <ludo@gnu.org>
To: 43285@debbugs.gnu.org
Cc: "Ludovic Courtès" <ludo@gnu.org>
Subject: [bug#43285] [PATCH 3/3] daemon: Simplify interface with 'guix authenticate'.
Date: Wed, 9 Sep 2020 00:16:35 +0200 [thread overview]
Message-ID: <20200908221635.32684-3-ludo@gnu.org> (raw)
In-Reply-To: <20200908221635.32684-1-ludo@gnu.org>
There's no reason at this point to mimic the calling convention of the
'openssl' command.
* nix/libstore/local-store.cc (LocalStore::exportPath): Add only "sign"
and HASH to ARGS. Remove 'tmpDir' and 'hashFile'.
(LocalStore::importPath): Add only "verify" and SIGNATURE to ARGS.
Remove 'sigFile'.
* guix/scripts/authenticate.scm (guix-authenticate): Adjust
accordingly; remove the OpenSSL-style clauses.
(read-hash-data): Remove.
(sign-with-key): Replace 'port' with 'sha256' and adjust accordingly.
(validate-signature): Export SIGNATURE to be a canonical sexp.
---
guix/scripts/authenticate.scm | 57 +++++++++++------------------------
nix/libstore/local-store.cc | 24 +++------------
2 files changed, 22 insertions(+), 59 deletions(-)
diff --git a/guix/scripts/authenticate.scm b/guix/scripts/authenticate.scm
index f1fd8ee895..b5f043e6ac 100644
--- a/guix/scripts/authenticate.scm
+++ b/guix/scripts/authenticate.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2020 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -17,7 +17,6 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (guix scripts authenticate)
- #:use-module (guix config)
#:use-module (guix base16)
#:use-module (gcrypt pk-crypto)
#:use-module (guix pki)
@@ -39,16 +38,9 @@
;; Read a gcrypt sexp from a port and return it.
(compose string->canonical-sexp read-string))
-(define (read-hash-data port key-type)
- "Read sha256 hash data from PORT and return it as a gcrypt sexp. KEY-TYPE
-is a symbol representing the type of public key algo being used."
- (let* ((hex (read-string port))
- (bv (base16-string->bytevector (string-trim-both hex))))
- (bytevector->hash-data bv #:key-type key-type)))
-
-(define (sign-with-key key-file port)
- "Sign the hash read from PORT with KEY-FILE, and write an sexp that includes
-both the hash and the actual signature."
+(define (sign-with-key key-file sha256)
+ "Sign the hash SHA256 (a bytevector) with KEY-FILE, and write an sexp that
+includes both the hash and the actual signature."
(let* ((secret-key (call-with-input-file key-file read-canonical-sexp))
(public-key (if (string-suffix? ".sec" key-file)
(call-with-input-file
@@ -58,18 +50,18 @@ both the hash and the actual signature."
(leave
(G_ "cannot find public key for secret key '~a'~%")
key-file)))
- (data (read-hash-data port (key-type public-key)))
+ (data (bytevector->hash-data sha256
+ #:key-type (key-type public-key)))
(signature (signature-sexp data secret-key public-key)))
(display (canonical-sexp->string signature))
#t))
-(define (validate-signature port)
- "Read the signature from PORT (which is as produced above), check whether
-its public key is authorized, verify the signature, and print the signed data
-to stdout upon success."
- (let* ((signature (read-canonical-sexp port))
- (subject (signature-subject signature))
- (data (signature-signed-data signature)))
+(define (validate-signature signature)
+ "Validate SIGNATURE, a canonical sexp. Check whether its public key is
+authorized, verify the signature, and print the signed data to stdout upon
+success."
+ (let* ((subject (signature-subject signature))
+ (data (signature-signed-data signature)))
(if (and data subject)
(if (authorized-key? subject)
(if (valid-signature? signature)
@@ -85,9 +77,7 @@ to stdout upon success."
\f
;;;
-;;; Entry point with 'openssl'-compatible interface. We support this
-;;; interface because that's what the daemon expects, and we want to leave it
-;;; unmodified currently.
+;;; Entry point.
;;;
(define (guix-authenticate . args)
@@ -101,22 +91,11 @@ to stdout upon success."
(with-fluids ((%default-port-encoding "ISO-8859-1")
(%default-port-conversion-strategy 'error))
(match args
- ;; As invoked by guix-daemon.
- (("rsautl" "-sign" "-inkey" key "-in" hash-file)
- (call-with-input-file hash-file
- (lambda (port)
- (sign-with-key key port))))
- ;; As invoked by Nix/Crypto.pm (used by Hydra.)
- (("rsautl" "-sign" "-inkey" key)
- (sign-with-key key (current-input-port)))
- ;; As invoked by guix-daemon.
- (("rsautl" "-verify" "-inkey" _ "-pubin" "-in" signature-file)
- (call-with-input-file signature-file
- (lambda (port)
- (validate-signature port))))
- ;; As invoked by Nix/Crypto.pm (used by Hydra.)
- (("rsautl" "-verify" "-inkey" _ "-pubin")
- (validate-signature (current-input-port)))
+ (("sign" key-file hash)
+ (sign-with-key key-file (base16-string->bytevector hash)))
+ (("verify" signature)
+ (validate-signature (string->canonical-sexp signature)))
+
(("--help")
(display (G_ "Usage: guix authenticate OPTION...
Sign or verify the signature on the given file. This tool is meant to
diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
index 7a520925e5..0534f2a3fc 100644
--- a/nix/libstore/local-store.cc
+++ b/nix/libstore/local-store.cc
@@ -1277,21 +1277,13 @@ void LocalStore::exportPath(const Path & path, bool sign,
writeInt(1, hashAndWriteSink);
- Path tmpDir = createTempDir();
- AutoDelete delTmp(tmpDir);
- Path hashFile = tmpDir + "/hash";
- writeFile(hashFile, printHash(hash));
-
Path secretKey = settings.nixConfDir + "/signing-key.sec";
checkSecrecy(secretKey);
Strings args;
- args.push_back("rsautl");
- args.push_back("-sign");
- args.push_back("-inkey");
+ args.push_back("sign");
args.push_back(secretKey);
- args.push_back("-in");
- args.push_back(hashFile);
+ args.push_back(printHash(hash));
string signature = runAuthenticationProgram(args);
@@ -1372,17 +1364,9 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
string signature = readString(hashAndReadSource);
if (requireSignature) {
- Path sigFile = tmpDir + "/sig";
- writeFile(sigFile, signature);
-
Strings args;
- args.push_back("rsautl");
- args.push_back("-verify");
- args.push_back("-inkey");
- args.push_back(settings.nixConfDir + "/signing-key.pub");
- args.push_back("-pubin");
- args.push_back("-in");
- args.push_back(sigFile);
+ args.push_back("verify");
+ args.push_back(signature);
string hash2 = runAuthenticationProgram(args);
/* Note: runProgram() throws an exception if the signature
--
2.28.0
next prev parent reply other threads:[~2020-09-08 22:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-08 21:58 [bug#43285] [PATCH 0/3] Improve 'import-paths' tests and 'guix authenticate' interface Ludovic Courtès
2020-09-08 22:16 ` [bug#43285] [PATCH 1/3] store: Test 'import-paths' with unauthorized and unsigned nar bundles Ludovic Courtès
2020-09-08 22:16 ` [bug#43285] [PATCH 2/3] doc: Distinguish the "nar bundle" format from "nar" Ludovic Courtès
2020-09-08 22:16 ` Ludovic Courtès [this message]
2020-09-08 23:07 ` [bug#43285] [PATCH 0/3] Improve 'import-paths' tests and 'guix authenticate' interface zimoun
2020-09-09 7:03 ` Ludovic Courtès
2020-09-11 15:59 ` bug#43285: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200908221635.32684-3-ludo@gnu.org \
--to=ludo@gnu.org \
--cc=43285@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).