Alternative signing system

Makefile-libostree-defines.am

@@ -46,6 +46,8 @@ libostree_public_headers = \
  src/libostree/ostree-repo-finder-mount.h \
  src/libostree/ostree-repo-finder-override.h \
  src/libostree/ostree-kernel-args.h \
+ src/libostree/ostree-sign.h \
+ src/libostree/ostree-sign-ed25519.h \
  $(NULL)
 
 # This one is generated via configure.ac, and the gtk-doc

Makefile-libostree.am

@@ -262,6 +262,20 @@ libostree_1_la_CFLAGS += $(OT_DEP_SELINUX_CFLAGS)
 libostree_1_la_LIBADD += $(OT_DEP_SELINUX_LIBS)
 endif
 
+libostree_1_la_SOURCES += \
+ src/libostree/ostree-sign.c \
+ src/libostree/ostree-sign.h \
+ src/libostree/ostree-sign-dummy.c \
+ src/libostree/ostree-sign-dummy.h \
+ src/libostree/ostree-sign-ed25519.c \
+ src/libostree/ostree-sign-ed25519.h \
+ $(NULL)
+
+if USE_LIBSODIUM
+libostree_1_la_CFLAGS += $(OT_DEP_LIBSODIUM_CFLAGS)
+libostree_1_la_LIBADD += $(OT_DEP_LIBSODIUM_LIBS)
+endif # USE_LIBSODIUM
+
 # XXX: work around clang being passed -fstack-clash-protection which it doesn't understand
 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1672012
 INTROSPECTION_SCANNER_ENV = CC=gcc

Makefile-man.am

@@ -32,7 +32,7 @@ ostree-commit.1 ostree-create-usb.1 ostree-export.1 \
 ostree-config.1 ostree-diff.1 ostree-find-remotes.1 ostree-fsck.1 \
 ostree-init.1 ostree-log.1 ostree-ls.1 ostree-prune.1 ostree-pull-local.1 \
 ostree-pull.1 ostree-refs.1 ostree-remote.1 ostree-reset.1 \
-ostree-rev-parse.1 ostree-show.1 ostree-summary.1 \
+ostree-rev-parse.1 ostree-show.1 ostree-sign.1 ostree-summary.1 \
 ostree-static-delta.1
 if USE_LIBSOUP
 man1_files += ostree-trivial-httpd.1

Makefile-ostree.am

@@ -43,6 +43,7 @@ ostree_SOURCES = src/ostree/main.c \
  src/ostree/ot-builtin-remote.c \
  src/ostree/ot-builtin-reset.c \
  src/ostree/ot-builtin-rev-parse.c \
+ src/ostree/ot-builtin-sign.c \
  src/ostree/ot-builtin-summary.c \
  src/ostree/ot-builtin-show.c \
  src/ostree/ot-builtin-static-delta.c \
@@ -112,7 +113,6 @@ ostree_SOURCES += \
  $(NULL)
 endif
 
-
 if USE_CURL_OR_SOUP
 ostree_SOURCES += src/ostree/ot-remote-builtin-add-cookie.c \
  src/ostree/ot-remote-builtin-delete-cookie.c \
@@ -162,3 +162,8 @@ if USE_LIBARCHIVE
 ostree_CFLAGS += $(OT_DEP_LIBARCHIVE_CFLAGS)
 ostree_LDADD += $(OT_DEP_LIBARCHIVE_LIBS)
 endif
+
+if USE_LIBSODIUM
+ostree_CFLAGS += $(OT_DEP_LIBSODIUM_CFLAGS)
+ostree_LDADD += $(OT_DEP_LIBSODIUM_LIBS)
+endif # USE_LIBSODIUM

Makefile-tests.am

@@ -137,6 +137,9 @@ _installed_or_uninstalled_test_scripts = \
  tests/test-summary-collections.sh \
  tests/test-pull-collections.sh \
  tests/test-config.sh \
+ tests/test-signed-commit.sh \
+ tests/test-signed-pull.sh \
+ tests/test-signed-pull-summary.sh \
  $(NULL)
 
 if USE_GPGME

apidoc/ostree-docs.xml

@@ -21,6 +21,7 @@
  <xi:include href="xml/ostree-sepolicy.xml"/>
  <xi:include href="xml/ostree-sysroot-upgrader.xml"/>
  <xi:include href="xml/ostree-gpg-verify-result.xml"/>
+ <xi:include href="xml/ostree-sign.xml"/>
  <xi:include href="xml/ostree-bootconfig-parser.xml"/>
  <xi:include href="xml/ostree-chain-input-stream.xml"/>
  <xi:include href="xml/ostree-checksum-input-stream.xml"/>

apidoc/ostree-sections.txt

@@ -705,3 +705,23 @@ ostree_kernel_args_from_string
 ostree_kernel_args_to_strv
 ostree_kernel_args_to_string
 </SECTION>
+
+<SECTION>
+<FILE>ostree-sign</FILE>
+OstreeSign
+ostree_sign_list_names
+ostree_sign_commit
+ostree_sign_commit_verify
+ostree_sign_data
+ostree_sign_data_verify
+ostree_sign_get_by_name
+ostree_sign_get_name
+ostree_sign_add_pk
+ostree_sign_clear_keys
+ostree_sign_load_pk
+ostree_sign_set_pk
+ostree_sign_set_sk
+ostree_sign_summary
+<SUBSECTION Standard>
+ostree_sign_get_type
+</SECTION>

bash/ostree

@@ -1484,6 +1484,48 @@ _ostree_show() {
  return 0
 }
 
+_ostree_sign() {
+ local boolean_options="
+ $main_boolean_options
+ --delete -d
+ --verify -v
+ "
+
+ local options_with_args="
+ --sign-type
+ --keys-file
+ --keys-dir
+ --repo
+ "
+
+ local options_with_args_glob=$( __ostree_to_extglob "$options_with_args" )
+
+ case "$prev" in
+ --keys-file|--keys-dir|--repo)
+ __ostree_compreply_dirs_only
+ return 0
+ ;;
+ $options_with_args_glob )
+ return 0
+ ;;
+ esac
+
+ case "$cur" in
+ -*)
+ local all_options="$boolean_options $options_with_args"
+ __ostree_compreply_all_options
+ ;;
+ *)
+ local argpos=$( __ostree_pos_first_nonflag $( __ostree_to_alternatives "$options_with_args" ) )
+
+ if [ $cword -eq $argpos ]; then
+ __ostree_compreply_commits
+ fi
+ esac
+
+ return 0
+}
+
 _ostree_static_delta_apply_offline() {
  local boolean_options="
  $main_boolean_options
@@ -1747,6 +1789,7 @@ _ostree() {
  reset
  rev-parse
  show
+ sign
  static-delta
  summary
  "

configure.ac

@@ -242,6 +242,21 @@ dnl to link to it directly.
 )
 AM_CONDITIONAL(USE_GPGME, test "x$have_gpgme" = xyes)
 
+
+LIBSODIUM_DEPENDENCY="1.0.14"
+AC_ARG_WITH(libsodium,
+ AS_HELP_STRING([--with-libsodium], [Use libsodium @<:@default=no@:>@]),
+ [], [with_libsodium=no])
+AS_IF([test x$with_libsodium != xno], [
+ AC_DEFINE([HAVE_LIBSODIUM], 1, [Define if using libsodium])
+ PKG_CHECK_MODULES(OT_DEP_LIBSODIUM, libsodium >= $LIBSODIUM_DEPENDENCY, have_libsodium=yes, have_libsodium=no)
+ AS_IF([ test x$have_libsodium = xno ], [
+ AC_MSG_ERROR([Need LIBSODIUM version $LIBSODIUM_DEPENDENCY or later])
+ ])
+ OSTREE_FEATURES="$OSTREE_FEATURES libsodium"
+], with_libsodium=no )
+AM_CONDITIONAL(USE_LIBSODIUM, test "x$have_libsodium" = xyes)
+
 LIBARCHIVE_DEPENDENCY="libarchive >= 2.8.0"
 # What's in RHEL7.2.
 FUSE_DEPENDENCY="fuse >= 2.9.2"
@@ -626,6 +641,7 @@ echo "
  cryptographic checksums: $with_crypto
  systemd: $with_libsystemd
  libmount: $with_libmount
+ libsodium (ed25519 signatures): $with_libsodium
  libarchive (parse tar files directly): $with_libarchive
  static deltas: yes (always enabled now)
  O_TMPFILE: $enable_otmpfile

man/ostree-commit.xml

@@ -251,6 +251,39 @@ Boston, MA 02111-1307, USA.
  POLICY is a boolean which specifies whether fsync should be used or not. Default to true.
  </para></listitem>
  </varlistentry>
+
+ <varlistentry>
+ <term><option>-s, --sign-type</option></term>
+ <listitem><para>
+ Use particular signature engine. Currently
+ available <arg choice="plain">ed25519</arg> and <arg choice="plain">dummy</arg>
+ signature types.
+
+ The default is <arg choice="plain">ed25519</arg>.
+ </para></listitem>
+
+ </varlistentry>
+ <varlistentry>
+ <term><option>--sign</option>="KEY-ID"</term>
+ <listitem><para>
+ There <literal>KEY-ID</literal> is:
+ <variablelist>
+ <varlistentry>
+ <term><option>for ed25519:</option></term>
+ <listitem><para>
+ <literal>base64</literal>-encoded secret key for commit signing.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>for dummy:</option></term>
+ <listitem><para>
+ ASCII-string used as secret key.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </para></listitem>
+ </varlistentry>
  </variablelist>
  </refsect1>
 

man/ostree-sign.xml

@@ -0,0 +1,152 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+Copyright 2019 Denis Pynkin <[email protected]>
+
+SPDX-License-Identifier: LGPL-2.0+
+
+This library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the
+Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+Boston, MA 02111-1307, USA.
+-->
+
+<refentry id="ostree">
+
+ <refentryinfo>
+ <title>ostree sign</title>
+ <productname>OSTree</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Colin</firstname>
+ <surname>Walters</surname>
+ <email>[email protected]</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>ostree sign</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>ostree-sign</refname>
+ <refpurpose>Sign a commit</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>ostree sign</command> <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="req">COMMIT</arg> <arg choice="req" rep="repeat">KEY-ID</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>
+ Add a new signature to a commit.
+
+ Note that currently, this will append a new signature even if
+ the commit is already signed with a given key.
+ </para>
+
+ <para>
+ There are several "well-known" system places for `ed25519` trusted and revoked public keys -- expected single <literal>base64</literal>-encoded key per line.
+ </para>
+
+ <para>Files:
+ <itemizedlist>
+ <listitem><para><filename>/etc/ostree/trusted.ed25519</filename></para></listitem>
+ <listitem><para><filename>/etc/ostree/revoked.ed25519</filename></para></listitem>
+ <listitem><para><filename>/usr/share/ostree/trusted.ed25519</filename></para></listitem>
+ <listitem><para><filename>/usr/share/ostree/revoked.ed25519</filename></para></listitem>
+ </itemizedlist>
+ </para>
+
+ <para>Directories containing files with keys:
+ <itemizedlist>
+ <listitem><para><filename>/etc/ostree/trusted.ed25519.d</filename></para></listitem>
+ <listitem><para><filename>/etc/ostree/revoked.ed25519.d</filename></para></listitem>
+ <listitem><para><filename>/usr/share/ostree/trusted.ed25519.d</filename></para></listitem>
+ <listitem><para><filename>/usr/share/ostree/rvokeded.ed25519.d</filename></para></listitem>
+ </itemizedlist>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>KEY-ID</option></term>
+ <listitem><para>
+ <variablelist>
+ <varlistentry>
+ <term><option>for ed25519:</option></term>
+ <listitem><para>
+ <literal>base64</literal>-encoded secret (for signing) or public key (for verifying).
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>for dummy:</option></term>
+ <listitem><para>
+ ASCII-string used as secret key and public key.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--verify</option></term>
+ <listitem><para>
+ Verify signatures
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>-s, --sign-type</option></term>
+ <listitem><para>
+ Use particular signature mechanism. Currently
+ available <arg choice="plain">ed25519</arg> and <arg choice="plain">dummy</arg>
+ signature types.
+
+ The default is <arg choice="plain">ed25519</arg>.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--keys-file</option></term>
+ <listitem><para>
+ Read key(s) from file <filename>filename</filename>.
+ </para></listitem>
+
+ <listitem><para>
+ Valid for <literal>ed25519</literal> signature type.
+ For <literal>ed25519</literal> this file must contain <literal>base64</literal>-encoded
+ secret key(s) (for signing) or public key(s) (for verifying) per line.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--keys-dir</option></term>
+ <listitem><para>
+ Redefine the system path, where to search files and subdirectories with
+ well-known and revoked keys.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+</refentry>