diff options
author | Ludovic Courtès <ludo@gnu.org> | 2020-09-08 15:00:29 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2020-09-11 17:53:58 +0200 |
commit | 6dd8ffc57420ee2f6f19e79e41028e78fe9e6a7e (patch) | |
tree | e416113b3ef643a6b34ed8b7fe4d317792ff66a1 /guix | |
parent | 7a68d3ccadc7391b97e94582301f3dfaf51a3179 (diff) |
daemon: Simplify interface with 'guix authenticate'.
There's no reason at this point to mimic the calling convention of the
'openssl' command.
* nix/libstore/local-store.cc (LocalStore::exportPath): Add only "sign"
and HASH to ARGS. Remove 'tmpDir' and 'hashFile'.
(LocalStore::importPath): Add only "verify" and SIGNATURE to
* guix/scripts/authenticate.scm (guix-authenticate): Adjust
accordingly; remove the OpenSSL-style clauses.
(read-hash-data): Remove.
(sign-with-key): Replace 'port' with 'sha256' and adjust accordingly.
(validate-signature): Export SIGNATURE to be a canonical sexp.
* tests/guix-authenticate.sh: Adjust tests accordingly.
Diffstat (limited to 'guix')
-rw-r--r-- | guix/scripts/authenticate.scm | 54 |
1 files changed, 18 insertions, 36 deletions
diff --git a/guix/scripts/authenticate.scm b/guix/scripts/authenticate.scm index a4b9171fc7..37e6cef53c 100644 --- a/guix/scripts/authenticate.scm +++ b/guix/scripts/authenticate.scm @@ -17,7 +17,6 @@ ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (guix scripts authenticate) - #:use-module (guix config) #:use-module (guix scripts) #:use-module (guix base16) #:use-module (gcrypt pk-crypto) @@ -40,16 +39,9 @@ ;; Read a gcrypt sexp from a port and return it. (compose string->canonical-sexp read-string)) -(define (read-hash-data port key-type) - "Read sha256 hash data from PORT and return it as a gcrypt sexp. KEY-TYPE -is a symbol representing the type of public key algo being used." - (let* ((hex (read-string port)) - (bv (base16-string->bytevector (string-trim-both hex)))) - (bytevector->hash-data bv #:key-type key-type))) - -(define (sign-with-key key-file port) - "Sign the hash read from PORT with KEY-FILE, and write an sexp that includes -both the hash and the actual signature." +(define (sign-with-key key-file sha256) + "Sign the hash SHA256 (a bytevector) with KEY-FILE, and write an sexp that +includes both the hash and the actual signature." (let* ((secret-key (call-with-input-file key-file read-canonical-sexp)) (public-key (if (string-suffix? ".sec" key-file) (call-with-input-file @@ -59,18 +51,18 @@ both the hash and the actual signature." (leave (G_ "cannot find public key for secret key '~a'~%") key-file))) - (data (read-hash-data port (key-type public-key))) + (data (bytevector->hash-data sha256 + #:key-type (key-type public-key))) (signature (signature-sexp data secret-key public-key))) (display (canonical-sexp->string signature)) #t)) -(define (validate-signature port) - "Read the signature from PORT (which is as produced above), check whether -its public key is authorized, verify the signature, and print the signed data -to stdout upon success." - (let* ((signature (read-canonical-sexp port)) - (subject (signature-subject signature)) - (data (signature-signed-data signature))) +(define (validate-signature signature) + "Validate SIGNATURE, a canonical sexp. Check whether its public key is +authorized, verify the signature, and print the signed data to stdout upon +success." + (let* ((subject (signature-subject signature)) + (data (signature-signed-data signature))) (if (and data subject) (if (authorized-key? subject) (if (valid-signature? signature) @@ -86,9 +78,7 @@ to stdout upon success." ;;; -;;; Entry point with 'openssl'-compatible interface. We support this -;;; interface because that's what the daemon expects, and we want to leave it -;;; unmodified currently. +;;; Entry point. ;;; (define-command (guix-authenticate . args) @@ -105,22 +95,14 @@ to stdout upon success." (with-fluids ((%default-port-encoding "ISO-8859-1") (%default-port-conversion-strategy 'error)) (match args - ;; As invoked by guix-daemon. - (("rsautl" "-sign" "-inkey" key "-in" hash-file) - (call-with-input-file hash-file - (lambda (port) - (sign-with-key key port)))) - ;; As invoked by Nix/Crypto.pm (used by Hydra.) - (("rsautl" "-sign" "-inkey" key) - (sign-with-key key (current-input-port))) - ;; As invoked by guix-daemon. - (("rsautl" "-verify" "-inkey" _ "-pubin" "-in" signature-file) + (("sign" key-file hash) + (sign-with-key key-file (base16-string->bytevector hash))) + (("verify" signature-file) (call-with-input-file signature-file (lambda (port) - (validate-signature port)))) - ;; As invoked by Nix/Crypto.pm (used by Hydra.) - (("rsautl" "-verify" "-inkey" _ "-pubin") - (validate-signature (current-input-port))) + (validate-signature (string->canonical-sexp + (read-string port)))))) + (("--help") (display (G_ "Usage: guix authenticate OPTION... Sign or verify the signature on the given file. This tool is meant to |