From 49bc0a3afbbe3740bb857b530440364b021a865f Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 17 Jun 2022 19:57:17 -0300
Subject: [PATCH 5/5] Use python3-gpg instead of python3-gnupg
The former uses GPGME and is the recommended way of using GnuPG from
applications, by the GnuPG initiative, as it provides a better
documented API [1][2].
python-gpg is also already present in some distros, e.g. Fedora and
CentOS Stream, as it is a dependency of their package manager (dnf).
It is also available in other major distros such as Debian, Ubuntu,
OpenSUSE, so no disruptions are to be expected regarding packaging.
[1] https://gnupg.org/software/gpgme/index.html
[2] https://wiki.python.org/moin/GnuPrivacyGuard
---
installer.sh | 6 +++---
keylime/signing.py | 27 +++++++++++++--------------
requirements.txt | 3 +--
3 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/installer.sh b/installer.sh
index 6618e1d..4355b33 100755
--- a/installer.sh
+++ b/installer.sh
@@ -58,7 +58,7 @@ case "$ID" in
echo "${ID} selected."
PACKAGE_MGR=$(command -v apt-get)
PYTHON_PREIN="git patch"
- PYTHON_DEPS="python3 python3-pip python3-dev python3-setuptools python3-zmq python3-tornado python3-cryptography python3-requests python3-psutil gcc g++ libssl-dev swig python3-yaml python3-gnupg python3-lark wget"
+ PYTHON_DEPS="python3 python3-pip python3-dev python3-setuptools python3-zmq python3-tornado python3-cryptography python3-requests python3-psutil gcc g++ libssl-dev swig python3-yaml python3-gpg python3-lark wget"
if [ "$(uname -m)" = "x86_64" ]; then
PYTHON_DEPS+=" libefivar-dev"
fi
@@ -96,7 +96,7 @@ case "$ID" in
PACKAGE_MGR=$(command -v dnf)
NEED_EPEL=1
PYTHON_PREIN="python3 python3-devel python3-setuptools python3-pip"
- PYTHON_DEPS="gcc gcc-c++ openssl-devel python3-yaml python3-requests swig python3-cryptography wget git python3-tornado python3-zmq python3-gnupg python3-psutil"
+ PYTHON_DEPS="gcc gcc-c++ openssl-devel python3-yaml python3-requests swig python3-cryptography wget git python3-tornado python3-zmq python3-gpg python3-psutil"
if [ "$(uname -m)" = "x86_64" ]; then
PYTHON_DEPS+=" efivar-libs"
fi
@@ -116,7 +116,7 @@ case "$ID" in
echo "${ID} selected."
PACKAGE_MGR=$(command -v dnf)
PYTHON_PREIN="python3 python3-devel python3-setuptools git wget patch"
- PYTHON_DEPS="python3-pip gcc gcc-c++ openssl-devel swig python3-pyyaml python3-zmq python3-cryptography python3-tornado python3-requests python3-gnupg yaml-cpp-devel procps-ng python3-psutil python3-lark-parser"
+ PYTHON_DEPS="python3-pip gcc gcc-c++ openssl-devel swig python3-pyyaml python3-zmq python3-cryptography python3-tornado python3-requests python3-gpg yaml-cpp-devel procps-ng python3-psutil python3-lark-parser"
if [ "$(uname -m)" = "x86_64" ]; then
PYTHON_DEPS+=" efivar-devel"
fi
diff --git a/keylime/signing.py b/keylime/signing.py
index 1353c1e..a1be9c7 100644
--- a/keylime/signing.py
+++ b/keylime/signing.py
@@ -5,7 +5,7 @@ Copyright 2017 Massachusetts Institute of Technology.
import tempfile
-import gnupg
+import gpg
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
@@ -55,19 +55,18 @@ def verify_signature(key, sig, file):
# PGP
if key_header == "-----BEGIN PGP PUBLIC KEY BLOCK-----":
- gpg = gnupg.GPG()
- logger.debug("Importing GPG key")
- gpg_imported = gpg.import_keys(key.decode("utf-8"))
- if gpg_imported.count == 1: # pylint: disable=E1101
- logger.debug("GPG key successfully imported")
- else:
- raise Exception("Unable to import GPG key")
-
- # The Python PGP library won't let you read a signature from memory, hence this hack.
- with tempfile.NamedTemporaryFile() as temp_sig:
- temp_sig.write(sig)
- temp_sig.flush()
- verified = gpg.verify_data(temp_sig.name, file)
+ verified = False
+ with tempfile.TemporaryDirectory() as gpg_homedir:
+ ctx = gpg.Context(home_dir=gpg_homedir)
+ try:
+ logger.debug("Importing GPG key")
+ result = ctx.key_import(key)
+ except Exception as e:
+ raise Exception("Unable to import GPG key") from e
+
+ if result is not None and hasattr(result, "considered") is True:
+ _, result = ctx.verify(file, sig)
+ verified = result.signatures[0].status == 0
# OpenSSL
elif key_header == "-----BEGIN PUBLIC KEY-----":
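Review bot: The line `verified = result.signatures[0].status == 0` only ever produces False if `ctx.verify` returns normally on a non-OK signature, but the GPGME Python bindings raise `gpg.errors.BadSignatures` for any signature whose status is not OK, and `signatures` is empty when `sig` is not a signature at all, so a forged or mismatched signature now leaves `verify_signature` as an uncaught exception (or an IndexError) where the removed `gpg.verify_data` path yielded a falsy `verified`. The `else` side of the `hasattr(result, "considered")` test is also silent: `key_import` appears to hand back the error object instead of raising it, which is what that `hasattr` test is detecting and why the `except Exception` branch will rarely fire, so an unimportable key now returns `verified = False` with no log where the removed code raised `Unable to import GPG key`; `considered` counts keys examined rather than keys added, so `result.imported == 0` should be treated as the same failure. Using a fresh `TemporaryDirectory` as `home_dir` is an improvement over the removed code, which imported the caller-supplied key into the default keyring, and `hasattr(...) is True` can simply be `hasattr(...)`. `verify_signature` starts and ends outside the hunk, so check how callers consume `verified` before deciding between raising and returning False; the sketch below keeps the removed code's behaviour of raising on import failure and returning False on a bad signature.
```python
        with tempfile.TemporaryDirectory() as gpg_homedir:
            ctx = gpg.Context(home_dir=gpg_homedir)
            # … unchanged: key_import inside try/except …
            # key_import returns the error object rather than raising, and
            # "considered" only counts keys examined, so check "imported" too
            if result is None or not hasattr(result, "considered") or result.imported == 0:
                raise Exception("Unable to import GPG key")
            try:
                _, vres = ctx.verify(file, sig)
            except gpg.errors.BadSignatures as e:
                logger.warning("GPG signature verification failed: %s", e)
            else:
                verified = bool(vres.signatures) and all(s.status == 0 for s in vres.signatures)
```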
diff --git a/requirements.txt b/requirements.txt
index d31eabc..ca3fac3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,8 +10,7 @@ pyyaml>=3.11 # MIT
requests>=2.6 # Apache-2.0
sqlalchemy>=1.3 # MIT
alembic>=1.1.0 # MIT
-python-gnupg>=0.4.6 # BSD
packaging>=20.0 #BSD
psutil>=5.4.2 # BSD
# Note that lark was renamed from lark-parser with 1.0.0 release
-lark>=1.0.0 # MIT
\ No newline at end of file
+lark>=1.0.0 # MIT
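Review bot: After this hunk requirements.txt declares nothing that provides the `gpg` module which keylime/signing.py imports in the same patch; the removed `python-gnupg>=0.4.6` line has no replacement, so an environment built from this file alone (pip into a venv or a container image) will fail at `import gpg` unless the GPGME bindings arrive through the distro package that the installer.sh hunks switch to. If that is the intended source, record it next to the other entries so the gap is not read as an oversight, e.g. `# gpg (GPGME Python bindings) is expected from the distro python3-gpg package, see installer.sh`. The trailing-newline fix on the `lark` line is fine as is.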
--
2.35.1