Revision f4d04ed5
Added by Benoît PECCATTE about 8 years ago
rudder-agent/SOURCES/Makefile | ||
# Signature script
$(INSTALL) -m 755 signature.sh $(INSTALL_DIR)/bin/
$(INSTALL) -m 755 signature_check.sh $(INSTALL_DIR)/bin/
# Install an empty uuid.hive file before generating an uuid
$(INSTALL) -m 644 uuid.hive $(INSTALL_DIR)/etc/
rudder-agent/SOURCES/signature.sh | ||
# Create signature
SIGNATURE=`openssl dgst -passin "pass:${PASSPHRASE}" -${HASH} -hex -sign "${PRIVKEY}" < "${FILE}" | sed -e 's/.*= //'`
# Hostname (informative only, it can be slightly different from the rudder detected one)
HOSTNAME=`hostname`
# Private key modification date
KEYDATE=`stat -c %y ${PRIVKEY}`
# Public key identifier (last 4 bytes of the modulus)
KEYID=`openssl rsa -passin "pass:${PASSPHRASE}" -in "${PRIVKEY}" -noout -modulus | sed 's/.*\(........\)$/\1/'`
# Create a signature FILE
cat > "${FILE}.sign" <<EOF
header=rudder-signature-v1
algorithm=${HASH}
digest=${SIGNATURE}
hostname=${HOSTNAME}
keydate=${KEYDATE}
keyid=${KEYID}
EOF
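Review bot: The new `KEYID` line hands the private-key passphrase to openssl on the command line (`-passin "pass:${PASSPHRASE}"`), where it is readable by other local users through the process list while the command runs; since the value is already in a shell variable, `export PASSPHRASE` followed by `-passin env:PASSPHRASE` keeps it out of argv, and the same applies to the existing `SIGNATURE` line. `KEYDATE` calls `stat -c %y ${PRIVKEY}` with the path unquoted, and `-c` is a GNU coreutils option, so on platforms with a different stat the field ends up empty with an error on stderr; suggest `KEYDATE=$(stat -c %y "${PRIVKEY}" 2>/dev/null)` so a missing date degrades gracefully. The hostname, keydate and keyid fields are written outside the signed data, so a comment above the heredoc such as `# diagnostic metadata only: not covered by the signature, must not influence verification` would make the trust boundary explicit. The script's shebang and the surrounding variable setup are outside this hunk.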
rudder-agent/SOURCES/signature_check.sh | ||
#!/bin/bash
# To allow Rudder to provide its own version of openssl
export PATH=/opt/rudder/bin:$PATH
if openssl -h 2> /dev/null
then
true
else
echo "ERROR: openssl binary is missing !"
exit 1
fi
# the file to verify
FILE="$1"
if [ ! -e "${FILE}" ]
then
echo "Cannot verify: The file ${FILE} doesn't exist"
exit 2
fi
# Signature of this file
SIGNATURE="${FILE}.sign"
if [ ! -e "${SIGNATURE}" ]
then
echo "Cannot verify: The file ${SIGNATURE} doesn't exist"
exit 2
fi
# the public key to use for verification
PUBKEY="$2"
if [ ! -e "${PUBKEY}" ]
then
echo "Cannot verify: The file ${PUBKEY} doesn't exist"
exit 2
fi
# extract data from signature file
if [ $(head -n1 "${SIGNATURE}") != "header=rudder-signature-v1" ]
then
echo "Not a valid signature file"
exit 3
fi
HASH=$(sed -ne '/algorithm=/s/algorithm=//p' "${SIGNATURE}")
SIGN_HEX=$(sed -ne '/digest=/s/digest=//p' "${SIGNATURE}")
HOSTNAME=$(sed -ne '/hostname=/s/hostname=//p' "${SIGNATURE}")
KEYDATE=$(sed -ne '/keydate=/s/keydate=//p' "${SIGNATURE}")
KEYID=$(sed -ne '/keyid=/s/keyid=//p' "${SIGNATURE}")
# create binary signature file
SIGN=$(mktemp)
echo -ne $(echo "${SIGN_HEX}" | tr -d '[:space:]' | sed 's/../\\x&/g') > "${SIGN}"
# openssl command only read public keys in X509/pkcs8 format
PUBKEY8=$(mktemp)
openssl rsa -RSAPublicKey_in -in "${PUBKEY}" -pubout -out "${PUBKEY8}" 2> /dev/null
# Public key identifier (last 4 bytes of the modulus)
LOCAL_KEYID=$(openssl rsa -RSAPublicKey_in -in "${PUBKEY}" -noout -modulus | sed 's/.*\(........\)$/\1/')
# Check the signature
openssl dgst "-${HASH}" -verify "${PUBKEY8}" -signature "${SIGN}" < "${FILE}"
RET=$?
rm -f ${PUBKEY8} ${SIGN}
if [ ${RET} -ne 0 ]
then
# if there was an error give disgnostic information is possible
echo " - signature created on ${HOSTNAME:-unknown}"
echo " - private key file created at ${KEYDATE:-unknown}"
echo " - public key id from signature is ${KEYID:-unknown}"
echo " - your public key id is ${LOCAL_KEYID}"
fi
exit ${RET}
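Review bot: The `LOCAL_KEYID` line (`openssl rsa -RSAPublicKey_in ... -modulus`) has neither the `2> /dev/null` used by the conversion two lines above nor a fallback value, so when the supplied public key is not in RSAPublicKey format openssl's error text is emitted and the new diagnostic prints `your public key id is ` with nothing after it, which is the case a diagnosis-oriented change should handle. Suggest `LOCAL_KEYID=$(openssl rsa -RSAPublicKey_in -in "${PUBKEY}" -noout -modulus 2> /dev/null | sed 's/.*\(........\)$/\1/')`, `echo " - your public key id is ${LOCAL_KEYID:-unknown}"`, and one explicit verdict when both ids are present but differ: `[ -n "${KEYID}" ] && [ -n "${LOCAL_KEYID}" ] && [ "${KEYID}" != "${LOCAL_KEYID}" ] && echo " - key id mismatch: the signature was not produced by the private key matching this public key"`. The hostname, keydate and keyid values are read from the `.sign` file, which is not itself covered by the signature being verified, so the diagnostic block should carry a comment stating they are unverified hints, and the four `echo` lines are diagnostics that belong on stderr (`>&2`) rather than mixed with normal output. The comment `# if there was an error give disgnostic information is possible` should read `# if there was an error, give diagnostic information if possible`.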
rudder-agent/SPECS/rudder-agent.spec | ||
Source14: uuidgen
Source15: vzps.py
Source16: rudder.8.gz
Source17: signature_check.sh
# Prevent dependency auto-generation, that tries to be helpful by detecting Perl dependencies from
# FusionInventory. We handle that with the perl standalone installation already.
Fixes #8053: Make signature problem easier to diagnose