From 91ebd4193ec19f85f06022fb612504e489c09eb1 Mon Sep 17 00:00:00 2001
From: Disassembler <disassembler@dasm.cz>
Date: Tue, 2 Oct 2018 17:35:49 +0200
Subject: [PATCH] Sign using py3-cryptography

---
 basic.sh          |  2 +-
 zz-extra/lxc-pack | 20 ++++++++++++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/basic.sh b/basic.sh
index 89910e6..eb89cb6 100755
--- a/basic.sh
+++ b/basic.sh
@@ -4,7 +4,7 @@ set -e
 SOURCE_DIR=$(realpath $(dirname "${0}"))/basic
 
 # Install packages
-apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux
+apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-cryptography py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux
 if [ ${DEBUG:-0} -eq 1 ]; then
     # Install some utilities for DEBUG mode
     apk --no-cache add git file htop less openssh-server openssh-sftp-server tar xz
diff --git a/zz-extra/lxc-pack b/zz-extra/lxc-pack
index 8bc2740..41ca130 100755
--- a/zz-extra/lxc-pack
+++ b/zz-extra/lxc-pack
@@ -6,13 +6,20 @@ import os
 import subprocess
 import sys
 
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+
 BUILD_ROOT = '/root/buildroot'
 LXC_ROOT = '/var/lib/lxc'
 
-def pack(meta_file):
+def pack(pkg_file):
+    if os.path.is_dir(pkg_file):
+        pkg_file = os.path.join(pkg_file, 'pkg')
     # Prepare metadata
     meta = {}
-    with open(meta_file) as fd:
+    with open(pkg_file) as fd:
         for line in fd:
             line = [l.strip() for l in line.split(':', 1)]
             meta[line[0]] = line[1]
@@ -35,7 +42,7 @@ def pack(meta_file):
     subprocess.run(['tar', 'cpf', tar_path, meta['lxcpath']], cwd=LXC_ROOT)
     if '/' not in meta['lxcpath']:
         print('Archiving setup files')
-        cwd = os.path.dirname(os.path.abspath(meta_file))
+        cwd = os.path.dirname(os.path.abspath(pkg_file))
         subprocess.run(['tar', 'rpf', tar_path, 'setup', 'setup.sh'], cwd=cwd)
     print('Compressing', tar_path)
     subprocess.run(['xz', '-9', tar_path])
@@ -55,7 +62,12 @@ def pack(meta_file):
 
     # Sign packages
     print('Signing packages')
-    subprocess.run(['openssl', 'dgst', '-sha512', '-sign', 'packages.key', '-out', 'packages.sha512', 'packages'], cwd=BUILD_ROOT)
+    with open(os.path.join(BUILD_ROOT, 'packages.key'), 'rb') as fd:
+        priv_key = load_pem_private_key(fd.read(), None, default_backend())
+    with open(os.path.join(BUILD_ROOT, 'packages'), 'rb') as fd:
+        data = fd.read()
+    with open(os.path.join(BUILD_ROOT, 'packages.sha512'), 'wb') as fd:
+        fd.write(priv_key.sign(data, ec.ECDSA(hashes.SHA512())))
 
 def hash_file(file_path):
     sha512 = hashlib.sha512()