Sign using py3-cryptography

This commit is contained in:
Disassembler 2018-10-02 17:35:49 +02:00
parent 48e31ca0f1
commit 91ebd4193e
Signed by: Disassembler
GPG Key ID: 524BD33A0EE29499
2 changed files with 17 additions and 5 deletions


@ -4,7 +4,7 @@ set -e
SOURCE_DIR=$(realpath $(dirname "${0}"))/basic
# Install packages
apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux
apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-cryptography py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux
if [ ${DEBUG:-0} -eq 1 ]; then
# Install some utilities for DEBUG mode
apk --no-cache add git file htop less openssh-server openssh-sftp-server tar xz


@ -6,13 +6,20 @@ import os
import subprocess
import sys
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import load_pem_private_key
BUILD_ROOT = '/root/buildroot'
LXC_ROOT = '/var/lib/lxc'
def pack(meta_file):
def pack(pkg_file):
if os.path.is_dir(pkg_file):
pkg_file = os.path.join(pkg_file, 'pkg')
# Prepare metadata
meta = {}
with open(meta_file) as fd:
with open(pkg_file) as fd:
for line in fd:
line = [l.strip() for l in line.split(':', 1)]
meta[line[0]] = line[1]
@ -35,7 +42,7 @@ def pack(meta_file):
subprocess.run(['tar', 'cpf', tar_path, meta['lxcpath']], cwd=LXC_ROOT)
if '/' not in meta['lxcpath']:
print('Archiving setup files')
cwd = os.path.dirname(os.path.abspath(meta_file))
cwd = os.path.dirname(os.path.abspath(pkg_file))
subprocess.run(['tar', 'rpf', tar_path, 'setup', 'setup.sh'], cwd=cwd)
print('Compressing', tar_path)
subprocess.run(['xz', '-9', tar_path])
@ -55,7 +62,12 @@ def pack(meta_file):
# Sign packages
print('Signing packages')
subprocess.run(['openssl', 'dgst', '-sha512', '-sign', 'packages.key', '-out', 'packages.sha512', 'packages'], cwd=BUILD_ROOT)
with open(os.path.join(BUILD_ROOT, 'packages.key'), 'rb') as fd:
priv_key = load_pem_private_key(fd.read(), None, default_backend())
with open(os.path.join(BUILD_ROOT, 'packages'), 'rb') as fd:
data = fd.read()
with open(os.path.join(BUILD_ROOT, 'packages.sha512'), 'wb') as fd:
fd.write(priv_key.sign(data, ec.ECDSA(hashes.SHA512())))
def hash_file(file_path):
sha512 = hashlib.sha512()
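Review bot: `os.path.is_dir` in the first hunk of pack() does not exist in the standard library — the function is `os.path.isdir`, so the new directory branch raises AttributeError the first time a directory is passed; change the line to `if os.path.isdir(pkg_file):`. In the signing hunk, `load_pem_private_key(fd.read(), None, default_backend())` passes `None` as the password, so a passphrase-protected packages.key, which the replaced `openssl dgst -sign` invocation would have prompted for, now fails to load at all; if the key is meant to be stored unencrypted, a comment such as `# packages.key must be an unencrypted PEM EC private key` would make that requirement explicit. `priv_key.sign(data, ec.ECDSA(hashes.SHA512()))` also hard-codes an EC key, whereas the openssl call worked for any key type; if EC is intended, a guard like `if not isinstance(priv_key, ec.EllipticCurvePrivateKey): sys.exit('packages.key is not an EC private key')` right after loading gives a clearer failure than the TypeError raised deep inside sign(). The remainder of pack() lies outside these hunks.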