Sign using py3-cryptography
parent
48e31ca0f1
commit
91ebd4193e
2
basic.sh
2
basic.sh
@ -4,7 +4,7 @@ set -e
|
||||
SOURCE_DIR=$(realpath $(dirname "${0}"))/basic
|
||||
|
||||
# Install packages
|
||||
apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux
|
||||
apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-cryptography py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux
|
||||
if [ ${DEBUG:-0} -eq 1 ]; then
|
||||
# Install some utilities for DEBUG mode
|
||||
apk --no-cache add git file htop less openssh-server openssh-sftp-server tar xz
|
||||
|
@ -6,13 +6,20 @@ import os
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
from cryptography.hazmat.primitives import hashes
|
||||
from cryptography.hazmat.primitives.asymmetric import ec
|
||||
from cryptography.hazmat.primitives.serialization import load_pem_private_key
|
||||
|
||||
BUILD_ROOT = '/root/buildroot'
|
||||
LXC_ROOT = '/var/lib/lxc'
|
||||
|
||||
def pack(meta_file):
|
||||
def pack(pkg_file):
|
||||
if os.path.is_dir(pkg_file):
|
||||
pkg_file = os.path.join(pkg_file, 'pkg')
|
||||
# Prepare metadata
|
||||
meta = {}
|
||||
with open(meta_file) as fd:
|
||||
with open(pkg_file) as fd:
|
||||
for line in fd:
|
||||
line = [l.strip() for l in line.split(':', 1)]
|
||||
meta[line[0]] = line[1]
|
||||
@ -35,7 +42,7 @@ def pack(meta_file):
|
||||
subprocess.run(['tar', 'cpf', tar_path, meta['lxcpath']], cwd=LXC_ROOT)
|
||||
if '/' not in meta['lxcpath']:
|
||||
print('Archiving setup files')
|
||||
cwd = os.path.dirname(os.path.abspath(meta_file))
|
||||
cwd = os.path.dirname(os.path.abspath(pkg_file))
|
||||
subprocess.run(['tar', 'rpf', tar_path, 'setup', 'setup.sh'], cwd=cwd)
|
||||
print('Compressing', tar_path)
|
||||
subprocess.run(['xz', '-9', tar_path])
|
||||
@ -55,7 +62,12 @@ def pack(meta_file):
|
||||
|
||||
# Sign packages
|
||||
print('Signing packages')
|
||||
subprocess.run(['openssl', 'dgst', '-sha512', '-sign', 'packages.key', '-out', 'packages.sha512', 'packages'], cwd=BUILD_ROOT)
|
||||
with open(os.path.join(BUILD_ROOT, 'packages.key'), 'rb') as fd:
|
||||
priv_key = load_pem_private_key(fd.read(), None, default_backend())
|
||||
with open(os.path.join(BUILD_ROOT, 'packages'), 'rb') as fd:
|
||||
data = fd.read()
|
||||
with open(os.path.join(BUILD_ROOT, 'packages.sha512'), 'wb') as fd:
|
||||
fd.write(priv_key.sign(data, ec.ECDSA(hashes.SHA512())))
|
||||
|
||||
def hash_file(file_path):
|
||||
sha512 = hashlib.sha512()
|
||||
|
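Review bot: `os.path.is_dir` does not exist in the standard library (the function is `os.path.isdir`), so the new directory check at the top of `pack()` raises AttributeError on every call, before any metadata is read; it should be `if os.path.isdir(pkg_file):`. In the signing hunk, `priv_key.sign(data, ec.ECDSA(hashes.SHA512()))` is only valid for an EC key, while `load_pem_private_key` returns whatever key type `packages.key` contains. A guard right after loading, `if not isinstance(priv_key, ec.EllipticCurvePrivateKey): raise TypeError('packages.key must be an EC private key')`, would fail with a clear message instead of an error from inside `sign`. The body of `pack()` continues between and beyond the visible hunks, so this covers only the lines shown.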