From 56d51fcd6be992c7bbc38431db06817816c1e08e Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Thu, 3 Nov 2016 10:26:38 +0100
Subject: [PATCH] gpg-sign all valid files in the repo, including source tarballs

This makes sure there is a GPG signature on any file that is included in the repo, including APKs, OBB, source tarballs, media files, OTA update ZIPs, etc. Having a GPG signature is more important on non-APK files since they mostly do not have any signature mechanism of their own. This also adds basic tests of adding non-APK/OBB files to a repo with `fdroid update`.
closes #232
---
 examples/config.py | 2 +-
 fdroidserver/common.py | 11 +++++++++++
 fdroidserver/gpgsign.py | 15 +++++++++------
 fdroidserver/update.py | 4 +---
 tests/gnupghome/pubring.gpg | Bin 0 -> 724 bytes
 tests/gnupghome/random_seed | Bin 0 -> 600 bytes
 tests/gnupghome/secring.gpg | Bin 0 -> 1388 bytes
 tests/gnupghome/trustdb.gpg | Bin 0 -> 1280 bytes
 tests/repo/fake.ota.update_1234.zip | Bin 0 -> 233 bytes
 .../repo/obb.main.twoversions_1101617_src.tar.gz | Bin 0 -> 150 bytes
 tests/run-tests | 14 +++++++++++++-
 11 files changed, 35 insertions(+), 11 deletions(-)
 create mode 100644 tests/gnupghome/pubring.gpg
 create mode 100644 tests/gnupghome/random_seed
 create mode 100644 tests/gnupghome/secring.gpg
 create mode 100644 tests/gnupghome/trustdb.gpg
 create mode 100644 tests/repo/fake.ota.update_1234.zip
 create mode 100644 tests/repo/obb.main.twoversions_1101617_src.tar.gz

diff --git a/examples/config.py b/examples/config.py
index 63edc718..3b1ab95c 100644
--- a/examples/config.py
+++ b/examples/config.py
@@ -86,7 +86,7 @@ The repository of older versions of applications from the main demo repository.
 # current_version_name_source = 'id'
 # Optionally, override home directory for gpg
-# gpghome = /home/fdroid/somewhere/else/.gnupg
+# gpghome = '/home/fdroid/somewhere/else/.gnupg'
 # The ID of a GPG key for making detached signatures for apks. Optional.
 # gpgkey = '1DBA2E89'
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index b653d5a8..08708f31 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2084,3 +2084,14 @@ def get_per_app_repos():
 repos.append(d)
 break
 return repos
+
+
+def is_repo_file(filename):
+ '''Whether the file in a repo is a build product to be delivered to users'''
+ return os.path.isfile(filename) \
+ and os.path.basename(filename) not in [
+ 'index.jar',
+ 'index.xml',
+ 'index.html',
+ 'categories.txt',
+ ]
diff --git a/fdroidserver/gpgsign.py b/fdroidserver/gpgsign.py
index 41b5a43f..4c9cf6bb 100644
--- a/fdroidserver/gpgsign.py
+++ b/fdroidserver/gpgsign.py
@@ -50,10 +50,13 @@ def main():
 sys.exit(1)
 # Process any apks that are waiting to be signed...
- for apkfile in sorted(glob.glob(os.path.join(output_dir, '*.apk'))):
-
- apkfilename = os.path.basename(apkfile)
- sigfilename = apkfilename + ".asc"
+ for f in sorted(glob.glob(os.path.join(output_dir, '*.*'))):
+ if common.get_file_extension(f) == 'asc':
+ continue
+ if not common.is_repo_file(f):
+ continue
+ filename = os.path.basename(f)
+ sigfilename = filename + ".asc"
 sigpath = os.path.join(output_dir, sigfilename)
 if not os.path.exists(sigpath):
@@ -64,13 +67,13 @@ def main():
 gpgargs.extend(['--homedir', config['gpghome']])
 if 'gpgkey' in config:
 gpgargs.extend(['--local-user', config['gpgkey']])
- gpgargs.append(os.path.join(output_dir, apkfilename))
+ gpgargs.append(os.path.join(output_dir, filename))
 p = FDroidPopen(gpgargs)
 if p.returncode != 0:
 logging.error("Signing failed.")
 sys.exit(1)
- logging.info('Signed ' + apkfilename)
+ logging.info('Signed ' + filename)
 if __name__ == "__main__":
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index cebd5a92..110de3ef 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
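Review bot: `is_repo_file` becomes the single definition of what counts as a deliverable file, yet detached signatures (`*.asc`) still pass it, so gpgsign.py has to filter them with a separate extension check before calling it; if scan_repo_files in update.py is not meant to index signature files either, the exclusion belongs here, e.g. `and not filename.endswith('.asc')`. The exclusion list is also rebuilt as a fresh list literal on every call and the expression depends on a `\` continuation; a module-level tuple such as `INDEX_FILES = ('index.jar', 'index.xml', 'index.html', 'categories.txt')` with the `return` wrapped in parentheses would be the conventional form. The docstring should say that the argument is a path rather than a bare entry name, since `os.path.isfile` resolves a bare name against the current working directory.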
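Review bot: The new glob pattern `'*.*'` in the first gpgsign.py hunk only matches names containing a dot, so repo files without an extension are never signed even though update.py's `os.listdir`-based scan accepts them through the same `is_repo_file` check; `glob.glob(os.path.join(output_dir, '*'))` would cover them, and `is_repo_file` already rejects directories via `os.path.isfile`. Note also that `glob` skips dotfiles, so hidden files in the repo directory are silently left out of signing. The existing `if not os.path.exists(sigpath)` guard a few lines down is unchanged, so a file replaced in place keeps its old detached signature; with non-APK artifacts like source tarballs now in scope this is worth a comment or a mtime comparison. `main()` begins and ends outside these hunks.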
@@ -517,13 +517,11 @@ def scan_repo_files(apkcache, repodir, knownapks, use_date_from_file=False): cachechanged = False repo_files = [] for name in os.listdir(repodir): - if name in ['index.jar', 'index.xml', 'index.html', 'categories.txt', ]: - continue file_extension = common.get_file_extension(name) if file_extension == 'apk' or file_extension == 'obb': continue filename = os.path.join(repodir, name) - if not os.path.isfile(filename): + if not common.is_repo_file(name): continue stat = os.stat(filename) if stat.st_size == 0: diff --git a/tests/gnupghome/pubring.gpg b/tests/gnupghome/pubring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..fc60c42a12c6b85fc4af9da6199c1f4013eef803 GIT binary patch literal 724 zcmbQy%Mu~=kDrl+VXtfG<-5BsEZ=f!j�qN!X^hO2W*irfq9;VVqDTNk(R|LRx;2LSkMe zkPTFjR9d1?0@P8gsbG@^G{yl$*mdk+5oTm!P-0~Qd6Y?-nT?y1gPoa)O_YO)lZ%^0 zjER|%Nsf_8yn%s>Q$Xz6k;~@_zyG!lXJME+Rq*YFQ+pD6>ekKcIp!(haYahc_?6ZI zyX%d8`zMNBTV{U#z5MKJbDnUCxhY*%v2`$Lco^TF@n-T*o+4%mIqv`3529UXsC8{! zR9}b-7jBu;Jxefx>c`j(V+* zHJ2DH<2EocFz)g?p*h_1q^9hiqSckE zTguS>JpMwS{*%C&KP&z%Q)w)n+G+SQ$ofZAnP0KwrgW}g)=?x-o9Df0I0x&51utvUgmVCh#_9 xZxUw=7vCu(yy+^u-&Pam73;=z?Gz0(u literal 0 HcmV?d00001 diff --git a/tests/gnupghome/random_seed b/tests/gnupghome/random_seed new file mode 100644 index 0000000000000000000000000000000000000000..cb41f6e0107d690b8d2aec094ed6e7b10648c86d GIT binary patch literal 600 zcmV-e0;m1-T`r;8DQxp34*eCDD#z{;y@dF;VHekN60OR4My2@deo&N*Omm?%0ldsV z9=*FgRYYJv49GmT(8c&wU`%`)R)ya9Z@Yaqn<=~6J{b>i7ZFrU*ACe`%I@pX#^ zKbko|9)MpiW$Fjt!EB813PK>ap!JCL3lr@0!4}!4F4JrZyy|0CIGqmCM>qQ_{{aNJr@51lFjRO@}mVhI zcWjC~FO~#W8(tZ3Dk93K&|}2n&4}u!hp+Vxd&-|r>x zAA;fag&I>Q*WO@tA8=^xj#7ePTAUPcKe4H)G5nm z15?r=X7*gm9gmGzDnaEr?mi7{H)CII`y_YZOWxww+Xy*q&_9I;4KOtd6S>maCi8fn mWPbmrC!LTJ{9oF=FDJ1W(n7{Hbof>h8d3JB+@GwcYCa1GUM(L0 literal 0 HcmV?d00001 
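Review bot: `if not common.is_repo_file(name):` passes the bare `os.listdir` entry, but `is_repo_file` calls `os.path.isfile` on its argument, so the existence test runs against the current working directory rather than `repodir` and every non-APK/OBB file will be skipped unless the process happens to run inside the repo directory; the joined path built on the line above should be used instead: `if not common.is_repo_file(filename):`. The later `os.stat(filename)` already uses the joined path, which is what the check should be consistent with. `scan_repo_files` continues outside the hunk.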
diff --git a/tests/gnupghome/secring.gpg b/tests/gnupghome/secring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..20b160863a87ac3b36fa315feeba66ebdf3b87bc GIT binary patch literal 1388 zcmV-y1(W)f0oVjs8vYLf1OUB7Rny(N(5JM@oEvW=bXKzMA`=73mbQjO1D`Dj-*33c z!CC%a$tjPXNCP;f(4hjI<3V*v%4qpVBL~`Y@E}cMaODN9;3cmOn65A`Vx3Mr1HpWB zZ}P0sKQXcxa#a8k0RRC21OHEu z9e2JCL6`7aO4gGYa!SIf*FcQx={r#_}<49*%~M!lQ}dn zQh}2u3ALIuoqjepF3Jk2#K~tIlj8ya*!CHsxk%Dq&72mgZ>yrmE-6^$M{FTGx?;9C zn_w5h7W^bgGHf;JXzy6ElgmbTWZ0&Ytk8zd>PW*;*R|Ei+ zl@aaG%DiBVey*O3#z`1R)EX``>MEc<*MW||krvjbH_z`Mo7SA<3Km8p(8+I@hq>8%iPcN~a+Du}Go06AW;0ssJ=0oVjs8vYLf1OUjSZ=mN_RhI8o>VJ&| z2wTX1XH9K@88Q-h!ki198kD<~DvD(-bpVIwU(jwZbm&fpwLMG3in}_*!;O za~ZN{3R4Bbg8uVeHtlQLKSajAl+K@*2M6Wphe0VDX%y|v&cCz7ZiVfPqx?gRHS+v2 z5sBUm3bNtg%u@gn0RRC21O7V)31T#TAdG>CH~-^oZX1?CPsGW$7F44FJL9FdtLp>gFHp%J=4H$*pMqOW{vwjliA zjS}^Qo9y=6n1#z$XgleIy z0yjqosAcoG$$@oS%sE;$iUhVSle_Gh)Y)oN3*Yez1hEByYO4PuZy!aQDv`lSi^MqPL27u~zJYf7%Os7v&M KRH!MVsV*{UyDX3m!qN;f3~7nkse1V(iF&04DTyVidIdR&$*CFn zIVq_{p&^_M%zQtkB0#vbf}4SnFj8=K4N)*M yFf`)|@MdI^W5#8t1kh#%21X#>(g(iQ+MLKT8W9aa$`U z_-}nB&*!e~`pfVBi8%IX+2W~@dzPQ~jQ^~t^4$6D5*gi@!SU> config.py echo "install_list = 'org.adaway'" >> config.py echo "uninstall_list = {'com.android.vending', 'com.facebook.orca',}" >> config.py +echo "gpghome = '$GNUPGHOME'" >> config.py +echo "gpgkey = 'CE71F7FB'" >> config.py $fdroid update --verbose test -e repo/index.xml test -e repo/index.jar grep -F '