Trouble verifying a pkg-repo signature manually
John W. O'Brien
john at saltant.com
Sun Feb 9 01:23:38 UTC 2014
On 2/8/14 6:50 PM, John W. O'Brien wrote:
> Hello freebsd-ports@,
>
> I'm trying to build and maintain my own package repository and
> understand how everything is put together in the process. Right now, I'm
> having trouble understanding how the signatures are made and verified.
> The following should illustrate both the problem I'm having and how I
> think things are supposed to work.
[...]
> Testing the signature
> ---------------------
>
> # cd /tmp/test
> # tar xf /tmp/packages/digests.txz
> # openssl dgst -verify /tmp/keys/repo.pub \
> -signature signature -sha256 digests
> Verification Failure
[...]
I think I found out why this doesn't work.
Inside pkg-repo(8), the code that actually generates the signature [0],
signs an ASCII-encoded, zero-terminated [1] representation of the SHA256
digest. I would guess that inside "openssl dgst ... -sha256 ..." the
signature generation and verification are operating on a SHA256 blob
(i.e. unterminated binary).
So, the next best way I've come up with to verify a repo by hand is this:
# openssl rsautl -pubin -inkey /tmp/keys/repo.pub \
-verify -in test_sig -asn1parse
0:d=0 hl=2 l= 49 cons: SEQUENCE
2:d=1 hl=2 l= 13 cons: SEQUENCE
4:d=2 hl=2 l= 9 prim: OBJECT :sha256
15:d=2 hl=2 l= 0 prim: NULL
17:d=1 hl=2 l= 32 prim: OCTET STRING
0000 - 7d b0 d6 38 8c 0f 28 53-2a 76 40 4f d6 84 8f 24
}..8..(S*v at O...$
0010 - e5 0a a1 57 45 ec f1 31-14 aa d0 4c 9a d0 fc 17
...WE..1...L....
# sha256 -q digests
7db0d6388c0f28532a76404fd6848f24e50aa15745ecf13114aad04c9ad0fc17
I just visually compare the OCTET STRING to the digest.
[0] rsa_sign()
https://github.com/freebsd/pkg/blob/master/libpkg/rsa.c#L175
[2] sha256_hash()
https://github.com/freebsd/pkg/blob/master/libpkg/utils.c#L343
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 535 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20140208/69f28a3c/attachment.sig>
More information about the freebsd-ports
mailing list