diff options
author | Ludovic Courtès <ludo@gnu.org> | 2013-12-28 00:42:07 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2013-12-29 15:57:23 +0100 |
commit | 6df1fb8991bc7323dd4974a55d37f249a4e9c4a0 (patch) | |
tree | 599841214479f1b49c7c1422bb92e008d7b2f805 /guix/scripts | |
parent | b0a33ac157ce99688b6d668124377fdd81bf413e (diff) | |
download | gnu-guix-6df1fb8991bc7323dd4974a55d37f249a4e9c4a0.tar gnu-guix-6df1fb8991bc7323dd4974a55d37f249a4e9c4a0.tar.gz |
authenticate: Store the public key as part of the signature.
* guix/scripts/authenticate.scm (signature-sexp): New procedure.
(guix-authenticate): Use it to produce the signature. Adjust
verification code accordingly.
* tests/store.scm ("import corrupt path"): Adjust test accordingly.
Diffstat (limited to 'guix/scripts')
-rw-r--r-- | guix/scripts/authenticate.scm | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/guix/scripts/authenticate.scm b/guix/scripts/authenticate.scm index 70ba7cb88e..7e1c2a4671 100644 --- a/guix/scripts/authenticate.scm +++ b/guix/scripts/authenticate.scm @@ -44,6 +44,17 @@ (bv (base16-string->bytevector (string-trim-both hex)))) (bytevector->hash-data bv))) +(define (signature-sexp data secret-key public-key) + "Return a SPKI-style sexp for the signature of DATA with SECRET-KEY that +includes DATA, the actual signature value (with a 'sig-val' tag), and +PUBLIC-KEY (see <http://theworld.com/~cme/spki.txt> for examples.)" + (string->canonical-sexp + (format #f + "(signature ~a ~a ~a)" + (canonical-sexp->string data) + (canonical-sexp->string (sign data secret-key)) + (canonical-sexp->string public-key)))) + ;;; ;;; Entry point with 'openssl'-compatible interface. We support this @@ -57,18 +68,21 @@ ;; Sign the hash in HASH-FILE with KEY, and return an sexp that includes ;; both the hash and the actual signature. (let* ((secret-key (read-canonical-sexp key)) - (data (read-hash-data hash-file))) - (format #t - "(guix-signature ~a (payload ~a))" - (canonical-sexp->string (sign data secret-key)) - (canonical-sexp->string data)) + (public-key (if (string-suffix? ".sec" key) + (read-canonical-sexp + (string-append (string-drop-right key 4) ".pub")) + (leave (_ "cannot find public key for secret key '~a'") + key))) + (data (read-hash-data hash-file)) + (signature (signature-sexp data secret-key public-key))) + (display (canonical-sexp->string signature)) #t)) (("rsautl" "-verify" "-inkey" key "-pubin" "-in" signature-file) ;; Read the signature as produced above, check it against KEY, and print ;; the signed data to stdout upon success. (let* ((public-key (read-canonical-sexp key)) (sig+data (read-canonical-sexp signature-file)) - (data (find-sexp-token sig+data 'payload)) + (data (find-sexp-token sig+data 'data)) (signature (find-sexp-token sig+data 'sig-val))) (if (and data signature) (if (verify signature data public-key) |