Re: remove date from signify zsig
On 18.03.2019 20:49, Ted Unangst wrote:
> Andre Stoebe wrote:
>> Hi,
>>
>> I, too, would like to have a way of signing the gzip archive in a
>> reproducible way, so here's a diff that uses -n, similar to gzip(1).
>
> Thanks. I think it's more consistent to store a zero time stamp. This diff is
> a little simpler and avoids some variable reabuse.
Hi Ted,
I agree, this diff is pretty elegant. And it works fine here.
Regards
Andre
> Index: signify.1
> ===
> RCS file: /home/cvs/src/usr.bin/signify/signify.1,v
> retrieving revision 1.45
> diff -u -p -r1.45 signify.1
> --- signify.1 26 Feb 2019 22:24:41 - 1.45
> +++ signify.1 18 Mar 2019 19:47:05 -
> @@ -35,7 +35,7 @@
> .Fl s Ar seckey
> .Nm signify
> .Fl S
> -.Op Fl ez
> +.Op Fl enz
> .Op Fl x Ar sigfile
> .Fl s Ar seckey
> .Fl m Ar message
> @@ -91,10 +91,15 @@ When verifying with
> .Fl e ,
> the file to create.
> .It Fl n
> -Do not ask for a passphrase during key generation.
> +When generating a key pair, do not ask for a passphrase.
> Otherwise,
> .Nm
> will prompt the user for a passphrase to protect the secret key.
> +When signing with
> +.Fl z ,
> +store a zero time stamp in the
> +.Xr gzip 1
> +header.
> .It Fl p Ar pubkey
> Public key produced by
> .Fl G ,
> Index: signify.c
> ===
> RCS file: /home/cvs/src/usr.bin/signify/signify.c,v
> retrieving revision 1.130
> diff -u -p -r1.130 signify.c
> --- signify.c 17 Jan 2019 05:40:10 - 1.130
> +++ signify.c 18 Mar 2019 19:41:05 -
> @@ -80,7 +80,7 @@ usage(const char *error)
> #ifndef VERIFYONLY
> "\t%1$s -C [-q] -p pubkey -x sigfile [file ...]\n"
> "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
> - "\t%1$s -S [-ez] [-x sigfile] -s seckey -m message\n"
> + "\t%1$s -S [-enz] [-x sigfile] -s seckey -m message\n"
> #endif
> "\t%1$s -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m
> message\n",
> getprogname());
> @@ -754,7 +754,8 @@ main(int argc, char **argv)
> char sigfilebuf[PATH_MAX];
> const char *comment = "signify";
> char *keytype = NULL;
> - int ch, rounds;
> + int ch;
> + int none = 0;
> int embedded = 0;
> int quiet = 0;
> int gzip = 0;
> @@ -769,8 +770,6 @@ main(int argc, char **argv)
> if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
> err(1, "pledge");
>
> - rounds = 42;
> -
> while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:")) != -1) {
> switch (ch) {
> #ifndef VERIFYONLY
> @@ -808,7 +807,7 @@ main(int argc, char **argv)
> msgfile = optarg;
> break;
> case 'n':
> - rounds = 0;
> + none = 1;
> break;
> case 'p':
> pubkeyfile = optarg;
> @@ -871,14 +870,14 @@ main(int argc, char **argv)
> if (!pubkeyfile || !seckeyfile)
> usage("must specify pubkey and seckey");
> check_keyname_compliance(pubkeyfile, seckeyfile);
> - generate(pubkeyfile, seckeyfile, rounds, comment);
> + generate(pubkeyfile, seckeyfile, none ? 0 : 42, comment);
> break;
> case SIGN:
> /* no pledge */
> if (gzip) {
> if (!msgfile || !seckeyfile || !sigfile)
> usage("must specify message sigfile seckey");
> - zsign(seckeyfile, msgfile, sigfile);
> + zsign(seckeyfile, msgfile, sigfile, none);
> } else {
> if (!msgfile || !seckeyfile)
> usage("must specify message and seckey");
> Index: signify.h
> ===
> RCS file: /home/cvs/src/usr.bin/signify/signify.h,v
> retrieving revision 1.1
> diff -u -p -r1.1 signify.h
> --- signify.h 2 Sep 2016 16:10:56 - 1.1
> +++ signify.h 18 Mar 2019 19:38:33 -
> @@ -19,7 +19,7 @@
> #ifndef signify_h
> #define signify_h
> extern void zverify(const char *, const char *, const char *, const char *);
> -extern void zsign(const char *, const char *, const char *);
> +extern void zsign(const char *, const char *, const char *, int);
>
> extern void *xmalloc(size_t);
> extern void writeall(int, const void *, size_t, const char *);
> Index: zsig.c
> ===
> RCS file: /home/cvs/src/usr.bin/signify/zsig.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 zsig.c
> --- zsig.c11 Jul 2017 23:52:05 - 1.15
> +++ zsig.c18 Mar 2019 19:43:08 -
> @@ -231,7 +231,8 @@ zverify(const char *pubkeyfile, const ch
> }
>
> void
> -zsign(const char *seckeyfile, const char *msgfile, const char *sigfile)
Re: remove date from signify zsig
Andre Stoebe wrote:
> Hi,
>
> I, too, would like to have a way of signing the gzip archive in a
> reproducible way, so here's a diff that uses -n, similar to gzip(1).
Thanks. I think it's more consistent to store a zero time stamp. This diff is
a little simpler and avoids some variable reabuse.
Index: signify.1
===
RCS file: /home/cvs/src/usr.bin/signify/signify.1,v
retrieving revision 1.45
diff -u -p -r1.45 signify.1
--- signify.1 26 Feb 2019 22:24:41 - 1.45
+++ signify.1 18 Mar 2019 19:47:05 -
@@ -35,7 +35,7 @@
.Fl s Ar seckey
.Nm signify
.Fl S
-.Op Fl ez
+.Op Fl enz
.Op Fl x Ar sigfile
.Fl s Ar seckey
.Fl m Ar message
@@ -91,10 +91,15 @@ When verifying with
.Fl e ,
the file to create.
.It Fl n
-Do not ask for a passphrase during key generation.
+When generating a key pair, do not ask for a passphrase.
Otherwise,
.Nm
will prompt the user for a passphrase to protect the secret key.
+When signing with
+.Fl z ,
+store a zero time stamp in the
+.Xr gzip 1
+header.
.It Fl p Ar pubkey
Public key produced by
.Fl G ,
Index: signify.c
===
RCS file: /home/cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.130
diff -u -p -r1.130 signify.c
--- signify.c 17 Jan 2019 05:40:10 - 1.130
+++ signify.c 18 Mar 2019 19:41:05 -
@@ -80,7 +80,7 @@ usage(const char *error)
#ifndef VERIFYONLY
"\t%1$s -C [-q] -p pubkey -x sigfile [file ...]\n"
"\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
- "\t%1$s -S [-ez] [-x sigfile] -s seckey -m message\n"
+ "\t%1$s -S [-enz] [-x sigfile] -s seckey -m message\n"
#endif
"\t%1$s -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m
message\n",
getprogname());
@@ -754,7 +754,8 @@ main(int argc, char **argv)
char sigfilebuf[PATH_MAX];
const char *comment = "signify";
char *keytype = NULL;
- int ch, rounds;
+ int ch;
+ int none = 0;
int embedded = 0;
int quiet = 0;
int gzip = 0;
@@ -769,8 +770,6 @@ main(int argc, char **argv)
if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
err(1, "pledge");
- rounds = 42;
-
while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:")) != -1) {
switch (ch) {
#ifndef VERIFYONLY
@@ -808,7 +807,7 @@ main(int argc, char **argv)
msgfile = optarg;
break;
case 'n':
- rounds = 0;
+ none = 1;
break;
case 'p':
pubkeyfile = optarg;
@@ -871,14 +870,14 @@ main(int argc, char **argv)
if (!pubkeyfile || !seckeyfile)
usage("must specify pubkey and seckey");
check_keyname_compliance(pubkeyfile, seckeyfile);
- generate(pubkeyfile, seckeyfile, rounds, comment);
+ generate(pubkeyfile, seckeyfile, none ? 0 : 42, comment);
break;
case SIGN:
/* no pledge */
if (gzip) {
if (!msgfile || !seckeyfile || !sigfile)
usage("must specify message sigfile seckey");
- zsign(seckeyfile, msgfile, sigfile);
+ zsign(seckeyfile, msgfile, sigfile, none);
} else {
if (!msgfile || !seckeyfile)
usage("must specify message and seckey");
Index: signify.h
===
RCS file: /home/cvs/src/usr.bin/signify/signify.h,v
retrieving revision 1.1
diff -u -p -r1.1 signify.h
--- signify.h 2 Sep 2016 16:10:56 - 1.1
+++ signify.h 18 Mar 2019 19:38:33 -
@@ -19,7 +19,7 @@
#ifndef signify_h
#define signify_h
extern void zverify(const char *, const char *, const char *, const char *);
-extern void zsign(const char *, const char *, const char *);
+extern void zsign(const char *, const char *, const char *, int);
extern void *xmalloc(size_t);
extern void writeall(int, const void *, size_t, const char *);
Index: zsig.c
===
RCS file: /home/cvs/src/usr.bin/signify/zsig.c,v
retrieving revision 1.15
diff -u -p -r1.15 zsig.c
--- zsig.c 11 Jul 2017 23:52:05 - 1.15
+++ zsig.c 18 Mar 2019 19:43:08 -
@@ -231,7 +231,8 @@ zverify(const char *pubkeyfile, const ch
}
void
-zsign(const char *seckeyfile, const char *msgfile, const char *sigfile)
+zsign(const char *seckeyfile, const char *msgfile, const char *sigfile,
+int skipdate)
{
size_t bufsize = MYBUFSIZE;
int fdin, fdout;
@@ -261,7 +262,11 @@ zsign(const char *seckeyfile, const char
msg = xmalloc(space);
buffer =
Re: remove date from signify zsig
On Mon, Feb 25, 2019 at 05:11:54PM -0500, Ted Unangst wrote: > Marc Espie wrote: > > On Mon, Feb 25, 2019 at 03:02:42PM -0500, Ted Unangst wrote: > > > Andre Stoebe wrote: > > > > Hi, > > > > > > > > I, too, would like to have a way of signing the gzip archive in a > > > > reproducible way, so here's a diff that uses -n, similar to gzip(1). > > > > > > > > However, if that's a bad idea, I'm fine with continuing to use an > > > > unsigned gzip archive and creating a sigfile with signify. > > > > > > Let me think on this for a bit. Seems reasonable, though. > > > > If you want something simpler, just set the date from outside through an > > env variable, so you'll have a reproducible date line for when you > > absolutely > > need it. > > Like TZ? I don't think there's a way to change the time that way. Is there? No, but instead of an extra option, a specific env variable ? might make more sense... or less. I don't know. I'm surprised this surfaced again, as the subject was broached a few months ago and dismissed, because yep, we do want the timestamp to mean something for pkg_add. Especially relating to our keys having a shelf life.
Re: remove date from signify zsig
Marc Espie wrote: > On Mon, Feb 25, 2019 at 03:02:42PM -0500, Ted Unangst wrote: > > Andre Stoebe wrote: > > > Hi, > > > > > > I, too, would like to have a way of signing the gzip archive in a > > > reproducible way, so here's a diff that uses -n, similar to gzip(1). > > > > > > However, if that's a bad idea, I'm fine with continuing to use an > > > unsigned gzip archive and creating a sigfile with signify. > > > > Let me think on this for a bit. Seems reasonable, though. > > If you want something simpler, just set the date from outside through an > env variable, so you'll have a reproducible date line for when you absolutely > need it. Like TZ? I don't think there's a way to change the time that way. Is there?
Re: remove date from signify zsig
On Mon, Feb 25, 2019 at 03:02:42PM -0500, Ted Unangst wrote: > Andre Stoebe wrote: > > Hi, > > > > I, too, would like to have a way of signing the gzip archive in a > > reproducible way, so here's a diff that uses -n, similar to gzip(1). > > > > However, if that's a bad idea, I'm fine with continuing to use an > > unsigned gzip archive and creating a sigfile with signify. > > Let me think on this for a bit. Seems reasonable, though. If you want something simpler, just set the date from outside through an env variable, so you'll have a reproducible date line for when you absolutely need it.
Re: remove date from signify zsig
Andre Stoebe wrote: > Hi, > > I, too, would like to have a way of signing the gzip archive in a > reproducible way, so here's a diff that uses -n, similar to gzip(1). > > However, if that's a bad idea, I'm fine with continuing to use an > unsigned gzip archive and creating a sigfile with signify. Let me think on this for a bit. Seems reasonable, though.
Re: remove date from signify zsig
Hi,
I, too, would like to have a way of signing the gzip archive in a
reproducible way, so here's a diff that uses -n, similar to gzip(1).
However, if that's a bad idea, I'm fine with continuing to use an
unsigned gzip archive and creating a sigfile with signify.
Regards
Andre
Index: signify.1
===
RCS file: /cvs/src/usr.bin/signify/signify.1,v
retrieving revision 1.44
diff -u -p -r1.44 signify.1
--- signify.1 10 Aug 2018 20:27:01 - 1.44
+++ signify.1 25 Feb 2019 11:55:57 -
@@ -35,7 +35,7 @@
.Fl s Ar seckey
.Nm signify
.Fl S
-.Op Fl ez
+.Op Fl enz
.Op Fl x Ar sigfile
.Fl s Ar seckey
.Fl m Ar message
@@ -91,10 +91,15 @@ When verifying with
.Fl e ,
the file to create.
.It Fl n
-Do not ask for a passphrase during key generation.
+When generating a key pair, do not ask for a passphrase.
Otherwise,
.Nm
will prompt the user for a passphrase to protect the secret key.
+When signing with
+.Fl z ,
+do not store the time stamp in the
+.Xr gzip 1
+header.
.It Fl p Ar pubkey
Public key produced by
.Fl G ,
Index: signify.c
===
RCS file: /cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.130
diff -u -p -r1.130 signify.c
--- signify.c 17 Jan 2019 05:40:10 - 1.130
+++ signify.c 25 Feb 2019 11:55:57 -
@@ -80,7 +80,7 @@ usage(const char *error)
#ifndef VERIFYONLY
"\t%1$s -C [-q] -p pubkey -x sigfile [file ...]\n"
"\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
- "\t%1$s -S [-ez] [-x sigfile] -s seckey -m message\n"
+ "\t%1$s -S [-enz] [-x sigfile] -s seckey -m message\n"
#endif
"\t%1$s -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m
message\n",
getprogname());
@@ -878,7 +878,7 @@ main(int argc, char **argv)
if (gzip) {
if (!msgfile || !seckeyfile || !sigfile)
usage("must specify message sigfile seckey");
- zsign(seckeyfile, msgfile, sigfile);
+ zsign(seckeyfile, msgfile, sigfile, rounds);
} else {
if (!msgfile || !seckeyfile)
usage("must specify message and seckey");
Index: signify.h
===
RCS file: /cvs/src/usr.bin/signify/signify.h,v
retrieving revision 1.1
diff -u -p -r1.1 signify.h
--- signify.h 2 Sep 2016 16:10:56 - 1.1
+++ signify.h 25 Feb 2019 11:55:57 -
@@ -19,7 +19,7 @@
#ifndef signify_h
#define signify_h
extern void zverify(const char *, const char *, const char *, const char *);
-extern void zsign(const char *, const char *, const char *);
+extern void zsign(const char *, const char *, const char *, int);
extern void *xmalloc(size_t);
extern void writeall(int, const void *, size_t, const char *);
Index: zsig.c
===
RCS file: /cvs/src/usr.bin/signify/zsig.c,v
retrieving revision 1.15
diff -u -p -r1.15 zsig.c
--- zsig.c 11 Jul 2017 23:52:05 - 1.15
+++ zsig.c 25 Feb 2019 11:55:57 -
@@ -231,7 +231,8 @@ zverify(const char *pubkeyfile, const ch
}
void
-zsign(const char *seckeyfile, const char *msgfile, const char *sigfile)
+zsign(const char *seckeyfile, const char *msgfile, const char *sigfile,
+int storedate)
{
size_t bufsize = MYBUFSIZE;
int fdin, fdout;
@@ -242,8 +243,6 @@ zsign(const char *seckeyfile, const char
char *p;
uint8_t *buffer;
uint8_t *sighdr;
- char date[80];
- time_t clock;
fdin = xopen(msgfile, O_RDONLY, 0);
if (fstat(fdin, ) == -1 || !S_ISREG(sb.st_mode))
@@ -261,14 +260,24 @@ zsign(const char *seckeyfile, const char
msg = xmalloc(space);
buffer = xmalloc(bufsize);
- time();
- strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%SZ", gmtime());
- snprintf(msg, space,
- "date=%s\n"
- "key=%s\n"
- "algorithm=SHA512/256\n"
- "blocksize=%zu\n\n",
- date, seckeyfile, bufsize);
+ if (storedate) {
+ char date[80];
+ time_t clock;
+ time();
+ strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%SZ",
+ gmtime());
+ snprintf(msg, space,
+ "date=%s\n"
+ "key=%s\n"
+ "algorithm=SHA512/256\n"
+ "blocksize=%zu\n\n",
+ date, seckeyfile, bufsize);
+ } else
+ snprintf(msg, space,
+ "key=%s\n"
+ "algorithm=SHA512/256\n"
+ "blocksize=%zu\n\n",
+ seckeyfile, bufsize);
p = strchr(msg, 0);
while (1) {
Re: remove date from signify zsig
Stuart Henderson wrote: > On 2019/02/23 18:02, Ted Unangst wrote: > > signify -z adds a date= line to the header, but nothing reads it. It's also > > not very useful, since it's outside the signature. It would still not be > > useful, because nothing about the signify design cares about when something > > was signed. It does cause trouble, however, because signing the same thing > > twice results in two different files. Normal signify operation produces > > consistent signatures. > > pkg_add reads this header and copies to the @digital-signature line > in the +CONTENTS file. It is directly user visible too, for the "always > updated" quirks package, the @digital-signature line is read and displayed: I was trying to find such code, but obviously failed. > I'm not sure what you mean "outside the signature", changing the > date string does cause validation to fail, so it must be covered by > the signature? Ah, it is. Never mind then. The context is that some people are trying to use signify in a determinisitic reproducible way, and the dates keep changing. At first this looked like an unnecessary addition, but if we're using it, then that's how things are.
Re: remove date from signify zsig
On 2019/02/23 18:02, Ted Unangst wrote: > signify -z adds a date= line to the header, but nothing reads it. It's also > not very useful, since it's outside the signature. It would still not be > useful, because nothing about the signify design cares about when something > was signed. It does cause trouble, however, because signing the same thing > twice results in two different files. Normal signify operation produces > consistent signatures. pkg_add reads this header and copies to the @digital-signature line in the +CONTENTS file. It is directly user visible too, for the "always updated" quirks package, the @digital-signature line is read and displayed: # pkg_add -u quirks quirks-3.104 signed on 2019-02-23T23:46:16Z And at least some users make use of this to know when the package build was done. I'm not sure what you mean "outside the signature", changing the date string does cause validation to fail, so it must be covered by the signature?
remove date from signify zsig
signify -z adds a date= line to the header, but nothing reads it. It's also
not very useful, since it's outside the signature. It would still not be
useful, because nothing about the signify design cares about when something
was signed. It does cause trouble, however, because signing the same thing
twice results in two different files. Normal signify operation produces
consistent signatures.
Index: zsig.c
===
RCS file: /cvs/src/usr.bin/signify/zsig.c,v
retrieving revision 1.15
diff -u -p -r1.15 zsig.c
--- zsig.c 11 Jul 2017 23:52:05 - 1.15
+++ zsig.c 23 Feb 2019 22:55:59 -
@@ -242,8 +242,6 @@ zsign(const char *seckeyfile, const char
char *p;
uint8_t *buffer;
uint8_t *sighdr;
- char date[80];
- time_t clock;
fdin = xopen(msgfile, O_RDONLY, 0);
if (fstat(fdin, ) == -1 || !S_ISREG(sb.st_mode))
@@ -261,14 +259,11 @@ zsign(const char *seckeyfile, const char
msg = xmalloc(space);
buffer = xmalloc(bufsize);
- time();
- strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%SZ", gmtime());
snprintf(msg, space,
- "date=%s\n"
"key=%s\n"
"algorithm=SHA512/256\n"
"blocksize=%zu\n\n",
- date, seckeyfile, bufsize);
+ seckeyfile, bufsize);
p = strchr(msg, 0);
while (1) {
