Andre Stoebe wrote:
> Hi,
>
> I, too, would like to have a way of signing the gzip archive in a
> reproducible way, so here's a diff that uses -n, similar to gzip(1).
Thanks. I think it's more consistent to store a zero time stamp. This diff is
a little simpler and avoids some variable reabuse.
Index: signify.1
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/signify.1,v
retrieving revision 1.45
diff -u -p -r1.45 signify.1
--- signify.1 26 Feb 2019 22:24:41 -0000 1.45
+++ signify.1 18 Mar 2019 19:47:05 -0000
@@ -35,7 +35,7 @@
.Fl s Ar seckey
.Nm signify
.Fl S
-.Op Fl ez
+.Op Fl enz
.Op Fl x Ar sigfile
.Fl s Ar seckey
.Fl m Ar message
@@ -91,10 +91,15 @@ When verifying with
.Fl e ,
the file to create.
.It Fl n
-Do not ask for a passphrase during key generation.
+When generating a key pair, do not ask for a passphrase.
Otherwise,
.Nm
will prompt the user for a passphrase to protect the secret key.
+When signing with
+.Fl z ,
+store a zero time stamp in the
+.Xr gzip 1
+header.
.It Fl p Ar pubkey
Public key produced by
.Fl G ,
Index: signify.c
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.130
diff -u -p -r1.130 signify.c
--- signify.c 17 Jan 2019 05:40:10 -0000 1.130
+++ signify.c 18 Mar 2019 19:41:05 -0000
@@ -80,7 +80,7 @@ usage(const char *error)
#ifndef VERIFYONLY
"\t%1$s -C [-q] -p pubkey -x sigfile [file ...]\n"
"\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
- "\t%1$s -S [-ez] [-x sigfile] -s seckey -m message\n"
+ "\t%1$s -S [-enz] [-x sigfile] -s seckey -m message\n"
#endif
"\t%1$s -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m
message\n",
getprogname());
@@ -754,7 +754,8 @@ main(int argc, char **argv)
char sigfilebuf[PATH_MAX];
const char *comment = "signify";
char *keytype = NULL;
- int ch, rounds;
+ int ch;
+ int none = 0;
int embedded = 0;
int quiet = 0;
int gzip = 0;
@@ -769,8 +770,6 @@ main(int argc, char **argv)
if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
err(1, "pledge");
- rounds = 42;
-
while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:")) != -1) {
switch (ch) {
#ifndef VERIFYONLY
@@ -808,7 +807,7 @@ main(int argc, char **argv)
msgfile = optarg;
break;
case 'n':
- rounds = 0;
+ none = 1;
break;
case 'p':
pubkeyfile = optarg;
@@ -871,14 +870,14 @@ main(int argc, char **argv)
if (!pubkeyfile || !seckeyfile)
usage("must specify pubkey and seckey");
check_keyname_compliance(pubkeyfile, seckeyfile);
- generate(pubkeyfile, seckeyfile, rounds, comment);
+ generate(pubkeyfile, seckeyfile, none ? 0 : 42, comment);
break;
case SIGN:
/* no pledge */
if (gzip) {
if (!msgfile || !seckeyfile || !sigfile)
usage("must specify message sigfile seckey");
- zsign(seckeyfile, msgfile, sigfile);
+ zsign(seckeyfile, msgfile, sigfile, none);
} else {
if (!msgfile || !seckeyfile)
usage("must specify message and seckey");
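Review bot: The KDF round count that used to live in the named local `rounds` is now a bare literal in the `generate(pubkeyfile, seckeyfile, none ? 0 : 42, comment);` call, so the reader no longer sees what 42 means at the point of use. A named constant keeps the intent visible, e.g. `enum { KDF_ROUNDS = 42 };` near the top of main (or file scope) and `generate(pubkeyfile, seckeyfile, none ? 0 : KDF_ROUNDS, comment);`. The same flag `none` now also reaches `zsign()` below to suppress the time stamp, so a one-line comment at its declaration in the earlier hunk (`int none = 0;	/* -n: no passphrase (-G), zero time stamp (-S -z) */`) would document the two meanings in one place. main() continues outside this hunk.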
Index: signify.h
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/signify.h,v
retrieving revision 1.1
diff -u -p -r1.1 signify.h
--- signify.h 2 Sep 2016 16:10:56 -0000 1.1
+++ signify.h 18 Mar 2019 19:38:33 -0000
@@ -19,7 +19,7 @@
#ifndef signify_h
#define signify_h
extern void zverify(const char *, const char *, const char *, const char *);
-extern void zsign(const char *, const char *, const char *);
+extern void zsign(const char *, const char *, const char *, int);
extern void *xmalloc(size_t);
extern void writeall(int, const void *, size_t, const char *);
Index: zsig.c
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/zsig.c,v
retrieving revision 1.15
diff -u -p -r1.15 zsig.c
--- zsig.c 11 Jul 2017 23:52:05 -0000 1.15
+++ zsig.c 18 Mar 2019 19:43:08 -0000
@@ -231,7 +231,8 @@ zverify(const char *pubkeyfile, const ch
}
void
-zsign(const char *seckeyfile, const char *msgfile, const char *sigfile)
+zsign(const char *seckeyfile, const char *msgfile, const char *sigfile,
+ int skipdate)
{
size_t bufsize = MYBUFSIZE;
int fdin, fdout;
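Review bot: The new `skipdate` parameter is undocumented at the definition, and the caller passes a variable named `none`, so its effect is only described in signify.1 rather than in the code. A short comment above `zsign` would close that gap, e.g. `/* skipdate: use a zero time stamp (1970-01-01T00:00:00Z) instead of the current time so output is reproducible */`; the visible part of the next hunk shows the value feeding the `date=` line of the signed message, and presumably the gzip header mtime as well, as the manpage text states — worth confirming in the rest of the function. The body of `zsign` continues outside this hunk.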
@@ -261,7 +262,11 @@ zsign(const char *seckeyfile, const char
msg = xmalloc(space);
buffer = xmalloc(bufsize);
- time(&clock);
+ if (skipdate) {
+ clock = 0;
+ } else {
+ time(&clock);
+ }
strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%SZ", gmtime(&clock));
snprintf(msg, space,
"date=%s\n"