Andre Stoebe wrote:
> Hi,
> 
> I, too, would like to have a way of signing the gzip archive in a
> reproducible way, so here's a diff that uses -n, similar to gzip(1).

Thanks. I think it's more consistent to store a zero time stamp. This diff is
a little simpler and avoids some variable reabuse.


Index: signify.1
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/signify.1,v
retrieving revision 1.45
diff -u -p -r1.45 signify.1
--- signify.1   26 Feb 2019 22:24:41 -0000      1.45
+++ signify.1   18 Mar 2019 19:47:05 -0000
@@ -35,7 +35,7 @@
 .Fl s Ar seckey
 .Nm signify
 .Fl S
-.Op Fl ez
+.Op Fl enz
 .Op Fl x Ar sigfile
 .Fl s Ar seckey
 .Fl m Ar message
@@ -91,10 +91,15 @@ When verifying with
 .Fl e ,
 the file to create.
 .It Fl n
-Do not ask for a passphrase during key generation.
+When generating a key pair, do not ask for a passphrase.
 Otherwise,
 .Nm
 will prompt the user for a passphrase to protect the secret key.
+When signing with
+.Fl z ,
+store a zero time stamp in the
+.Xr gzip 1
+header.
 .It Fl p Ar pubkey
 Public key produced by
 .Fl G ,
Index: signify.c
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.130
diff -u -p -r1.130 signify.c
--- signify.c   17 Jan 2019 05:40:10 -0000      1.130
+++ signify.c   18 Mar 2019 19:41:05 -0000
@@ -80,7 +80,7 @@ usage(const char *error)
 #ifndef VERIFYONLY
            "\t%1$s -C [-q] -p pubkey -x sigfile [file ...]\n"
            "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
-           "\t%1$s -S [-ez] [-x sigfile] -s seckey -m message\n"
+           "\t%1$s -S [-enz] [-x sigfile] -s seckey -m message\n"
 #endif
            "\t%1$s -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m 
message\n",
            getprogname());
@@ -754,7 +754,8 @@ main(int argc, char **argv)
        char sigfilebuf[PATH_MAX];
        const char *comment = "signify";
        char *keytype = NULL;
-       int ch, rounds;
+       int ch;
+       int none = 0;
        int embedded = 0;
        int quiet = 0;
        int gzip = 0;
@@ -769,8 +770,6 @@ main(int argc, char **argv)
        if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
                err(1, "pledge");
 
-       rounds = 42;
-
        while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:")) != -1) {
                switch (ch) {
 #ifndef VERIFYONLY
@@ -808,7 +807,7 @@ main(int argc, char **argv)
                        msgfile = optarg;
                        break;
                case 'n':
-                       rounds = 0;
+                       none = 1;
                        break;
                case 'p':
                        pubkeyfile = optarg;
@@ -871,14 +870,14 @@ main(int argc, char **argv)
                if (!pubkeyfile || !seckeyfile)
                        usage("must specify pubkey and seckey");
                check_keyname_compliance(pubkeyfile, seckeyfile);
-               generate(pubkeyfile, seckeyfile, rounds, comment);
+               generate(pubkeyfile, seckeyfile, none ? 0 : 42, comment);
                break;
        case SIGN:
                /* no pledge */
                if (gzip) {
                        if (!msgfile || !seckeyfile || !sigfile)
                                usage("must specify message sigfile seckey");
-                       zsign(seckeyfile, msgfile, sigfile);
+                       zsign(seckeyfile, msgfile, sigfile, none);
                } else {
                        if (!msgfile || !seckeyfile)
                                usage("must specify message and seckey");
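Review bot: The value the removed `rounds` variable used to carry (42) is now a bare literal at the call site, `generate(pubkeyfile, seckeyfile, none ? 0 : 42, comment);`, so the meaning of the number and of the 0-for-`-n` case is no longer visible where it is used; a file-level constant for the default with a one-line comment stating that 0 means "no passphrase" would keep that readable. `-n` is also accepted with `-S`, but in this hunk only the gzip branch consumes `none`; the non-gzip branch continues past the end of the hunk (as does main()), so if `sign()` ignores the flag there, rejecting `-S -n` without `-z` via `usage()` would make the documented contract (`-n` only affects `-z` output) explicit instead of silently ignoring the option.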
Index: signify.h
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/signify.h,v
retrieving revision 1.1
diff -u -p -r1.1 signify.h
--- signify.h   2 Sep 2016 16:10:56 -0000       1.1
+++ signify.h   18 Mar 2019 19:38:33 -0000
@@ -19,7 +19,7 @@
 #ifndef signify_h
 #define signify_h
 extern void zverify(const char *, const char *, const char *, const char *);
-extern void zsign(const char *, const char *, const char *);
+extern void zsign(const char *, const char *, const char *, int);
 
 extern void *xmalloc(size_t);
 extern void writeall(int, const void *, size_t, const char *);
Index: zsig.c
===================================================================
RCS file: /home/cvs/src/usr.bin/signify/zsig.c,v
retrieving revision 1.15
diff -u -p -r1.15 zsig.c
--- zsig.c      11 Jul 2017 23:52:05 -0000      1.15
+++ zsig.c      18 Mar 2019 19:43:08 -0000
@@ -231,7 +231,8 @@ zverify(const char *pubkeyfile, const ch
 }
 
 void
-zsign(const char *seckeyfile, const char *msgfile, const char *sigfile)
+zsign(const char *seckeyfile, const char *msgfile, const char *sigfile,
+    int skipdate)
 {
        size_t bufsize = MYBUFSIZE;
        int fdin, fdout;
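Review bot: The new `skipdate` parameter is undocumented at the definition, and the matching prototype in signify.h declares it as an unnamed `int`, so neither place tells a reader what the flag does or that the caller passes the `-n` state. A short comment above the definition would close that gap: `/* skipdate: nonzero selects a zero time stamp instead of the current time, so repeated signings of the same input are reproducible. */`. zsign's body continues outside this hunk.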
@@ -261,7 +262,11 @@ zsign(const char *seckeyfile, const char
 
        msg = xmalloc(space);
        buffer = xmalloc(bufsize);
-       time(&clock);
+       if (skipdate) {
+               clock = 0;
+       } else {
+               time(&clock);
+       }
        strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%SZ", gmtime(&clock));
        snprintf(msg, space,
            "date=%s\n"
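Review bot: Nothing in this hunk ties the gzip header time stamp to `clock`; zsign's body continues past the hunk, so if the header mtime written later comes from a separate `time()` call rather than from this `clock`, `-n` would zero the signed `date=` line but leave the archive non-reproducible, contrary to the man page text added in this diff — worth confirming against the remainder of the function. The branch would also benefit from a why-comment, e.g. `/* -n: fixed epoch time stamp so repeated signings produce identical output */`. As a style point, KNF (style(9)) writes single-statement `if`/`else` bodies without braces, so `if (skipdate) clock = 0; else time(&clock);` split over its two bodies would match the convention.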
