On 18.03.2019 20:49, Ted Unangst wrote: > Andre Stoebe wrote: >> Hi, >> >> I, too, would like to have a way of signing the gzip archive in a >> reproducible way, so here's a diff that uses -n, similar to gzip(1). > > Thanks. I think it's more consistent to store a zero time stamp. This diff is > a little simpler and avoids some variable reabuse.
Hi Ted, I agree, this diff is pretty elegant. And it works fine here. Regards Andre
> Index: signify.1
> ===================================================================
> RCS file: /home/cvs/src/usr.bin/signify/signify.1,v
> retrieving revision 1.45
> diff -u -p -r1.45 signify.1
> --- signify.1 26 Feb 2019 22:24:41 -0000 1.45
> +++ signify.1 18 Mar 2019 19:47:05 -0000
> @@ -35,7 +35,7 @@
> .Fl s Ar seckey
> .Nm signify
> .Fl S
> -.Op Fl ez
> +.Op Fl enz
> .Op Fl x Ar sigfile
> .Fl s Ar seckey
> .Fl m Ar message
> @@ -91,10 +91,15 @@ When verifying with
> .Fl e ,
> the file to create.
> .It Fl n
> -Do not ask for a passphrase during key generation.
> +When generating a key pair, do not ask for a passphrase.
> Otherwise,
> .Nm
> will prompt the user for a passphrase to protect the secret key.
> +When signing with
> +.Fl z ,
> +store a zero time stamp in the
> +.Xr gzip 1
> +header.
> .It Fl p Ar pubkey
> Public key produced by
> .Fl G ,
> Index: signify.c
> ===================================================================
> RCS file: /home/cvs/src/usr.bin/signify/signify.c,v
> retrieving revision 1.130
> diff -u -p -r1.130 signify.c
> --- signify.c 17 Jan 2019 05:40:10 -0000 1.130
> +++ signify.c 18 Mar 2019 19:41:05 -0000
> @@ -80,7 +80,7 @@ usage(const char *error)
> #ifndef VERIFYONLY
> "\t%1$s -C [-q] -p pubkey -x sigfile [file ...]\n"
> "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
> - "\t%1$s -S [-ez] [-x sigfile] -s seckey -m message\n"
> + "\t%1$s -S [-enz] [-x sigfile] -s seckey -m message\n"
> #endif
> "\t%1$s -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m
> message\n",
> getprogname());
> @@ -754,7 +754,8 @@ main(int argc, char **argv)
> char sigfilebuf[PATH_MAX];
> const char *comment = "signify";
> char *keytype = NULL;
> - int ch, rounds;
> + int ch;
> + int none = 0;
> int embedded = 0;
> int quiet = 0;
> int gzip = 0; 
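Review bot: `int none = 0;` in the @@ -754 hunk is set by a flag whose meaning now depends on the mode (`-G`: skip the passphrase, `-S -z`: zero the time stamp), and nothing at the declaration says so. A one-line comment would save the next reader a trip through the option switch: `int none = 0;	/* -n: no passphrase (-G), zero time stamp (-S -z) */`. The rest of main() lies outside this hunk.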
> @@ -769,8 +770,6 @@ main(int argc, char **argv)
> if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
> err(1, "pledge");
>
> - rounds = 42;
>
> while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:")) != -1) {
> switch (ch) {
> #ifndef VERIFYONLY
> @@ -808,7 +807,7 @@ main(int argc, char **argv)
> msgfile = optarg;
> break;
> case 'n':
> - rounds = 0;
> + none = 1;
> break;
> case 'p':
> pubkeyfile = optarg;
> @@ -871,14 +870,14 @@ main(int argc, char **argv)
> if (!pubkeyfile || !seckeyfile)
> usage("must specify pubkey and seckey");
> check_keyname_compliance(pubkeyfile, seckeyfile);
> - generate(pubkeyfile, seckeyfile, rounds, comment);
> + generate(pubkeyfile, seckeyfile, none ? 0 : 42, comment);
> break;
> case SIGN:
> /* no pledge */
> if (gzip) {
> if (!msgfile || !seckeyfile || !sigfile)
> usage("must specify message sigfile seckey");
> - zsign(seckeyfile, msgfile, sigfile);
> + zsign(seckeyfile, msgfile, sigfile, none);
> } else {
> if (!msgfile || !seckeyfile)
> usage("must specify message and seckey");
> Index: signify.h
> ===================================================================
> RCS file: /home/cvs/src/usr.bin/signify/signify.h,v
> retrieving revision 1.1
> diff -u -p -r1.1 signify.h
> --- signify.h 2 Sep 2016 16:10:56 -0000 1.1
> +++ signify.h 18 Mar 2019 19:38:33 -0000
> @@ -19,7 +19,7 @@
> #ifndef signify_h
> #define signify_h
> extern void zverify(const char *, const char *, const char *, const char *);
> -extern void zsign(const char *, const char *, const char *);
> +extern void zsign(const char *, const char *, const char *, int);
>
> extern void *xmalloc(size_t);
> extern void writeall(int, const void *, size_t, const char *);
> Index: zsig.c
> ===================================================================
> RCS file: /home/cvs/src/usr.bin/signify/zsig.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 zsig.c
> --- zsig.c 11 Jul 2017 23:52:05 -0000 1.15
> +++ zsig.c 18 Mar 2019 19:43:08 -0000 
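Review bot: In the @@ -871 hunk, `none` is forwarded only inside the `if (gzip)` branch, so `signify -S -n` without `-z` accepts the flag and silently ignores it, while the new usage line advertises `-S [-enz]`. Either reject it in the `else` branch right after the existing argument check, `if (none) usage("-n requires -z");`, or state in signify.1 that `-n` has no effect when signing without `-z`. The same hunk now writes the passphrase-rounds default inline as `none ? 0 : 42`; a named constant for the 42 would keep the key-protection policy visible in one place rather than buried in a call argument. The remainder of main()'s option handling lies outside these hunks.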
> @@ -231,7 +231,8 @@ zverify(const char *pubkeyfile, const ch
> }
>
> void
> -zsign(const char *seckeyfile, const char *msgfile, const char *sigfile)
> +zsign(const char *seckeyfile, const char *msgfile, const char *sigfile,
> + int skipdate)
> {
> size_t bufsize = MYBUFSIZE;
> int fdin, fdout;
> @@ -261,7 +262,11 @@ zsign(const char *seckeyfile, const char
>
> msg = xmalloc(space);
> buffer = xmalloc(bufsize);
> - time(&clock);
> + if (skipdate) {
> + clock = 0;
> + } else {
> + time(&clock);
> + }
> strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%SZ", gmtime(&clock));
> snprintf(msg, space,
> "date=%s\n"
>
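Review bot: In the @@ -261 hunk, `clock = 0` also feeds the `strftime()` call on the next line, so with `skipdate` the `date=` line of the signature comment becomes the epoch ("1970-01-01T00:00:00Z"), not only the gzip header time stamp that the signify.1 text describes. That is the right thing for reproducible output, but a verifier can then no longer read the signing time from the comment, so it is worth stating in the man page and in a comment above the `if`: `/* skipdate: zero clock so the gzip header and the date= line are reproducible */`. Presumably the same `clock` value is also written into the gzip header further down; zsign() continues outside the hunk.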