Merge 9b7585c673 into bb0e4ce581

2024-05-04 14:52:05 -04:00 · 2024-05-04 14:52:05 -04:00 · 9ad4f4f53a
parent bb0e4ce581 9b7585c673
commit 9ad4f4f53a
2 changed files with 65 additions and 4 deletions
--- a/modules/packages/rpm/sign.go
+++ b/modules/packages/rpm/sign.go
@ -0,0 +1,39 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package rpm
+
+import (
+	"bytes"
+	"io"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/packages"
+
+	"github.com/sassoftware/go-rpmutils"
+	"golang.org/x/crypto/openpgp"
+)
+
+func SignPackage(rpm *packages.HashedBuffer, privateKey string) (io.Reader, int64, error) {
+	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(privateKey)))
+	if err != nil {
+		// failed to parse  key
+		return nil, 0, err
+	}
+	entity := keyring[0]
+	h, err := rpmutils.SignRpmStream(rpm, entity.PrivateKey, nil)
+	if err != nil {
+		// error signing rpm
+		return nil, 0, err
+	}
+	signBlob, err := h.DumpSignatureHeader(false)
+	if err != nil {
+		// error writing sig header
+		return nil, 0, err
+	}
+	if len(signBlob)%8 != 0 {
+		log.Info("incorrect padding: got %d bytes, expected a multiple of 8", len(signBlob))
+		return nil, 0, err
+	}
+	return bytes.NewReader(signBlob), int64(h.OriginalSignatureHeaderSize()), nil
+}
--- a/routers/api/packages/rpm/rpm.go
+++ b/routers/api/packages/rpm/rpm.go
@ -133,7 +133,30 @@ func UploadPackageFile(ctx *context.Context) {
 	}
 	defer buf.Close()

-	pck, err := rpm_module.ParsePackage(buf)
+	pri, _, err := rpm_service.GetOrCreateKeyPair(ctx.Package.Owner.ID)
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+	hBuf, seek, err := rpm_module.SignPackage(buf, pri)
+	if _, err := buf.Seek(seek, io.SeekStart); err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+	signBuf, err := packages_module.CreateHashedBufferFromReader(io.MultiReader(hBuf, buf))
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+
+	defer signBuf.Close()
+
+	if _, err := signBuf.Seek(0, io.SeekStart); err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+
+	pck, err := rpm_module.ParsePackage(signBuf)
 	if err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			apiError(ctx, http.StatusBadRequest, err)
@ -142,8 +165,7 @@ func UploadPackageFile(ctx *context.Context) {
 		}
 		return
 	}
-
-	if _, err := buf.Seek(0, io.SeekStart); err != nil {
+	if _, err := signBuf.Seek(0, io.SeekStart); err != nil {
 		apiError(ctx, http.StatusInternalServerError, err)
 		return
 	}
@ -172,7 +194,7 @@ func UploadPackageFile(ctx *context.Context) {
 				CompositeKey: group,
 			},
 			Creator: ctx.Doer,
-			Data:    buf,
+			Data:    signBuf,
 			IsLead:  true,
 			Properties: map[string]string{
 				rpm_module.PropertyGroup:        group,