make publish and update work with a smartcard HSM

Followup to fdroid/fdroidserver!779. We need to add smartcardoptions to every call to keytool and jarsigner as well as handle when keypass not being required and not allowed for pkcs11 keystores.
2024-07-04 16:30:12 +02:00 · 2020-08-14 15:44:34 +02:00 · 2020-08-14 15:44:34 +02:00 · 004d13a48a
commit 004d13a48a
parent 066978cbcf
3 changed files with 36 additions and 25 deletions
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -3045,13 +3045,16 @@ def sign_apk(unsigned_path, signed_path, keyalias):
    else:
        signature_algorithm = ['-sigalg', 'SHA256withRSA', '-digestalg', 'SHA-256']

-    p = FDroidPopen([config['jarsigner'], '-keystore', config['keystore'],
-                     '-storepass:env', 'FDROID_KEY_STORE_PASS',
-                     '-keypass:env', 'FDROID_KEY_PASS']
-                    + signature_algorithm + [unsigned_path, keyalias],
+    cmd = [config['jarsigner'], '-keystore', config['keystore'],
+           '-storepass:env', 'FDROID_KEY_STORE_PASS']
+    if config['keystore'] == 'NONE':
+        cmd += config['smartcardoptions']
+    else:
+        cmd += '-keypass:env', 'FDROID_KEY_PASS'
+    p = FDroidPopen(cmd + signature_algorithm + [unsigned_path, keyalias],
                    envs={
                        'FDROID_KEY_STORE_PASS': config['keystorepass'],
-                        'FDROID_KEY_PASS': config['keypass'], })
+                        'FDROID_KEY_PASS': config.get('keypass', "")})
    if p.returncode != 0:
        raise BuildException(_("Failed to sign application"), p.output)

--- a/fdroidserver/publish.py
+++ b/fdroidserver/publish.py
@ -77,12 +77,13 @@ def read_fingerprints_from_keystore():
    are managed by F-Droid, grouped by appid.
    """
    env_vars = {'LC_ALL': 'C.UTF-8',
-                'FDROID_KEY_STORE_PASS': config['keystorepass'],
-                'FDROID_KEY_PASS': config['keypass']}
-    p = FDroidPopen([config['keytool'], '-list',
-                     '-v', '-keystore', config['keystore'],
-                     '-storepass:env', 'FDROID_KEY_STORE_PASS'],
-                    envs=env_vars, output=False)
+                'FDROID_KEY_STORE_PASS': config['keystorepass']}
+    cmd = [config['keytool'], '-list',
+           '-v', '-keystore', config['keystore'],
+           '-storepass:env', 'FDROID_KEY_STORE_PASS']
+    if config['keystore'] == 'NONE':
+        cmd += config['smartcardoptions']
+    p = FDroidPopen(cmd, envs=env_vars, output=False)
    if p.returncode != 0:
        raise FDroidException('could not read keystore {}'.format(config['keystore']))

@ -115,7 +116,7 @@ def sign_sig_key_fingerprint_list(jar_file):
    else:  # smardcards never use -keypass
        cmd += '-keypass:env', 'FDROID_KEY_PASS'
    env_vars = {'FDROID_KEY_STORE_PASS': config['keystorepass'],
-                'FDROID_KEY_PASS': config['keypass']}
+                'FDROID_KEY_PASS': config.get('keypass', "")}
    p = common.FDroidPopen(cmd, envs=env_vars)
    if p.returncode != 0:
        raise FDroidException("Failed to sign '{}'!".format(jar_file))
@ -340,20 +341,27 @@ def main():
                # if not generate one...
                env_vars = {'LC_ALL': 'C.UTF-8',
                            'FDROID_KEY_STORE_PASS': config['keystorepass'],
-                            'FDROID_KEY_PASS': config['keypass']}
-                p = FDroidPopen([config['keytool'], '-list',
-                                 '-alias', keyalias, '-keystore', config['keystore'],
-                                 '-storepass:env', 'FDROID_KEY_STORE_PASS'], envs=env_vars)
+                            'FDROID_KEY_PASS': config.get('keypass', "")}
+                cmd = [config['keytool'], '-list',
+                       '-alias', keyalias, '-keystore', config['keystore'],
+                       '-storepass:env', 'FDROID_KEY_STORE_PASS']
+                if config['keystore'] == 'NONE':
+                    cmd += config['smartcardoptions']
+                p = FDroidPopen(cmd, envs=env_vars)
                if p.returncode != 0:
                    logging.info("Key does not exist - generating...")
-                    p = FDroidPopen([config['keytool'], '-genkey',
-                                     '-keystore', config['keystore'],
-                                     '-alias', keyalias,
-                                     '-keyalg', 'RSA', '-keysize', '2048',
-                                     '-validity', '10000',
-                                     '-storepass:env', 'FDROID_KEY_STORE_PASS',
-                                     '-keypass:env', 'FDROID_KEY_PASS',
-                                     '-dname', config['keydname']], envs=env_vars)
+                    cmd = [config['keytool'], '-genkey',
+                           '-keystore', config['keystore'],
+                           '-alias', keyalias,
+                           '-keyalg', 'RSA', '-keysize', '2048',
+                           '-validity', '10000',
+                           '-storepass:env', 'FDROID_KEY_STORE_PASS',
+                           '-dname', config['keydname']]
+                    if config['keystore'] == 'NONE':
+                        cmd += config['smartcardoptions']
+                    else:
+                        cmd += '-keypass:env', 'FDROID_KEY_PASS'
+                    p = FDroidPopen(cmd, envs=env_vars)
                    if p.returncode != 0:
                        raise BuildException("Failed to generate key", p.output)
                    if appid not in generated_keys:
--- a/fdroidserver/signindex.py
+++ b/fdroidserver/signindex.py
@ -52,7 +52,7 @@ def sign_jar(jar):
        args += ['-keypass:env', 'FDROID_KEY_PASS']
    env_vars = {
        'FDROID_KEY_STORE_PASS': config['keystorepass'],
-        'FDROID_KEY_PASS': config['keypass'],
+        'FDROID_KEY_PASS': config.get('keypass', ""),
    }
    p = common.FDroidPopen(args, envs=env_vars)
    if p.returncode != 0: