move keystore gen logic to common function
This moves the method for generating a new keystore for the repo signing key to a common function so that it can be used in more subcommands beyond `fdroid init`. The immediate idea is to make `fdroid update --create-key` upgrade unsigned repos to signed ones so we can make fdroidclient only use signed repos.
parent
af360199f1
commit
276123856c
@ -32,6 +32,7 @@ import magic
|
|||||||
import logging
|
import logging
|
||||||
import hashlib
|
import hashlib
|
||||||
import socket
|
import socket
|
||||||
|
|
||||||
from distutils.version import LooseVersion
|
from distutils.version import LooseVersion
|
||||||
from zipfile import ZipFile
|
from zipfile import ZipFile
|
||||||
|
|
||||||
@ -2024,25 +2025,47 @@ def genpassword():
|
|||||||
return h.digest().encode('base64').strip()
|
return h.digest().encode('base64').strip()
|
||||||
|
|
||||||
|
|
||||||
def genkey(keystore, repo_keyalias, password, keydname):
|
def genkeystore(localconfig):
|
||||||
'''generate a new keystore with a new key in it for signing repos'''
|
'''Generate a new key with random passwords and add it to new keystore'''
|
||||||
logging.info('Generating a new key in "' + keystore + '"...')
|
logging.info('Generating a new key in "' + localconfig['keystore'] + '"...')
|
||||||
write_password_file("keystorepass", password)
|
keystoredir = os.path.dirname(localconfig['keystore'])
|
||||||
write_password_file("keypass", password)
|
if keystoredir is None or keystoredir == '':
|
||||||
|
keystoredir = os.path.join(os.getcwd(), keystoredir)
|
||||||
|
if not os.path.exists(keystoredir):
|
||||||
|
os.makedirs(keystoredir, mode=0o700)
|
||||||
|
|
||||||
|
write_password_file("keystorepass", localconfig['keystorepass'])
|
||||||
|
write_password_file("keypass", localconfig['keypass'])
|
||||||
p = FDroidPopen(['keytool', '-genkey',
|
p = FDroidPopen(['keytool', '-genkey',
|
||||||
'-keystore', keystore, '-alias', repo_keyalias,
|
'-keystore', localconfig['keystore'],
|
||||||
|
'-alias', localconfig['repo_keyalias'],
|
||||||
'-keyalg', 'RSA', '-keysize', '4096',
|
'-keyalg', 'RSA', '-keysize', '4096',
|
||||||
'-sigalg', 'SHA256withRSA',
|
'-sigalg', 'SHA256withRSA',
|
||||||
'-validity', '10000',
|
'-validity', '10000',
|
||||||
'-storepass:file', config['keystorepassfile'],
|
'-storepass:file', config['keystorepassfile'],
|
||||||
'-keypass:file', config['keypassfile'],
|
'-keypass:file', config['keypassfile'],
|
||||||
'-dname', keydname])
|
'-dname', localconfig['keydname']])
|
||||||
# TODO keypass should be sent via stdin
|
# TODO keypass should be sent via stdin
|
||||||
os.chmod(keystore, 0o0600)
|
os.chmod(localconfig['keystore'], 0o0600)
|
||||||
if p.returncode != 0:
|
if p.returncode != 0:
|
||||||
raise BuildException("Failed to generate key", p.output)
|
raise BuildException("Failed to generate key", p.output)
|
||||||
# now show the lovely key that was just generated
|
# now show the lovely key that was just generated
|
||||||
p = FDroidPopen(['keytool', '-list', '-v',
|
p = FDroidPopen(['keytool', '-list', '-v',
|
||||||
'-keystore', keystore, '-alias', repo_keyalias,
|
'-keystore', localconfig['keystore'],
|
||||||
|
'-alias', localconfig['repo_keyalias'],
|
||||||
'-storepass:file', config['keystorepassfile']])
|
'-storepass:file', config['keystorepassfile']])
|
||||||
logging.info(p.output.strip() + '\n\n')
|
logging.info(p.output.strip() + '\n\n')
|
||||||
|
|
||||||
|
|
||||||
|
def write_to_config(thisconfig, key, value=None):
|
||||||
|
'''write a key/value to the local config.py'''
|
||||||
|
if value is None:
|
||||||
|
origkey = key + '_orig'
|
||||||
|
value = thisconfig[origkey] if origkey in thisconfig else thisconfig[key]
|
||||||
|
with open('config.py', 'r') as f:
|
||||||
|
data = f.read()
|
||||||
|
pattern = '\n[\s#]*' + key + '\s*=\s*"[^"]*"'
|
||||||
|
repl = '\n' + key + ' = "' + value + '"'
|
||||||
|
data = re.sub(pattern, repl, data)
|
||||||
|
with open('config.py', 'w') as f:
|
||||||
|
f.writelines(data)
|
||||||
|
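Review bot: `os.chmod(localconfig['keystore'], 0o0600)` still runs before the `if p.returncode != 0:` check, so when keytool fails without creating the keystore file the chmod raises OSError and the BuildException carrying keytool's output is never reached; moving the chmod below the check (or guarding it with `os.path.exists`) fixes this, and the ordering was inherited from genkey rather than introduced here. The new docstring says the key is generated "with random passwords", but genkeystore only reads `localconfig['keystorepass']` and `localconfig['keypass']` and leaves generating them to the caller, so `'''Generate a new key in a new keystore, using keystore, keystorepass, keypass, repo_keyalias and keydname from localconfig'''` describes it accurately. In the moved write_to_config, `key` is spliced into the regex and `value` into the replacement unescaped: use `re.escape(key)` in the pattern and pass the replacement as `lambda m: repl` so a backslash in value (e.g. a Windows keystore path) is not reinterpreted by re.sub, and a `"` inside value still needs escaping before it lands in config.py, which is executed as Python. `keystoredir is None or keystoredir == ''` can simply be `not keystoredir`, since os.path.dirname never returns None.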
@ -34,20 +34,6 @@ config = {}
|
|||||||
options = None
|
options = None
|
||||||
|
|
||||||
|
|
||||||
def write_to_config(thisconfig, key, value=None):
|
|
||||||
'''write a key/value to the local config.py'''
|
|
||||||
if value is None:
|
|
||||||
origkey = key + '_orig'
|
|
||||||
value = thisconfig[origkey] if origkey in thisconfig else thisconfig[key]
|
|
||||||
with open('config.py', 'r') as f:
|
|
||||||
data = f.read()
|
|
||||||
pattern = '\n[\s#]*' + key + '\s*=\s*"[^"]*"'
|
|
||||||
repl = '\n' + key + ' = "' + value + '"'
|
|
||||||
data = re.sub(pattern, repl, data)
|
|
||||||
with open('config.py', 'w') as f:
|
|
||||||
f.writelines(data)
|
|
||||||
|
|
||||||
|
|
||||||
def disable_in_config(key, value):
|
def disable_in_config(key, value):
|
||||||
'''write a key/value to the local config.py, then comment it out'''
|
'''write a key/value to the local config.py, then comment it out'''
|
||||||
with open('config.py', 'r') as f:
|
with open('config.py', 'r') as f:
|
||||||
@ -138,7 +124,7 @@ def main():
|
|||||||
# If android_home is not None, the path given from the command line
|
# If android_home is not None, the path given from the command line
|
||||||
# will be directly written in the config.
|
# will be directly written in the config.
|
||||||
if 'sdk_path' in test_config:
|
if 'sdk_path' in test_config:
|
||||||
write_to_config(test_config, 'sdk_path', options.android_home)
|
common.write_to_config(test_config, 'sdk_path', options.android_home)
|
||||||
else:
|
else:
|
||||||
logging.warn('Looks like this is already an F-Droid repo, cowardly refusing to overwrite it...')
|
logging.warn('Looks like this is already an F-Droid repo, cowardly refusing to overwrite it...')
|
||||||
logging.info('Try running `fdroid init` in an empty directory.')
|
logging.info('Try running `fdroid init` in an empty directory.')
|
||||||
@ -164,7 +150,7 @@ def main():
|
|||||||
test_config['build_tools'] = ''
|
test_config['build_tools'] = ''
|
||||||
else:
|
else:
|
||||||
test_config['build_tools'] = dirname
|
test_config['build_tools'] = dirname
|
||||||
write_to_config(test_config, 'build_tools')
|
common.write_to_config(test_config, 'build_tools')
|
||||||
common.ensure_build_tools_exists(test_config)
|
common.ensure_build_tools_exists(test_config)
|
||||||
|
|
||||||
# now that we have a local config.py, read configuration...
|
# now that we have a local config.py, read configuration...
|
||||||
@ -189,21 +175,21 @@ def main():
|
|||||||
if not os.path.exists(keystore):
|
if not os.path.exists(keystore):
|
||||||
logging.info('"' + keystore
|
logging.info('"' + keystore
|
||||||
+ '" does not exist, creating a new keystore there.')
|
+ '" does not exist, creating a new keystore there.')
|
||||||
write_to_config(test_config, 'keystore', keystore)
|
common.write_to_config(test_config, 'keystore', keystore)
|
||||||
repo_keyalias = None
|
repo_keyalias = None
|
||||||
if options.repo_keyalias:
|
if options.repo_keyalias:
|
||||||
repo_keyalias = options.repo_keyalias
|
repo_keyalias = options.repo_keyalias
|
||||||
write_to_config(test_config, 'repo_keyalias', repo_keyalias)
|
common.write_to_config(test_config, 'repo_keyalias', repo_keyalias)
|
||||||
if options.distinguished_name:
|
if options.distinguished_name:
|
||||||
keydname = options.distinguished_name
|
keydname = options.distinguished_name
|
||||||
write_to_config(test_config, 'keydname', keydname)
|
common.write_to_config(test_config, 'keydname', keydname)
|
||||||
if keystore == 'NONE': # we're using a smartcard
|
if keystore == 'NONE': # we're using a smartcard
|
||||||
write_to_config(test_config, 'repo_keyalias', '1') # seems to be the default
|
common.write_to_config(test_config, 'repo_keyalias', '1') # seems to be the default
|
||||||
disable_in_config('keypass', 'never used with smartcard')
|
disable_in_config('keypass', 'never used with smartcard')
|
||||||
write_to_config(test_config, 'smartcardoptions',
|
common.write_to_config(test_config, 'smartcardoptions',
|
||||||
('-storetype PKCS11 -providerName SunPKCS11-OpenSC '
|
('-storetype PKCS11 -providerName SunPKCS11-OpenSC '
|
||||||
+ '-providerClass sun.security.pkcs11.SunPKCS11 '
|
+ '-providerClass sun.security.pkcs11.SunPKCS11 '
|
||||||
+ '-providerArg opensc-fdroid.cfg'))
|
+ '-providerArg opensc-fdroid.cfg'))
|
||||||
# find opensc-pkcs11.so
|
# find opensc-pkcs11.so
|
||||||
if not os.path.exists('opensc-fdroid.cfg'):
|
if not os.path.exists('opensc-fdroid.cfg'):
|
||||||
if os.path.exists('/usr/lib/opensc-pkcs11.so'):
|
if os.path.exists('/usr/lib/opensc-pkcs11.so'):
|
||||||
@ -225,22 +211,17 @@ def main():
|
|||||||
with open('opensc-fdroid.cfg', 'w') as f:
|
with open('opensc-fdroid.cfg', 'w') as f:
|
||||||
f.write(opensc_fdroid)
|
f.write(opensc_fdroid)
|
||||||
elif not os.path.exists(keystore):
|
elif not os.path.exists(keystore):
|
||||||
# no existing or specified keystore, generate the whole thing
|
|
||||||
keystoredir = os.path.dirname(keystore)
|
|
||||||
if keystoredir is None or keystoredir == '':
|
|
||||||
keystoredir = os.path.join(os.getcwd(), keystoredir)
|
|
||||||
if not os.path.exists(keystoredir):
|
|
||||||
os.makedirs(keystoredir, mode=0o700)
|
|
||||||
password = common.genpassword()
|
password = common.genpassword()
|
||||||
write_to_config(test_config, 'keystorepass', password)
|
c = dict(test_config)
|
||||||
write_to_config(test_config, 'keypass', password)
|
c['keystorepass'] = password
|
||||||
if options.repo_keyalias is None:
|
c['keypass'] = password
|
||||||
repo_keyalias = socket.getfqdn()
|
c['repo_keyalias'] = socket.getfqdn()
|
||||||
write_to_config(test_config, 'repo_keyalias', repo_keyalias)
|
c['keydname'] = 'CN=' + c['repo_keyalias'] + ', OU=F-Droid'
|
||||||
if not options.distinguished_name:
|
common.write_to_config(test_config, 'keystorepass', password)
|
||||||
keydname = 'CN=' + repo_keyalias + ', OU=F-Droid'
|
common.write_to_config(test_config, 'keypass', password)
|
||||||
write_to_config(test_config, 'keydname', keydname)
|
common.write_to_config(test_config, 'repo_keyalias', c['repo_keyalias'])
|
||||||
common.genkey(keystore, repo_keyalias, password, keydname)
|
common.write_to_config(test_config, 'keydname', c['keydname'])
|
||||||
|
common.genkeystore(c)
|
||||||
|
|
||||||
logging.info('Built repo based in "' + fdroiddir + '"')
|
logging.info('Built repo based in "' + fdroiddir + '"')
|
||||||
logging.info('with this config:')
|
logging.info('with this config:')
|
||||||
|
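Review bot: `--repo-keyalias` and `--distinguished-name` are now ignored on the key-generation path: the new lines set `c['repo_keyalias'] = socket.getfqdn()` and `c['keydname'] = 'CN=' + c['repo_keyalias'] + ', OU=F-Droid'` unconditionally and write them back to config.py, whereas the removed lines guarded them with `if options.repo_keyalias is None` and `if not options.distinguished_name`, so an alias or DN the user supplied (and that main() wrote to config.py a few lines earlier) is silently overwritten before genkeystore runs. Restoring the conditions keeps the options effective: `c['repo_keyalias'] = options.repo_keyalias or socket.getfqdn()` and `c['keydname'] = options.distinguished_name or 'CN=' + c['repo_keyalias'] + ', OU=F-Droid'`. `c = dict(test_config)` means `c['keystore']` is only right if test_config already holds the keystore path at this point; write_to_config writes config.py without updating the dict it is given, so this is worth confirming against where test_config is loaded, which is outside the hunk. main() begins and ends outside the hunk.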