1
0
mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-20 13:50:12 +01:00

stop passing passphrases via args, instead use prepared files

Any process can read the process table, and can therefore see the entire
command line of any other process.  That means its a bad idea to ever put
passwords as part of a command line.  Python is executing keytool and
jarsigner command lines here, so now instead of putting the password on the
command line, a file is passed instead with suitable file permissions.
This should reduce the exposure a lot.  But still, sensitive passwords
should not be written to any text file.

This change requires OpenJDK-7 since the :file option to -storepass and
-keypass was only added in Java 7's keytool and jarsigner.
This commit is contained in:
Hans-Christoph Steiner 2014-03-31 21:02:42 -04:00
parent caa88ec388
commit 525759b235
5 changed files with 39 additions and 13 deletions

View File

@ -94,8 +94,26 @@ def read_config(opts, config_file='config.py'):
if st.st_mode & stat.S_IRWXG or st.st_mode & stat.S_IRWXO:
logging.warn("unsafe permissions on {0} (should be 0600)!".format(config_file))
for k in ["keystorepass", "keypass"]:
if k in config:
write_password_file(k)
return config
def write_password_file(pwtype, password=None):
'''
writes out passwords to a protected file instead of passing passwords as
command line argments
'''
filename = '.fdroid.' + pwtype + '.txt'
fd = os.open(filename, os.O_CREAT | os.O_WRONLY, 0600)
if password == None:
os.write(fd, config[pwtype])
else:
os.write(fd, password)
os.close(fd)
config[pwtype + 'file'] = filename
# Given the arguments in the form of multiple appid:[vc] strings, this returns
# a dictionary with the set of vercodes specified for each package.
def read_pkg_args(args, allow_vercodes=False):

View File

@ -56,12 +56,15 @@ def genpassword():
def genkey(keystore, repo_keyalias, password, keydname):
'''generate a new keystore with a new key in it for signing repos'''
logging.info('Generating a new key in "' + keystore + '"...')
write_password_file("keystorepass", password)
write_password_file("keypass", password)
p = FDroidPopen(['keytool', '-genkey',
'-keystore', keystore, '-alias', repo_keyalias,
'-keyalg', 'RSA', '-keysize', '4096',
'-sigalg', 'SHA256withRSA',
'-validity', '10000',
'-storepass', password, '-keypass', password,
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'],
'-dname', keydname])
if p.returncode != 0:
raise BuildException("Failed to generate key", p.stdout)

View File

@ -122,23 +122,23 @@ def main():
# if not generate one...
p = FDroidPopen(['keytool', '-list',
'-alias', keyalias, '-keystore', config['keystore'],
'-storepass', config['keystorepass']])
'-storepass:file', config['keystorepass']])
if p.returncode !=0:
logging.info("Key does not exist - generating...")
p = FDroidPopen(['keytool', '-genkey',
'-keystore', config['keystore'], '-alias', keyalias,
'-keyalg', 'RSA', '-keysize', '2048',
'-validity', '10000',
'-storepass', config['keystorepass'],
'-keypass', config['keypass'],
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'],
'-dname', config['keydname']])
if p.returncode != 0:
raise BuildException("Failed to generate key")
# Sign the application...
p = FDroidPopen(['jarsigner', '-keystore', config['keystore'],
'-storepass', config['keystorepass'],
'-keypass', config['keypass'], '-sigalg',
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'], '-sigalg',
'MD5withRSA', '-digestalg', 'SHA1',
apkfile, keyalias])
if p.returncode != 0:

View File

@ -642,7 +642,7 @@ def make_index(apps, apks, repodir, archive, categories):
p = FDroidPopen(['keytool', '-exportcert',
'-alias', config['repo_keyalias'],
'-keystore', config['keystore'],
'-storepass', config['keystorepass']])
'-storepass:file', config['keystorepassfile']])
if p.returncode != 0:
logging.critical("Failed to get repo pubkey")
sys.exit(1)
@ -796,7 +796,8 @@ def make_index(apps, apks, repodir, archive, categories):
# Sign the index...
p = FDroidPopen(['jarsigner', '-keystore', config['keystore'],
'-storepass', config['keystorepass'], '-keypass', config['keypass'],
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'],
'-digestalg', 'SHA1', '-sigalg', 'MD5withRSA',
os.path.join(repodir, 'index.jar') , config['repo_keyalias']])
if p.returncode != 0:

View File

@ -62,12 +62,16 @@ repo_keyalias = None
#somewhere safe and secure, and backed up!
keystore = "/home/me/somewhere/my.keystore"
#The password for the keystore (at least 6 characters).
keystorepass = "password1"
# The password for the keystore (at least 6 characters). If this password is
# different than the keypass below, it can be OK to store the password in this
# file for real use. But in general, sensitive passwords should not be stored
# in text files!
#keystorepass = "password1"
#The password for keys - the same is used for each auto-generated key
#as well as for the repository key.
keypass = "password2"
# The password for keys - the same is used for each auto-generated key as well
# as for the repository key. You should not normally store this password in a
# file since it is a sensitive password.
#keypass = "password2"
#The distinguished name used for all keys.
keydname = "CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US"