Merge commit 'refs/merge-requests/137' of gitorious.org:f-droid/fdroidserver

2024-10-03 17:50:11 +02:00 · 2014-04-01 23:47:11 +02:00 · 2014-04-01 23:47:11 +02:00 · 802d5e298c
commit 802d5e298c
parent 870ed87a36 7bb490221a
7 changed files with 47 additions and 19 deletions
--- a/sampleconfigs/config.py
+++ b/sampleconfigs/config.py
@ -60,14 +60,18 @@ repo_keyalias = None

 #The keystore to use for release keys when building. This needs to be
 #somewhere safe and secure, and backed up!
-keystore = "/home/me/somewhere/my.keystore"
+#keystore = "/home/me/.local/share/fdroidserver/keystore.jks"

-#The password for the keystore (at least 6 characters).
-keystorepass = "password1"
+# The password for the keystore (at least 6 characters).  If this password is
+# different than the keypass below, it can be OK to store the password in this
+# file for real use.  But in general, sensitive passwords should not be stored
+# in text files!
+#keystorepass = "password1"

-#The password for keys - the same is used for each auto-generated key
-#as well as for the repository key.
-keypass = "password2"
+# The password for keys - the same is used for each auto-generated key as well
+# as for the repository key.  You should not normally store this password in a
+# file since it is a sensitive password.
+#keypass = "password2"

 #The distinguished name used for all keys.
 keydname = "CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US"
--- a/sampleconfigs/makebs.config.py
+++ b/sampleconfigs/makebs.config.py
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -66,6 +66,8 @@ def read_config(opts, config_file='config.py'):
        'stats_to_carbon': False,
        'repo_maxage': 0,
        'build_server_always': False,
+        'keystore': os.path.join(os.getenv('HOME'),
+                                 '.local', 'share', 'fdroidserver', 'keystore.jks'),
        'char_limits': {
            'Summary' : 50,
            'Description' : 1500
@ -95,8 +97,26 @@ def read_config(opts, config_file='config.py'):
        if st.st_mode & stat.S_IRWXG or st.st_mode & stat.S_IRWXO:
            logging.warn("unsafe permissions on {0} (should be 0600)!".format(config_file))

+    for k in ["keystorepass", "keypass"]:
+        if k in config:
+            write_password_file(k)
+
    return config

+def write_password_file(pwtype, password=None):
+    '''
+    writes out passwords to a protected file instead of passing passwords as
+    command line argments
+    '''
+    filename = '.fdroid.' + pwtype + '.txt'
+    fd = os.open(filename, os.O_CREAT | os.O_WRONLY, 0600)
+    if password == None:
+        os.write(fd, config[pwtype])
+    else:
+        os.write(fd, password)
+    os.close(fd)
+    config[pwtype + 'file'] = filename
+
 # Given the arguments in the form of multiple appid:[vc] strings, this returns
 # a dictionary with the set of vercodes specified for each package.
 def read_pkg_args(args, allow_vercodes=False):
--- a/fdroidserver/init.py
+++ b/fdroidserver/init.py
@ -56,12 +56,15 @@ def genpassword():
 def genkey(keystore, repo_keyalias, password, keydname):
    '''generate a new keystore with a new key in it for signing repos'''
    logging.info('Generating a new key in "' + keystore + '"...')
+    write_password_file("keystorepass", password)
+    write_password_file("keypass", password)
    p = FDroidPopen(['keytool', '-genkey',
                '-keystore', keystore, '-alias', repo_keyalias,
                '-keyalg', 'RSA', '-keysize', '4096',
                '-sigalg', 'SHA256withRSA',
                '-validity', '10000',
-                '-storepass', password, '-keypass', password,
+                '-storepass:file', config['keystorepassfile'],
+                '-keypass:file', config['keypassfile'],
                '-dname', keydname])
    if p.returncode != 0:
        raise BuildException("Failed to generate key", p.stdout)
@ -106,7 +109,7 @@ def main():
        # 'metadata' and 'tmp' are created in fdroid
        os.mkdir('repo')
        shutil.copy(os.path.join(examplesdir, 'fdroid-icon.png'), fdroiddir)
-        shutil.copyfile(os.path.join(examplesdir, 'sampleconfigs', 'config.py'), 'config.py')
+        shutil.copyfile(os.path.join(examplesdir, 'config.py'), 'config.py')
        os.chmod('config.py', 0o0600)
    else:
        logging.info('Looks like this is already an F-Droid repo, cowardly refusing to overwrite it...')
--- a/fdroidserver/publish.py
+++ b/fdroidserver/publish.py
@ -122,23 +122,23 @@ def main():
        # if not generate one...
        p = FDroidPopen(['keytool', '-list',
            '-alias', keyalias, '-keystore', config['keystore'],
-            '-storepass', config['keystorepass']])
+            '-storepass:file', config['keystorepass']])
        if p.returncode !=0:
            logging.info("Key does not exist - generating...")
            p = FDroidPopen(['keytool', '-genkey',
                '-keystore', config['keystore'], '-alias', keyalias,
                '-keyalg', 'RSA', '-keysize', '2048',
                '-validity', '10000',
-                '-storepass', config['keystorepass'],
-                '-keypass', config['keypass'],
+                '-storepass:file', config['keystorepassfile'],
+                '-keypass:file', config['keypassfile'],
                '-dname', config['keydname']])
            if p.returncode != 0:
                raise BuildException("Failed to generate key")

        # Sign the application...
        p = FDroidPopen(['jarsigner', '-keystore', config['keystore'],
-            '-storepass', config['keystorepass'],
-            '-keypass', config['keypass'], '-sigalg',
+            '-storepass:file', config['keystorepassfile'],
+            '-keypass:file', config['keypassfile'], '-sigalg',
            'MD5withRSA', '-digestalg', 'SHA1',
                apkfile, keyalias])
        if p.returncode != 0:
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@ -642,7 +642,7 @@ def make_index(apps, apks, repodir, archive, categories):
            p = FDroidPopen(['keytool', '-exportcert',
                                  '-alias', config['repo_keyalias'],
                                  '-keystore', config['keystore'],
-                                  '-storepass', config['keystorepass']])
+                                  '-storepass:file', config['keystorepassfile']])
            if p.returncode != 0:
                logging.critical("Failed to get repo pubkey")
                sys.exit(1)
@ -796,7 +796,8 @@ def make_index(apps, apks, repodir, archive, categories):

        # Sign the index...
        p = FDroidPopen(['jarsigner', '-keystore', config['keystore'],
-            '-storepass', config['keystorepass'], '-keypass', config['keypass'],
+            '-storepass:file', config['keystorepassfile'],
+            '-keypass:file', config['keypassfile'],
            '-digestalg', 'SHA1', '-sigalg', 'MD5withRSA',
            os.path.join(repodir, 'index.jar') , config['repo_keyalias']])
        if p.returncode != 0:
--- a/setup.py
+++ b/setup.py
@ -13,10 +13,10 @@ setup(name='FDroidServer',
      scripts=['fdroid', 'fd-commit'],
      data_files=[
        ('share/doc/fdroidserver/examples',
-         [ 'config.buildserver.py',
-             'sampleconfigs/config.sample.py',
-             'sampleconfigs/makebs.config.sample.py',
-          'fdroid-icon.png']),
+         [ 'buildserver/config.buildserver.py',
+           'examples/config.py',
+           'examples/makebs.config.py',
+           'fdroid-icon.png']),
        ],
      install_requires=[
        'python-magic',