signindex: support signing index-v1.jar

This is a bit different than index.jar: instead of there being index.xml
and index_unsigned.jar, the presence of index-v1.json means that there is
unsigned data.  That file is then stuck into a jar and signed by the
signing process.  index-v1.json is never published to the repo.  It is
included in the binary transparency log, if that is enabled.
Hans-Christoph Steiner 2017-03-16 18:51:43 +01:00
parent fa657ce720
commit 866528de5b
4 changed files with 57 additions and 8 deletions


@ -34,6 +34,7 @@ import logging
import hashlib import hashlib
import socket import socket
import base64 import base64
import zipfile
import xml.etree.ElementTree as XMLElementTree import xml.etree.ElementTree as XMLElementTree
from datetime import datetime from datetime import datetime
@ -410,6 +411,24 @@ def signjar(jar):
sys.exit(1) sys.exit(1)
def sign_index_v1(repodir, json_name):
"""
sign index-v1.json to make index-v1.jar
This is a bit different than index.jar: instead of their being index.xml
and index_unsigned.jar, the presense of index-v1.json means that there is
unsigned data. That file is then stuck into a jar and signed by the
signing process. index-v1.json is never published to the repo. It is
included in the binary transparency log, if that is enabled.
"""
name, ext = get_extension(json_name)
index_file = os.path.join(repodir, json_name)
jar_file = os.path.join(repodir, name + '.jar')
with zipfile.ZipFile(jar_file, 'w', zipfile.ZIP_DEFLATED) as jar:
jar.write(index_file, json_name)
signjar(jar_file)
def get_local_metadata_files(): def get_local_metadata_files():
'''get any metadata files local to an app's source repo '''get any metadata files local to an app's source repo
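Review bot: `sign_index_v1` writes the unsigned jar straight to its published name (`name + '.jar'` in `repodir`) and only then calls `signjar(jar_file)`. The visible tail of `signjar` ends in `sys.exit(1)`, so a signing failure presumably leaves an unsigned `index-v1.jar` in the repo directory, overwriting any previously signed one. The index.jar flow in signindex avoids this by signing `index_unsigned.jar` and renaming it afterwards, and the same build, sign, then rename order would fit here. The temporary file name below is only a suggestion, and `signjar` is defined outside this hunk, so its failure behaviour is inferred.

```python
def sign_index_v1(repodir, json_name):
    # … unchanged: docstring, name/index_file/jar_file assignments …
    unsigned_jar = os.path.join(repodir, name + '_unsigned.jar')
    with zipfile.ZipFile(unsigned_jar, 'w', zipfile.ZIP_DEFLATED) as jar:
        jar.write(index_file, json_name)
    signjar(unsigned_jar)
    # move to the published name only after signing succeeded
    os.rename(unsigned_jar, jar_file)
```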


@ -54,12 +54,19 @@ def main():
unsigned = os.path.join(output_dir, 'index_unsigned.jar') unsigned = os.path.join(output_dir, 'index_unsigned.jar')
if os.path.exists(unsigned): if os.path.exists(unsigned):
common.signjar(unsigned) common.signjar(unsigned)
os.rename(unsigned, os.path.join(output_dir, 'index.jar')) os.rename(unsigned, os.path.join(output_dir, 'index.jar'))
logging.info('Signed index in ' + output_dir) logging.info('Signed index in ' + output_dir)
signed += 1 signed += 1
json_name = 'index-v1.json'
index_file = os.path.join(output_dir, json_name)
if os.path.exists(index_file):
common.sign_index_v1(output_dir, json_name)
os.remove(index_file)
logging.info('Signed ' + index_file)
signed += 1
if signed == 0: if signed == 0:
logging.info("Nothing to do") logging.info("Nothing to do")
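Review bot: The `os.remove(index_file)` after `common.sign_index_v1(output_dir, json_name)` has no comment saying why the JSON is deleted, and the following `logging.info('Signed ' + index_file)` names the file that was just removed. I would add `# index-v1.json is the unsigned input and must not stay in the repo dir` above the removal and log the path of the signed jar instead. Deleting the input is only safe if `sign_index_v1` never returns after a failed signing, which cannot be confirmed from this hunk. `main()` begins and continues outside the hunk.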


@ -1282,13 +1282,9 @@ def make_index_v1(apps, packages, repodir, repodict, requestsdict):
json.dump(output, fp, default=_index_encoder_default) json.dump(output, fp, default=_index_encoder_default)
if options.nosign: if options.nosign:
logging.debug('index-v1 must have a signature, signindex will overwrite it!') logging.debug('index-v1 must have a signature, use `fdroid signindex` to create it!')
else:
jar_file = os.path.join(repodir, 'index-v1.jar') common.sign_index_v1(repodir, json_name)
with zipfile.ZipFile(jar_file, 'w', zipfile.ZIP_DEFLATED) as jar:
jar.write(index_file, json_name)
common.signjar(jar_file)
os.remove(index_file)
def make_index_v0(apps, apks, repodir, repodict, requestsdict): def make_index_v0(apps, apks, repodir, repodict, requestsdict):
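Review bot: With `options.nosign` set, the only sign that an unsigned `index-v1.json` has been left in `repodir` is a `logging.debug` call, which is normally not shown unless verbose or debug logging is on. The commit message says index-v1.json is never published, so an operator who syncs the repo before running `fdroid signindex` gets no hint that the index is unsigned. I would change that call from `logging.debug` to `logging.warning` and keep the message text as is. Whether the sync step already skips the JSON file is not visible from this hunk, and `make_index_v1` starts outside it.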


@ -113,6 +113,33 @@ echo_header "print fdroid version"
$fdroid --version $fdroid --version
#------------------------------------------------------------------------------#
echo_header 'run process when building and signing are on separate machines'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/tests/keystore.jks $REPOROOT/
$fdroid init --keystore keystore.jks --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "accepted_formats = ['txt', 'yml']" >> config.py
echo 'keydname = "CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US"' >> config.py
test -d archive || mkdir archive
test -d metadata || mkdir metadata
cp $WORKSPACE/tests/metadata/info.guardianproject.urzip.yml metadata/
test -d repo || mkdir repo
test -d unsigned || mkdir unsigned
cp $WORKSPACE/tests/urzip-release-unsigned.apk unsigned/info.guardianproject.urzip_100.apk
$fdroid publish --verbose
$fdroid update --verbose --nosign
$fdroid signindex --verbose
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
test -L urzip.apk
grep -F '<application id=' repo/index.xml > /dev/null
#------------------------------------------------------------------------------# #------------------------------------------------------------------------------#
echo_header "test UTF-8 metadata" echo_header "test UTF-8 metadata"
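Review bot: The new test only checks that `repo/index-v1.jar` exists after `$fdroid signindex --verbose`. It does not check that the unsigned `repo/index-v1.json` is gone or that the jar carries a valid signature, which are the two properties the commit describes. I would add `test ! -e repo/index-v1.json` after the existing `test -e repo/index-v1.jar`, plus a check that matches the output of `jarsigner -verify repo/index-v1.jar`, since the exit status alone may not distinguish an unsigned jar. A `test -e repo/index-v1.json` between `update --nosign` and `signindex` would also pin the intermediate state.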