vendor: Bundle signify(1)

signify(1) is a tool originally developed for OpenBSD that uses modern
EdDSA signatures on the ed25519 elliptic curve. Bundling this tool gives
us a good way forward away from our single RSA 4096 public key that has
now been in use since 2011 for all packages, all base updates and all
ports trees.

Shipping signify allows us to use (a) modern cryptography, (b) avoid
using the same key for everything and (c) eventually phase out the
RSA-RIPEMD160 signatures.

The vendor/signify-osx directory is a clone of
https://github.com/jpouellet/signify-osx/, udpated with the latest
OpenBSD upstream signify source code from CVS using the 'make up' target
of the signify-osx Makefile.
This commit is contained in:
Clemens Lang
2020-06-06 16:48:14 +02:00
committed by Joshua Root
parent f75a24e54c
commit d74a2d4a54
113 changed files with 7861 additions and 8 deletions
+1
View File
@@ -62,5 +62,6 @@ vendor/tcl8.*/unix/**/*Uuid.h
Makefile
pkgIndex.tcl
!vendor/tcllib*/**/pkgIndex.tcl
!vendor/signify-osx/Makefile
/dist/
Generated Vendored
+22 -8
View File
@@ -1,14 +1,16 @@
TCL_SUBDIR= @VENDOR_TCL_SUBDIR@
TCLX_SUBDIR= @VENDOR_TCLX_SUBDIR@
TCLLIB_SUBDIR= @VENDOR_TCLLIB_SUBDIR@
SIGNIFY_SUBDIR= signify-osx
PREFIX= @prefix@
DESTROOT= @abs_top_builddir@/vendor/vendor-destroot
CC= @CC@
.PHONY: all clean distclean install destroot test
.PHONY: destroot-tcl destroot-tclx destroot-tcllib
.PHONY: install-tcl install-tclx install-tcllib
.PHONY: %-tcl %-tclx %-tcllib
.PHONY: destroot-tcl destroot-tclx destroot-tcllib destroot-signify
.PHONY: install-tcl install-tclx install-tcllib install-signify
.PHONY: %-tcl %-tclx %-tcllib %-signify
# for make all, run destroot (where destroot will depend on all of each
# subpackage)
@@ -32,7 +34,11 @@ all-tclx: all-tcl
# tcllib requires a working tclsh
all-tcllib: all-tcl
destroot: destroot-tcl destroot-tclx destroot-tcllib
%-signify:
@echo ===\> making $(@:%-signify=%) in ${DIRPRFX}${SIGNIFY_SUBDIR}
@umask 0022; $(MAKE) -C ${SIGNIFY_SUBDIR} $(@:%-signify=%) CC=${CC}
destroot: destroot-tcl destroot-tclx destroot-tcllib destroot-signify
destroot-tcl: all-tcl
@echo ===\> staging to destroot in ${DIRPRFX}@VENDOR_TCL_SUBDIR@
@umask 0022; $(MAKE) -C @VENDOR_TCL_SUBDIR@ DESTDIR=${DESTROOT} @VENDOR_TCL_INSTALL@
@@ -46,7 +52,11 @@ destroot-tcllib: all-tcllib
@umask 0022; $(MAKE) -C @VENDOR_TCLLIB_SUBDIR@ DESTDIR=${DESTROOT} TCLSH_PROG=@INTREE_TCLSH@ @VENDOR_TCLLIB_INSTALL@
@chmod -R ugo+rX ${DESTROOT}${PREFIX}/libexec/macports/lib/tcllib*
install: install-tcl install-tclx install-tcllib
destroot-signify:
@echo ===\> staging to destroot in ${DIRPRFX}${SIGNIFY_SUBDIR}
@umask 0022; $(MAKE) -C ${SIGNIFY_SUBDIR} install PREFIX=${DESTROOT}${PREFIX}/libexec/macports CC=${CC}
install: install-tcl install-tclx install-tcllib install-signify
TCL_PACKAGE_PATH=@TCL_PACKAGE_PATH@
TCL_PREFIX=@TCL_PREFIX@
@@ -83,16 +93,20 @@ install-tcllib:
@umask 0022; $(MAKE) -C @VENDOR_TCLLIB_SUBDIR@ TCLSH_PROG=@INTREE_TCLSH@ @VENDOR_TCLLIB_INSTALL@
@chmod -R ugo+rX $(DESTDIR)${PREFIX}/libexec/macports/lib/tcllib*
install-signify:
@echo ===\> making $(@:%-signify=%) in ${DIRPRFX}${SIGNIFY_SUBDIR}
@umask 0022; $(MAKE) -C ${SIGNIFY_SUBDIR} install PREFIX=$(DESTDIR)${PREFIX}/libexec/macports CC=${CC}
test:
clean: clean-tcl clean-tcllib clean-tclx
clean: clean-tcl clean-tcllib clean-tclx clean-signify
rm -rf ${DESTROOT}
distclean: distclean-tcl distclean-tcllib distclean-tclx
distclean: distclean-tcl distclean-tcllib distclean-tclx distclean-signify
rm -f Makefile
rm -rf vendor-destroot
rm -f tclsh
codesign:: tcl/unix/libtcl8.6.dylib tcl/unix/tclsh tclx/libtclx8.6.dylib tcl/unix/pkgs/itcl4.2.3/libitcl4.2.3.dylib tcl/unix/pkgs/tdbc1.1.5/libtdbc1.1.5.dylib tcl/unix/pkgs/tdbcpostgres1.1.5/libtdbcpostgres1.1.5.dylib tcl/unix/pkgs/thread2.8.8/libthread2.8.8.dylib tcl/unix/pkgs/tdbcmysql1.1.5/libtdbcmysql1.1.5.dylib tcl/unix/pkgs/tdbcodbc1.1.5/libtdbcodbc1.1.5.dylib tcl/unix/pkgs/sqlite3.40.0/libsqlite3.40.0.dylib
codesign:: signify-osx/signify tcl/unix/libtcl8.6.dylib tcl/unix/tclsh tclx/libtclx8.6.dylib tcl/unix/pkgs/itcl4.2.4/libitcl4.2.4.dylib tcl/unix/pkgs/tdbc1.1.7/libtdbc1.1.7.dylib tcl/unix/pkgs/tdbcpostgres1.1.7/libtdbcpostgres1.1.7.dylib tcl/unix/pkgs/thread2.8.9/libthread2.8.9.dylib tcl/unix/pkgs/tdbcmysql1.1.7/libtdbcmysql1.1.7.dylib tcl/unix/pkgs/tdbcodbc1.1.7/libtdbcodbc1.1.7.dylib tcl/unix/pkgs/sqlite3.44.2/libsqlite3.44.2.dylib
../src/codesign.sh $?
+5
View File
@@ -0,0 +1,5 @@
/explicit_bzero
/signify
/signify.1
/test-results/
/**/CVS/
+13
View File
@@ -0,0 +1,13 @@
Copyright (c) 2014-2018 Jean-Philippe Ouellet <jpo@vt.edu>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+136
View File
@@ -0,0 +1,136 @@
PREFIX= /usr/local
BINDIR= ${PREFIX}/bin
MANDIR= ${PREFIX}/share/man
CVSROOT= anoncvs@anoncvs.openbsd.org:/cvs
#CVSROOT= anoncvs@anoncvs3.usa.openbsd.org:/cvs
### sources from upstream
SRCS+= src/lib/libc/crypt/blowfish.c
SRCS+= src/lib/libc/hash/sha2.c
SRCS+= src/lib/libc/net/base64.c
SRCS+= src/lib/libc/string/explicit_bzero.c
SRCS+= src/lib/libutil/bcrypt_pbkdf.c
SRCS+= src/lib/libutil/ohash.c
SRCS+= src/usr.bin/signify/crypto_api.c
SRCS+= src/usr.bin/signify/fe25519.c
SRCS+= src/usr.bin/signify/mod_ed25519.c
SRCS+= src/usr.bin/signify/mod_ge25519.c
SRCS+= src/usr.bin/signify/signify.c
SRCS+= src/usr.bin/signify/sc25519.c
SRCS+= src/usr.bin/signify/zsig.c
INCL+= src/include/blf.h
INCL+= src/include/sha2.h
INCL+= src/lib/libutil/ohash.h
INCL+= src/lib/libutil/util.h # only for bcrypt_pbkdf decl
INCL+= src/usr.bin/signify/crypto_api.h
INCL+= src/usr.bin/signify/fe25519.h
INCL+= src/usr.bin/signify/ge25519.h
INCL+= src/usr.bin/signify/ge25519_base.data
INCL+= src/usr.bin/signify/sc25519.h
INCL+= src/usr.bin/signify/signify.h
MAN= src/usr.bin/signify/signify.1
FETCH_ONLY+= src/etc/signify # keys
FETCH_ONLY+= src/lib/libc/hash/helper.c # src of generated files
FETCH_ONLY+= src/regress/lib/libc/explicit_bzero
FETCH_ONLY+= src/regress/usr.bin/signify
FROM_CVS+= ${SRCS} ${INCL} ${MAN} ${FETCH_ONLY}
### local files
HASH_HELPERS+= src/lib/libc/hash/sha256hl.c
HASH_HELPERS+= src/lib/libc/hash/sha512hl.c
HASH_HELPERS+= src/lib/libc/hash/sha512_256hl.c
LOCAL_SRCS+= ${HASH_HELPERS}
LOCAL_SRCS+= hashaliases.c
LOCAL_SRCS+= freezero.c
### build cfg
CFLAGS+= -Isrc/include
CFLAGS+= -Isrc/lib/libutil
CFLAGS+= -include missing.h
CFLAGS+= '-DDEF_WEAK(a)=__asm__("")'
CFLAGS+= '-DMAKE_CLONE(a,b)=__asm__("")'
CFLAGS+= '-Dpledge(a,b)=(0)'
CFLAGS+= -Wall -Wextra
CFLAGS+= -Wno-pointer-sign
CFLAGS+= -Wno-sign-compare
CFLAGS+= -Wno-unused-parameter
### targets
.PHONY: fetch hash-helpers clean install check test up check-updates ls
signify: ${LOCAL_SRCS} ${SRCS} ${INCL}
${CC} ${CFLAGS} -o $@ ${SRCS} ${LOCAL_SRCS}
cp src/usr.bin/signify/signify.1 .
hash-helpers: ${HASH_HELPERS}
src/lib/libc/hash/sha256hl.c: src/lib/libc/hash/helper.c
sed -e 's/hashinc/sha2.h/g' \
-e 's/HASH/SHA256/g' \
-e 's/SHA[0-9][0-9][0-9]_CTX/SHA2_CTX/g' $< > $@
src/lib/libc/hash/sha512hl.c: src/lib/libc/hash/helper.c
sed -e 's/hashinc/sha2.h/g' \
-e 's/HASH/SHA512/g' \
-e 's/SHA[0-9][0-9][0-9]_CTX/SHA2_CTX/g' $< > $@
src/lib/libc/hash/sha512_256hl.c: src/lib/libc/hash/helper.c
sed -e 's/hashinc/sha2.h/g' \
-e 's/HASH/SHA512_256/g' \
-e 's/SHA512_256_CTX/SHA2_CTX/g' $< > $@
src/lib/libc/hash/helper.c:
$(error Missing source files... Maybe you want to `make fetch`?)
fetch:
# Fetch the sources via CVS.
cvs -qd ${CVSROOT} get -P ${FROM_CVS}
# Don't keep CVS Root files around. All they do is cause false-positives
# for change detection when fetching from different CVS mirrors.
find src -name Root -exec rm {} +
install: signify
install -d ${BINDIR} ${MANDIR}/man1
install -Ss -m 755 signify ${BINDIR}
install -S -m 644 signify.1 ${MANDIR}/man1
### regression test targets
REGRESS_BZ_SRCS= src/lib/libc/string/explicit_bzero.c
REGRESS_BZ_SRCS+= src/regress/lib/libc/explicit_bzero/explicit_bzero.c
explicit_bzero: ${REGRESS_BZ_SRCS}
${CC} ${CFLAGS} -o $@ ${REGRESS_BZ_SRCS}
check: test
test: signify explicit_bzero
@sh ./regress.sh
### syncing with upstream
up: check-updates
check-updates:
@(cd src && CVS_RSH=ssh cvs -qnd ${CVSROOT} up 2>&1 \
| (grep -v '^? ' || echo 'Up to date!'))
### misc
ls:
@echo $(FROM_CVS:src/%=%)
clean:
rm -rf signify signify.1 test-results explicit_bzero
+61
View File
@@ -0,0 +1,61 @@
## macOS port of OpenBSD's [signify(1)](https://man.openbsd.org/signify.1)
This macOS port of OpenBSD's `signify` utility intentionally tracks upstream
OpenBSD sources directly, keeping only the smallest portability layer possible,
with the explicit #1 goal of making it as easy to audit as possible.
The latest version was tested on macOS 10.14.2 with Apple LLVM 9.1.0.
Older versions were previously tested as far back as OS X 10.6.8 with GCC 4.2.1.
Some of the OpenBSD-specific functions used by signify that previously required
portability shims were introduced in macOS 10.12(.1), and the corresponding
portability shims have been removed to keep the code as lean and easily
auditable as possible. If you need support for a newer signify on an older
macOS, feel free to open an issue.
Man page at https://man.openbsd.org/signify.1
`src/` is the result of `make fetch` (cvs get) and `make hash-helpers` (sed) as
of the time of the last commit.
If you don't trust me (or github) to not have modified anything in there to
insert a backdoor (why should you?), but you trust the upstream OpenBSD version,
then simply `rm -r src` it and audit the rest of the files that constitute
this "port". It's only ~200 lines, you can do it :)
### Easy (non-paranoid, 3rd party-trusting) installation
If you prefer [MacPorts](https://www.macports.org/):
```
$ sudo port install signify
```
If you prefer [Homebrew](http://brew.sh/):
```
$ brew install signify-osx
```
### Building it yourself
I've included a copy of the upstream signify source in this repo for
convenience, but you should probably fetch it yourself. Doing so requires a
working `cvs`, which does not come with new OS X systems by default, so
either install that first (with macports or homebrew or whatever), or just
use the src shipped in this repo (as I know it works).
To get the latest upstream source:
```
rm -r src
make fetch
```
and then the usual `make`, `make install`.
### Testing
To run the regression tests, `make test`.
### Keeping -current
To check for upstream updates, `make check-updates`. (requires working CVS)
+12
View File
@@ -0,0 +1,12 @@
#include <stdlib.h>
#include "missing.h"
void
freezero(void *ptr, size_t sz)
{
if (ptr == NULL)
return;
explicit_bzero(ptr, sz);
free(ptr);
}
+69
View File
@@ -0,0 +1,69 @@
/*
* OS X compilers seem to have trouble resolving MAKE_CLONE()es,
* so just make explicit wrapper functions.
*/
#include <sha2.h>
/* MAKE_CLONE(SHA224Transform, SHA256Transform); */
void
SHA224Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
{
SHA256Transform(state, data);
}
/* MAKE_CLONE(SHA224Update, SHA256Update); */
void
SHA224Update(SHA2_CTX *context, const u_int8_t *data, size_t len)
{
SHA256Update(context, data, len);
}
/* MAKE_CLONE(SHA224Pad, SHA256Pad); */
void
SHA224Pad(SHA2_CTX *context)
{
SHA256Pad(context);
}
/* MAKE_CLONE(SHA384Transform, SHA512Transform); */
void
SHA384Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
{
SHA512Transform(state, data);
}
/* MAKE_CLONE(SHA384Update, SHA512Update); */
void
SHA384Update(SHA2_CTX *context, const u_int8_t *data, size_t len)
{
SHA512Update(context, data, len);
}
/* MAKE_CLONE(SHA384Pad, SHA512Pad); */
void
SHA384Pad(SHA2_CTX *context)
{
SHA512Pad(context);
}
/* MAKE_CLONE(SHA512_256Transform, SHA512Transform); */
void
SHA512_256Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
{
SHA512Transform(state, data);
}
/* MAKE_CLONE(SHA512_256Update, SHA512Update); */
void
SHA512_256Update(SHA2_CTX *context, const u_int8_t *data, size_t len)
{
SHA512Update(context, data, len);
}
/* MAKE_CLONE(SHA512_256Pad, SHA512Pad); */
void
SHA512_256Pad(SHA2_CTX *context)
{
SHA512Pad(context);
}
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.5 base public key
RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.5 firmware public key
RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.5 packages public key
RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.6 base public key
RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.6 firmware public key
RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.6 packages public key
RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.7 base public key
RWSvUZXnw9gUb70PdeSNnpSmodCyIPJEGN1wWr+6Time1eP7KiWJ5eAM
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: OpenBSD 5.7 firmware public key
RWSuRBL44FVkb2QuvtlwOJmzS9UJtbKZd7GEYcol8HPXu4On/Ct1LoZr
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.7 packages public key
RWTJ1iHLn/zcvJJSbxJIEU9ChlfAlU16XoLLxmxciliOFWfTLyOv0vQs
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: openbsd 5.8 base public key
RWQNNZXtC/MqP3Eiu+6FBz/qrxiWQwDhd+9Yljzp62UP4KzFmmvzVk60
+2
View File
@@ -0,0 +1,2 @@
untrusted comment: OpenBSD 5.8 firmware public key
RWTpkvg4fhJCDx9yL4bUCou/vtAecPVTfcaaGESQeBruwX/qHToMvWh6

Some files were not shown because too many files have changed in this diff Show More