[1] | 1 | #! /usr/bin/perl
|
---|
| 2 |
|
---|
| 3 | # Copyright Rainer Wichmann (2004)
|
---|
| 4 | #
|
---|
| 5 | # License Information:
|
---|
| 6 | # This program is free software; you can redistribute it and/or modify
|
---|
| 7 | # it under the terms of the GNU General Public License as published by
|
---|
| 8 | # the Free Software Foundation; either version 2 of the License, or
|
---|
| 9 | # (at your option) any later version.
|
---|
| 10 | #
|
---|
| 11 | # This program is distributed in the hope that it will be useful,
|
---|
| 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
| 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
| 14 | # GNU General Public License for more details.
|
---|
| 15 | #
|
---|
| 16 | # You should have received a copy of the GNU General Public License
|
---|
| 17 | # along with this program; if not, write to the Free Software
|
---|
| 18 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
---|
| 19 | #
|
---|
| 20 |
|
---|
| 21 | use warnings;
|
---|
| 22 | use strict;
|
---|
| 23 | use Getopt::Long;
|
---|
| 24 | use File::Basename;
|
---|
[3] | 25 | use File::Copy;
|
---|
[1] | 26 | use File::stat;
|
---|
| 27 | use File::Temp qw/ tempfile tempdir unlink0 /;
|
---|
| 28 | use IO::Handle;
|
---|
[3] | 29 | use Fcntl qw(:DEFAULT :flock);
|
---|
[53] | 30 | use Tie::File;
|
---|
[1] | 31 |
|
---|
[30] | 32 | # Do I/O to the data file in binary mode (so it
|
---|
| 33 | # wouldn't complain about invalid UTF-8 characters).
|
---|
| 34 | use bytes;
|
---|
| 35 |
|
---|
[1] | 36 | File::Temp->safe_level( File::Temp::HIGH );
|
---|
| 37 |
|
---|
| 38 | my %opts = ();
|
---|
| 39 | my $action;
|
---|
| 40 | my $file1;
|
---|
| 41 | my $file2;
|
---|
| 42 | my $passphrase;
|
---|
[330] | 43 | my $secretkeyring;
|
---|
[1] | 44 | my $return_from_sign = 0;
|
---|
| 45 | my $no_print_examine = 0;
|
---|
[3] | 46 | my $no_remove_lock = 0;
|
---|
[1] | 47 | my $base = basename($0);
|
---|
| 48 |
|
---|
| 49 | my $cfgfile = "@myconffile@";
|
---|
| 50 | my $datafile = "@mydatafile@";
|
---|
| 51 | my $daemon = "@sbindir@/@install_name@";
|
---|
| 52 | my $gpg = "@mygpg@";
|
---|
| 53 |
|
---|
[191] | 54 | my $TARGETKEYID = "@mykeyid@";
|
---|
| 55 | my $KEYTAG = "@mykeytag@";
|
---|
| 56 |
|
---|
[3] | 57 | $cfgfile =~ s/^REQ_FROM_SERVER//;
|
---|
| 58 | $datafile =~ s/^REQ_FROM_SERVER//;
|
---|
| 59 |
|
---|
[1] | 60 | $gpg = "gpg" if ($gpg eq "");
|
---|
| 61 |
|
---|
[53] | 62 | sub check_gpg_agent() {
|
---|
| 63 | my $gpgconf = "$ENV{'HOME'}/.gnupg/gpg.conf";
|
---|
| 64 |
|
---|
| 65 | if (!-f "$gpgconf") {
|
---|
| 66 | $gpgconf = "$ENV{'HOME'}/.gnupg/options";
|
---|
| 67 | }
|
---|
| 68 |
|
---|
| 69 | if (-f $gpgconf) {
|
---|
| 70 |
|
---|
| 71 | my @array = ();
|
---|
| 72 | tie @array, 'Tie::File', $gpgconf or die "Cannot tie ${gpgconf}: $!";
|
---|
| 73 | my @grep = grep(/^\s*use-agent/, @array);
|
---|
| 74 |
|
---|
| 75 | # print "matches = $#grep\n";
|
---|
| 76 |
|
---|
| 77 | if ($#grep >= 0)
|
---|
| 78 | {
|
---|
| 79 | if (exists $ENV{'GPG_AGENT_INFO'})
|
---|
| 80 | {
|
---|
| 81 | my $socke = $ENV{'GPG_AGENT_INFO'};
|
---|
| 82 | $socke =~ s/:.*//;
|
---|
| 83 |
|
---|
| 84 | # print "socke = $socke\n";
|
---|
| 85 |
|
---|
| 86 | if (! -S $socke)
|
---|
| 87 | {
|
---|
| 88 | print "--------------------------------------------------\n";
|
---|
| 89 | print "\n";
|
---|
| 90 | print " GPG is set to use gpg-agent, but GPG agent is";
|
---|
| 91 | print " not running, though GPG_AGENT_INFO is defined.\n\n";
|
---|
| 92 | print " Please restart gpg-agent, or remove the use-agent\n";
|
---|
| 93 | print " option from ${gpgconf} and unset GPG_AGENT_INFO\n\n";
|
---|
| 94 | print "--------------------------------------------------\n";
|
---|
| 95 | print "\n";
|
---|
| 96 | exit 1;
|
---|
| 97 | }
|
---|
| 98 | }
|
---|
| 99 | else
|
---|
| 100 | {
|
---|
| 101 | print "--------------------------------------------------\n";
|
---|
| 102 | print "\n";
|
---|
| 103 | print " GPG is set to use gpg-agent, but ";
|
---|
| 104 | print " GPG_AGENT_INFO is not defined.\n\n";
|
---|
| 105 | print " Please start gpg-agent, or remove the use-agent\n";
|
---|
| 106 | print " option from ${gpgconf}\n\n";
|
---|
| 107 | print "--------------------------------------------------\n";
|
---|
| 108 | print "\n";
|
---|
| 109 | exit 1;
|
---|
| 110 | }
|
---|
| 111 | }
|
---|
| 112 | untie @array;
|
---|
| 113 | }
|
---|
| 114 | }
|
---|
| 115 |
|
---|
| 116 |
|
---|
[1] | 117 | sub usage() {
|
---|
| 118 | print "Usage:\n";
|
---|
| 119 | print " $base { -m F | --create-cfgfile } [options] [in.cfgfile]\n";
|
---|
| 120 | print " Sign the configuration file. If in.cfgfile is given, sign it\n";
|
---|
| 121 | print " and install it as configuration file.\n\n";
|
---|
| 122 |
|
---|
| 123 | print " $base { -m f | --print-cfgfile } [options] \n";
|
---|
| 124 | print " Print the configuration file to stdout. Signatures are removed.\n\n";
|
---|
| 125 |
|
---|
| 126 | print " $base { -m D | --create-datafile } [options] [in.datafile]\n";
|
---|
| 127 | print " Sign the database file. If in.datafile is given, sign it\n";
|
---|
| 128 | print " and install it as database file.\n\n";
|
---|
| 129 |
|
---|
| 130 | print " $base { -m d | --print-datafile } [options] \n";
|
---|
| 131 | print " Print the database file to stdout. Signatures are removed. Use\n";
|
---|
| 132 | print " option --list to list files in database rather than printing the raw file.\n\n";
|
---|
| 133 |
|
---|
| 134 | print " $base { -m R | --remove-signature } [options] file1 [file2 ...]\n";
|
---|
| 135 | print " Remove cleartext signature from input file(s). The file\n";
|
---|
| 136 | print " is replaced by the non-signed file.\n\n";
|
---|
| 137 |
|
---|
| 138 | print " $base { -m E | --sign } [options] file1 [file2 ...]\n";
|
---|
| 139 | print " Sign file(s) with a cleartext signature. The file\n";
|
---|
| 140 | print " is replaced by the signed file.\n\n";
|
---|
| 141 |
|
---|
| 142 | print " $base { -m e | --examine } [options] file1 [file2 ...]\n";
|
---|
| 143 | print " Report signature status of file(s).\n\n";
|
---|
| 144 |
|
---|
| 145 | print " $base { -m G | --generate-keys } [options] \n";
|
---|
| 146 | print " Generate a PGP keypair to use for signing.\n\n";
|
---|
| 147 |
|
---|
| 148 | print "Options:\n";
|
---|
| 149 | print " -c cfgfile --cfgfile cfgfile\n";
|
---|
| 150 | print " Select an alternate configuration file.\n\n";
|
---|
| 151 |
|
---|
| 152 | print " -d datafile --datafile datafile\n";
|
---|
| 153 | print " Select an alternate database file.\n\n";
|
---|
| 154 |
|
---|
| 155 | print " -p passphrase --passphrase passphrase\n";
|
---|
| 156 | print " Set the passphrase for gpg. By default, gpg will ask.\n\n";
|
---|
| 157 |
|
---|
[330] | 158 | print " -s secretkeyring --secretkeyring secretkeyring\n";
|
---|
| 159 | print " Select an alternate secret keyring for gpg.\n";
|
---|
| 160 | print " Will use '$ENV{'HOME'}/.gnupg/secring.gpg' by default.\n\n";
|
---|
| 161 |
|
---|
[1] | 162 | print " -l --list\n";
|
---|
| 163 | print " List the files in database rather than printing the raw file.\n\n";
|
---|
| 164 |
|
---|
| 165 | print " -v --verbose\n";
|
---|
| 166 | print " Verbose output.\n\n";
|
---|
| 167 | return;
|
---|
| 168 | }
|
---|
| 169 |
|
---|
| 170 | sub check_gpg_uid () {
|
---|
| 171 | if (0 != $>) {
|
---|
| 172 | print "--------------------------------------------------\n";
|
---|
| 173 | print "\n";
|
---|
| 174 | print " You are not root. Please remember that samhain/yule\n";
|
---|
| 175 | print " will use the public keyring of root to verify a signature.\n";
|
---|
| 176 | print "\n";
|
---|
| 177 | print "--------------------------------------------------\n";
|
---|
| 178 | } else {
|
---|
| 179 | if (!("@yulectl_prg@" =~ //)) {
|
---|
| 180 | print "--------------------------------------------------\n";
|
---|
| 181 | print "\n";
|
---|
| 182 | print " Please remember that yule will drop root after startup. Signature\n";
|
---|
| 183 | print " verification on SIGHUP will fail if you do not import the public key\n";
|
---|
| 184 | print " into the keyring of the non-root yule user.\n";
|
---|
| 185 | print "\n";
|
---|
| 186 | print "--------------------------------------------------\n";
|
---|
| 187 | }
|
---|
| 188 | }
|
---|
| 189 | }
|
---|
| 190 |
|
---|
| 191 | sub check_gpg_sign () {
|
---|
[330] | 192 | if ( defined($secretkeyring)) {
|
---|
| 193 | if ( (!-d "$secretkeyring")){
|
---|
| 194 | print "--------------------------------------------------\n";
|
---|
| 195 | print "\n";
|
---|
| 196 | print " Secret keyring $secretkeyring not found!\n";
|
---|
| 197 | print "\n";
|
---|
| 198 | print " Please check the path/name of the alternate secret keyring.\n";
|
---|
| 199 | print "\n";
|
---|
| 200 | print "--------------------------------------------------\n";
|
---|
| 201 | print "\n";
|
---|
| 202 | exit;
|
---|
| 203 | }
|
---|
| 204 | } else {
|
---|
| 205 | if ( (!-d "$ENV{'HOME'}/.gnupg") || (!-e "$ENV{'HOME'}/.gnupg/secring.gpg")) {
|
---|
| 206 | print "--------------------------------------------------\n";
|
---|
| 207 | print "\n";
|
---|
| 208 | if (!-d "$ENV{'HOME'}/.gnupg") {
|
---|
| 209 | print " Directory \$HOME/.gnupg not found!\n";
|
---|
| 210 | } else {
|
---|
| 211 | print " Secret keyring \$HOME/.gnupg/secring.gpg not found!\n";
|
---|
| 212 | }
|
---|
| 213 | print "\n";
|
---|
| 214 | print " This indicates that you have never created a \n";
|
---|
| 215 | print " public/private keypair, and thus cannot sign.\n";
|
---|
| 216 | print " \n";
|
---|
| 217 | print " Please use $0 --generate-keys or gpg --gen-key\n";
|
---|
| 218 | print " to generate a public/private keypair first.\n";
|
---|
| 219 | print "\n";
|
---|
| 220 | print "--------------------------------------------------\n";
|
---|
| 221 | print "\n";
|
---|
| 222 | exit;
|
---|
| 223 | }
|
---|
[1] | 224 | }
|
---|
| 225 | }
|
---|
| 226 |
|
---|
| 227 | sub check_gpg_verify () {
|
---|
| 228 | if ( (!-d "$ENV{'HOME'}/.gnupg") || (!-e "$ENV{'HOME'}/.gnupg/pubring.gpg")) {
|
---|
| 229 | print "--------------------------------------------------\n";
|
---|
| 230 | print "\n";
|
---|
| 231 | if (!-d "$ENV{'HOME'}/.gnupg") {
|
---|
| 232 | print " Directory \$HOME/.gnupg not found!\n";
|
---|
| 233 | } else {
|
---|
| 234 | print " Public keyring \$HOME/.gnupg/pubring.gpg not found!\n";
|
---|
| 235 | }
|
---|
| 236 | print "\n";
|
---|
| 237 | print " This indicates that you have never used gpg before \n";
|
---|
| 238 | print " and/or have no public keys to verify signatures.\n";
|
---|
| 239 | print " \n";
|
---|
| 240 | print " Please use 'gpg --export key_id' to export the public\n";
|
---|
| 241 | print " signing key of the user who is signing the\n";
|
---|
| 242 | print " configuration/database files.\n\n";
|
---|
| 243 | print " Then you can use 'gpg --import keyfile' to import the key\n";
|
---|
| 244 | print " into this user's public keyring.\n";
|
---|
| 245 | print "\n";
|
---|
| 246 | print "--------------------------------------------------\n";
|
---|
| 247 | print "\n";
|
---|
| 248 | exit;
|
---|
| 249 | }
|
---|
| 250 | }
|
---|
| 251 |
|
---|
| 252 |
|
---|
| 253 | sub generate () {
|
---|
| 254 | my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --gen-key";
|
---|
| 255 | check_gpg_uid();
|
---|
| 256 | system ($command) == 0
|
---|
| 257 | or die "system $command failed: $?";
|
---|
| 258 | exit;
|
---|
| 259 | }
|
---|
| 260 |
|
---|
| 261 | sub examine () {
|
---|
| 262 | my $iscfg = 0;
|
---|
| 263 | my $have_fp = 0;
|
---|
| 264 | my $have_sig = 0;
|
---|
| 265 | my $message = '';
|
---|
| 266 | my $retval = 9;
|
---|
| 267 | my $fh;
|
---|
| 268 | my $filename;
|
---|
| 269 |
|
---|
| 270 | if (!($file1 =~ /^\-$/)) {
|
---|
| 271 | die ("Cannot open $file1 for read: $!") unless ((-e $file1) && (-r _));
|
---|
| 272 | }
|
---|
| 273 | open FIN, "<$file1" or die "Cannot open $file1 for read: $!";
|
---|
| 274 |
|
---|
| 275 | my $dir = tempdir( CLEANUP => 1 );
|
---|
[3] | 276 | $filename = $dir . "/exa_jhfdbilw." . $$;
|
---|
[1] | 277 | open $fh, ">$filename" or die "Cannot open $filename";
|
---|
| 278 | autoflush $fh 1;
|
---|
| 279 |
|
---|
| 280 | while (<FIN>) {
|
---|
| 281 | print $fh $_;
|
---|
| 282 | if ($_ =~ /^\s*\[Misc\]/) {
|
---|
| 283 | $iscfg = 1;
|
---|
| 284 | }
|
---|
| 285 | }
|
---|
| 286 | if ($iscfg == 1) {
|
---|
| 287 | $message .= "File $file1 is a configuration file\n\n";
|
---|
| 288 | } else {
|
---|
| 289 | $message .= "File $file1 is a database file\n\n";
|
---|
| 290 | }
|
---|
| 291 |
|
---|
| 292 |
|
---|
| 293 | my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --status-fd 1 ";
|
---|
| 294 | $command .= "--verbose " if (defined($opts{'v'}));
|
---|
| 295 | $command .= "--verify $filename ";
|
---|
| 296 | if (defined($opts{'v'})) {
|
---|
| 297 | $command .= "2>&1";
|
---|
| 298 | } else {
|
---|
| 299 | $command .= "2>/dev/null";
|
---|
| 300 | }
|
---|
| 301 |
|
---|
| 302 | print STDOUT "Using: $command\n\n" if (defined($opts{'v'}));
|
---|
| 303 | open GPGIN, "$command |" or die "Cannot fork: $!";
|
---|
| 304 |
|
---|
| 305 | while (<GPGIN>) {
|
---|
| 306 | if ($_ =~ /^\[GNUPG:\] GOODSIG ([0-9A-F]+) (.*)$/) {
|
---|
| 307 | $message .= "GOOD signature with key: $1\n";
|
---|
| 308 | $message .= "Key owner: $2\n";
|
---|
| 309 | $have_sig = 1;
|
---|
| 310 | $retval = 0;
|
---|
| 311 | }
|
---|
| 312 | if ($_ =~ /^\[GNUPG:\] VALIDSIG ([0-9A-F]+) ([0-9\-]+)\s/) {
|
---|
| 313 | $message .= "Key fingerprint: $1\n";
|
---|
| 314 | $message .= "Signature generated on: $2\n\n";
|
---|
| 315 | $have_fp = 1;
|
---|
| 316 | $message .= "This file is signed with a valid signature.\n"
|
---|
| 317 | if ($have_sig == 1);
|
---|
| 318 | $have_sig = 1;
|
---|
| 319 | $have_fp = 1;
|
---|
| 320 | }
|
---|
| 321 | if ($_ =~ /^\[GNUPG:\] NODATA 1/) {
|
---|
| 322 | $message .= "NO signature found.\n\n";
|
---|
| 323 | $message .= "This file is not signed !!!\n";
|
---|
| 324 | $have_sig = 1;
|
---|
| 325 | $have_fp = 1;
|
---|
| 326 | $retval = 2;
|
---|
| 327 | }
|
---|
| 328 | if ($_ =~ /^\[GNUPG:\] BADSIG ([0-9A-F]+) (.*)$/) {
|
---|
| 329 | $message .= "BAD signature with key: $1\n";
|
---|
| 330 | $message .= "Key owner: $2\n\n";
|
---|
| 331 | $message .= "This file is signed with an invalid signature !!!\n";
|
---|
| 332 | $have_sig = 1;
|
---|
| 333 | $have_fp = 1;
|
---|
| 334 | $retval = 1;
|
---|
| 335 | }
|
---|
| 336 | if ($_ =~ /^\[GNUPG:\] NO_PUBKEY ([0-9A-F]+)/) {
|
---|
| 337 | $message .= "NOT CHECKED signature with key: $1\n\n";
|
---|
| 338 | $message .= "The signature of this file cannot be checked: no public key available !!!\n";
|
---|
| 339 | $have_sig = 1;
|
---|
| 340 | $have_fp = 1;
|
---|
| 341 | $retval = 1;
|
---|
| 342 | }
|
---|
| 343 | print STDOUT $_ if (defined($opts{'v'}));
|
---|
| 344 | }
|
---|
| 345 | close (GPGIN);
|
---|
| 346 | print STDOUT "\n" if (defined($opts{'v'}));
|
---|
| 347 | if ($have_sig == 0) {
|
---|
| 348 | $message .= "NO valid signature found\n";
|
---|
| 349 | }
|
---|
| 350 | elsif ($have_fp == 0) {
|
---|
| 351 | $message .= "NO fingerprint found\n";
|
---|
| 352 | }
|
---|
| 353 | close (FIN);
|
---|
| 354 | if ($no_print_examine == 0) {
|
---|
| 355 | print STDOUT $message;
|
---|
| 356 | }
|
---|
| 357 | unlink0( $fh, $filename ) or die "Cannot unlink $filename safely";
|
---|
| 358 | return $retval;
|
---|
| 359 | }
|
---|
| 360 |
|
---|
| 361 | sub remove () {
|
---|
| 362 | my $bodystart = 1;
|
---|
| 363 | my $sigstart = 0;
|
---|
| 364 | my $sigend = 0;
|
---|
| 365 | my $filename = "";
|
---|
| 366 | my $fh;
|
---|
| 367 | my $stats;
|
---|
| 368 |
|
---|
| 369 | open FH, "<$file1" or die "Cannot open file $file1 for read: $!";
|
---|
| 370 | if (!($file1 =~ /^\-$/)) {
|
---|
[3] | 371 | flock(FH, LOCK_EX) unless ($no_remove_lock == 1);
|
---|
[1] | 372 | my $dir = tempdir( CLEANUP => 1 ) or die "Tempdir failed";
|
---|
[3] | 373 | $filename = $dir . "/rem_iqegBCQb." . $$;
|
---|
[1] | 374 | open $fh, ">$filename" or die "Cannot open $filename";
|
---|
| 375 | $stats = stat($file1);
|
---|
| 376 | # ($fh, $filename) = tempfile(UNLINK => 1);
|
---|
| 377 | } else {
|
---|
| 378 | open $fh, ">$file1" or die "Cannot open file $file1 for write: $!";
|
---|
| 379 | }
|
---|
| 380 | autoflush $fh 1;
|
---|
| 381 | while (<FH>) {
|
---|
| 382 | if ($_ =~ /^-----BEGIN PGP SIGNED MESSAGE-----/) {
|
---|
| 383 | $sigstart = 1;
|
---|
| 384 | $bodystart = 0;
|
---|
| 385 | next;
|
---|
| 386 | } elsif (($sigstart == 1) && ($_ =~ /^\s+$/)) {
|
---|
| 387 | $sigstart = 0;
|
---|
| 388 | $bodystart = 1;
|
---|
| 389 | next;
|
---|
| 390 | } elsif ($_ =~ /^-----BEGIN PGP SIGNATURE-----/) {
|
---|
| 391 | $bodystart = 0;
|
---|
| 392 | $sigend = 1;
|
---|
| 393 | next;
|
---|
| 394 | } elsif (($sigend == 1) && ($_ =~ /^-----END PGP SIGNATURE-----/)) {
|
---|
| 395 | $sigend = 0;
|
---|
| 396 | $bodystart = 1;
|
---|
| 397 | next;
|
---|
| 398 | }
|
---|
| 399 | if ($bodystart == 1) {
|
---|
| 400 | print $fh $_;
|
---|
| 401 | }
|
---|
| 402 | }
|
---|
| 403 | if (!($file1 =~ /^\-$/)) {
|
---|
[3] | 404 | copy("$filename", "$file1")
|
---|
| 405 | or die "Copy $filename to $file1 failed: $!";
|
---|
[1] | 406 | chmod $stats->mode, $file1;
|
---|
| 407 | chown $stats->uid, $stats->gid, $file1;
|
---|
[3] | 408 | flock(FH, LOCK_UN) unless ($no_remove_lock == 1);
|
---|
| 409 | close FH;
|
---|
[1] | 410 | }
|
---|
| 411 | unlink0( $fh, $filename ) or die "Cannot unlink $filename safely";
|
---|
| 412 | return;
|
---|
| 413 | }
|
---|
| 414 |
|
---|
| 415 | sub print_cfgfile () {
|
---|
| 416 | my $bodystart = 0;
|
---|
| 417 | my $sigstart = 0;
|
---|
| 418 |
|
---|
| 419 | if (!defined($file2)) {
|
---|
| 420 | $file2 = '-';
|
---|
| 421 | }
|
---|
| 422 |
|
---|
| 423 | open FH, "<$file1" or die "Cannot open file $file1 for read: $!";
|
---|
| 424 | open FO, ">$file2" or die "Cannot open file $file2 for write: $!";
|
---|
| 425 | while (<FH>) {
|
---|
| 426 | if ($_ =~ /^-----BEGIN PGP SIGNED MESSAGE-----/) {
|
---|
| 427 | $sigstart = 1;
|
---|
| 428 | next;
|
---|
| 429 | } elsif (($sigstart == 1) && ($_ =~ /^\s+$/)) {
|
---|
| 430 | $sigstart = 0;
|
---|
| 431 | $bodystart = 1;
|
---|
| 432 | next;
|
---|
| 433 | } elsif ($_ =~ /^-----BEGIN PGP SIGNATURE-----/) {
|
---|
| 434 | $bodystart = 0;
|
---|
| 435 | exit;
|
---|
| 436 | }
|
---|
| 437 | if ($bodystart == 1) {
|
---|
| 438 | print FO $_;
|
---|
| 439 | }
|
---|
| 440 | }
|
---|
| 441 | exit;
|
---|
| 442 | }
|
---|
| 443 | sub print_datafile () {
|
---|
| 444 | die ("Cannot find program $daemon")
|
---|
| 445 | unless (-e $daemon);
|
---|
| 446 | if (defined($opts{'v'})) {
|
---|
| 447 | open FH, "$daemon --full-detail -d $datafile |"
|
---|
| 448 | or die "Cannot open datafile $datafile for read: $!";
|
---|
| 449 | } else {
|
---|
| 450 | open FH, "$daemon -d $datafile |"
|
---|
| 451 | or die "Cannot open datafile $datafile for read: $!";
|
---|
| 452 | }
|
---|
| 453 | while (<FH>) {
|
---|
| 454 | print $_;
|
---|
| 455 | }
|
---|
| 456 | exit;
|
---|
| 457 | }
|
---|
| 458 |
|
---|
| 459 | sub sign_file () {
|
---|
| 460 |
|
---|
| 461 | my $fileout = '';
|
---|
| 462 | my $bodystart = 1;
|
---|
| 463 | my $sigstart = 0;
|
---|
| 464 | my $sigend = 0;
|
---|
| 465 | my $stats;
|
---|
| 466 | my $fh1;
|
---|
| 467 | my $filename1;
|
---|
| 468 | my $flag1 = 0;
|
---|
| 469 |
|
---|
| 470 | check_gpg_uid();
|
---|
[53] | 471 | check_gpg_agent();
|
---|
[1] | 472 |
|
---|
| 473 | if (!defined($file2)) {
|
---|
| 474 | $file2 = $file1;
|
---|
| 475 | }
|
---|
| 476 |
|
---|
| 477 | if ($file1 =~ /^\-$/) {
|
---|
| 478 | my $dir = tempdir( CLEANUP => 1 ) or die "Tempdir failed";
|
---|
[3] | 479 | $filename1 = $dir . "/sig_vs8827sd." . $$;
|
---|
[1] | 480 | open $fh1, ">$filename1" or die "Cannot open $filename1";
|
---|
| 481 | $flag1 = 1;
|
---|
| 482 | # my ($fh1, $filename1) = tempfile(UNLINK => 1);
|
---|
| 483 |
|
---|
| 484 | while (<STDIN>) {
|
---|
| 485 | if ($_ =~ /^-----BEGIN PGP SIGNED MESSAGE-----/) {
|
---|
| 486 | $sigstart = 1;
|
---|
| 487 | $bodystart = 0;
|
---|
| 488 | next;
|
---|
| 489 | } elsif (($sigstart == 1) && ($_ =~ /^\s+$/)) {
|
---|
| 490 | $sigstart = 0;
|
---|
| 491 | $bodystart = 1;
|
---|
| 492 | next;
|
---|
| 493 | } elsif ($_ =~ /^-----BEGIN PGP SIGNATURE-----/) {
|
---|
| 494 | $bodystart = 0;
|
---|
| 495 | $sigend = 1;
|
---|
| 496 | next;
|
---|
| 497 | } elsif (($sigend == 1) && ($_ =~ /^-----END PGP SIGNATURE-----/)) {
|
---|
| 498 | $sigend = 0;
|
---|
| 499 | $bodystart = 1;
|
---|
| 500 | next;
|
---|
| 501 | }
|
---|
| 502 | if ($bodystart == 1) {
|
---|
| 503 | print $fh1 $_;
|
---|
| 504 | }
|
---|
| 505 | #
|
---|
| 506 | # print $fh1 $_;
|
---|
| 507 | #
|
---|
| 508 | }
|
---|
| 509 | $file1 = $filename1;
|
---|
| 510 | $fileout = '-';
|
---|
| 511 | } else {
|
---|
[3] | 512 | open (LOCKFILE, "<$file1") or die "Cannot open $file1: $!";
|
---|
| 513 | flock(LOCKFILE, LOCK_EX);
|
---|
[1] | 514 | $no_print_examine = 1;
|
---|
[3] | 515 | $no_remove_lock = 1;
|
---|
[1] | 516 | if (examine() < 2) {
|
---|
| 517 | remove();
|
---|
| 518 | }
|
---|
| 519 | $fileout = $file1 . ".asc";
|
---|
[3] | 520 | $stats = stat($file1)
|
---|
| 521 | or die "No file $file1: $!";
|
---|
[1] | 522 | }
|
---|
| 523 |
|
---|
| 524 | if (defined($passphrase)) {
|
---|
| 525 | local $SIG{PIPE} = 'IGNORE';
|
---|
[330] | 526 | my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --passphrase-fd 0 -a ${KEYTAG} ${TARGETKEYID} --clearsign -o $fileout --not-dash-escaped ";
|
---|
| 527 | $command .= "--secret-keyring $secretkeyring " if (defined($opts{'s'}));
|
---|
| 528 | $command .= "$file1";
|
---|
[1] | 529 | open (FH, "|$command") or die "can't fork: $!";
|
---|
| 530 | print FH "$passphrase" or die "can't write: $!";
|
---|
| 531 | close FH or die "can't close: status=$?";
|
---|
| 532 | } else {
|
---|
[330] | 533 | my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg -a ${KEYTAG} ${TARGETKEYID} --clearsign -o $fileout --not-dash-escaped ";
|
---|
| 534 | $command .= "--secret-keyring $secretkeyring " if (defined($opts{'s'}));
|
---|
| 535 | $command .= "$file1";
|
---|
[1] | 536 | system("$command") == 0
|
---|
| 537 | or die "system $command failed: $?";
|
---|
| 538 | }
|
---|
| 539 |
|
---|
| 540 | if (!($fileout =~ /^\-$/)) {
|
---|
| 541 | my $st_old = stat($file1)
|
---|
| 542 | or die "No file $file1: $!";
|
---|
| 543 | my $st_new = stat($fileout)
|
---|
| 544 | or die "No file $fileout: $!";
|
---|
| 545 | die ("Signed file is smaller than unsigned file")
|
---|
| 546 | unless ($st_new->size > $st_old->size);
|
---|
[3] | 547 | move("$fileout", "$file2")
|
---|
| 548 | or die "Move $fileout to $file2 failed: $!";
|
---|
[1] | 549 | chmod $stats->mode, $file2;
|
---|
| 550 | chown $stats->uid, $stats->gid, $file2;
|
---|
[3] | 551 | flock(LOCKFILE, LOCK_UN);
|
---|
[1] | 552 | }
|
---|
| 553 |
|
---|
| 554 | if ($flag1 == 1) {
|
---|
| 555 | unlink0( $fh1, $filename1 ) or die "Cannot unlink $filename1 safely";
|
---|
| 556 | }
|
---|
| 557 | if ($return_from_sign == 1) {
|
---|
| 558 | return;
|
---|
| 559 | }
|
---|
| 560 | exit;
|
---|
| 561 | }
|
---|
| 562 |
|
---|
| 563 | Getopt::Long::Configure ("posix_default");
|
---|
| 564 | Getopt::Long::Configure ("bundling");
|
---|
| 565 | # Getopt::Long::Configure ("debug");
|
---|
| 566 |
|
---|
| 567 | GetOptions (\%opts, 'm=s', 'h|help', 'v|verbose', 'l|list',
|
---|
| 568 | 'c|cfgfile=s',
|
---|
| 569 | 'd|datafile=s',
|
---|
| 570 | 'p|passphrase=s',
|
---|
[330] | 571 | 's|secretkeyring=s',
|
---|
[1] | 572 | 'create-cfgfile', # -m F
|
---|
| 573 | 'print-cfgfile', # -m f
|
---|
| 574 | 'create-datafile', # -m D
|
---|
| 575 | 'print-datafile', # -m d
|
---|
| 576 | 'remove-signature',# -m R
|
---|
| 577 | 'sign', # -m E
|
---|
| 578 | 'examine', # -m e
|
---|
| 579 | 'generate-keys'); # -m G
|
---|
| 580 |
|
---|
| 581 | if (defined ($opts{'h'})) {
|
---|
| 582 | usage();
|
---|
| 583 | exit;
|
---|
| 584 | }
|
---|
| 585 |
|
---|
| 586 | if (defined($opts{'c'})) {
|
---|
| 587 | $cfgfile = $opts{'c'};
|
---|
| 588 | }
|
---|
| 589 | if (defined($opts{'d'})) {
|
---|
| 590 | $datafile = $opts{'d'};
|
---|
| 591 | }
|
---|
| 592 | if (defined($opts{'p'})) {
|
---|
| 593 | $passphrase = $opts{'p'};
|
---|
| 594 | }
|
---|
[330] | 595 | if (defined($opts{'s'})) {
|
---|
| 596 | $secretkeyring = $opts{'s'};
|
---|
| 597 | }
|
---|
[1] | 598 |
|
---|
| 599 | if (defined ($opts{'m'}) && ($opts{'m'} =~ /[FfDdREeG]{1}/) ) {
|
---|
| 600 | $action = $opts{'m'};
|
---|
| 601 | }
|
---|
| 602 | elsif (defined ($opts{'create-cfgfile'})) {
|
---|
| 603 | $action = 'F';
|
---|
| 604 | }
|
---|
| 605 | elsif (defined ($opts{'print-cfgfile'})) {
|
---|
| 606 | $action = 'f';
|
---|
| 607 | }
|
---|
[30] | 608 | elsif (defined ($opts{'create-datafile'})) {
|
---|
[1] | 609 | $action = 'D';
|
---|
| 610 | }
|
---|
[30] | 611 | elsif (defined ($opts{'print-datafile'})) {
|
---|
[1] | 612 | $action = 'd';
|
---|
| 613 | }
|
---|
| 614 | elsif (defined ($opts{'remove-signature'})) {
|
---|
| 615 | $action = 'R';
|
---|
| 616 | }
|
---|
| 617 | elsif (defined ($opts{'sign'})) {
|
---|
| 618 | $action = 'E';
|
---|
| 619 | }
|
---|
| 620 | elsif (defined ($opts{'examine'})) {
|
---|
| 621 | $action = 'e';
|
---|
| 622 | }
|
---|
| 623 | elsif (defined ($opts{'generate-keys'})) {
|
---|
| 624 | $action = 'G';
|
---|
| 625 | }
|
---|
| 626 | else {
|
---|
| 627 | usage();
|
---|
| 628 | die ("No valid action specified !");
|
---|
| 629 | }
|
---|
| 630 |
|
---|
| 631 | if (defined($ARGV[0])) {
|
---|
| 632 | $file1 = $ARGV[0];
|
---|
| 633 | }
|
---|
| 634 | if (defined($ARGV[1])) {
|
---|
| 635 | $file2 = $ARGV[1];
|
---|
| 636 | }
|
---|
| 637 |
|
---|
| 638 |
|
---|
| 639 | if (($action =~ /[REe]{1}/) && !defined($file1)) {
|
---|
| 640 | usage();
|
---|
| 641 | die("Option -m $action requires a filename (or '-' for stdio)\n");
|
---|
| 642 | }
|
---|
| 643 |
|
---|
| 644 | if ($action =~ /^F$/) {
|
---|
| 645 | if (!defined($file1)) {
|
---|
| 646 | $file1 = $cfgfile;
|
---|
| 647 | }
|
---|
| 648 | $file2 = $cfgfile;
|
---|
| 649 | sign_file ();
|
---|
| 650 | }
|
---|
| 651 |
|
---|
| 652 | if ($action =~ /^D$/) {
|
---|
| 653 | if (!defined($file1)) {
|
---|
| 654 | $file1 = $datafile;
|
---|
| 655 | }
|
---|
| 656 | $file2 = $datafile;
|
---|
| 657 | sign_file ();
|
---|
| 658 | }
|
---|
| 659 |
|
---|
| 660 | if ($action =~ /^R$/) {
|
---|
| 661 | # $file1 defined
|
---|
| 662 | my $i = 0;
|
---|
| 663 | while (defined($ARGV[$i])) {
|
---|
| 664 | $file1 = $ARGV[$i];
|
---|
| 665 | remove ();
|
---|
| 666 | ++$i;
|
---|
| 667 | }
|
---|
| 668 | }
|
---|
| 669 |
|
---|
| 670 | if ($action =~ /^E$/) {
|
---|
| 671 | # $file1 defined
|
---|
| 672 | # default: $file2 = $file1
|
---|
| 673 | check_gpg_sign();
|
---|
| 674 | my $i = 0;
|
---|
| 675 | while (defined($ARGV[$i])) {
|
---|
| 676 | $file1 = $ARGV[$i];
|
---|
| 677 | $file2 = $file1;
|
---|
| 678 | $return_from_sign = 1;
|
---|
| 679 | sign_file ();
|
---|
| 680 | ++$i;
|
---|
| 681 | }
|
---|
| 682 | }
|
---|
| 683 |
|
---|
| 684 | if ($action =~ /^e$/) {
|
---|
| 685 | # $file1 defined
|
---|
| 686 | # default: $file2 = stdout
|
---|
| 687 | check_gpg_verify();
|
---|
| 688 | my $i = 0;
|
---|
| 689 | while (defined($ARGV[$i])) {
|
---|
| 690 | print "\n";
|
---|
| 691 | $file1 = $ARGV[$i];
|
---|
| 692 | examine ();
|
---|
| 693 | ++$i;
|
---|
| 694 | print "\n--------------------------------\n" if (defined($ARGV[$i]));
|
---|
| 695 | }
|
---|
| 696 | }
|
---|
| 697 |
|
---|
| 698 | if ($action =~ /^f$/) {
|
---|
| 699 | $file1 = $cfgfile;
|
---|
| 700 | $file2 = "-";
|
---|
| 701 | print_cfgfile ();
|
---|
| 702 | }
|
---|
| 703 |
|
---|
| 704 | if ($action =~ /^d$/) {
|
---|
| 705 | # $file1 irrelevant
|
---|
| 706 | if (defined($opts{'l'})) {
|
---|
| 707 | print_datafile ();
|
---|
| 708 | } else {
|
---|
| 709 | $file1 = $datafile;
|
---|
| 710 | $file2 = "-";
|
---|
| 711 | print_cfgfile ();
|
---|
| 712 | }
|
---|
| 713 | }
|
---|
| 714 |
|
---|
| 715 |
|
---|
| 716 |
|
---|