Don't rsa sign packages by default, but do provide digests.

This commit is contained in:
Alex Shinn 2015-05-01 21:57:23 +09:00
parent 76ba196fba
commit f958a82028
3 changed files with 14 additions and 7 deletions

View file

@ -779,7 +779,7 @@
(call-with-input-file package port->bytevector)
package))
(snowball (maybe-gunzip raw-data))
(digest (digest-func snowball))
(digest (delay (digest-func snowball)))
(keys (call-with-input-file
(or (conf-get cfg 'key-file)
(string-append (conf-get-snow-dir cfg) "/priv-key.scm"))
@ -787,25 +787,29 @@
(email (or (conf-get cfg 'email)
(assoc-get (car keys) 'email)))
(rsa-key-sexp (find (rsa-identity=? email) keys))
(rsa-key (extract-rsa-private-key rsa-key-sexp)))
(rsa-key (extract-rsa-private-key rsa-key-sexp))
(use-rsa? (and rsa-key (conf-get cfg 'sign-uploads?))))
(append
`(signature
(email ,email))
(if (and rsa-key (conf-get cfg 'sign-uploads?))
(if (or use-rsa?
(not (conf-get cfg 'skip-digest?)))
`((digest ,digest-name)
(,digest-name ,(force digest)))
'())
(if use-rsa?
(let* ((sig (fast-eval
`(rsa-sign (make-rsa-key ,(rsa-key-bits rsa-key)
,(rsa-key-n rsa-key)
#f
,(rsa-key-d rsa-key))
;;,(hex-string->integer digest)
,(hex-string->bytevector digest))
,(hex-string->bytevector (force digest)))
'((chibi crypto rsa))))
(hex-sig (if (bytevector? sig)
(bytevector->hex-string sig)
(integer->hex-string sig))))
`((digest ,digest-name)
(,digest-name ,digest)
(rsa ,hex-sig)))
`((rsa ,hex-sig)))
'()))))
(define (command/sign cfg spec package)

View file

@ -19,6 +19,7 @@
(scheme char)
(scheme eval)
(scheme file)
(scheme lazy)
(scheme load)
(scheme process-context)
(scheme time)

View file

@ -62,8 +62,10 @@
(ignore-signature? boolean ("ignore-sig" "ignore-signature")
"don't verify package signatures")
(ignore-digest? boolean ("ignore-digest") "don't verify package checksums")
(skip-digest? boolean ("skip-digest") "don't provide digests without rsa")
(skip-version-checks? boolean ("skip-version-checks")
"don't verify implementation versions")
(sign-uploads? boolean ("sign-uploads") "sign with the rsa key if present")
(host string "base uri of snow repository")
(repository-uri string "uri of snow repository file")
(local-root-repository dirname "repository cache dir for root")