search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Use warnings module for deprecation warnings, not logging.
[zeroinstall/zeroinstall-mseaborn.git] / zeroinstall / injector / gpg.py
blob07034cd968633cca49ffa1dbcd8bb2997ddfce54
1 """
2 Python interface to GnuPG.
3
4 This module is used to invoke GnuPG to check the digital signatures on interfaces.
5
6 @see: L{iface_cache.PendingFeed}
7 """
8
9 # Copyright (C) 2006, Thomas Leonard
10 # See the README file for details, or visit http://0install.net.
11
12 import base64, re
13 import os
14 import tempfile
15 import traceback
16 from trust import trust_db
17 from model import SafeException
18
19 class Signature(object):
20 """Abstract base class for signature check results."""
21 status = None
22
23 def __init__(self, status):
24 self.status = status
25
26 def is_trusted(self, domain = None):
27 return False
28
29 def need_key(self):
30 """Returns the ID of the key that must be downloaded to check this signature."""
31 return None
32
33 class ValidSig(Signature):
34 """A valid signature check result."""
35 FINGERPRINT = 0
36 TIMESTAMP = 2
37
38 def __str__(self):
39 return "Valid signature from " + self.status[self.FINGERPRINT]
40
41 def is_trusted(self, domain = None):
42 return trust_db.is_trusted(self.status[self.FINGERPRINT], domain)
43
44 def get_timestamp(self):
45 return int(self.status[self.TIMESTAMP])
46
47 fingerprint = property(lambda self: self.status[self.FINGERPRINT])
48
49 def get_details(self):
50 cin, cout = os.popen2(('gpg', '--with-colons', '--no-secmem-warning', '--list-keys', self.fingerprint))
51 cin.close()
52 details = []
53 for line in cout:
54 details.append(line.split(':'))
55 cout.close()
56 return details
57
58 class BadSig(Signature):
59 """A bad signature (doesn't match the message)."""
60 KEYID = 0
61
62 def __str__(self):
63 return "BAD signature by " + self.status[self.KEYID] + \
64 " (the message has been tampered with)"
65
66 class ErrSig(Signature):
67 """Error while checking a signature."""
68 KEYID = 0
69 ALG = 1
70 RC = -1
71
72 def __str__(self):
73 msg = "ERROR signature by %s: " % self.status[self.KEYID]
74 rc = int(self.status[self.RC])
75 if rc == 4:
76 msg += "Unknown or unsupported algorithm '%s'" % self.status[self.ALG]
77 elif rc == 9:
78 msg += "Unknown key. Try 'gpg --recv-key %s'" % self.status[self.KEYID]
79 else:
80 msg += "Unknown reason code %d" % rc
81 return msg
82
83 def need_key(self):
84 rc = int(self.status[self.RC])
85 if rc == 9:
86 return self.status[self.KEYID]
87 return None
88
89 class Key:
90 """A GPG key.
91 @since: 0.27
92 """
93 def __init__(self, fingerprint):
94 self.fingerprint = fingerprint
95 self.name = '(unknown)'
96
97 def get_short_name(self):
98 return self.name.split(' (', 1)[0].split(' <', 1)[0]
99
100 def load_keys(fingerprints):
101 """Load a set of keys at once.
102 This is much more efficient than making individual calls to L{load_key}.
103 @return: a list of loaded keys, indexed by fingerprint
104 @rtype: {str: L{Key}}
105 @since 0.27"""
106
107 keys = {}
108
109 # Otherwise GnuPG returns everything...
110 if not fingerprints: return keys
111
112 for fp in fingerprints:
113 keys[fp] = Key(fp)
114
115 current_fpr = None
116 current_uid = None
117
118 cin, cout = os.popen2(['gpg', '--fixed-list-mode', '--with-colons', '--list-keys',
119 '--with-fingerprint', '--with-fingerprint'] + fingerprints)
120 cin.close()
121 try:
122 for line in cout:
123 if line.startswith('pub:'):
124 current_fpr = None
125 current_uid = None
126 if line.startswith('fpr:'):
127 current_fpr = line.split(':')[9]
128 if current_fpr in keys and current_uid:
129 # This is probably a subordinate key, where the fingerprint
130 # comes after the uid, not before. Note: we assume the subkey is
131 # cross-certified, as recent always ones are.
132 keys[current_fpr].name = current_uid
133 if line.startswith('uid:'):
134 assert current_fpr is not None
135 parts = line.split(':')
136 current_uid = parts[9]
137 if current_fpr in keys:
138 keys[current_fpr].name = current_uid
139 finally:
140 cout.close()
141
142 return keys
143
144 def load_key(fingerprint):
145 """Query gpg for information about this key.
146 @return: a new key
147 @rtype: L{Key}
148 @since: 0.27"""
149 return load_keys([fingerprint])[fingerprint]
150
151 def import_key(stream):
152 """Run C{gpg --import} with this stream as stdin."""
153 errors = tempfile.TemporaryFile()
154
155 child = os.fork()
156 if child == 0:
157 # We are the child
158 try:
159 try:
160 os.dup2(stream.fileno(), 0)
161 os.dup2(errors.fileno(), 2)
162 os.execlp('gpg', 'gpg', '--no-secmem-warning', '--quiet', '--import')
163 except:
164 traceback.print_exc()
165 finally:
166 os._exit(1)
167 assert False
168
169 pid, status = os.waitpid(child, 0)
170 assert pid == child
171
172 errors.seek(0)
173 error_messages = errors.read().strip()
174 errors.close()
175
176 if error_messages:
177 raise SafeException("Errors from 'gpg --import':\n%s" % error_messages)
178
179 def _check_plain_stream(stream):
180 data = tempfile.TemporaryFile() # Python2.2 does not support 'prefix'
181 errors = tempfile.TemporaryFile()
182
183 status_r, status_w = os.pipe()
184
185 child = os.fork()
186
187 if child == 0:
188 # We are the child
189 try:
190 try:
191 os.close(status_r)
192 os.dup2(stream.fileno(), 0)
193 os.dup2(data.fileno(), 1)
194 os.dup2(errors.fileno(), 2)
195 os.execlp('gpg', 'gpg', '--no-secmem-warning', '--decrypt',
196 # Not all versions support this:
197 #'--max-output', str(1024 * 1024),
198 '--batch',
199 '--status-fd', str(status_w))
200 except:
201 traceback.print_exc()
202 finally:
203 os._exit(1)
204 assert False
205
206 # We are the parent
207 os.close(status_w)
208
209 try:
210 sigs = _get_sigs_from_gpg_status_stream(status_r, child, errors)
211 finally:
212 data.seek(0)
213 return (data, sigs)
214
215 def _check_xml_stream(stream):
216 xml_comment_start = '<!-- Base64 Signature'
217
218 data_to_check = stream.read()
219
220 last_comment = data_to_check.rfind('\n' + xml_comment_start)
221 if last_comment < 0:
222 raise SafeException("No signature block in XML. Maybe this file isn't signed?")
223 last_comment += 1 # Include new-line in data
224
225 data = tempfile.TemporaryFile()
226 data.write(data_to_check[:last_comment])
227 data.flush()
228 os.lseek(data.fileno(), 0, 0)
229
230 errors = tempfile.TemporaryFile()
231
232 sig_lines = data_to_check[last_comment:].split('\n')
233 if sig_lines[0].strip() != xml_comment_start:
234 raise SafeException('Bad signature block: extra data on comment line')
235 while sig_lines and not sig_lines[-1].strip():
236 del sig_lines[-1]
237 if sig_lines[-1].strip() != '-->':
238 raise SafeException('Bad signature block: last line is not end-of-comment')
239 sig_data = '\n'.join(sig_lines[1:-1])
240
241 if re.match('^[ A-Za-z0-9+/=\n]+$', sig_data) is None:
242 raise SafeException("Invalid characters found in base 64 encoded signature")
243 try:
244 sig_data = base64.decodestring(sig_data) # (b64decode is Python 2.4)
245 except Exception, ex:
246 raise SafeException("Invalid base 64 encoded signature: " + str(ex))
247
248 sig_fd, sig_name = tempfile.mkstemp(prefix = 'injector-sig-')
249 try:
250 sig_file = os.fdopen(sig_fd, 'w')
251 sig_file.write(sig_data)
252 sig_file.close()
253
254 status_r, status_w = os.pipe()
255
256 child = os.fork()
257
258 if child == 0:
259 # We are the child
260 try:
261 try:
262 os.close(status_r)
263 os.dup2(data.fileno(), 0)
264 os.dup2(errors.fileno(), 2)
265 os.execlp('gpg', 'gpg', '--no-secmem-warning',
266 # Not all versions support this:
267 #'--max-output', str(1024 * 1024),
268 '--batch',
269 '--status-fd', str(status_w),
270 '--verify', sig_name, '-')
271 except:
272 traceback.print_exc()
273 finally:
274 os._exit(1)
275 assert False
276
277 # We are the parent
278 os.close(status_w)
279
280 try:
281 sigs = _get_sigs_from_gpg_status_stream(status_r, child, errors)
282 finally:
283 os.lseek(stream.fileno(), 0, 0)
284 stream.seek(0)
285 finally:
286 os.unlink(sig_name)
287 return (stream, sigs)
288
289 def _find_in_path(prog):
290 for d in os.environ['PATH'].split(':'):
291 path = os.path.join(d, prog)
292 if os.path.isfile(path):
293 return path
294 return None
295
296 def check_stream(stream):
297 """Pass stream through gpg --decrypt to get the data, the error text,
298 and a list of signatures (good or bad). If stream starts with "<?xml "
299 then get the signature from a comment at the end instead (and the returned
300 data is the original stream). stream must be seekable.
301 @note: Stream returned may or may not be the one passed in. Be careful!
302 @return: (data_stream, [Signatures])"""
303 if not _find_in_path('gpg'):
304 raise SafeException("GnuPG is not installed ('gpg' not in $PATH). See http://gnupg.org")
305
306 #stream.seek(0)
307 #all = stream.read()
308 stream.seek(0)
309
310 start = stream.read(6)
311 stream.seek(0)
312 if start == "<?xml ":
313 return _check_xml_stream(stream)
314 elif start == '-----B':
315 import warnings
316 warnings.warn("Plain GPG-signed feeds are deprecated!", DeprecationWarning, stacklevel = 2)
317 os.lseek(stream.fileno(), 0, 0)
318 return _check_plain_stream(stream)
319 else:
320 raise SafeException("This is not a Zero Install feed! It should be an XML document, but it starts:\n%s" % repr(stream.read(120)))
321
322 def _get_sigs_from_gpg_status_stream(status_r, child, errors):
323 """Read messages from status_r and collect signatures from it.
324 When done, reap 'child'.
325 If there are no signatures, throw SafeException (using errors
326 for the error message if non-empty)."""
327 sigs = []
328
329 # Should we error out on bad signatures, even if there's a good
330 # signature too?
331
332 for line in os.fdopen(status_r):
333 assert line.endswith('\n')
334 assert line.startswith('[GNUPG:] ')
335 line = line[9:-1]
336 split_line = line.split(' ')
337 code = split_line[0]
338 args = split_line[1:]
339 if code == 'VALIDSIG':
340 sigs.append(ValidSig(args))
341 elif code == 'BADSIG':
342 sigs.append(BadSig(args))
343 elif code == 'ERRSIG':
344 sigs.append(ErrSig(args))
345
346 pid, status = os.waitpid(child, 0)
347 assert pid == child
348
349 errors.seek(0)
350
351 error_messages = errors.read().strip()
352 errors.close()
353
354 if not sigs:
355 if error_messages:
356 raise SafeException("No signatures found. Errors from GPG:\n%s" % error_messages)
357 else:
358 raise SafeException("No signatures found. No error messages from GPG.")
359
360 return sigs
Branch of Zero-Install to support filename substitution