lanzaboote/rust/tool/src/signature.rs

use std::ffi::OsString;
use std::io::Write;
use std::path::{Path, PathBuf};
use std::process::Command;

use anyhow::{Context, Result};

pub struct KeyPair {
    pub private_key: PathBuf,
    pub public_key: PathBuf,
}

impl KeyPair {
    pub fn new(public_key: &Path, private_key: &Path) -> Self {
        Self {
            public_key: public_key.into(),
            private_key: private_key.into(),
        }
    }

    pub fn sign_and_copy(&self, from: &Path, to: &Path) -> Result<()> {
        let args: Vec<OsString> = vec![
            OsString::from("--key"),
            self.private_key.clone().into(),
            OsString::from("--cert"),
            self.public_key.clone().into(),
            from.as_os_str().to_owned(),
            OsString::from("--output"),
            to.as_os_str().to_owned(),
        ];

        let output = Command::new("sbsign").args(&args).output()?;

        if !output.status.success() {
            std::io::stderr()
                .write_all(&output.stderr)
                .context("Failed to write output of sbsign to stderr.")?;
            log::debug!("sbsign failed with args: `{args:?}`.");
            return Err(anyhow::anyhow!("Failed to sign {to:?}."));
        }

        Ok(())
    }

    /// Verify the signature of a PE binary. Return true if the signature was verified.
    pub fn verify(&self, path: &Path) -> bool {
        let args: Vec<OsString> = vec![
            OsString::from("--cert"),
            self.public_key.clone().into(),
            path.as_os_str().to_owned(),
        ];

        let output = match Command::new("sbverify").args(&args).output() {
            Ok(output) => output,
            Err(_) => return false,
        };

        if !output.status.success() {
            if std::io::stderr().write_all(&output.stderr).is_err() {
                return false;
            };
            log::debug!("sbverify failed with args: `{args:?}`.");
            return false;
        }
        true
    }
}
lanzatool: remove Path -> String conversions in signature module 2022-12-28 16:49:45 -06:00			`use std::ffi::OsString;`
lanzatool: write sbsign output to stdout 2022-12-29 20:39:39 -06:00			`use std::io::Write;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`use std::path::{Path, PathBuf};`
lanzatool: improve signer code 2022-11-25 06:07:04 -06:00			`use std::process::Command;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00
lanzatool: add context to sbsing output failure 2022-12-30 19:57:01 -06:00			`use anyhow::{Context, Result};`
lanzatool: reuse code for signer 2022-11-25 08:46:33 -06:00
lanzatool: appease clippy 2022-11-26 16:19:08 -06:00			`pub struct KeyPair {`
lanzatool: improve signer code 2022-11-25 06:07:04 -06:00			`pub private_key: PathBuf,`
			`pub public_key: PathBuf,`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`}`

lanzatool: appease clippy 2022-11-26 16:19:08 -06:00			`impl KeyPair {`
lanzatool: improve signer code 2022-11-25 06:07:04 -06:00			`pub fn new(public_key: &Path, private_key: &Path) -> Self {`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`Self {`
lanzatool: improve signer code 2022-11-25 06:07:04 -06:00			`public_key: public_key.into(),`
			`private_key: private_key.into(),`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`}`
			`}`

lanzatool: sign and copy in one step) 2022-11-26 08:32:43 -06:00			`pub fn sign_and_copy(&self, from: &Path, to: &Path) -> Result<()> {`
lanzatool: remove Path -> String conversions in signature module 2022-12-28 16:49:45 -06:00			`let args: Vec<OsString> = vec![`
			`OsString::from("--key"),`
			`self.private_key.clone().into(),`
			`OsString::from("--cert"),`
			`self.public_key.clone().into(),`
			`from.as_os_str().to_owned(),`
			`OsString::from("--output"),`
			`to.as_os_str().to_owned(),`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`];`

lanzatool: hide sbsign output on happy path 2022-11-26 08:34:48 -06:00			`let output = Command::new("sbsign").args(&args).output()?;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00
lanzatool: hide sbsign output on happy path 2022-11-26 08:34:48 -06:00			`if !output.status.success() {`
lanzatool: add context to sbsing output failure 2022-12-30 19:57:01 -06:00			`std::io::stderr()`
			`.write_all(&output.stderr)`
Merge pull request #122 from nix-community/renovate/all fix(deps): update all dependencies 2023-02-27 03:03:37 -06:00			`.context("Failed to write output of sbsign to stderr.")?;`
			log::debug!("sbsign failed with args: `{args:?}`.");
			`return Err(anyhow::anyhow!("Failed to sign {to:?}."));`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`}`

			`Ok(())`
			`}`
tool: smarter systemd-boot install The process of installing systemd-boot is "smarter" because it now considers a a few conditions instead of doing nothing if there is a file at the deistination path. systemd-boot is now forcibly installed (i.e. overwriting any file at the destination) if (1) there is no file at the destination, OR (2) a newer version of systemd-boot is available, OR (3) the signature of the file at the destination could not be verified. 2023-01-17 18:58:45 -06:00
			`/// Verify the signature of a PE binary. Return true if the signature was verified.`
			`pub fn verify(&self, path: &Path) -> bool {`
			`let args: Vec<OsString> = vec![`
			`OsString::from("--cert"),`
			`self.public_key.clone().into(),`
			`path.as_os_str().to_owned(),`
			`];`

			`let output = match Command::new("sbverify").args(&args).output() {`
			`Ok(output) => output,`
			`Err(_) => return false,`
			`};`

			`if !output.status.success() {`
			`if std::io::stderr().write_all(&output.stderr).is_err() {`
			`return false;`
			`};`
Merge pull request #122 from nix-community/renovate/all fix(deps): update all dependencies 2023-02-27 03:03:37 -06:00			log::debug!("sbverify failed with args: `{args:?}`.");
tool: smarter systemd-boot install The process of installing systemd-boot is "smarter" because it now considers a a few conditions instead of doing nothing if there is a file at the deistination path. systemd-boot is now forcibly installed (i.e. overwriting any file at the destination) if (1) there is no file at the destination, OR (2) a newer version of systemd-boot is available, OR (3) the signature of the file at the destination could not be verified. 2023-01-17 18:58:45 -06:00			`return false;`
			`}`
			`true`
			`}`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`}`