libAPG/src/sign.c at 1ea3a0594e6bbfd12d9b962dcb93c8706e3b6d8b · NurOS-Linux/libAPG · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
// NurOS Ruzen42 2026 apg/sign.c
// Last change: Feb 2

#include <sodium.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#include "../include/util.h"

const char *key_path = "/etc/apg/keys/";

bool
sign_file_by_key(const char *path, const char *sig_path, const unsigned char *public_key)
{
  if (sodium_init() < 0) return false;

  unsigned char signature[crypto_sign_BYTES];

  FILE *sig_f = fopen(sig_path, "rb");
  if (!sig_f) return false;

  size_t sig_read = fread(signature, 1, crypto_sign_BYTES, sig_f);
  fclose(sig_f);
  if (sig_read != crypto_sign_BYTES) return false;

  crypto_sign_state state;
  crypto_sign_init(&state);

  FILE *pkg_f = fopen(path, "rb");
  if (!pkg_f) return false;

  unsigned char buffer[4096];
  size_t bytes_read;

  while ((bytes_read = fread(buffer, 1, sizeof(buffer), pkg_f)) > 0) {
    crypto_sign_update(&state, buffer, bytes_read);
  }
  fclose(pkg_f);

  if (crypto_sign_final_verify(&state, signature, public_key) != 0) {
    return false;
  }
  return true;
}


bool
sign_file(const char *pkg_path)
{
  char *sig_path = concat(pkg_path, ".sig");
  if (!sig_path) return false;

  char *key_file = concat(key_path, "trusted.pub");
  if (!key_file) {
    free(sig_path);
    return false;
  }

  unsigned char public_key[crypto_sign_PUBLICKEYBYTES];
  FILE *key_f = fopen(key_file, "rb");
  free(key_file);
  if (!key_f) {
    free(sig_path);
    return false;
  }

  size_t key_read = fread(public_key, 1, crypto_sign_PUBLICKEYBYTES, key_f);
  fclose(key_f);
  if (key_read != crypto_sign_PUBLICKEYBYTES) {
    free(sig_path);
    return false;
  }

  bool result = sign_file_by_key(pkg_path, sig_path, public_key);
  free(sig_path);
  return result;
}