From b6853cf3ee9c07e403ab694da712490dc1647ac1 Mon Sep 17 00:00:00 2001
From: Daniel Alley
Date: Mon, 10 Jul 2023 11:39:17 -0400
Subject: [PATCH] PR review cleanups
---
 CHANGELOG.md | 15 ++++++++-------
 src/rpm/builder.rs | 13 +++++++------
 src/rpm/signature/pgp.rs | 2 +-
 3 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2554a057..e4928b67 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,19 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
-## Breaking Change
+### Breaking Change
 - Removed `RPM` prefix from type names, e.g. `RPMPackage` is renamed to `Package`.
 - `RPMBuilder` is renamed to `PackageBuilder`.
 - The `PackageBuilder::build_time` method is removed. Package build time is now included by default and can be clamped using the `PackageBuilder::source_date` method.
+- Several of the signer and verifier trait APIs were changed
-## Added
+### Added
 - `PackageBuilder::source_date` method for clamping modification time of files, build time of the package, and signature timestamp. This functionality is required for reproducible generation of packages.
-- `Package::sign_with_timestamp` method.s
+- `Package::sign_with_timestamp` method for signing a package while using a specific
+ timestamp. This is needed to reproducibly sign packages.
+- `PackageMetadata::signature_key_id` method for getting the signing key ID (superset
+ of the fingerprint) of the key used to sign a package as a hex-encoded string.
+ Key fingerprints can be easily extracted from this value.
 - The "rpmversion" tag is now populated so that packages know which library (and version) they were built with.
 - Support for signing and verification with EdDSA signatures
@@ -29,10 +34,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Build time metadata is now included in the built package by default
 - The algorithm type is no longer baked into the Signing and Verifying APIs as it is unnecessary.
-### Breaking Changes
-
-- Several of the signer and verifier trait APIs were changed
-
 ### Fixed
 - CentOS 7 support by using long sizes only for packages bigger than 4 GiB.
diff --git a/src/rpm/builder.rs b/src/rpm/builder.rs
index 8c9dd2e3..d1a9e69d 100644
--- a/src/rpm/builder.rs
+++ b/src/rpm/builder.rs
@@ -517,8 +517,8 @@ impl PackageBuilder {
 } = Package::create_sig_header_digests(header.as_slice(), content.as_slice())?;
 let now = Timestamp::now();
- let t = match source_date {
- Some(sde) if sde < now => sde,
+ let signature_timestamp = match source_date {
+ Some(source_date_epoch) if source_date_epoch < now => source_date_epoch,
 _ => now,
 };
@@ -528,17 +528,18 @@ impl PackageBuilder {
 header_and_content_digest_md5.as_slice(),
 );
- let sig_header_only = signer.sign(header.as_slice(), t)?;
+ let sig_header_only = signer.sign(header.as_slice(), signature_timestamp)?;
 let builder = match signer.algorithm() {
- crate::signature::AlgorithmType::RSA => {
+ signature::AlgorithmType::RSA => {
 let mut header_and_content_cursor = io::Cursor::new(header.as_slice()).chain(io::Cursor::new(content.as_slice()));
- let sig_header_and_archive = signer.sign(&mut header_and_content_cursor, t)?;
+ let sig_header_and_archive =
+ signer.sign(&mut header_and_content_cursor, signature_timestamp)?;
 builder.add_rsa_signature(sig_header_only.as_ref(), sig_header_and_archive.as_ref())
 }
- crate::signature::AlgorithmType::EdDSA => {
+ signature::AlgorithmType::EdDSA => {
 builder.add_eddsa_signature(sig_header_only.as_ref())
 }
 };
diff --git a/src/rpm/signature/pgp.rs b/src/rpm/signature/pgp.rs
index c06b8e1b..7600427a 100644
--- a/src/rpm/signature/pgp.rs
+++ b/src/rpm/signature/pgp.rs
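Review bot: In the first src/rpm/builder.rs hunk, the `_ => now` arm of the `signature_timestamp` match also catches a `source_date` that is equal to or later than the current time, so a caller who asked for a fixed timestamp silently gets a wall-clock one and the signature is no longer reproducible. A comment above the match would make that fallback explicit, for example `// Clamp to source_date for reproducible signatures; a source_date that is not in the past falls back to the current time.` The same value is passed to every `signer.sign(..)` call in the following hunk, so it may also be worth confirming that verifiers accept a signature creation time older than the signing key's own creation time when `source_date` is far in the past. The enclosing function starts and ends outside both hunks.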
@@ -103,7 +103,7 @@ impl Signer {
 secret_key,
 algorithm: AlgorithmType::EdDSA,
 }),
- a => Err(Error::UnsupportedPGPKeyType(a)),
+ algorithm => Err(Error::UnsupportedPGPKeyType(algorithm)),
 }
 }
 }