* Re: [PR PATCH] [Updated] xbps: patch in workaround for openssl3 compat
[not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-45557@inbox.vuxu.org>
@ 2023-08-15 17:36 ` classabbyamp
2023-08-15 21:05 ` classabbyamp
2023-08-16 23:21 ` [PR PATCH] [Merged]: " classabbyamp
2 siblings, 0 replies; 3+ messages in thread
From: classabbyamp @ 2023-08-15 17:36 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 531 bytes --]
There is an updated pull request by classabbyamp against master on the void-packages repository
https://github.com/classabbyamp/void-packages xbps-sig2
https://github.com/void-linux/void-packages/pull/45557
xbps: patch in workaround for openssl3 compat
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **YES**
backport of void-linux/xbps#565
A patch file from https://github.com/void-linux/void-packages/pull/45557.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-xbps-sig2-45557.patch --]
[-- Type: text/x-diff, Size: 10936 bytes --]
From a420070b57d976b1a02bbb11cc4a883b8bc24fbf Mon Sep 17 00:00:00 2001
From: classabbyamp <void@placeviolette.net>
Date: Tue, 8 Aug 2023 01:28:56 -0400
Subject: [PATCH] xbps: patch in workaround for openssl3 compat
---
srcpkgs/xbps/patches/openssl3.patch | 46 ++++++
srcpkgs/xbps/patches/sig2.patch | 220 ++++++++++++++++++++++++++++
srcpkgs/xbps/template | 2 +-
3 files changed, 267 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/xbps/patches/openssl3.patch
create mode 100644 srcpkgs/xbps/patches/sig2.patch
diff --git a/srcpkgs/xbps/patches/openssl3.patch b/srcpkgs/xbps/patches/openssl3.patch
new file mode 100644
index 0000000000000..b47a998a5ac24
--- /dev/null
+++ b/srcpkgs/xbps/patches/openssl3.patch
@@ -0,0 +1,46 @@
+From db1766986c4389eb7e17c0e0076971b711617ef9 Mon Sep 17 00:00:00 2001
+From: Juan RP <xtraeme@gmail.com>
+Date: Thu, 16 Apr 2020 14:57:18 +0200
+Subject: [PATCH] configure: accept any openssl version.
+
+---
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index da8ae75fa..383bc927b 100755
+--- a/configure
++++ b/configure
+@@ -704,7 +704,7 @@ fi
+ # libssl with pkg-config support is required.
+ #
+ printf "Checking for libssl via pkg-config ... "
+-if pkg-config --exists 'libssl < 1.2' && ! pkg-config --exists libtls ; then
++if pkg-config --exists 'libssl' && ! pkg-config --exists libtls ; then
+ echo "found OpenSSL version $(pkg-config --modversion libssl)."
+ elif pkg-config --exists libssl libtls; then
+ echo "found LibreSSL version $(pkg-config --modversion libssl)."
+
+---
+From a65013e7370479243de62d56b44eb08d6bae943d Mon Sep 17 00:00:00 2001
+From: classabbyamp <void@placeviolette.net>
+Date: Tue, 8 Aug 2023 01:32:17 -0400
+Subject: [PATCH] configure: workaround for openssl3 compat
+
+---
+ configure | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/configure b/configure
+index 303c90a1..c7d78bf1 100755
+--- a/configure
++++ b/configure
+@@ -368,6 +368,8 @@ fi
+ if [ "$CC" = "tcc" ]; then
+ echo "CFLAGS += -Wno-error" >>$CONFIG_MK
+ fi
++# openssl 3 compatibility
++echo "CFLAGS += -Wno-error=deprecated-declarations">>$CONFIG_MK
+
+ # libfetch
+ echo "CPPFLAGS += -I\$(TOPDIR)/lib/fetch" >>$CONFIG_MK
diff --git a/srcpkgs/xbps/patches/sig2.patch b/srcpkgs/xbps/patches/sig2.patch
new file mode 100644
index 0000000000000..36a319096ff0a
--- /dev/null
+++ b/srcpkgs/xbps/patches/sig2.patch
@@ -0,0 +1,220 @@
+https://github.com/void-linux/xbps/pull/565 but rebased on 0.59.1
+
+From d7a0fc190b00fbb083688993971f466df834ceaa Mon Sep 17 00:00:00 2001
+From: classabbyamp <void@placeviolette.net>
+Date: Tue, 8 Aug 2023 00:36:10 -0400
+Subject: [PATCH] lib/, bin/: fix signature type, now called *.sig2
+
+Since 8d5c48b, xbps has used a sha1 ASN1 prefix with a sha256 hash, and
+as of openssl v3, openssl cares about this. This works around that in a
+compatible way by moving to a second sig file, binpkg.sig2.
+
+For xbps-remove -O and xbps-rindex -r, also clean up obselete .sig files.
+---
+ bin/xbps-remove/clean-cache.c | 10 +++++++++-
+ bin/xbps-rindex/remove-obsoletes.c | 13 +++++++++++--
+ bin/xbps-rindex/sign.c | 9 ++-------
+ include/xbps.h.in | 4 ++--
+ lib/transaction_fetch.c | 10 +++++-----
+ lib/util.c | 6 +++---
+ lib/verifysig.c | 4 ++--
+ 7 files changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/bin/xbps-remove/clean-cache.c b/bin/xbps-remove/clean-cache.c
+index 43ff6057..680a4d1e 100644
+--- a/bin/xbps-remove/clean-cache.c
++++ b/bin/xbps-remove/clean-cache.c
+@@ -43,7 +43,7 @@ cleaner_cb(struct xbps_handle *xhp, xbps_object_t obj,
+ {
+ xbps_dictionary_t repo_pkgd;
+ const char *binpkg, *rsha256;
+- char *binpkgsig, *pkgver, *arch;
++ char *binpkgsig, *binpkgsig2, *pkgver, *arch;
+ bool drun = false;
+
+ /* Extract drun (dry-run) flag from arg*/
+@@ -78,6 +78,7 @@ cleaner_cb(struct xbps_handle *xhp, xbps_object_t obj,
+ }
+ }
+ binpkgsig = xbps_xasprintf("%s.sig", binpkg);
++ binpkgsig2 = xbps_xasprintf("%s.sig2", binpkg);
+ if (!drun && unlink(binpkg) == -1) {
+ fprintf(stderr, "Failed to remove `%s': %s\n",
+ binpkg, strerror(errno));
+@@ -91,6 +92,13 @@ cleaner_cb(struct xbps_handle *xhp, xbps_object_t obj,
+ }
+ }
+ free(binpkgsig);
++ if (!drun && unlink(binpkgsig2) == -1) {
++ if (errno != ENOENT) {
++ fprintf(stderr, "Failed to remove `%s': %s\n",
++ binpkgsig2, strerror(errno));
++ }
++ }
++ free(binpkgsig2);
+
+ return 0;
+ }
+diff --git a/bin/xbps-rindex/remove-obsoletes.c b/bin/xbps-rindex/remove-obsoletes.c
+index 80cf2fff..de776145 100644
+--- a/bin/xbps-rindex/remove-obsoletes.c
++++ b/bin/xbps-rindex/remove-obsoletes.c
+@@ -39,11 +39,12 @@
+ static int
+ remove_pkg(const char *repodir, const char *file)
+ {
+- char *filepath, *sigpath;
++ char *filepath, *sigpath, *sig2path;
+ int rv = 0;
+
+ filepath = xbps_xasprintf("%s/%s", repodir, file);
+ sigpath = xbps_xasprintf("%s.sig", filepath);
++ sig2path = xbps_xasprintf("%s.sig2", filepath);
+ if (remove(filepath) == -1) {
+ if (errno != ENOENT) {
+ rv = errno;
+@@ -55,10 +56,18 @@ remove_pkg(const char *repodir, const char *file)
+ if (errno != ENOENT) {
+ rv = errno;
+ fprintf(stderr, "xbps-rindex: failed to remove "
+- "package signature `%s': %s\n", sigpath, strerror(rv));
++ "legacy package signature `%s': %s\n", sigpath, strerror(rv));
++ }
++ }
++ if (remove(sig2path) == -1) {
++ if (errno != ENOENT) {
++ rv = errno;
++ xbps_error_printf("xbps-rindex: failed to remove "
++ "package signature `%s': %s\n", sig2path, strerror(rv));
+ }
+ }
+ free(sigpath);
++ free(sig2path);
+ free(filepath);
+
+ return rv;
+diff --git a/bin/xbps-rindex/sign.c b/bin/xbps-rindex/sign.c
+index 666f7e24..94886f80 100644
+--- a/bin/xbps-rindex/sign.c
++++ b/bin/xbps-rindex/sign.c
+@@ -106,12 +106,7 @@ rsa_sign_file(RSA *rsa, const char *file,
+ return false;
+ }
+
+- /*
+- * XXX: NID_sha1 is wrong, doesn't make it any weaker
+- * but the ASN1 is wrong, OpenSSL/LibreSSL doesn't care.
+- * Other implementations like golang fail because of this.
+- */
+- if (!RSA_sign(NID_sha1, digest, XBPS_SHA256_DIGEST_SIZE,
++ if (!RSA_sign(NID_sha256, digest, XBPS_SHA256_DIGEST_SIZE,
+ *sigret, siglen, rsa)) {
+ free(*sigret);
+ return false;
+@@ -262,7 +257,7 @@ sign_pkg(struct xbps_handle *xhp, const char *binpkg, const char *privkey, bool
+ char *sigfile = NULL;
+ int rv = 0, sigfile_fd = -1;
+
+- sigfile = xbps_xasprintf("%s.sig", binpkg);
++ sigfile = xbps_xasprintf("%s.sig2", binpkg);
+ /*
+ * Skip pkg if file signature exists
+ */
+diff --git a/include/xbps.h.in b/include/xbps.h.in
+index a8024a2b..07af916b 100644
+--- a/include/xbps.h.in
++++ b/include/xbps.h.in
+@@ -1958,8 +1958,8 @@ bool xbps_verify_signature(struct xbps_repo *repo, const char *sigfile,
+ * in \a repo.
+ *
+ * @param[in] repo Repository to use with the RSA public key associated.
+- * @param[in] fname The filename to verify, the signature file must have a .sig
+- * extension, i.e `<fname>.sig`.
++ * @param[in] fname The filename to verify, the signature file must have a .sig2
++ * extension, i.e `<fname>.sig2`.
+ *
+ * @return True if the signature is valid, false otherwise.
+ */
+diff --git a/lib/transaction_fetch.c b/lib/transaction_fetch.c
+index c3cc7ed0..456d500d 100644
+--- a/lib/transaction_fetch.c
++++ b/lib/transaction_fetch.c
+@@ -69,7 +69,7 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd)
+ xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver,
+ "%s: removed pkg archive and its signature.", pkgver);
+ (void)remove(binfile);
+- sigfile = xbps_xasprintf("%s.sig", binfile);
++ sigfile = xbps_xasprintf("%s.sig2", binfile);
+ (void)remove(sigfile);
+ free(sigfile);
+ goto out;
+@@ -108,8 +108,8 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd)
+ xbps_dictionary_get_cstring_nocopy(repo_pkgd, "pkgver", &pkgver);
+ xbps_dictionary_get_cstring_nocopy(repo_pkgd, "architecture", &arch);
+
+- snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig", repoloc, pkgver, arch);
+- sigsuffix = buf+(strlen(buf)-sizeof (".sig")+1);
++ snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig2", repoloc, pkgver, arch);
++ sigsuffix = buf+(strlen(buf)-sizeof (".sig2")+1);
+
+ xbps_set_cb_state(xhp, XBPS_STATE_DOWNLOAD, 0, pkgver,
+ "Downloading `%s' signature (from `%s')...", pkgver, repoloc);
+@@ -143,8 +143,8 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd)
+ xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver,
+ "%s: verifying RSA signature...", pkgver);
+
+- snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig", xhp->cachedir, pkgver, arch);
+- sigsuffix = buf+(strlen(buf)-sizeof (".sig")+1);
++ snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig2", xhp->cachedir, pkgver, arch);
++ sigsuffix = buf+(strlen(buf)-sizeof (".sig2")+1);
+
+ if ((repo = xbps_rpool_get_repo(repoloc)) == NULL) {
+ rv = errno;
+diff --git a/lib/util.c b/lib/util.c
+index 71afd43b..296c399d 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -403,15 +403,15 @@ xbps_remote_binpkg_exists(struct xbps_handle *xhp, xbps_dictionary_t pkgd)
+ "architecture", &arch))
+ return NULL;
+
+- snprintf(path, sizeof(path), "%s/%s.%s.xbps.sig", xhp->cachedir,
++ snprintf(path, sizeof(path), "%s/%s.%s.xbps.sig2", xhp->cachedir,
+ pkgver, arch);
+
+ /* check if the signature file exists */
+ if (access(path, R_OK) != 0)
+ return false;
+
+- /* strip the .sig suffix and check if binpkg file exists */
+- path[strlen(path)-sizeof (".sig")+1] = '\0';
++ /* strip the .sig2 suffix and check if binpkg file exists */
++ path[strlen(path)-sizeof (".sig2")+1] = '\0';
+
+ return access(path, R_OK) == 0;
+ }
+diff --git a/lib/verifysig.c b/lib/verifysig.c
+index 56537989..9aa574c2 100644
+--- a/lib/verifysig.c
++++ b/lib/verifysig.c
+@@ -63,7 +63,7 @@ rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey,
+ return false;
+ }
+
+- rv = RSA_verify(NID_sha1, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
++ rv = RSA_verify(NID_sha256, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
+ RSA_free(rsa);
+ BIO_free(bio);
+ ERR_free_strings();
+@@ -145,7 +145,7 @@ xbps_verify_file_signature(struct xbps_repo *repo, const char *fname)
+ return false;
+ }
+
+- snprintf(sig, sizeof sig, "%s.sig", fname);
++ snprintf(sig, sizeof sig, "%s.sig2", fname);
+ val = xbps_verify_signature(repo, sig, digest);
+
+ return val;
+--
+2.41.0
+
diff --git a/srcpkgs/xbps/template b/srcpkgs/xbps/template
index 1c9373c498dc8..2d02a562b4954 100644
--- a/srcpkgs/xbps/template
+++ b/srcpkgs/xbps/template
@@ -1,7 +1,7 @@
# Template file for 'xbps'
pkgname=xbps
version=0.59.1
-revision=8
+revision=9
bootstrap=yes
build_style=configure
short_desc="XBPS package system utilities"
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PR PATCH] [Updated] xbps: patch in workaround for openssl3 compat
[not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-45557@inbox.vuxu.org>
2023-08-15 17:36 ` [PR PATCH] [Updated] xbps: patch in workaround for openssl3 compat classabbyamp
@ 2023-08-15 21:05 ` classabbyamp
2023-08-16 23:21 ` [PR PATCH] [Merged]: " classabbyamp
2 siblings, 0 replies; 3+ messages in thread
From: classabbyamp @ 2023-08-15 21:05 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 531 bytes --]
There is an updated pull request by classabbyamp against master on the void-packages repository
https://github.com/classabbyamp/void-packages xbps-sig2
https://github.com/void-linux/void-packages/pull/45557
xbps: patch in workaround for openssl3 compat
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **YES**
backport of void-linux/xbps#565
A patch file from https://github.com/void-linux/void-packages/pull/45557.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-xbps-sig2-45557.patch --]
[-- Type: text/x-diff, Size: 11863 bytes --]
From de71256133361860905ded2af609bd8a256df384 Mon Sep 17 00:00:00 2001
From: classabbyamp <void@placeviolette.net>
Date: Tue, 8 Aug 2023 01:28:56 -0400
Subject: [PATCH] xbps: patch in workaround for openssl3 compat
---
srcpkgs/xbps/patches/openssl3.patch | 46 ++++++
srcpkgs/xbps/patches/sig2.patch | 246 ++++++++++++++++++++++++++++
srcpkgs/xbps/template | 2 +-
3 files changed, 293 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/xbps/patches/openssl3.patch
create mode 100644 srcpkgs/xbps/patches/sig2.patch
diff --git a/srcpkgs/xbps/patches/openssl3.patch b/srcpkgs/xbps/patches/openssl3.patch
new file mode 100644
index 0000000000000..b47a998a5ac24
--- /dev/null
+++ b/srcpkgs/xbps/patches/openssl3.patch
@@ -0,0 +1,46 @@
+From db1766986c4389eb7e17c0e0076971b711617ef9 Mon Sep 17 00:00:00 2001
+From: Juan RP <xtraeme@gmail.com>
+Date: Thu, 16 Apr 2020 14:57:18 +0200
+Subject: [PATCH] configure: accept any openssl version.
+
+---
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index da8ae75fa..383bc927b 100755
+--- a/configure
++++ b/configure
+@@ -704,7 +704,7 @@ fi
+ # libssl with pkg-config support is required.
+ #
+ printf "Checking for libssl via pkg-config ... "
+-if pkg-config --exists 'libssl < 1.2' && ! pkg-config --exists libtls ; then
++if pkg-config --exists 'libssl' && ! pkg-config --exists libtls ; then
+ echo "found OpenSSL version $(pkg-config --modversion libssl)."
+ elif pkg-config --exists libssl libtls; then
+ echo "found LibreSSL version $(pkg-config --modversion libssl)."
+
+---
+From a65013e7370479243de62d56b44eb08d6bae943d Mon Sep 17 00:00:00 2001
+From: classabbyamp <void@placeviolette.net>
+Date: Tue, 8 Aug 2023 01:32:17 -0400
+Subject: [PATCH] configure: workaround for openssl3 compat
+
+---
+ configure | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/configure b/configure
+index 303c90a1..c7d78bf1 100755
+--- a/configure
++++ b/configure
+@@ -368,6 +368,8 @@ fi
+ if [ "$CC" = "tcc" ]; then
+ echo "CFLAGS += -Wno-error" >>$CONFIG_MK
+ fi
++# openssl 3 compatibility
++echo "CFLAGS += -Wno-error=deprecated-declarations">>$CONFIG_MK
+
+ # libfetch
+ echo "CPPFLAGS += -I\$(TOPDIR)/lib/fetch" >>$CONFIG_MK
diff --git a/srcpkgs/xbps/patches/sig2.patch b/srcpkgs/xbps/patches/sig2.patch
new file mode 100644
index 0000000000000..973a84173d48a
--- /dev/null
+++ b/srcpkgs/xbps/patches/sig2.patch
@@ -0,0 +1,246 @@
+https://github.com/void-linux/xbps/pull/565 but rebased on 0.59.1
+
+From d7a0fc190b00fbb083688993971f466df834ceaa Mon Sep 17 00:00:00 2001
+From: classabbyamp <void@placeviolette.net>
+Date: Tue, 8 Aug 2023 00:36:10 -0400
+Subject: [PATCH] lib/, bin/: fix signature type, now called *.sig2
+
+Since 8d5c48b, xbps has used a sha1 ASN1 prefix with a sha256 hash, and
+as of openssl v3, openssl cares about this. This works around that in a
+compatible way by moving to a second sig file, binpkg.sig2.
+
+For xbps-remove -O and xbps-rindex -r, also clean up obselete .sig files.
+---
+ bin/xbps-remove/clean-cache.c | 10 +++++++++-
+ bin/xbps-rindex/remove-obsoletes.c | 13 +++++++++++--
+ bin/xbps-rindex/sign.c | 9 ++-------
+ include/xbps.h.in | 4 ++--
+ lib/transaction_fetch.c | 10 +++++-----
+ lib/util.c | 6 +++---
+ lib/verifysig.c | 4 ++--
+ 7 files changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/bin/xbps-remove/clean-cache.c b/bin/xbps-remove/clean-cache.c
+index 43ff6057..680a4d1e 100644
+--- a/bin/xbps-remove/clean-cache.c
++++ b/bin/xbps-remove/clean-cache.c
+@@ -43,7 +43,7 @@ cleaner_cb(struct xbps_handle *xhp, xbps_object_t obj,
+ {
+ xbps_dictionary_t repo_pkgd;
+ const char *binpkg, *rsha256;
+- char *binpkgsig, *pkgver, *arch;
++ char *binpkgsig, *binpkgsig2, *pkgver, *arch;
+ bool drun = false;
+
+ /* Extract drun (dry-run) flag from arg*/
+@@ -78,6 +78,7 @@ cleaner_cb(struct xbps_handle *xhp, xbps_object_t obj,
+ }
+ }
+ binpkgsig = xbps_xasprintf("%s.sig", binpkg);
++ binpkgsig2 = xbps_xasprintf("%s.sig2", binpkg);
+ if (!drun && unlink(binpkg) == -1) {
+ fprintf(stderr, "Failed to remove `%s': %s\n",
+ binpkg, strerror(errno));
+@@ -91,6 +92,13 @@ cleaner_cb(struct xbps_handle *xhp, xbps_object_t obj,
+ }
+ }
+ free(binpkgsig);
++ if (!drun && unlink(binpkgsig2) == -1) {
++ if (errno != ENOENT) {
++ fprintf(stderr, "Failed to remove `%s': %s\n",
++ binpkgsig2, strerror(errno));
++ }
++ }
++ free(binpkgsig2);
+
+ return 0;
+ }
+diff --git a/bin/xbps-rindex/remove-obsoletes.c b/bin/xbps-rindex/remove-obsoletes.c
+index 80cf2fff..de776145 100644
+--- a/bin/xbps-rindex/remove-obsoletes.c
++++ b/bin/xbps-rindex/remove-obsoletes.c
+@@ -39,11 +39,12 @@
+ static int
+ remove_pkg(const char *repodir, const char *file)
+ {
+- char *filepath, *sigpath;
++ char *filepath, *sigpath, *sig2path;
+ int rv = 0;
+
+ filepath = xbps_xasprintf("%s/%s", repodir, file);
+ sigpath = xbps_xasprintf("%s.sig", filepath);
++ sig2path = xbps_xasprintf("%s.sig2", filepath);
+ if (remove(filepath) == -1) {
+ if (errno != ENOENT) {
+ rv = errno;
+@@ -55,10 +56,18 @@ remove_pkg(const char *repodir, const char *file)
+ if (errno != ENOENT) {
+ rv = errno;
+ fprintf(stderr, "xbps-rindex: failed to remove "
+- "package signature `%s': %s\n", sigpath, strerror(rv));
++ "legacy package signature `%s': %s\n", sigpath, strerror(rv));
++ }
++ }
++ if (remove(sig2path) == -1) {
++ if (errno != ENOENT) {
++ rv = errno;
++ xbps_error_printf("xbps-rindex: failed to remove "
++ "package signature `%s': %s\n", sig2path, strerror(rv));
+ }
+ }
+ free(sigpath);
++ free(sig2path);
+ free(filepath);
+
+ return rv;
+diff --git a/bin/xbps-rindex/sign.c b/bin/xbps-rindex/sign.c
+index 666f7e24..94886f80 100644
+--- a/bin/xbps-rindex/sign.c
++++ b/bin/xbps-rindex/sign.c
+@@ -106,12 +106,7 @@ rsa_sign_file(RSA *rsa, const char *file,
+ return false;
+ }
+
+- /*
+- * XXX: NID_sha1 is wrong, doesn't make it any weaker
+- * but the ASN1 is wrong, OpenSSL/LibreSSL doesn't care.
+- * Other implementations like golang fail because of this.
+- */
+- if (!RSA_sign(NID_sha1, digest, XBPS_SHA256_DIGEST_SIZE,
++ if (!RSA_sign(NID_sha256, digest, XBPS_SHA256_DIGEST_SIZE,
+ *sigret, siglen, rsa)) {
+ free(*sigret);
+ return false;
+@@ -262,7 +257,7 @@ sign_pkg(struct xbps_handle *xhp, const char *binpkg, const char *privkey, bool
+ char *sigfile = NULL;
+ int rv = 0, sigfile_fd = -1;
+
+- sigfile = xbps_xasprintf("%s.sig", binpkg);
++ sigfile = xbps_xasprintf("%s.sig2", binpkg);
+ /*
+ * Skip pkg if file signature exists
+ */
+diff --git a/include/xbps.h.in b/include/xbps.h.in
+index a8024a2b..07af916b 100644
+--- a/include/xbps.h.in
++++ b/include/xbps.h.in
+@@ -1958,8 +1958,8 @@ bool xbps_verify_signature(struct xbps_repo *repo, const char *sigfile,
+ * in \a repo.
+ *
+ * @param[in] repo Repository to use with the RSA public key associated.
+- * @param[in] fname The filename to verify, the signature file must have a .sig
+- * extension, i.e `<fname>.sig`.
++ * @param[in] fname The filename to verify, the signature file must have a .sig2
++ * extension, i.e `<fname>.sig2`.
+ *
+ * @return True if the signature is valid, false otherwise.
+ */
+diff --git a/lib/transaction_fetch.c b/lib/transaction_fetch.c
+index c3cc7ed0..456d500d 100644
+--- a/lib/transaction_fetch.c
++++ b/lib/transaction_fetch.c
+@@ -69,7 +69,7 @@ verify_binpkg(struct xbps_handle *xhp, xbps_dictionary_t pkgd)
+ xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver,
+ "%s: removed pkg archive and its signature.", pkgver);
+ (void)remove(binfile);
+- sigfile = xbps_xasprintf("%s.sig", binfile);
++ sigfile = xbps_xasprintf("%s.sig2", binfile);
+ (void)remove(sigfile);
+ free(sigfile);
+ goto out;
+@@ -108,8 +108,8 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd)
+ xbps_dictionary_get_cstring_nocopy(repo_pkgd, "pkgver", &pkgver);
+ xbps_dictionary_get_cstring_nocopy(repo_pkgd, "architecture", &arch);
+
+- snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig", repoloc, pkgver, arch);
+- sigsuffix = buf+(strlen(buf)-sizeof (".sig")+1);
++ snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig2", repoloc, pkgver, arch);
++ sigsuffix = buf+(strlen(buf)-sizeof (".sig2")+1);
+
+ xbps_set_cb_state(xhp, XBPS_STATE_DOWNLOAD, 0, pkgver,
+ "Downloading `%s' signature (from `%s')...", pkgver, repoloc);
+@@ -143,8 +143,8 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd)
+ xbps_set_cb_state(xhp, XBPS_STATE_VERIFY, 0, pkgver,
+ "%s: verifying RSA signature...", pkgver);
+
+- snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig", xhp->cachedir, pkgver, arch);
+- sigsuffix = buf+(strlen(buf)-sizeof (".sig")+1);
++ snprintf(buf, sizeof buf, "%s/%s.%s.xbps.sig2", xhp->cachedir, pkgver, arch);
++ sigsuffix = buf+(strlen(buf)-sizeof (".sig2")+1);
+
+ if ((repo = xbps_rpool_get_repo(repoloc)) == NULL) {
+ rv = errno;
+diff --git a/lib/util.c b/lib/util.c
+index 71afd43b..296c399d 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -403,15 +403,15 @@ xbps_remote_binpkg_exists(struct xbps_handle *xhp, xbps_dictionary_t pkgd)
+ "architecture", &arch))
+ return NULL;
+
+- snprintf(path, sizeof(path), "%s/%s.%s.xbps.sig", xhp->cachedir,
++ snprintf(path, sizeof(path), "%s/%s.%s.xbps.sig2", xhp->cachedir,
+ pkgver, arch);
+
+ /* check if the signature file exists */
+ if (access(path, R_OK) != 0)
+ return false;
+
+- /* strip the .sig suffix and check if binpkg file exists */
+- path[strlen(path)-sizeof (".sig")+1] = '\0';
++ /* strip the .sig2 suffix and check if binpkg file exists */
++ path[strlen(path)-sizeof (".sig2")+1] = '\0';
+
+ return access(path, R_OK) == 0;
+ }
+diff --git a/lib/verifysig.c b/lib/verifysig.c
+index 56537989..9aa574c2 100644
+--- a/lib/verifysig.c
++++ b/lib/verifysig.c
+@@ -63,7 +63,7 @@ rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey,
+ return false;
+ }
+
+- rv = RSA_verify(NID_sha1, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
++ rv = RSA_verify(NID_sha256, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
+ RSA_free(rsa);
+ BIO_free(bio);
+ ERR_free_strings();
+@@ -145,7 +145,7 @@ xbps_verify_file_signature(struct xbps_repo *repo, const char *fname)
+ return false;
+ }
+
+- snprintf(sig, sizeof sig, "%s.sig", fname);
++ snprintf(sig, sizeof sig, "%s.sig2", fname);
+ val = xbps_verify_signature(repo, sig, digest);
+
+ return val;
+--
+2.41.0
+---
+From 51e886baec3fd0edf1ed74e7c29badc3936f3696 Mon Sep 17 00:00:00 2001
+From: classabbyamp <void@placeviolette.net>
+Date: Tue, 15 Aug 2023 16:42:33 -0400
+Subject: [PATCH] lib/transaction_fetch.c: don't rely on digest being NULL
+
+caused issues when .xbps existed locally but .sig2 did not.
+---
+ lib/transaction_fetch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/transaction_fetch.c b/lib/transaction_fetch.c
+index 4af461db..4cbe288e 100644
+--- a/lib/transaction_fetch.c
++++ b/lib/transaction_fetch.c
+@@ -159,7 +159,7 @@ download_binpkg(struct xbps_handle *xhp, xbps_dictionary_t repo_pkgd)
+ * If digest is not set, binary package was not downloaded,
+ * i.e. 304 not modified, verify by file instead.
+ */
+- if (*digest) {
++ if (fetchLastErrCode == FETCH_UNCHANGED) {
+ *sigsuffix = '\0';
+ if (!xbps_verify_file_signature(repo, buf)) {
+ rv = EPERM;
+--
+2.41.0
+
diff --git a/srcpkgs/xbps/template b/srcpkgs/xbps/template
index 1c9373c498dc8..2d02a562b4954 100644
--- a/srcpkgs/xbps/template
+++ b/srcpkgs/xbps/template
@@ -1,7 +1,7 @@
# Template file for 'xbps'
pkgname=xbps
version=0.59.1
-revision=8
+revision=9
bootstrap=yes
build_style=configure
short_desc="XBPS package system utilities"
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PR PATCH] [Merged]: xbps: patch in workaround for openssl3 compat
[not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-45557@inbox.vuxu.org>
2023-08-15 17:36 ` [PR PATCH] [Updated] xbps: patch in workaround for openssl3 compat classabbyamp
2023-08-15 21:05 ` classabbyamp
@ 2023-08-16 23:21 ` classabbyamp
2 siblings, 0 replies; 3+ messages in thread
From: classabbyamp @ 2023-08-16 23:21 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 363 bytes --]
There's a merged pull request on the void-packages repository
xbps: patch in workaround for openssl3 compat
https://github.com/void-linux/void-packages/pull/45557
Description:
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **YES**
backport of void-linux/xbps#565
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-08-16 23:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-45557@inbox.vuxu.org>
2023-08-15 17:36 ` [PR PATCH] [Updated] xbps: patch in workaround for openssl3 compat classabbyamp
2023-08-15 21:05 ` classabbyamp
2023-08-16 23:21 ` [PR PATCH] [Merged]: " classabbyamp
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).