@dashea
Created June 4, 2019 17:08
verify rpmsign --signfiles
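#!/bin/sh
# Build a throwaway package and sign its payload file with
# `rpmsign --signfiles`. Every key and passphrase below is a fixture for this
# test only; none of them should be reused for real package or file signing.

# Create the package signing key.
# NOTE(review): 1024-bit RSA is below current minimum key sizes; it is
# tolerable here only because the key is disposable.
# The gpg exit statuses are deliberately left unchecked: a missing package
# signing key surfaces as an rpmsign failure, which is checked below.
gpg --homedir "$PWD" --batch --gen-key << 'EOF'
Key-Type: RSA
Key-Length: 1024
Name-Real: Test User
Name-Email: test@example.com
Expire-Date: 0
%commit
EOF
# NOTE(review): the passphrase is passed as a command-line argument, so it is
# readable from the process list while gpg2 runs. A real key would take its
# passphrase from a file descriptor or an agent instead.
gpg2 --homedir "$PWD" --batch --passphrase qweqwe --no-default-keyring \
  --keyring "$PWD/testring.gpg" --quick-gen-key test@example.com

# Create the file signing key. The header check later in this script expects a
# 0x0080-byte (128-byte) signature, which ties the test to this 1024-bit size.
# NOTE(review): no cipher option is given, so genrsa appears to write the key
# unencrypted and -passout looks unused -- confirm.
openssl genrsa -out testkey.pem -passout pass:qweqwe 1024 || {
  echo "Failed to generate the file signing key" >&2
  exit 1
}

# Create a package with one data file
cat > test.spec << 'EOF'
Name: test
Version: 1.0
Release: 1
Summary: test package
License: GPLv2+
BuildArch: noarch
%description
test package
%prep
%build
%install
mkdir -p %{buildroot}
echo 'hello world' > %{buildroot}/data
%files
/data
%changelog
EOF

# Stop on a failed build or a failed signing step. Without these checks a
# package left in RPMS/ by an earlier run would be inspected instead, and the
# verification could pass against a stale signature.
rpmbuild -bb -D "_topdir ${PWD}" test.spec || {
  echo "rpmbuild failed" >&2
  exit 1
}

# sign the files
rpmsign --addsign --signfiles --fskpath testkey.pem \
  -D "_gpg_name test@example.com" \
  -D "_gpg_path $PWD" \
  -D "__gpg /usr/bin/gpg" \
  -D '_file_signing_key_password qweqwe' \
  RPMS/noarch/test-1.0-1.noarch.rpm || {
  echo "rpmsign failed" >&2
  exit 1
}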
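# Verify the signature
#
# The FILESIGNATURES tag is read as a hex string and checked field by field,
# then the trailing signature bytes are verified with openssl against the
# known file contents. The exit status of the final openssl command is the
# exit status of the script.

# Print a failed check on stderr and stop with a non-zero status.
fail() {
  echo "$1" >&2
  exit 1
}

# Print the characters of $signature in the given `cut -c` range. printf is
# used so the value is never interpreted as echo options or escapes.
sig_field() {
  printf '%s\n' "$signature" | cut -c"$1"
}

signature="$(rpm -q --qf '[%{FILESIGNATURES}\n]' RPMS/noarch/test-1.0-1.noarch.rpm)"

# First byte should be 0x03
# NOTE(review): in the IMA xattr layout this leading byte looks like the
# signature type (digital signature) rather than an rpm version -- confirm
# before relying on the variable name or the message text.
rpmversion="$(sig_field 1-2)"
[ "$rpmversion" = "03" ] || fail "Invalid rpm version: $rpmversion"

# Second byte is 0x02, the version of the ima-evm-utils headers
imaversion="$(sig_field 3-4)"
[ "$imaversion" = 02 ] || fail "Wrong ima-evm-utils version: $imaversion"

# Next is 0x04, to indicate the hash is SHA-256
hashid="$(sig_field 5-6)"
[ "$hashid" = 04 ] || fail "Wrong hash identifier: $hashid"

# Next is the key id, which is the last 4 bytes of the SHA-1 sum of the DER
# representation of the public key. sed keeps the last 8 hex characters of
# the digest line.
expected_keyid="$(openssl rsa -outform DER -RSAPublicKey_out -in testkey.pem | openssl dgst -sha1 -hex | sed 's/.*\(........\)$/\1/')"
actual_keyid="$(sig_field 7-14)"
[ "$expected_keyid" = "$actual_keyid" ] ||
  fail "Key IDs do not match: expected $expected_keyid, actual $actual_keyid"

# signature length, 2 bytes, should be 128 (0x0080)
signature_length="$(sig_field 15-18)"
[ "$signature_length" = "0080" ] || fail "Unexpected payload length: $signature_length"

# the rest is the signature data, verify it against the source file contents
sig_field 19- | xxd -r -p > test.signature
# A failed export must stop the run; otherwise a testkey.pub left over from an
# earlier run would be used for the verification.
openssl rsa -outform PEM -pubout -in testkey.pem -out testkey.pub ||
  fail "Failed to export the public key"
echo 'hello world' | openssl dgst -sha256 -verify testkey.pub -signature test.signature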