hughsie / libjcat
Library for reading and writing Jcat files
License: GNU Lesser General Public License v2.1
Hi, it looks like the "let's create a jcat file with a single checksum" sample from the README doesn't work with jcat-tool v0.1.4:
ubuntu@foo:~/tmp$ jcat-tool --version
libjcat 0.1.4
ubuntu@foo:~/tmp$ jcat-tool sign test.jcat firmware.bin sha256
Invalid arguments, expected FILENAME SOURCE CERT PRIVKEY
Usage:
<SNIP>
Most of the OSS projects are using openssl instead of gnutls.
It would be good to have possibility to build libjcat against openssl.
e.g. using the client binary, I can do --output_inclusion_proof for the manifest to get the current checkpoint.
I'm a bit clueless on how to do that with the current exported API. :)
e.g. using the client binary, I can do --output_checkpoint to get the current checkpoint.
Is this just a case of calling jcat_bt_parse_checkpoint and then reading out the cp_hash?
Jcat:ERROR:../libjcat/jcat-self-test.c:221:jcat_sha1_engine_func: assertion failed (error == NULL): Failed to open file ?/build/source/data/tests/colorhug/firmware.bin?: No such file or directory (g-file-error-quark, 4)
Bail out! Jcat:ERROR:../libjcat/jcat-self-test.c:221:jcat_sha1_engine_func: assertion failed (error == NULL): Failed to open file ?/build/source/data/tests/colorhug/firmware.bin?: No such file or directory (g-file-error-quark, 4)
Describe the bug
jcat-tool verify fails due to sha1: verifying data is not supported
Steps to Reproduce
wget https://fwupd.org/downloads/firmware.xml.gz
wget https://fwupd.org/downloads/firmware.xml.gz.jcat
mv firmware.xml.gz firmware-01310-stable.xml.gz
$ jcat-tool verify -v firmware.xml.gz.jcat --public-keys /etc/pki/fwupd
(jcat-tool:82699): GLib-GIO-DEBUG: 22:07:08.728: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
firmware-01310-stable.xml.gz:
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.730: reading ./firmware-01310-stable.xml.gz with 479016 bytes
FAILED sha1: verifying data is not supported
FAILED sha256: verifying data is not supported
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.730: ignoring GPG-KEY-Linux-Vendor-Firmware-Service as not PKCS-7 certificate
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.730: ignoring GPG-KEY-Linux-Foundation-Firmware as not PKCS-7 certificate
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.730: trying to load certificate from /etc/pki/fwupd/LVFS-CA.pem
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.730: reading /etc/pki/fwupd/LVFS-CA.pem with 1679 bytes
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.731: loaded 1 certificates
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.731: ignoring GPG-KEY-Hughski-Limited as not PKCS-7 certificate
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.731: got 1 PKCS7 signatures
PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.737: using gpgme v1.13.1-unknown
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.761: Using engine at /home/nkaminski/.local/share/libjcat/gnupg
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.768: Adding GnuPG public key /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.780: importing key 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2 [0] Success
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.780: Adding GnuPG public key /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.792: importing key F2F0325648E1AE4956710198C6361787A0A849E1 [0] Success
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.792: ignoring LVFS-CA.pem as not GPG public key
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.792: Adding GnuPG public key /etc/pki/fwupd/GPG-KEY-Hughski-Limited
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.803: importing key 7E5439F64986F7A9E973809BAD8A528FEC44881E [0] Success
(jcat-tool:82699): Jcat-DEBUG: 22:07:08.814: returned signature fingerprint 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
FAILED: Validation failed
Validation failed
Expected behavior
jcat-tool should check sha1 and sha256, as it is presented in the README.md.
jcat version information
Fedora 32: 0.1.5 (dnf Updates Testing and package built from master),
Ubuntu 20.04: 0.1.0 (apt)
Meson tests pass.
Describe the bug
jcat-tool verify does not validate the file named as AliasId. It's needed to change the file name to ID.
Steps to Reproduce
wget https://fwupd.org/downloads/firmware.xml.gz
wget https://fwupd.org/downloads/firmware.xml.gz.jcat
jcat-tool verify -v firmware.xml.gz.jcat --public-keys /etc/pki/fwupd
$ jcat-tool verify -v firmware.xml.gz.jcat --public-keys /etc/pki/fwupd
(jcat-tool:86530): GLib-GIO-DEBUG: 22:47:11.296: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
firmware-01310-stable.xml.gz:
FAILED: Failed to open file “./firmware-01310-stable.xml.gz”: No such file or directory
Validation failed
jcat info:
JcatFile:
Version: 0.1
JcatItem:
ID: firmware-01310-stable.xml.gz
AliasId: firmware.xml.gz
JcatBlob:
Kind: sha1
Flags: is-utf8
Timestamp: 2021-01-13T09:36:07Z
Size: 0x28
Data: e48d8fff38d7ae4d71f23cf7df3796b547a5db94
JcatBlob:
Kind: sha256
Flags: is-utf8
Timestamp: 2021-01-13T09:36:07Z
Size: 0x40
Data: 500b7b495b54af762edd9e02c550540c2c0b73821ca576c6a98420ff55cf5524
JcatBlob:
Kind: pkcs7
Flags: is-utf8
Timestamp: 2021-01-13T09:36:07Z
Size: 0x8c0
Data: -----BEGIN PKCS7-----
MIIGUgYJKoZIhvcNAQcCoIIGQzCCBj8CAQExDTALBglghkgBZQMEAgEwCwYJKoZI
hvcNAQcBoIIEOjCCBDYwggKeoAMCAQICDFprhisibP88kP07YjANBgkqhkiG9w0B
[...]
WqpvPqXiEFxtwS2rAiqSsPQIg9SOVg4Y3oW9NBTMuw4tUxuMGvmhIoQur50ReT/p
lc1waTFmozFKyvbkHi5dbIvn3wNRUFERGlSla1Oq8LdsenKyrfGZc6yOf6ERH8ct
mOerswrj7ttfejcWvbsTzhKh6Q4kwn1kFbPNw/nQMVBwm5F/LJM=
-----END PKCS7-----
JcatBlob:
Kind: gpg
Flags: is-utf8
Timestamp: 2021-01-13T09:36:07Z
Size: 0x1e8
Data: -----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEP8a4BEEO0IQNjy+XSKbYDkU4usIFAl/+vwcACgkQSKbYDkU4
[...]
lwdAMiN33i2qjuoZW054RyLQRWt8ZA==
=yARu
-----END PGP SIGNATURE-----
Expected behavior
jcat-tool should find and validate file named as AliasId.
jcat version information
Fedora 32: 0.1.5 (dnf Updates Testing and package built from master)
Fedora 32: 0.1.2 (dnf)
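The behaviour the two verify reports above ask for (check the sha1 and sha256 blobs, and find the payload under either its ID or its AliasId) can be reproduced outside the tool. This is an added example, not libjcat code and not part of either report; it assumes the flattened `jcat info` text layout shown above, and `parse_info`, `verify_item` and `demo` are hypothetical names with constructed sample data.

```python
import hashlib
import os
import tempfile

def parse_info(text):
    """Parse flattened `jcat info` text into items: ids (ID first) and checksum blobs."""
    items, item, kind = [], None, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "JcatItem":
            item = {"ids": [], "sums": {}}
            items.append(item)
        elif key == "JcatBlob":
            kind = None                       # do not carry a Kind across blobs
        elif item is None:
            continue
        elif key in ("ID", "AliasId"):
            item["ids"].append(value)
        elif key == "Kind":
            kind = value
        elif key == "Data" and kind in ("sha1", "sha256"):
            item["sums"][kind] = value.lower()  # signature blobs are skipped
    return items

def verify_item(item, directory):
    """Return {kind: matched} for the first ID/AliasId that exists in directory."""
    for name in item["ids"]:
        # basename() keeps a catalog-supplied name from escaping `directory`
        path = os.path.join(directory, os.path.basename(name))
        if os.path.isfile(path):
            break
    else:
        raise FileNotFoundError("none of %s found in %s" % (item["ids"], directory))
    with open(path, "rb") as f:
        data = f.read()
    return {k: hashlib.new(k, data).hexdigest() == v for k, v in item["sums"].items()}

def demo():
    """Constructed catalog text and payload; only the AliasId file exists on disk."""
    payload = b"constructed sample payload\n"
    info = "\n".join([
        "JcatFile:", "Version: 0.1", "JcatItem:",
        "ID: firmware-00000-stable.xml.gz", "AliasId: firmware.xml.gz",
        "JcatBlob:", "Kind: sha1", "Data: " + hashlib.sha1(payload).hexdigest(),
        "JcatBlob:", "Kind: sha256", "Data: " + hashlib.sha256(payload).hexdigest(),
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "firmware.xml.gz"), "wb") as f:
            f.write(payload)
        return verify_item(parse_info(info)[0], d)
```

A checksum match only shows that the file agrees with the catalog; authenticity still depends on the pkcs7 or gpg result.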
:D
In d6dc3e9 the meson version was bumped to 0.52. This has broken LGTM CI on fwupd since it only has meson 0.51.2. Can it be bumped down back to 0.51 instead?
The build-time tests assume they can sign /etc/machine-id, but distro packages are sometimes built in a minimal chroot/container that doesn't have any init system or related packages (systemd or otherwise), so nothing creates a machine ID there.
Patch on the way.
Rather than distros cherry pick the security patch, I think it would be good to spin a new release soon.
It seems that at least in Debian and Ubuntu there is a package called sleuthkit that provides the binary jcat. Would you consider renaming it to jcat-tool, or json-catalog (or anything else similar)?
Otherwise it's going to mean having to have a conflicts relationship to sleuthkit so people can never install them side by side.
On Darwin the build still fails:
[21/39] Generating jcat_mapfile with a custom command..
FAILED: libjcat/jcat.map
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py LIBJCAT libjcat/Jcat-1.0.gir libjcat/jcat.map
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py: line 8: import: command not found
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py: line 9: import: command not found
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py: line 11: from: command not found
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py: line 13: XMLNS: command not found
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py: line 14: XMLNS_C: command not found
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py: line 16: syntax error near unexpected token `('
/private/tmp/nix-build-libjcat-0.1.0.drv-0/source/contrib/generate-version-script.py: line 16: `def usage(return_code):'
ninja: build stopped: subcommand failed.
Full log https://logs.nix.ci/?key=nixos/nixpkgs.83755&attempt_id=6e5d7606-89b1-415f-8201-73c9572e8bc5 (might disappear)
Downstream PR: NixOS/nixpkgs#83755
How serious is the problem that gzip is trying to solve?
I see that JSON tools don't really see gzip compression as something that belongs to the ecosystem
jqlang/jq#968
I remember we had this happening on fwupd too.
$ wine jcat-tool.exe
Command not found
Usage:
jcat-tool.exe [OPTION…]