Commit 525759b2 authored by Hans-Christoph Steiner's avatar Hans-Christoph Steiner

stop passing passphrases via args, instead use prepared files

Any process can read the process table, and can therefore see the entire
command line of any other process.  That means its a bad idea to ever put
passwords as part of a command line.  Python is executing keytool and
jarsigner command lines here, so now instead of putting the password on the
command line, a file is passed instead with suitable file permissions.
This should reduce the exposure a lot.  But still, sensitive passwords
should not be written to any text file.

This change requires OpenJDK-7 since the :file option to -storepass and
-keypass was only added in Java 7's keytool and jarsigner.
parent caa88ec3
......@@ -94,8 +94,26 @@ def read_config(opts, config_file='config.py'):
if st.st_mode & stat.S_IRWXG or st.st_mode & stat.S_IRWXO:
logging.warn("unsafe permissions on {0} (should be 0600)!".format(config_file))
for k in ["keystorepass", "keypass"]:
if k in config:
write_password_file(k)
return config
def write_password_file(pwtype, password=None):
'''
writes out passwords to a protected file instead of passing passwords as
command line argments
'''
filename = '.fdroid.' + pwtype + '.txt'
fd = os.open(filename, os.O_CREAT | os.O_WRONLY, 0600)
if password == None:
os.write(fd, config[pwtype])
else:
os.write(fd, password)
os.close(fd)
config[pwtype + 'file'] = filename
# Given the arguments in the form of multiple appid:[vc] strings, this returns
# a dictionary with the set of vercodes specified for each package.
def read_pkg_args(args, allow_vercodes=False):
......
......@@ -56,12 +56,15 @@ def genpassword():
def genkey(keystore, repo_keyalias, password, keydname):
'''generate a new keystore with a new key in it for signing repos'''
logging.info('Generating a new key in "' + keystore + '"...')
write_password_file("keystorepass", password)
write_password_file("keypass", password)
p = FDroidPopen(['keytool', '-genkey',
'-keystore', keystore, '-alias', repo_keyalias,
'-keyalg', 'RSA', '-keysize', '4096',
'-sigalg', 'SHA256withRSA',
'-validity', '10000',
'-storepass', password, '-keypass', password,
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'],
'-dname', keydname])
if p.returncode != 0:
raise BuildException("Failed to generate key", p.stdout)
......
......@@ -122,23 +122,23 @@ def main():
# if not generate one...
p = FDroidPopen(['keytool', '-list',
'-alias', keyalias, '-keystore', config['keystore'],
'-storepass', config['keystorepass']])
'-storepass:file', config['keystorepass']])
if p.returncode !=0:
logging.info("Key does not exist - generating...")
p = FDroidPopen(['keytool', '-genkey',
'-keystore', config['keystore'], '-alias', keyalias,
'-keyalg', 'RSA', '-keysize', '2048',
'-validity', '10000',
'-storepass', config['keystorepass'],
'-keypass', config['keypass'],
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'],
'-dname', config['keydname']])
if p.returncode != 0:
raise BuildException("Failed to generate key")
# Sign the application...
p = FDroidPopen(['jarsigner', '-keystore', config['keystore'],
'-storepass', config['keystorepass'],
'-keypass', config['keypass'], '-sigalg',
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'], '-sigalg',
'MD5withRSA', '-digestalg', 'SHA1',
apkfile, keyalias])
if p.returncode != 0:
......
......@@ -642,7 +642,7 @@ def make_index(apps, apks, repodir, archive, categories):
p = FDroidPopen(['keytool', '-exportcert',
'-alias', config['repo_keyalias'],
'-keystore', config['keystore'],
'-storepass', config['keystorepass']])
'-storepass:file', config['keystorepassfile']])
if p.returncode != 0:
logging.critical("Failed to get repo pubkey")
sys.exit(1)
......@@ -796,7 +796,8 @@ def make_index(apps, apks, repodir, archive, categories):
# Sign the index...
p = FDroidPopen(['jarsigner', '-keystore', config['keystore'],
'-storepass', config['keystorepass'], '-keypass', config['keypass'],
'-storepass:file', config['keystorepassfile'],
'-keypass:file', config['keypassfile'],
'-digestalg', 'SHA1', '-sigalg', 'MD5withRSA',
os.path.join(repodir, 'index.jar') , config['repo_keyalias']])
if p.returncode != 0:
......
......@@ -62,12 +62,16 @@ repo_keyalias = None
#somewhere safe and secure, and backed up!
keystore = "/home/me/somewhere/my.keystore"
#The password for the keystore (at least 6 characters).
keystorepass = "password1"
#The password for keys - the same is used for each auto-generated key
#as well as for the repository key.
keypass = "password2"
# The password for the keystore (at least 6 characters). If this password is
# different than the keypass below, it can be OK to store the password in this
# file for real use. But in general, sensitive passwords should not be stored
# in text files!
#keystorepass = "password1"
# The password for keys - the same is used for each auto-generated key as well
# as for the repository key. You should not normally store this password in a
# file since it is a sensitive password.
#keypass = "password2"
#The distinguished name used for all keys.
keydname = "CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment