Merge pull request #11 from open-edge-platform/pg-dev

Implementing trust chain for Debian Packages.gz

Author: yockgen

go.mod

@@ -3,6 +3,7 @@ module github.com/intel-innersource/os.linux.tiberos.os-curation-tool
 go 1.22.12
 
 require (
+	github.com/ProtonMail/go-crypto v1.2.0
 	github.com/cavaliergopher/rpm v1.3.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/schollz/progressbar/v3 v3.12.0
@@ -13,13 +14,14 @@ require (
 )
 
 require (
+	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/rivo/uniseg v0.4.2 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
 )

go.sum

@@ -1,5 +1,9 @@
+github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
+github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/cavaliergopher/rpm v1.3.0 h1:UHX46sasX8MesUXXQ+UbkFLUX4eUWTlEcX8jcnRBIgI=
 github.com/cavaliergopher/rpm v1.3.0/go.mod h1:vEumo1vvtrHM1Ov86f6+k8j7zNKOxQfHDCAIcR/36ZI=
+github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -36,16 +40,16 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/debutils/resolver.go

@@ -96,20 +96,63 @@ func ResolvePackageInfos(requested []provider.PackageInfo, all []provider.Packag
 }
 
 // ParsePrimary parses the Packages.gz file from gzHref.
-func ParsePrimary(baseURL, gzHref string) ([]provider.PackageInfo, error) {
+func ParsePrimary(baseURL, pkggz string, releaseFile string, releaseSign string, pbGPGKey string) ([]provider.PackageInfo, error) {
 	logger := zap.L().Sugar()
 
-	// Download the debian repo .gz file with all components meta data
-	pkgMetaDir := "./builds"
-	PkgMetaFile := "./builds/elxr12/Packages.gz"
-	if dir := os.DirFS(PkgMetaFile); dir != nil {
-		pkgMetaDir = filepath.Dir(PkgMetaFile)
+	// Ensure pkgMetaDir exists, create if not
+	pkgMetaDir := "./builds/elxr12"
+	if err := os.MkdirAll(pkgMetaDir, 0755); err != nil {
+		return nil, fmt.Errorf("failed to create pkgMetaDir: %v", err)
 	}
-	err := pkgfetcher.FetchPackages([]string{gzHref}, pkgMetaDir, 1)
+
+	//verify release file
+	localPkggzFile := filepath.Join(pkgMetaDir, filepath.Base(pkggz))
+	localReleaseFile := filepath.Join(pkgMetaDir, filepath.Base(releaseFile))
+	localReleaseSign := filepath.Join(pkgMetaDir, filepath.Base(releaseSign))
+	localPBGPGKey := filepath.Join(pkgMetaDir, filepath.Base(pbGPGKey))
+
+	// Remove any existing local files to ensure fresh downloads
+	localFiles := []string{localPkggzFile, localReleaseFile, localReleaseSign, localPBGPGKey}
+	for _, f := range localFiles {
+		if _, err := os.Stat(f); err == nil {
+			if remErr := os.Remove(f); remErr != nil {
+				return nil, fmt.Errorf("failed to remove old file %s: %v", f, remErr)
+			}
+		}
+	}
+
+	// Download the debian repo files
+	err := pkgfetcher.FetchPackages([]string{pkggz, releaseFile, releaseSign, pbGPGKey}, pkgMetaDir, 1)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch critical repo config packages: %v", err)
+	}
+	// Verify the release file
+	relVryResult, err := VerifyRelease(localReleaseFile, localReleaseSign, localPBGPGKey)
 	if err != nil {
-		return nil, fmt.Errorf("failed to fetch packages: %v", err)
+		return nil, fmt.Errorf("failed to verify release file: %v", err)
 	}
+	if !relVryResult {
+		return nil, fmt.Errorf("release file verification failed")
+	}
+
+	// verify the sham256 checksum of the Packages.gz file
+	pkggzVryResult, err := VerifyPackagegz(localReleaseFile, localPkggzFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to verify pkg file: %v", err)
+	}
+	if !pkggzVryResult {
+		return nil, fmt.Errorf("package file verification failed")
+	}
+
+	// Getting sha256sum of the Packages.gz file from the release file
+	// and verifying it with the local Packages.gz file
+	// localPkgMetaFile := filepath.Join(pkgMetaDir, filepath.Base(pkggz))
+	localPkgMetaFile := filepath.Join(pkgMetaDir, "Packages.gz")
+	logger.Infof("localPkgMetaFile: %s", localPkgMetaFile)
 
+	//Decompress the Packages.gz file
+	// The decompressed file will be named Packages (without .gz)
+	PkgMetaFile := pkgMetaDir + "/Packages.gz"
 	pkgMetaFileNoExt := filepath.Join(filepath.Dir(PkgMetaFile), strings.TrimSuffix(filepath.Base(PkgMetaFile), filepath.Ext(PkgMetaFile)))
 
 	files, err := Decompress(PkgMetaFile, pkgMetaFileNoExt)
@@ -118,14 +161,13 @@ func ParsePrimary(baseURL, gzHref string) ([]provider.PackageInfo, error) {
 	}
 	logger.Infof("decompressed files: %v", files)
 
-	// Parse the decompressed file
+	//Parse the decompressed file
 	f, err := os.Open(files[0])
 	if err != nil {
 		return nil, fmt.Errorf("failed to open decompressed file: %v", err)
 	}
 	defer f.Close()
 
-	// packages file parser
 	var pkgs []provider.PackageInfo
 	pkg := provider.PackageInfo{}
 	reader := bufio.NewReader(f)

internal/debutils/verify.go

@@ -1,16 +1,20 @@
 package debutils
 
 import (
+	"bufio"
 	"fmt"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 
+	"bytes"
 	"crypto/sha256"
 	"io"
 	"os"
 
+	"github.com/ProtonMail/go-crypto/openpgp"
+	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"github.com/schollz/progressbar/v3"
 	"go.uber.org/zap"
 )
@@ -23,9 +27,78 @@ type Result struct {
 	Error    error         // any error (signature fail, I/O, etc)
 }
 
-// VerifyAll takes a slice of RPM file paths, verifies each one in parallel,
+func VerifyPackagegz(relPath string, pkggzPath string) (bool, error) {
+	logger := zap.L().Sugar()
+	logger.Infof("Verifying package %s", pkggzPath)
+
+	// Get expected checksum from Release file
+	checksum, err := findChecksumInRelease(relPath, "SHA256", "main/binary-amd64/Packages.gz")
+	logger.Infof("Checksum from Release file (%s): %s Err:%s", relPath, checksum, err)
+	if err != nil {
+		return false, fmt.Errorf("failed to get checksum from Release: %w", err)
+	}
+
+	// Compute actual checksum of Packages.gz
+	actual, err := computeFileSHA256(pkggzPath)
+	if err != nil {
+		return false, fmt.Errorf("failed to compute checksum for %s: %w", pkggzPath, err)
+	}
+
+	// Compare
+	if !strings.EqualFold(actual, checksum) {
+		logger.Errorf("Checksum mismatch: expected %s, got %s", checksum, actual)
+		return false, fmt.Errorf("checksum mismatch: expected %s, got %s", checksum, actual)
+	}
+
+	logger.Infof("Checksum verified successfully for %s", pkggzPath)
+	return true, nil
+}
+
+func VerifyRelease(relPath string, relSignPath string, pKeyPath string) (bool, error) {
+	logger := zap.L().Sugar()
+
+	// Read the public key
+	keyringBytes, err := os.ReadFile(pKeyPath)
+	if err != nil {
+		return false, fmt.Errorf("failed to read public key: %w", err)
+	}
+
+	// Read the Release file and its signature
+	release, err := os.ReadFile(relPath)
+	if err != nil {
+		return false, fmt.Errorf("failed to read Release file: %w", err)
+	}
+	signature, err := os.ReadFile(relSignPath)
+	if err != nil {
+		return false, fmt.Errorf("failed to read Release signature: %w", err)
+	}
+
+	// Import the public key
+	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader(keyringBytes))
+	if err != nil {
+		return false, fmt.Errorf("failed to parse public key: %w", err)
+	}
+
+	// Verify the signature
+	sigReader := bytes.NewReader(signature)
+	releaseReader := bytes.NewReader(release)
+	_, err = openpgp.CheckArmoredDetachedSignature(
+		openpgp.EntityList(keyring), // cast to KeyRing
+		releaseReader,
+		sigReader,
+		&packet.Config{}, // pass a config, or nil
+	)
+	if err != nil {
+		return false, fmt.Errorf("signature verification failed: %w", err)
+	}
+
+	logger.Infof("Release file verified successfully")
+	return true, nil
+}
+
+// VerifyAll takes a slice of DEB file paths, verifies each one in parallel,
 // and returns a slice of results in the same order.
-func VerifyAll(paths []string, pkgChecksum map[string]string, pubkeyPath string, workers int) []Result {
+func VerifyDEBs(paths []string, pkgChecksum map[string]string, workers int) []Result {
 	logger := zap.L().Sugar()
 
 	logger.Infof("Verifying %d packages with %d workers", len(paths), workers)
@@ -153,3 +226,51 @@ func computeFileSHA256(path string) (string, error) {
 	}
 	return fmt.Sprintf("%x", hasher.Sum(nil)), nil
 }
+
+// FindChecksumInRelease parses the Release file and returns the checksum for the given file and checksum type.
+// Example: findChecksumInRelease("Release", "SHA256", "main/binary-amd64/Packages.gz")
+func findChecksumInRelease(releasePath, checksumType, fileName string) (string, error) {
+	f, err := os.Open(releasePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to open release file: %v", err)
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	inChecksumSection := false
+
+	for scanner.Scan() {
+		line := scanner.Text()
+		line = strings.TrimSpace(line)
+
+		// Check for the start of the checksum section
+		if strings.HasSuffix(line, ":") && strings.EqualFold(strings.TrimSuffix(line, ":"), checksumType) {
+			inChecksumSection = true
+			continue
+		}
+
+		// If we are in the checksum section, look for the file
+		if inChecksumSection {
+			// End of section if we hit a new section header or blank line
+			if line == "" || strings.HasSuffix(line, ":") {
+				break
+			}
+
+			parts := strings.Fields(line)
+			if len(parts) < 3 {
+				continue
+			}
+			if parts[2] == fileName {
+				return parts[0], nil
+			}
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return "", fmt.Errorf("error reading release file: %v", err)
+	}
+
+	logger := zap.L().Sugar()
+	logger.Warnf("Could not find %s in section %s of %s", fileName, checksumType, releasePath)
+	return "", fmt.Errorf("checksum for %s (%s) not found", fileName, checksumType)
+}