From 9a0847455532fd203768d37266aa461e65352095 Mon Sep 17 00:00:00 2001
From: Michał Górny
Date: Wed, 1 Mar 2023 20:25:55 +0100
Subject: Support verifying detached signatures of data from stdin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes: https://github.com/projg2/gemato/issues/28
Signed-off-by: Michał Górny
---
gemato/cli.py | 6 +++---
gemato/openpgp.py | 16 +++++++++++-----
tests/test_openpgp.py | 7 ++++---
3 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/gemato/cli.py b/gemato/cli.py
index b404da4..b85d9c4 100644
--- a/gemato/cli.py
+++ b/gemato/cli.py
@@ -618,8 +618,8 @@ class OpenPGPVerifyDetachedCommand(VerifyingOpenPGPMixin, GematoCommand): help="Path to the file containing the OpenPGP signature") subp.add_argument( "data_file", - type=Path, - help="Path to the file to verify") + type=argparse.FileType("rb"), + help="Path to the file to verify or \"-\" for stdin") def parse_args(self, args, argp): super().parse_args(args, argp)
@@ -642,7 +642,7 @@ class OpenPGPVerifyDetachedCommand(VerifyingOpenPGPMixin, GematoCommand): return 1 else: logging.info( - f"File {self.data_file} verified succesfully against " + f"File {self.data_file.name} verified successfully against " f"the signature in {self.signature_file}:") self.print_signatures(sigs)
diff --git a/gemato/openpgp.py b/gemato/openpgp.py
index e2f89ed..630872d 100644
--- a/gemato/openpgp.py
+++ b/gemato/openpgp.py
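Review bot: In the first gemato/cli.py hunk, `type=argparse.FileType("rb")` opens data_file while the arguments are being parsed, and nothing in the visible lines closes it again. A missing or unreadable file is therefore reported as an argparse usage error rather than through the command's own error handling, and the handle stays open until the process exits. I would close it once verification has finished, for example by wrapping the verify call in `with self.data_file:`; that call lies outside both hunks. The help text could also note that a file literally named `-` now has to be given as `./-`.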
@@ -310,14 +310,15 @@ class SystemGPGEnvironment: def verify_detached(self, signature_file: Path, - data_file: Path, + data_file: typing.IO[bytes], require_all_good: bool = True, ) -> OpenPGPSignatureList: """ Verify the file against a detached signature Verify the data from data_file against the detached signature - from signature_file. Both files are specified by Path. + from signature_file. data_file should be an open file, + whereas signature_file should be a Path object. Raise an exception if the verification fails. If require_all_good is True and the file contains multiple OpenPGP
@@ -328,7 +329,8 @@ class SystemGPGEnvironment: _, out, err = self._spawn_gpg( [GNUPG, "--batch", "--status-fd", "1", "--verify", - str(signature_file), str(data_file)]) + str(signature_file), "-"], + stdin_file=data_file) return self._process_gpg_verify_output(out, err, require_all_good) def clear_sign_file(self, f, outf, keyid=None):
@@ -353,14 +355,18 @@ class SystemGPGEnvironment: outf.write(out.decode('utf8')) def _spawn_gpg(self, argv, stdin='', env_override={}, - raise_on_error=None): + raise_on_error=None, + stdin_file: typing.Optional[typing.IO[bytes]] = None): env = os.environ.copy() env['TZ'] = 'UTC' env.update(env_override) + if stdin_file is None: + stdin_file = subprocess.PIPE + try: p = subprocess.Popen(argv, - stdin=subprocess.PIPE, + stdin=stdin_file, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env)
diff --git a/tests/test_openpgp.py b/tests/test_openpgp.py
index 149b769..0c43fc6 100644
--- a/tests/test_openpgp.py
+++ b/tests/test_openpgp.py
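Review bot: The new verify_detached docstring (first gemato/openpgp.py hunk) says only that data_file "should be an open file", but the second hunk passes it to gpg as the child's stdin, which carries two requirements the docstring does not state. The object must be backed by a real descriptor (an `io.BytesIO` is rejected by `subprocess.Popen`), and gpg reads from the descriptor's current offset, so a handle that has already been read from is checked only over the bytes that remain. I would add a docstring sentence such as `data_file must expose fileno() and be positioned at the start of the data; only bytes from the current offset are verified.` Existing callers that still pass a Path will also fail with this signature, as far as the visible code shows, so the change deserves a changelog entry or an `isinstance(data_file, Path)` fallback. The function's body is split across the first two hunks and continues outside them.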
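Review bot: In the third gemato/openpgp.py hunk, `_spawn_gpg` now accepts both `stdin` and `stdin_file` without saying how they interact. When `stdin_file` is set the child's stdin is no longer a pipe, so a string passed in `stdin` presumably cannot be delivered to gpg; the code that feeds `stdin` lies outside this hunk. I would reject the combination up front with `if stdin and stdin_file is not None: raise ValueError("stdin and stdin_file are mutually exclusive")`. A short docstring should also state that `stdin_file` becomes gpg's standard input and who is responsible for closing it.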
@@ -1140,9 +1140,10 @@ def test_verify_detached(tmp_path, key_var, two_sigs): with open(tmp_path / "sig.bin", "wb") as f: f.write(base64.b64decode(TWO_SIGNATURES)) - sig = openpgp_env.verify_detached( - tmp_path / "sig.bin", tmp_path / "data.bin", - require_all_good=two_sigs) + with open(tmp_path / "data.bin", "rb") as f: + sig = openpgp_env.verify_detached( + tmp_path / "sig.bin", f, + require_all_good=two_sigs) assert_signature(sig, "TWO_SIGNATURE_MANIFEST", expect_both=two_sigs)
-- cgit v1.2.3
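Review bot: The adjusted test still covers only a regular file opened at offset 0, so the case this commit adds (data arriving on a pipe, or `-` on the command line) is not exercised in this hunk. A companion case that passes the read end of a pipe to `verify_detached` would cover it. A negative case where the handle has already been advanced, and verification is expected to fail, would pin down the offset behaviour. test_verify_detached starts before the hunk, so existing parametrisation may already cover part of this.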