# HG changeset patch # User Sascha Wilde # Date 1405334926 -7200 # Node ID e65e2a0be7c822b25f3b25b51f8262250cc7178a # Parent 60d3f59f08039f3bb7a9b8cf347d440b2f46beae# Parent 20ca946800033f3b104caccd2684059e265d90e8 Merged diff -r 20ca94680003 -r e65e2a0be7c8 INSTALL --- a/INSTALL Mon Jul 14 12:46:47 2014 +0200 +++ b/INSTALL Mon Jul 14 12:48:46 2014 +0200 @@ -13,17 +13,17 @@ export YOURPREFIX= export PATH=$YOURPREFIX/bin:$PATH - curl https://download.qt-project.org/official_releases/qt/5.3/5.3.0/single/qt-everywhere-opensource-src-5.3.0.tar.xz.mirrorlist | grep SHA-256 - -e6f47e69a5ce707452dd4bad1fd1919201a71e88be1b06afe1d302a3935daf1f + curl https://download.qt-project.org/official_releases/qt/5.3/5.3.1/single/qt-everywhere-opensource-src-5.3.1.tar.xz.mirrorlist | grep SHA-256 - http://qt-mirror.dannhauer.de/official_releases/qt/5.3/5.3.0/single/qt-everywhere-opensource-src-5.3.0.tar.xz +29d2ab3b1aef87e2dd806b278802e357274016475a513341348040468bf233ac - sha256sum qt-everywhere-opensource-src-5.3.0.tar.xz + http://qt-mirror.dannhauer.de/official_releases/qt/5.3/5.3.1/single/qt-everywhere-opensource-src-5.3.1.tar.xz - tar -xvmlf qt-everywhere-opensource-src-5.3.0.tar.xz + sha256sum qt-everywhere-opensource-src-5.3.1.tar.xz - cd qt-everywhere-opensource-src-5.3.0/qtbase + tar -xf qt-everywhere-opensource-src-5.3.1.tar.xz + + cd qt-everywhere-opensource-src-5.3.1/qtbase build dependencies have to to be installed at this point, see ../qtbase/src/plugins/platforms/xcb/README @@ -32,14 +32,14 @@ -opensource \ -release -nomake tests -nomake examples -confirm-license \ -static -no-cups -no-nis -no-icu -fontconfig \ - -no-directfb -opengl desktop -no-kms -no-eglfs -no-egl -no-openssl -no-glib \ - -system-libpng -qpa xcb -xcb -no-nis -no-libjpeg -no-gif - nice make -j8 + -no-directfb -no-opengl -no-kms -no-eglfs -no-egl -no-openssl -no-glib \ + -system-libpng -qpa xcb -xcb -no-nis -no-libjpeg -no-gif && \ + nice make && \ make install - cd qttools/src/designer/uitools - qmake - nice make -j8 + cd qttools/src/designer/uitools && \ + qmake && \ + nice make -j8 && \ make install cd qttools/src/linguist diff -r 20ca94680003 -r e65e2a0be7c8 common/binverify.c --- a/common/binverify.c Mon Jul 14 12:46:47 2014 +0200 +++ b/common/binverify.c Mon Jul 14 12:48:46 2014 +0200 @@ -10,7 +10,6 @@ #include "strhelp.h" #include "logging.h" - #ifdef RELEASE_BUILD #include "pubkey-release.h" #else @@ -232,6 +231,8 @@ #include #include #include +#include +#include #pragma GCC diagnostic pop bin_verify_result @@ -247,7 +248,7 @@ hash[32]; bin_verify_result retval = VerifyUnknownError; - pk_context pub_key_ctx; + x509_crt codesign_cert; if (strnlen(filename, name_len + 1) != name_len || name_len == 0) { @@ -264,24 +265,24 @@ } /* Fetch the signature from the end of data */ - if (data_size < sig_b64_size + 4) + if (data_size < sig_b64_size + 5) { ERRORPRINTF ("File to small to contain a signature.\n"); retval = VerifyInvalidSignature; goto done; } - if (data[data_size - sig_b64_size - 1] != ':' || - data[data_size - sig_b64_size - 2] != 'S' || - data[data_size - sig_b64_size - 3] != '\n'|| - data[data_size - sig_b64_size - 4] != '\r') + if (data[data_size - sig_b64_size - 2] != ':' || + data[data_size - sig_b64_size - 3] != 'S' || + data[data_size - sig_b64_size - 4] != '\n'|| + data[data_size - sig_b64_size - 5] != '\r') { ERRORPRINTF ("Failed to find valid signature line.\n"); retval = VerifyInvalidSignature; goto done; } - strncpy(signature_b64, data - sig_b64_size, sig_b64_size); + strncpy(signature_b64, data + (data_size - sig_b64_size - 1), sig_b64_size); signature_b64[sig_b64_size] = '\0'; ret = base64_decode(signature, &sig_size, @@ -289,33 +290,45 @@ if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_KEY_SIZE / 8) { + ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret); goto done; } /* Hash is calculated over the data without the signature at the end. */ - sha256((unsigned char *)data, data_size - sig_b64_size - 4, hash, 0); + sha256((unsigned char *)data, data_size - sig_b64_size - 5, hash, 0); - pk_init(&pub_key_ctx); + x509_crt_init(&codesign_cert); - ret = pk_parse_public_key(&pub_key_ctx, public_key_codesign_pem, - public_key_codesign_pem_size); + /* Parse the pinned certificate */ + ret = x509_crt_parse(&codesign_cert, + public_key_codesign_pem, + public_key_codesign_pem_size); if (ret != 0) { - ERRORPRINTF ("pk_parse_public_key failed with -0x%04x\n\n", -ret); - pk_free(&pub_key_ctx); + char errbuf[1020]; + polarssl_strerror(ret, errbuf, 1020); + errbuf[1019] = '\0'; /* Just to be sure */ + ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n%s\n", -ret, errbuf); + x509_crt_free(&codesign_cert); return VerifyUnknownError; } - ret = pk_verify(&pub_key_ctx, POLARSSL_MD_SHA256, hash, 0, + ret = pk_verify(&codesign_cert.pk, POLARSSL_MD_SHA256, hash, 0, signature, sig_size); if (ret != 0) { - ERRORPRINTF ("pk_verify failed with -0x%04x\n\n", -ret); + char errbuf[1020]; + polarssl_strerror(ret, errbuf, 1020); + errbuf[1019] = '\0'; /* Just to be sure */ + ERRORPRINTF ("pk_verify failed with -0x%04x\n %s\n", -ret, errbuf); + x509_crt_free(&codesign_cert); + retval = VerifyInvalidSignature; + goto done; } - pk_free(&pub_key_ctx); + x509_crt_free(&codesign_cert); - return VerifyValid; + retval = VerifyValid; done: xfree (data); diff -r 20ca94680003 -r e65e2a0be7c8 common/binverify.h --- a/common/binverify.h Mon Jul 14 12:46:47 2014 +0200 +++ b/common/binverify.h Mon Jul 14 12:48:46 2014 +0200 @@ -43,10 +43,12 @@ * embedded PKCS 7 "authenticode" signatures embedded into the * file. * - * On Linux the last pattern of \r\nS: (0x0d0a533A) is looked up and - * afterwards a 3072 Bit Base64 encoded RSA signature is expected. + * On Linux the file is epxected to and with the pattern of + * \r\nS: (0x0d0a533A) followed by a 3072 Bit Base64 encoded RSA + * signature. * The signature is verified against the built in codesigning key in * the same certificate that is used for windows verification. + * If the pattern is not found the verification fails. * * @param[in] filename absolute null terminated UTF-8 encoded path to the file. * @param[in] name_len length of the filename. diff -r 20ca94680003 -r e65e2a0be7c8 packaging/linux-installer.inc.in --- a/packaging/linux-installer.inc.in Mon Jul 14 12:46:47 2014 +0200 +++ b/packaging/linux-installer.inc.in Mon Jul 14 12:48:46 2014 +0200 @@ -66,7 +66,7 @@ -f, --force install to given prefix, even when a current installation with different prefix exists. -d, --deinstall deinstall files from current installation - -s, --system=PATH make an system wide (de)installation + -s, --system=PATH create a system wide (de)installation --help display this help and exit --version output version information and exit EOF @@ -265,12 +265,21 @@ echo "Removing configuration files:" rm_files "${tbcfg_files[@]}" rm_empty_dirs "$instcfg_path" + + echo "Removing TrustBridge from autostart" + if [ "${SUDO_USER+X}" ] ; then + homedir=$(getent passwd "${SUDO_USER}" | cut -d ':' -f 6) + rm_files "${homedir}/.config/autostart/tustbridge.desktop" + else + config_home=${XDG_CONFIG_HOME:-~/.config} + rm_files "${config_home}/autostart/tustbridge.desktop" + fi } deinstall() { if [ "${oldinstcfg[PREFIX]}" ] ; then - echo "Really deinstall TrustBridge from '${oldinstcfg[PREFIX]}'?" + echo "Really deinstall TrustBridge from '${oldinstcfg[PREFIX]}'? [y/n]" yorn || exit 0 deinstall_certs local deinstdir="${oldinstcfg[PREFIX]}/bin" @@ -288,6 +297,41 @@ fi } +write_autostart() +{ + cat > "$1" << EOF +[Desktop Entry] +Type=Application +Name=TrustBridge +Exec="${instcfg[PREFIX]}/bin/trustbridge" --tray +EOF + chown "${SUDO_USER:-${USER}}" "$1" + chmod 700 "$1" +} + +setup_autostart() +{ + # Supported desktop environments: Unity, GNOME, XFCE, LXDE, KDE + + if [ $SYSINST -eq 1 -a "${SUDO_USER+X}" ] ; then + homedir=$(getent passwd "${SUDO_USER}" | cut -d ':' -f 6) + install -d "${instcfg[PREFIX]}" || fatal "Could not create '${instcfg[PREFIX]}'!" + if [ ! -d "${homedir}/.config/autostart/" ]; then + install -d "${homedir}/.config/autostart/" || \ + fatal "Failed to create autostart directory: '${homedir}/.config/autostart/'" + fi + write_autostart "${homedir}/.config/autostart/tustbridge.desktop" + # System wide installation with a nonstandard XDG_CONFIG_HOME or KDEHOME is not + # respected with regards to autostart. + else + config_home=${XDG_CONFIG_HOME:-~/.config} + if [ ! -d "${config_home}/autostart" ]; then + install -d "${config_home}/autostart" || \ + fatal "Failed to create autostart directory: '${config_home}/autostart'" + fi + write_autostart "${config_home}/autostart/tustbridge.desktop" + fi +} #====================================================================== # main() @@ -358,6 +402,9 @@ echo "Setting up cronjob ..." setup_cronjob +echo "Setting up autostart ..." +setup_autostart + echo "Writing installation configuration to: $instcfg_file ..." write_instcfg exit 0 diff -r 20ca94680003 -r e65e2a0be7c8 ui/certificateitemwidget.cpp --- a/ui/certificateitemwidget.cpp Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/certificateitemwidget.cpp Mon Jul 14 12:48:46 2014 +0200 @@ -55,6 +55,10 @@ mLabel->setTextFormat(Qt::RichText); mLabel->setSizePolicy(QSizePolicy::Expanding, QSizePolicy::Expanding); + + mLabel->setTextInteractionFlags( + Qt::TextSelectableByMouse | + Qt::TextSelectableByKeyboard); mComboBox->setSizePolicy(QSizePolicy::Minimum, QSizePolicy::Minimum); connect(mComboBox, SIGNAL(currentIndexChanged(int)), this, SLOT(currentStateChanged(int))); diff -r 20ca94680003 -r e65e2a0be7c8 ui/createinstallerdialog.cpp --- a/ui/createinstallerdialog.cpp Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/createinstallerdialog.cpp Mon Jul 14 12:48:46 2014 +0200 @@ -235,7 +235,7 @@ /* Sign the linux installer */ QDir linuxDir(binDir.path() + "/linux"); if (!linuxDir.exists()) { - showErrorMessage(tr("Failed to find the directory for linux binaries: %s") + showErrorMessage(tr("Failed to find the directory for linux binaries: %1") .arg(linuxDir.path())); return; } @@ -243,12 +243,12 @@ nameFilter << "*.sh"; QStringList candidates = linuxDir.entryList(nameFilter, QDir::Files | QDir::Readable); if (candidates.isEmpty()) { - showErrorMessage(tr("Failed to find a readable *.sh file in: %s") + showErrorMessage(tr("Failed to find a readable *.sh file in: %1") .arg(linuxDir.path())); return; } if (candidates.size() > 1) { - showErrorMessage(tr("Unexpected additional .sh files in: %s") + showErrorMessage(tr("Unexpected additional .sh files in: %1") .arg(linuxDir.path())); return; } diff -r 20ca94680003 -r e65e2a0be7c8 ui/l10n/administrator_de_DE.ts --- a/ui/l10n/administrator_de_DE.ts Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/l10n/administrator_de_DE.ts Mon Jul 14 12:48:46 2014 +0200 @@ -1,6 +1,6 @@ - + AboutDialog @@ -15,7 +15,7 @@ TrustBridge is a secure root certificate installer for Windows and Linux. - TrustBridge ist ein sicherer Wurzelzertifikatsinstaller für Windows und Linux. + TrustBridge ist ein sicherer Wurzelzertifikatsinstaller für Windows und Linux. @@ -130,41 +130,31 @@ - signing certificate: + signing certificate: - + Signaturzertifikat: - -new certificates: + +new certificates: - + Neue Zertifikate: - certificates marked to remove: - - - - - signing certificate: - - Signiertes Zertifikat: - - certificates marked to remove: - Zertifikate als gelöscht markiert: + Zertifikate zum löschen markiert: new certificates: - Neues Zertifikat: + Neues Zertifikat: All managed root certificates of the certificate list: - Alle verwalteten Wurzelzertifikate der Zertifikatsliste: + Alle verwalteten Wurzelzertifikate der Zertifikatsliste: @@ -193,7 +183,7 @@ Select certificate file - Zertifikatslistendatei auswählen + Zertifikatslistendatei auswählen @@ -253,11 +243,11 @@ Issuer CN - Aussteller CN + Aussteller CN Issuer O - Aussteller O + Aussteller O @@ -271,7 +261,7 @@ SHA1 Fingerprint - SHA1 Fingerabdruck + SHA1 Fingerabdruck @@ -297,12 +287,12 @@ Save all managed root certificates in a new, signed certificate list - Alle verwalteten Wurzelzertifikate in einer neuen, signierten Zertifikatsliste speichern + Alle verwalteten Wurzelzertifikate in einer neuen, signierten Zertifikatsliste speichern In addition, each certificate list will be savedautomatically in the archive directory: - Zusätzlich wird jede Zertifikatsliste automatisch im folgenden Archiv-Verzeichnis gespeichert: + Zusätzlich wird jede Zertifikatsliste automatisch im folgenden Archiv-Verzeichnis gespeichert: Sign list @@ -403,7 +393,7 @@ Failed to calculate key hash. - + Fehler bei der Berechnung des Schlüsselfingerabdrucks. @@ -422,15 +412,15 @@ Create and signed a TrustBridge binary installer from source. - Ein TrustBridge-Installationspaket aus den Quellen erstellen und signieren. + Ein TrustBridge-Installationspaket aus den Quellen erstellen und signieren. Select source archive: - Quellcode-Archiv auswählen: + Quellcode-Archiv auswählen: Select code signing certificate (secret key): - Code Signing Zertifikat auswählen (privater Schlüssel): + Code Signing Zertifikat auswählen (privater Schlüssel): @@ -519,23 +509,27 @@ - Failed to find the directory for linux binaries: %s - + Failed to find the directory for linux binaries: %1 + Verzeichnis der Linux Anwendung '%1' konnte nicht gefunden werden. - Failed to find a readable *.sh file in: %s - + Failed to find a readable *.sh file in: %1 + Keine lesbare *.sh Datei in '%1' gefunden. - Unexpected additional .sh files in: %s - + Unexpected additional .sh files in: %1 + Mehrere .sh Dateien in: %1 + + + Failed to find the directory for linux binaries: %s + Das Verzeichnis für Linux Binärdaten %1 konnte nicht gefunden werden. Signing Linux package... - + Signieren des Linux Pakets... @@ -570,26 +564,26 @@ Failed to load certificate: %1 - Fehler beim laden des Schlüssels: %1 + Fehler beim laden des Schlüssels: %1 Only 3072 bit RSA keys are supported by the current format. - Nur 3027 bit RSA Schlüssel werden vom aktuellen Format unterstützt. + Nur 3072 bit RSA Schlüssel werden vom aktuellen Format unterstützt. Failed to open input file: %1 - + Fehler beim öffnen der Datei: %1 Failed to read input file: %1 - + Fehler beim lesen der Datei: %1 Select source archive - Archiv auswählen + Archiv auswählen @@ -601,12 +595,12 @@ FinishedDialog Success! - Erfolgreich! + Erfolgreich! Successfully created installation package - + Installationspaket erfolgreich erstellt. @@ -628,7 +622,7 @@ QObject Failed to parse certificate - Fehler beim Parsen des Zertifikats + Fehler beim Parsen des Zertifikats diff -r 20ca94680003 -r e65e2a0be7c8 ui/l10n/trustbridge_de_DE.ts --- a/ui/l10n/trustbridge_de_DE.ts Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/l10n/trustbridge_de_DE.ts Mon Jul 14 12:48:46 2014 +0200 @@ -52,21 +52,21 @@ Valid: %1 until %2 - + Gültig von: %1 bis %2 Fingerprint (SHA1): &lt;%1&gt; - + Fingerabdruck (SHA1): &lt;%1&gt; - - + + uninstall Deinstallieren - + keep Behalten @@ -187,22 +187,22 @@ Installed certificates from: - + Installierte Zertifikate vom: TrustBridge Version: - + TrustBridge Version: + + + Last sucessful update check: + Zuletzt nach Aktualisierungen gesucht: - Last sucessful update check: - - - Last successful update check: - + Zuletzt nach Aktualisierungen gesucht: diff -r 20ca94680003 -r e65e2a0be7c8 ui/mainwindow.cpp --- a/ui/mainwindow.cpp Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/mainwindow.cpp Mon Jul 14 12:48:46 2014 +0200 @@ -527,7 +527,7 @@ if (lastCheck.isValid()) { const QString lastUpdateCheck = QLocale::system().toString(lastCheck, DATETIME_FORMAT); mLastUpdateCheck = - new QLabel(tr("Last sucessful update check:")); + new QLabel(tr("Last successful update check:")); mLastUpdateCheckContents = new QLabel(lastUpdateCheck); } else { mLastUpdateCheck = new QLabel(tr("Last successful update check:")); diff -r 20ca94680003 -r e65e2a0be7c8 ui/tests/CMakeLists.txt --- a/ui/tests/CMakeLists.txt Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/tests/CMakeLists.txt Mon Jul 14 12:48:46 2014 +0200 @@ -121,31 +121,19 @@ COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/append-sig.sh ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning.key ${CMAKE_CURRENT_BINARY_DIR}/fakeinst ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-signed ) -# add_custom_command( -# TARGET binverifytest -# POST_BUILD -# COMMAND ${OSSLSIGNCODE_EXECUTABLE} sign -certs ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning.pem -# -key ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning-other.key -# -h sha256 -in ${CMAKE_CURRENT_BINARY_DIR}/fakeinst.exe -# -out ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-other-key.exe -# ) -# add_custom_command( -# TARGET binverifytest -# POST_BUILD -# COMMAND ${OSSLSIGNCODE_EXECUTABLE} sign -certs ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning-other.pem -# -key ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning-other.key -# -h sha256 -in ${CMAKE_CURRENT_BINARY_DIR}/fakeinst.exe -# -out ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-other-cert.exe -# ) -# add_custom_command( -# TARGET binverifytest -# POST_BUILD -# COMMAND ${OSSLSIGNCODE_EXECUTABLE} sign -certs ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning.pem -# -key ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning.key -# -h sha256 -in ${CMAKE_CURRENT_BINARY_DIR}/fakeinst.exe -# -out ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-invalid.exe && -# ${CMAKE_STRIP} ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-invalid.exe -# ) + add_custom_command( + TARGET binverifytest + POST_BUILD + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/append-sig.sh ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning-other.key + ${CMAKE_CURRENT_BINARY_DIR}/fakeinst ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-other-key + ) + add_custom_command( + TARGET binverifytest + POST_BUILD + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/append-sig.sh ${CMAKE_CURRENT_SOURCE_DIR}/data/codesign/codesigning.key + ${CMAKE_CURRENT_BINARY_DIR}/fakeinst ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-invalid && + sed -i s/Fakeinstaller/Bakeinstaller/g ${CMAKE_CURRENT_BINARY_DIR}/fakeinst-invalid + ) endif() endif () diff -r 20ca94680003 -r e65e2a0be7c8 ui/tests/append-sig.sh --- a/ui/tests/append-sig.sh Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/tests/append-sig.sh Mon Jul 14 12:48:46 2014 +0200 @@ -1,3 +1,3 @@ #!/bin/bash cp $2 $3 -echo \\r\\nS:$(openssl dgst -sha256 -sign $1 < $2 | base64 -w0) >> $3 +echo -e \\r\\nS:$(openssl dgst -sha256 -sign $1 < $2 | base64 -w0) >> $3 diff -r 20ca94680003 -r e65e2a0be7c8 ui/tests/binverifytest.cpp --- a/ui/tests/binverifytest.cpp Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/tests/binverifytest.cpp Mon Jul 14 12:48:46 2014 +0200 @@ -47,12 +47,15 @@ strlen("fakeinst-invalid" EXE_SUFFIX))); } -/* Check that a signature with a different (valid) certificate is not validated */ +#ifdef Q_OS_WIN +/* Check that a signature with a different (valid) certificate is not validated + * on Linux only the key is checked not the certificate */ void BinVerifyTest::testOtherCert() { QVERIFY(VerifyInvalidCertificate == verify_binary ("fakeinst-other-cert" EXE_SUFFIX, strlen("fakeinst-other-cert" EXE_SUFFIX))); } +#endif /* Check that no signature is not validated */ void BinVerifyTest::testNoSignature() diff -r 20ca94680003 -r e65e2a0be7c8 ui/tests/binverifytest.h --- a/ui/tests/binverifytest.h Mon Jul 14 12:46:47 2014 +0200 +++ b/ui/tests/binverifytest.h Mon Jul 14 12:48:46 2014 +0200 @@ -19,7 +19,9 @@ void testMiscErrors(); void testValidBinary(); void testOtherKey(); +#ifdef Q_OS_WIN void testOtherCert(); +#endif void testInvalidSig(); }; #endif