changeset 1387:c64b6c56ce96 0.9.8
(issue95) Change keys for release build. Fix release build usage.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Thu, 15 Jan 2015 16:46:36 +0100 |
parents | 90a8eb36e9b0 |
children | 6ca035ea02ca f3e2df6b49ba |
files | CMakeLists.txt common/binverify.c common/pubkey-release.h common/pubkey-test.h ui/CMakeLists.txt ui/certs-release.qrc ui/certs-test.qrc ui/certs.qrc ui/downloader.cpp ui/main.cpp ui/sslconnection.cpp |
diffstat | 11 files changed, 92 insertions(+), 39 deletions(-) [+] |
--- a/CMakeLists.txt Thu Jan 15 16:14:35 2015 +0100 +++ b/CMakeLists.txt Thu Jan 15 16:46:36 2015 +0100 @@ -13,7 +13,7 @@ option(USE_CURL "Use libcurl to download updates and certificate lists." ON) option(USE_CLANG "Use clang to compile trustbridge." OFF) -set(DOWNLOAD_SERVER "https://tb-devel.intevation.de:443" CACHE STRING "Used as download server" ) +set(DOWNLOAD_SERVER "https://updates.trustbridge.de:443" CACHE STRING "Used as download server" ) set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_SOURCE_DIR}/cmake/") #Old qtmain linking behavior to be compatible with cmake versions < 2.8.11 @@ -22,6 +22,12 @@ cmake_policy(SET CMP0020 OLD) endif() +if (DO_RELEASE_BUILD) + message (STATUS "Building in release mode") + # Release build should automatically use tag build + add_definitions(-DIS_TAG_BUILD) +endif() + if (USE_CLANG) message (STATUS "Using clang options to build trustbridge.") # This is a bit of a hack but necessary on Ubuntu 14.4 @@ -74,7 +80,6 @@ set (CMAKE_BUILD_TYPE RELEASE) endif (NOT CMAKE_BUILD_TYPE) add_definitions (-DRELEASE_BUILD) - set(USE_REAL_RESOURCES ON) else() # Default to debug build if (NOT CMAKE_BUILD_TYPE) @@ -84,10 +89,6 @@ endif (NOT CMAKE_BUILD_TYPE) endif() -if(USE_REAL_RESOURCES) - add_definitions (-DUSE_REAL_RESOURCES) -endif() - if (NOT USE_CLANG) # Warn level to be used for privileged parts set(WARN_HARDENING_FLAGS " -Wextra -Wconversion -Wformat-security")
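Review bot: The new default for `DOWNLOAD_SERVER` in the first hunk applies to every build, while the pinned certificate bundled by ui/CMakeLists.txt is chosen by `DO_RELEASE_BUILD`, so a test build now defaults to the production update host with the test certificate pinned (the fallback `#define` in ui/downloader.cpp gets the same default). Because the variable is a `CACHE STRING`, a reused build directory also keeps the previous development host until the cache entry is cleared, which matters for a release built from an existing tree. Choosing the default from `DO_RELEASE_BUILD` keeps host and pin together. The sketch below assumes `DO_RELEASE_BUILD` is already known at this point in the file, which the hunk does not show.

```cmake
if (DO_RELEASE_BUILD)
    set(DOWNLOAD_SERVER "https://updates.trustbridge.de:443" CACHE STRING "Used as download server" )
else()
    set(DOWNLOAD_SERVER "https://tb-devel.intevation.de:443" CACHE STRING "Used as download server" )
endif()
# … unchanged: CMAKE_MODULE_PATH and policy setup …
```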
--- a/common/binverify.c Thu Jan 15 16:14:35 2015 +0100 +++ b/common/binverify.c Thu Jan 15 16:46:36 2015 +0100 @@ -417,11 +417,11 @@ verify_binary_linux(const char *filename, size_t name_len) { int ret = -1; - const size_t sig_b64_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8 * 4 / 3; + const size_t sig_b64_size = TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8 * 4 / 3; char *data = NULL, signature_b64[sig_b64_size + 1]; size_t data_size = 0, - sig_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8; + sig_size = TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8; unsigned char signature[sig_size], hash[32]; FILE *fptr = NULL; @@ -471,7 +471,7 @@ ret = base64_decode(signature, &sig_size, (unsigned char *)signature_b64, sig_b64_size); - if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_KEY_SIZE / 8) + if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8) { ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret); goto done;
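Review bot: `TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8 * 4 / 3` no longer yields a whole base64 length: with the 2048 defined in this changeset it truncates to 341, whereas 256 signature bytes encode to 342 characters, or 344 with `=` padding (the old 3072 value gave exactly 512). `signature_b64` and the length passed to `base64_decode` in the second hunk are therefore at least one character short of a full signature, which would trip the `sig_size` check unless the signing side writes a matching form; how the signature is read from the file lies outside these hunks, as does the rest of verify_binary_linux. Rounding up works for any key size: `const size_t sig_b64_size = (TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8 + 2) / 3 * 4;`. The length-mismatch case also reuses the "Base 64 decode failed" message with `ret` equal to 0, so a separate message for it would make verification failures easier to diagnose.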
--- a/common/pubkey-release.h Thu Jan 15 16:14:35 2015 +0100 +++ b/common/pubkey-release.h Thu Jan 15 16:46:36 2015 +0100 
@@ -10,27 +10,64 @@ /**@def The size of the RSA modulus */ #define TRUSTBRIDGE_RSA_KEY_SIZE 3072 +#define TRUSTBRIDGE_RSA_CODESIGN_SIZE 2048 static const unsigned char public_key_pem[] = "-----BEGIN PUBLIC KEY-----\n" -"MIIDIjANBgkqhkiG9w0BAQEFAAOCAw8AMIIDCgKCAYEArUZK1sMV8cWeP48nExEh\n" -"YiyIB5PMjjfvP9kJCTvfz0VKgD7H9KiTnRddLeYTAQTUmyr6NfgbLP3XMg1FNveN\n" -"4JON1K+nkqNljQSzV8KzTokrmgKFA6PbVNh1pH7r44ZHygAbL8spymjYsuIiZYDj\n" -"Ci2gxFza0bt67i+Z25iNZbppefVXrnkzFOFSjXp61BEcD6AbVIXE1MJkQ0dMavvl\n" -"NAFgMsRaIWREKs4Ar9v9ez1L+RcJv4MaKvF1FtWN9oPwA+6OrCiYq4nJxKFQhu/T\n" -"zTEEGAj5UChFRPzpmYlUQooaQ1V0O/aNqGQ35RvAth2xMr1WpykeqsF9dpwhAIKR\n" -"HvrCwtWT7OE37GnL/VLcLbEa5Ns1OMu+U557AVYpachGIRf6DAt8nbwNEHCsPXz0\n" -"LCwu7FKuw7/SitzlWwV4pHBkEQmb99CBg+Tr246BKdarE1JWuIBZJiVa4qiSPOd3\n" -"9mSeWa9ObVY6HBgmSu5LjVL+GLK9tb7qU9Rj70kaUtYRAoIBgQCZHx2nfiyVPNtf\n" -"viKdUcds44KQiAQMnngkZscDDuckq+gFKlzfDamPEMvkV+tdnn8N0ReNeMjPmMHU\n" -"9HxcoF1OEYFAgbRp8ukih6Rw3sy9LurOzhkU13hKU9onz76I2Dq8sJXlxDh6Ar6y\n" -"038gRg1q1RRsTHjuYApkTkyelQpTJMojbAhxCk5QxTuOsrmXDU2udnX2KrLAVmXV\n" -"XJw4AEtSph2KBtHwzrWOaE45KtrtCgRiJlUWp6QjVOzQab7hHZP4azyRrOEqoOar\n" -"czfQp4Bm83ylpfoWmjN6O8cQ33Dk0U2uiRsydHZ8279qbHFqhEK70+On+B/jXHvb\n" -"/CeouejmQ4EaEcYePxdhiX3nTb/tZgzMx4VnRaX/dP84lJqMuQgpyx7bU3FbOZ6g\n" -"dY996wJMMlvO+o16AoRyOYmGNr12tNTRABVAxWDNt3lmXSNkqZTFWCZ1jDxdTFIP\n" -"UIgOq9QtcyVuyyblizSKNtKaFNHtOMA5UNcKLNZ98GbFCBs3S1s=\n" +"MIIDITANBgkqhkiG9w0BAQEFAAOCAw4AMIIDCQKCAYEArRkubwwOjaXo80+J1P6s\n" +"Vgj4FbZmA80ZtThEyMDHV3kRjxduGkFspqtArOg/XxqAxkxIXVZexs9BbXCvX8sk\n" +"PLYy5U1pCquC4eAtTCAnpsFESD8fQMq3p4e3PSJS7dem7CFafC2CYS5HtBSkOM8X\n" +"gxCdo8nlWPVIbjxibcHe52XzovjIGdQyeY+nWwH1bxC3AveQZx3Do5kKT+hD9D/N\n" +"+QBnO1FdlhNV1mDNUjqbroRj95vMzBxd5WLo8put+7+i21ZmYNnZjXxsboJSOn97\n" +"8BGiXcs5nTGyRT/8DoNOnTpey/hF1qOFLyaxEWr48JMSSuRWC+OPmTFDuLr3iJD5\n" +"djVQggzN3qfHTqA6006vh5o+GPZ3kkr+LNGrkrwycvOwy2ruHDQJqtbh8LD5cz0n\n" +"5gQqXEqKh8zdXI9RxrV26NMkDUqANM0W+JMLGWq9W/NZvnwgMKDO9v+yPSNogCep\n" 
+"r8FTa9ncdG4GdjQt0Pzpweg4YW9TnftAFBounZzLGhclAoIBgHC+AZEzXawxOjTV\n" +"RbV6UVahKZl1ApTLWLGQ7TKtnTdKnF3cmr+OurmNte0aRPsWrpn+wZM8fHlW15qu\n" +"52Uw5ysHlI/FfPwEH22Kwr0zUtRuaHXz22AaGoPKpEVv1DSHv4y244u5IQeaDYiT\n" +"T47Uti4vFzPniFPMX9Y4563kR2sezHamLX/Hm+Ajkk7nzodkN371RxAxZ2BR6IMp\n" +"y5vNZG62T5I3bAh9j5efLIZz8GNvw3oyWvThmfywqTnLLuY4HvDaP2DG9sM1ZV3d\n" +"sQYMAVlnBlnNrdb1ykWdPyDoV/Sx8cfywp0EXG+PxwqcrvU29T6LIUfiSVytBV6E\n" +"E5o8ZC1lU7jPVZOE3LBxtMZo1nW/o4Fv4t+inOPD7UkC2iXxrVTiX2NS+u0geSjB\n" +"+2pyNUYicAi1MDFOmH/J72jjijnlU2KaIysUcQSCevuiBIxiy12EczzfuFxRn+KY\n" +"08AmPPbGqMAEuvqwd4VgyezZyk0xFvlAjrM4DjRCWnIN2oxnEw==\n" "-----END PUBLIC KEY-----\n"; static const size_t public_key_pem_size = 1145; + +/* Key used for codesigning */ +static const unsigned char public_key_codesign_pem[] = +"-----BEGIN CERTIFICATE-----\n" +"MIIFVTCCBD2gAwIBAgISESHmLplyf8qoTvRpHLz5YjBVMA0GCSqGSIb3DQEBCwUA\n" +"MFoxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTAwLgYD\n" +"VQQDEydHbG9iYWxTaWduIENvZGVTaWduaW5nIENBIC0gU0hBMjU2IC0gRzIwHhcN\n" +"MTQxMjE4MTI0NTIwWhcNMTcxMjE4MTI0NTIwWjCB0zELMAkGA1UEBhMCREUxHDAa\n" +"BgNVBAgTE05vcmRyaGVpbi1XZXN0ZmFsZW4xDTALBgNVBAcTBEJvbm4xQzBBBgNV\n" +"BAoTOkJ1bmRlc2FtdCBmdWVyIFNpY2hlcmhlaXQgaW4gZGVyIEluZm9ybWF0aW9u\n" +"c3RlY2huaWsgKEJTSSkxDTALBgNVBAsTBEJ1bmQxQzBBBgNVBAMTOkJ1bmRlc2Ft\n" +"dCBmdWVyIFNpY2hlcmhlaXQgaW4gZGVyIEluZm9ybWF0aW9uc3RlY2huaWsgKEJT\n" +"SSkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh/orNtgIA91+WqxUe\n" +"aHPPwpAxJwZJQ8RHLAHhRueTrbRczZZ1aGwvwXu7nYXqFBp0IDhd4Y0wWiiQ7np6\n" +"L78sy42gKpMWzPYE1TfQp3n0MzE8UPNpJcc1s5FUawU3Zo9Ku5bJr9nL2ExCjaGG\n" +"x7etmK6e4dYmkNbEQoVhcdoCvgoS5InJA3icxKZBtwLvcsbZM7kP1OpPyvt07Bjk\n" +"PR8+gkzrtdRT4kjEI8IgV4Tc9Dp3pXyzF4uBVDqO0IJ5FLzCB6UK9GrlXAvglCyj\n" +"jsssDJfZarsv/7Rqs0YGHecG3thzZNT267coqFyEr/tMkaxHT0THf01w62j8YlO8\n" +"SySnAgMBAAGjggGZMIIBlTAOBgNVHQ8BAf8EBAMCB4AwTAYDVR0gBEUwQzBBBgkr\n" +"BgEEAaAyATIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j\n" 
+"b20vcmVwb3NpdG9yeS8wCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzBC\n" +"BgNVHR8EOzA5MDegNaAzhjFodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2dzL2dz\n" +"Y29kZXNpZ25zaGEyZzIuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDBEBggrBgEFBQcw\n" +"AoY4aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Njb2Rlc2ln\n" +"bnNoYTJnMi5jcnQwOAYIKwYBBQUHMAGGLGh0dHA6Ly9vY3NwMi5nbG9iYWxzaWdu\n" +"LmNvbS9nc2NvZGVzaWduc2hhMmcyMB0GA1UdDgQWBBQTtBrTj8Ev+Nfecl7bsKyl\n" +"UuNkpTAfBgNVHSMEGDAWgBQZSrha5E0xpRTlXuwvoxz6gIwyazANBgkqhkiG9w0B\n" +"AQsFAAOCAQEARpVuzf+4MfV4Yf+Hv79heZvEonzT4qtbWp2exUAGZyAA4QWqISes\n" +"xWTKEpQ9motvK/YmXWHWEtRgq7LhzsMhkfGPI/ViEImhk25OMSXbfvTIML6QzHdc\n" +"GBEOqAcw7h9wN+vYnLw7Y6NYmLxZ2InK+JkQJcLvi0Qhg8IvmtQU/OZFZeKRW3Pb\n" +"NV1YSttetRaEy+v1H6b/k3poAwO+HjYwy4LpnjC/l7oel061ycl90R1EnMApx1Un\n" +"wjPDfpRcI9IH59m6Ab2Nbzx8BaFvJDslT18wdqmzT/C4ODNKJ+7SpO0i8lNHu/TR\n" +"oqVkQl0NMmov+5iYxJCgcMWYtS1yiw/Z8w==\n" +"-----END CERTIFICATE-----\n"; + +static const size_t public_key_codesign_pem_size = 1911; #endif
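Review bot: `public_key_codesign_pem` and its comment `/* Key used for codesigning */` describe a key, but the block is an X.509 certificate (`BEGIN CERTIFICATE`), unlike `public_key_pem` above it, so a caller that hands both to the same public-key parser would fail on this one. A certificate also carries a validity period (the encoded dates appear to end in December 2017) and an issuer, and the header does not say whether the verifier is meant to honour or ignore them, which decides whether signed binaries keep verifying after expiry. I would state that in the comment, e.g. `/* PEM encoded X.509 code signing certificate; only its RSA public key (TRUSTBRIDGE_RSA_CODESIGN_SIZE bits) is used, validity and chain are not evaluated */`, adjusted to what binverify.c actually does. `TRUSTBRIDGE_RSA_CODESIGN_SIZE` is also added under the `/**@def The size of the RSA modulus */` comment that belongs to the other macro and should get its own `@def` line.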
--- a/common/pubkey-test.h Thu Jan 15 16:14:35 2015 +0100 +++ b/common/pubkey-test.h Thu Jan 15 16:46:36 2015 +0100 @@ -10,6 +10,7 @@ /**@def The size of the RSA modulus */ #define TRUSTBRIDGE_RSA_KEY_SIZE 3072 +#define TRUSTBRIDGE_RSA_CODESIGN_SIZE 2048 /* PEM encoded public key */ static const unsigned char public_key_pem[] =
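Review bot: `TRUSTBRIDGE_RSA_CODESIGN_SIZE` is set to 2048 here, but the only key visible in this header is the test `public_key_pem` next to `TRUSTBRIDGE_RSA_KEY_SIZE 3072`, and no code-signing key is added as it is in pubkey-release.h. If test builds verify Linux binaries against that 3072-bit key, the 2048-based buffer and `sig_size` check in verify_binary_linux would reject their signatures, and if binverify.c refers to `public_key_codesign_pem` the test build would not compile; neither can be confirmed from this hunk. A comment on the macro naming the key it belongs to, e.g. `/**@def The size of the RSA modulus of the key that signs the Linux binaries */`, would make the intent checkable.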
--- a/ui/CMakeLists.txt Thu Jan 15 16:14:35 2015 +0100 +++ b/ui/CMakeLists.txt Thu Jan 15 16:46:36 2015 +0100 @@ -69,9 +69,19 @@ # Seperated to make it easier to include the sources in tests set(TRUSTBRIDGE_RESOURCES ${CMAKE_CURRENT_SOURCE_DIR}/icons.qrc - ${CMAKE_CURRENT_SOURCE_DIR}/certs.qrc ${CMAKE_CURRENT_SOURCE_DIR}/fonts.qrc ) +if(DO_RELEASE_BUILD) + set(TRUSTBRIDGE_RESOURCES + ${TRUSTBRIDGE_RESOURCES} + ${CMAKE_CURRENT_SOURCE_DIR}/certs-release.qrc + ) +else() + set(TRUSTBRIDGE_RESOURCES + ${TRUSTBRIDGE_RESOURCES} + ${CMAKE_CURRENT_SOURCE_DIR}/certs-test.qrc + ) +endif() set(ADMINISTRATOR_RESOURCES ${CMAKE_CURRENT_SOURCE_DIR}/icons.qrc
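Review bot: The pinned TLS certificate is now selected by the CMake variable `DO_RELEASE_BUILD`, while the `--version` banner in ui/main.cpp is controlled by the compile definition `RELEASE_BUILD`, and the `else()` branch bundles `certs-test.qrc` silently whenever `DO_RELEASE_BUILD` is unset. Whether the two switches can diverge depends on the condition around `add_definitions (-DRELEASE_BUILD)` in the top-level CMakeLists.txt, which this changeset does not show, so a build that reports itself as a release while pinning the test certificate cannot be ruled out from here. A `message (STATUS "Bundling test SSL certificate")` in the `else()` branch, mirroring the "Building in release mode" message, would make the choice visible in the build log.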
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ui/certs-release.qrc Thu Jan 15 16:46:36 2015 +0100
@@ -0,0 +1,5 @@
+<!DOCTYPE RCC><RCC version="1.0">
+<qresource prefix="/certs">
+ <file alias="ssl-certificate">certificates/updates_trustbridge_de.der</file>
+</qresource>
+</RCC>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ui/certs-test.qrc Thu Jan 15 16:46:36 2015 +0100
@@ -0,0 +1,5 @@
+<!DOCTYPE RCC><RCC version="1.0">
+<qresource prefix="/certs">
+ <file alias="ssl-certificate">certificates/ssl-test.der</file>
+</qresource>
+</RCC>
--- a/ui/certs.qrc Thu Jan 15 16:14:35 2015 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,5 +0,0 @@
-<!DOCTYPE RCC><RCC version="1.0">
-<qresource prefix="/certs">
- <file alias="ssl-test">certificates/ssl-test.der</file>
-</qresource>
-</RCC>
--- a/ui/downloader.cpp Thu Jan 15 16:14:35 2015 +0100 +++ b/ui/downloader.cpp Thu Jan 15 16:46:36 2015 +0100 @@ -8,7 +8,7 @@ #include "downloader.h" #ifndef DOWNLOAD_SERVER -#define DOWNLOAD_SERVER "https://tb-devel.intevation.de" +#define DOWNLOAD_SERVER "https://updates.trustbridge.de" #endif #include <QFile>
--- a/ui/main.cpp Thu Jan 15 16:14:35 2015 +0100 +++ b/ui/main.cpp Thu Jan 15 16:46:36 2015 +0100 @@ -121,6 +121,9 @@ if (arguments.contains("--version")) { printf (APPNAME " Version: %s \n", QApplication::applicationVersion().toLocal8Bit().constData()); +#ifndef RELEASE_BUILD + printf ("Test Version! - Not for productive use!\n"; +#endif printf (COPYRIGHT); return 0; }
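Review bot: The added `printf ("Test Version! - Not for productive use!\n";` is missing its closing parenthesis, so every build without `RELEASE_BUILD` defined fails to compile at this line. It should read `printf ("Test Version! - Not for productive use!\n");`. The enclosing function starts and ends outside the hunk.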
--- a/ui/sslconnection.cpp Thu Jan 15 16:14:35 2015 +0100 +++ b/ui/sslconnection.cpp Thu Jan 15 16:46:36 2015 +0100 @@ -26,12 +26,8 @@ mErrorState(NoError) { if (certificate.isEmpty()) { -#ifdef RELEASE_BUILD - /* TODO (issue95) Change certificate here in case of release build */ - QFile certResource(":certs/ssl-test"); -#else - QFile certResource(":certs/ssl-test"); -#endif + QFile certResource(":certs/ssl-certificate"); + certResource.open(QFile::ReadOnly); mPinnedCert = certResource.readAll(); certResource.close();
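Review bot: The result of `certResource.open(QFile::ReadOnly)` is not checked, and with the certificate now chosen at build time behind the single alias `:certs/ssl-certificate`, a missing or misnamed entry in the selected .qrc leaves `mPinnedCert` empty without any diagnostic. What the connection does with an empty pin is decided outside this hunk, so it is worth failing explicitly here by guarding the read with `if (!certResource.open(QFile::ReadOnly)) {`, logging the failure and setting an error state in place of `NoError`. A short comment above the `QFile` line saying that certs-release.qrc or certs-test.qrc supplies the alias would also help the next reader. The constructor body continues past the end of the hunk.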