changeset 1387:c64b6c56ce96 0.9.8

(issue95) Change keys for release build. Fix release build usage.
author Andre Heinecke <andre.heinecke@intevation.de>
date Thu, 15 Jan 2015 16:46:36 +0100
parents 90a8eb36e9b0
children 6ca035ea02ca f3e2df6b49ba
files CMakeLists.txt common/binverify.c common/pubkey-release.h common/pubkey-test.h ui/CMakeLists.txt ui/certs-release.qrc ui/certs-test.qrc ui/certs.qrc ui/downloader.cpp ui/main.cpp ui/sslconnection.cpp
diffstat 11 files changed, 92 insertions(+), 39 deletions(-) [+]
--- a/CMakeLists.txt	Thu Jan 15 16:14:35 2015 +0100
+++ b/CMakeLists.txt	Thu Jan 15 16:46:36 2015 +0100
@@ -13,7 +13,7 @@
 option(USE_CURL "Use libcurl to download updates and certificate lists." ON)
 option(USE_CLANG "Use clang to compile trustbridge." OFF)
 
-set(DOWNLOAD_SERVER "https://tb-devel.intevation.de:443" CACHE STRING "Used as download server" )
+set(DOWNLOAD_SERVER "https://updates.trustbridge.de:443" CACHE STRING "Used as download server" )
 set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_SOURCE_DIR}/cmake/")
 
 #Old qtmain linking behavior to be compatible with cmake versions < 2.8.11
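Review bot: The new `DOWNLOAD_SERVER` default applies to every build, including test builds, which in this same commit pin `certificates/ssl-test.der` through `certs-test.qrc`. Unless that test certificate is what `updates.trustbridge.de` serves, a test build configured without `-DDOWNLOAD_SERVER=...` will point at the production host and fail its pin check. Choosing the default from `DO_RELEASE_BUILD` (production URL in the release branch, the devel URL otherwise) would keep the server and the pinned certificate paired. Because this is a `CACHE STRING`, an existing build directory also keeps the previously cached devel URL until the cache entry is cleared, which is worth a line in the release instructions.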
@@ -22,6 +22,12 @@
   cmake_policy(SET CMP0020 OLD)
 endif()
 
+if (DO_RELEASE_BUILD)
+   message (STATUS "Building in release mode")
+   # Release build should automatically use tag build
+   add_definitions(-DIS_TAG_BUILD)
+endif()
+
 if (USE_CLANG)
    message (STATUS "Using clang options to build trustbridge.")
    # This is a bit of a hack but necessary on Ubuntu 14.4
@@ -74,7 +80,6 @@
       set (CMAKE_BUILD_TYPE RELEASE)
    endif (NOT CMAKE_BUILD_TYPE)
    add_definitions (-DRELEASE_BUILD)
-   set(USE_REAL_RESOURCES ON)
 else()
 # Default to debug build
    if (NOT CMAKE_BUILD_TYPE)
@@ -84,10 +89,6 @@
    endif (NOT CMAKE_BUILD_TYPE)
 endif()
 
-if(USE_REAL_RESOURCES)
-   add_definitions (-DUSE_REAL_RESOURCES)
-endif()
-
 if (NOT USE_CLANG)
 # Warn level to be used for privileged parts
    set(WARN_HARDENING_FLAGS " -Wextra -Wconversion -Wformat-security")
--- a/common/binverify.c	Thu Jan 15 16:14:35 2015 +0100
+++ b/common/binverify.c	Thu Jan 15 16:46:36 2015 +0100
@@ -417,11 +417,11 @@
 verify_binary_linux(const char *filename, size_t name_len)
 {
   int ret = -1;
-  const size_t sig_b64_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8 * 4 / 3;
+  const size_t sig_b64_size = TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8 * 4 / 3;
   char *data = NULL,
         signature_b64[sig_b64_size + 1];
   size_t data_size = 0,
-         sig_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8;
+         sig_size = TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8;
   unsigned char signature[sig_size],
            hash[32];
   FILE *fptr = NULL;
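Review bot: `sig_b64_size` is now too small: with `TRUSTBRIDGE_RSA_CODESIGN_SIZE` at 2048 the expression `2048 / 8 * 4 / 3` truncates to 341, while 256 signature bytes encode to 344 base64 characters including padding. The old 3072-bit value only worked because 384 is a multiple of 3. Rounding up per 3-byte group fixes both sizes: `const size_t sig_b64_size = (TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8 + 2) / 3 * 4;`. How `signature_b64` is filled lies outside this hunk, so the visible effect is inferred, but a truncated read would most likely make verification reject correctly signed binaries.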
@@ -471,7 +471,7 @@
   ret = base64_decode(signature, &sig_size,
                       (unsigned char *)signature_b64, sig_b64_size);
 
-  if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_KEY_SIZE / 8)
+  if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8)
     {
       ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret);
       goto done;
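Review bot: The error text is misleading when the decode succeeds but yields the wrong length, because the combined condition then prints `Base 64 decode failed with error: 0`. Splitting the length case off makes a key-size mismatch diagnosable, for example `else if (sig_size != TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8) { ERRORPRINTF ("Unexpected signature size: %zu\n", sig_size); goto done; }`. This matters more now that the expected size comes from a second macro that has to match the signing key. The function body continues outside the hunk.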
--- a/common/pubkey-release.h	Thu Jan 15 16:14:35 2015 +0100
+++ b/common/pubkey-release.h	Thu Jan 15 16:46:36 2015 +0100
@@ -10,27 +10,64 @@
 
 /**@def The size of the RSA modulus */
 #define TRUSTBRIDGE_RSA_KEY_SIZE 3072
+#define TRUSTBRIDGE_RSA_CODESIGN_SIZE 2048
 
 static const unsigned char public_key_pem[] =
 "-----BEGIN PUBLIC KEY-----\n"
-"MIIDIjANBgkqhkiG9w0BAQEFAAOCAw8AMIIDCgKCAYEArUZK1sMV8cWeP48nExEh\n"
-"YiyIB5PMjjfvP9kJCTvfz0VKgD7H9KiTnRddLeYTAQTUmyr6NfgbLP3XMg1FNveN\n"
-"4JON1K+nkqNljQSzV8KzTokrmgKFA6PbVNh1pH7r44ZHygAbL8spymjYsuIiZYDj\n"
-"Ci2gxFza0bt67i+Z25iNZbppefVXrnkzFOFSjXp61BEcD6AbVIXE1MJkQ0dMavvl\n"
-"NAFgMsRaIWREKs4Ar9v9ez1L+RcJv4MaKvF1FtWN9oPwA+6OrCiYq4nJxKFQhu/T\n"
-"zTEEGAj5UChFRPzpmYlUQooaQ1V0O/aNqGQ35RvAth2xMr1WpykeqsF9dpwhAIKR\n"
-"HvrCwtWT7OE37GnL/VLcLbEa5Ns1OMu+U557AVYpachGIRf6DAt8nbwNEHCsPXz0\n"
-"LCwu7FKuw7/SitzlWwV4pHBkEQmb99CBg+Tr246BKdarE1JWuIBZJiVa4qiSPOd3\n"
-"9mSeWa9ObVY6HBgmSu5LjVL+GLK9tb7qU9Rj70kaUtYRAoIBgQCZHx2nfiyVPNtf\n"
-"viKdUcds44KQiAQMnngkZscDDuckq+gFKlzfDamPEMvkV+tdnn8N0ReNeMjPmMHU\n"
-"9HxcoF1OEYFAgbRp8ukih6Rw3sy9LurOzhkU13hKU9onz76I2Dq8sJXlxDh6Ar6y\n"
-"038gRg1q1RRsTHjuYApkTkyelQpTJMojbAhxCk5QxTuOsrmXDU2udnX2KrLAVmXV\n"
-"XJw4AEtSph2KBtHwzrWOaE45KtrtCgRiJlUWp6QjVOzQab7hHZP4azyRrOEqoOar\n"
-"czfQp4Bm83ylpfoWmjN6O8cQ33Dk0U2uiRsydHZ8279qbHFqhEK70+On+B/jXHvb\n"
-"/CeouejmQ4EaEcYePxdhiX3nTb/tZgzMx4VnRaX/dP84lJqMuQgpyx7bU3FbOZ6g\n"
-"dY996wJMMlvO+o16AoRyOYmGNr12tNTRABVAxWDNt3lmXSNkqZTFWCZ1jDxdTFIP\n"
-"UIgOq9QtcyVuyyblizSKNtKaFNHtOMA5UNcKLNZ98GbFCBs3S1s=\n"
+"MIIDITANBgkqhkiG9w0BAQEFAAOCAw4AMIIDCQKCAYEArRkubwwOjaXo80+J1P6s\n"
+"Vgj4FbZmA80ZtThEyMDHV3kRjxduGkFspqtArOg/XxqAxkxIXVZexs9BbXCvX8sk\n"
+"PLYy5U1pCquC4eAtTCAnpsFESD8fQMq3p4e3PSJS7dem7CFafC2CYS5HtBSkOM8X\n"
+"gxCdo8nlWPVIbjxibcHe52XzovjIGdQyeY+nWwH1bxC3AveQZx3Do5kKT+hD9D/N\n"
+"+QBnO1FdlhNV1mDNUjqbroRj95vMzBxd5WLo8put+7+i21ZmYNnZjXxsboJSOn97\n"
+"8BGiXcs5nTGyRT/8DoNOnTpey/hF1qOFLyaxEWr48JMSSuRWC+OPmTFDuLr3iJD5\n"
+"djVQggzN3qfHTqA6006vh5o+GPZ3kkr+LNGrkrwycvOwy2ruHDQJqtbh8LD5cz0n\n"
+"5gQqXEqKh8zdXI9RxrV26NMkDUqANM0W+JMLGWq9W/NZvnwgMKDO9v+yPSNogCep\n"
+"r8FTa9ncdG4GdjQt0Pzpweg4YW9TnftAFBounZzLGhclAoIBgHC+AZEzXawxOjTV\n"
+"RbV6UVahKZl1ApTLWLGQ7TKtnTdKnF3cmr+OurmNte0aRPsWrpn+wZM8fHlW15qu\n"
+"52Uw5ysHlI/FfPwEH22Kwr0zUtRuaHXz22AaGoPKpEVv1DSHv4y244u5IQeaDYiT\n"
+"T47Uti4vFzPniFPMX9Y4563kR2sezHamLX/Hm+Ajkk7nzodkN371RxAxZ2BR6IMp\n"
+"y5vNZG62T5I3bAh9j5efLIZz8GNvw3oyWvThmfywqTnLLuY4HvDaP2DG9sM1ZV3d\n"
+"sQYMAVlnBlnNrdb1ykWdPyDoV/Sx8cfywp0EXG+PxwqcrvU29T6LIUfiSVytBV6E\n"
+"E5o8ZC1lU7jPVZOE3LBxtMZo1nW/o4Fv4t+inOPD7UkC2iXxrVTiX2NS+u0geSjB\n"
+"+2pyNUYicAi1MDFOmH/J72jjijnlU2KaIysUcQSCevuiBIxiy12EczzfuFxRn+KY\n"
+"08AmPPbGqMAEuvqwd4VgyezZyk0xFvlAjrM4DjRCWnIN2oxnEw==\n"
 "-----END PUBLIC KEY-----\n";
 
 static const size_t public_key_pem_size = 1145;
+
+/* Key used for codesigning */
+static const unsigned char public_key_codesign_pem[] =
+"-----BEGIN CERTIFICATE-----\n"
+"MIIFVTCCBD2gAwIBAgISESHmLplyf8qoTvRpHLz5YjBVMA0GCSqGSIb3DQEBCwUA\n"
+"MFoxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTAwLgYD\n"
+"VQQDEydHbG9iYWxTaWduIENvZGVTaWduaW5nIENBIC0gU0hBMjU2IC0gRzIwHhcN\n"
+"MTQxMjE4MTI0NTIwWhcNMTcxMjE4MTI0NTIwWjCB0zELMAkGA1UEBhMCREUxHDAa\n"
+"BgNVBAgTE05vcmRyaGVpbi1XZXN0ZmFsZW4xDTALBgNVBAcTBEJvbm4xQzBBBgNV\n"
+"BAoTOkJ1bmRlc2FtdCBmdWVyIFNpY2hlcmhlaXQgaW4gZGVyIEluZm9ybWF0aW9u\n"
+"c3RlY2huaWsgKEJTSSkxDTALBgNVBAsTBEJ1bmQxQzBBBgNVBAMTOkJ1bmRlc2Ft\n"
+"dCBmdWVyIFNpY2hlcmhlaXQgaW4gZGVyIEluZm9ybWF0aW9uc3RlY2huaWsgKEJT\n"
+"SSkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh/orNtgIA91+WqxUe\n"
+"aHPPwpAxJwZJQ8RHLAHhRueTrbRczZZ1aGwvwXu7nYXqFBp0IDhd4Y0wWiiQ7np6\n"
+"L78sy42gKpMWzPYE1TfQp3n0MzE8UPNpJcc1s5FUawU3Zo9Ku5bJr9nL2ExCjaGG\n"
+"x7etmK6e4dYmkNbEQoVhcdoCvgoS5InJA3icxKZBtwLvcsbZM7kP1OpPyvt07Bjk\n"
+"PR8+gkzrtdRT4kjEI8IgV4Tc9Dp3pXyzF4uBVDqO0IJ5FLzCB6UK9GrlXAvglCyj\n"
+"jsssDJfZarsv/7Rqs0YGHecG3thzZNT267coqFyEr/tMkaxHT0THf01w62j8YlO8\n"
+"SySnAgMBAAGjggGZMIIBlTAOBgNVHQ8BAf8EBAMCB4AwTAYDVR0gBEUwQzBBBgkr\n"
+"BgEEAaAyATIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j\n"
+"b20vcmVwb3NpdG9yeS8wCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzBC\n"
+"BgNVHR8EOzA5MDegNaAzhjFodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2dzL2dz\n"
+"Y29kZXNpZ25zaGEyZzIuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDBEBggrBgEFBQcw\n"
+"AoY4aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Njb2Rlc2ln\n"
+"bnNoYTJnMi5jcnQwOAYIKwYBBQUHMAGGLGh0dHA6Ly9vY3NwMi5nbG9iYWxzaWdu\n"
+"LmNvbS9nc2NvZGVzaWduc2hhMmcyMB0GA1UdDgQWBBQTtBrTj8Ev+Nfecl7bsKyl\n"
+"UuNkpTAfBgNVHSMEGDAWgBQZSrha5E0xpRTlXuwvoxz6gIwyazANBgkqhkiG9w0B\n"
+"AQsFAAOCAQEARpVuzf+4MfV4Yf+Hv79heZvEonzT4qtbWp2exUAGZyAA4QWqISes\n"
+"xWTKEpQ9motvK/YmXWHWEtRgq7LhzsMhkfGPI/ViEImhk25OMSXbfvTIML6QzHdc\n"
+"GBEOqAcw7h9wN+vYnLw7Y6NYmLxZ2InK+JkQJcLvi0Qhg8IvmtQU/OZFZeKRW3Pb\n"
+"NV1YSttetRaEy+v1H6b/k3poAwO+HjYwy4LpnjC/l7oel061ycl90R1EnMApx1Un\n"
+"wjPDfpRcI9IH59m6Ab2Nbzx8BaFvJDslT18wdqmzT/C4ODNKJ+7SpO0i8lNHu/TR\n"
+"oqVkQl0NMmov+5iYxJCgcMWYtS1yiw/Z8w==\n"
+"-----END CERTIFICATE-----\n";
+
+static const size_t  public_key_codesign_pem_size = 1911;
 #endif
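Review bot: `public_key_codesign_pem` holds a full X.509 certificate (`BEGIN CERTIFICATE`), while its name and the comment `/* Key used for codesigning */` describe a public key, so a reader cannot tell which parser the verifier should use. A comment such as `/* PEM-encoded X.509 code-signing certificate; its RSA key size must match TRUSTBRIDGE_RSA_CODESIGN_SIZE */` would settle that and tie the array to the new macro, which also lacks the `/**@def ... */` line its neighbour has. The certificate's validity fields appear to decode to 2014-12-18 through 2017-12-18, so the comment should also say whether expiry is evaluated during verification (not visible here) and how the embedded certificate is rotated. The two hand-counted `*_size` constants could be derived with `sizeof(array) - 1` so they cannot drift from the literals.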
--- a/common/pubkey-test.h	Thu Jan 15 16:14:35 2015 +0100
+++ b/common/pubkey-test.h	Thu Jan 15 16:46:36 2015 +0100
@@ -10,6 +10,7 @@
 
 /**@def The size of the RSA modulus */
 #define TRUSTBRIDGE_RSA_KEY_SIZE 3072
+#define TRUSTBRIDGE_RSA_CODESIGN_SIZE 2048
 
 /* PEM encoded public key */
 static const unsigned char public_key_pem[] =
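Review bot: Test builds now also size the Linux signature check from `TRUSTBRIDGE_RSA_CODESIGN_SIZE 2048`, where `verify_binary_linux` previously used the 3072-bit `TRUSTBRIDGE_RSA_KEY_SIZE`. The test signing key is not visible in this hunk; if it is still 3072-bit, test-signed binaries will fail the `sig_size` comparison in binverify.c. Either confirm the test key is 2048-bit or give the test header its own value, and add a `/**@def ... */` comment stating which key the macro describes.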
--- a/ui/CMakeLists.txt	Thu Jan 15 16:14:35 2015 +0100
+++ b/ui/CMakeLists.txt	Thu Jan 15 16:46:36 2015 +0100
@@ -69,9 +69,19 @@
 # Seperated to make it easier to include the sources in tests
 set(TRUSTBRIDGE_RESOURCES
    ${CMAKE_CURRENT_SOURCE_DIR}/icons.qrc
-   ${CMAKE_CURRENT_SOURCE_DIR}/certs.qrc
    ${CMAKE_CURRENT_SOURCE_DIR}/fonts.qrc
 )
+if(DO_RELEASE_BUILD)
+   set(TRUSTBRIDGE_RESOURCES
+      ${TRUSTBRIDGE_RESOURCES}
+      ${CMAKE_CURRENT_SOURCE_DIR}/certs-release.qrc
+   )
+else()
+   set(TRUSTBRIDGE_RESOURCES
+      ${TRUSTBRIDGE_RESOURCES}
+      ${CMAKE_CURRENT_SOURCE_DIR}/certs-test.qrc
+   )
+endif()
 
 set(ADMINISTRATOR_RESOURCES
    ${CMAKE_CURRENT_SOURCE_DIR}/icons.qrc
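Review bot: Both branches rebuild `TRUSTBRIDGE_RESOURCES` by re-assigning the whole variable, which `list(APPEND TRUSTBRIDGE_RESOURCES ${CMAKE_CURRENT_SOURCE_DIR}/certs-release.qrc)` and its `certs-test.qrc` counterpart would express in one line each. Since this branch decides which TLS certificate the client pins, a `message(STATUS ...)` naming the selected .qrc would make the choice visible in configure logs. `ADMINISTRATOR_RESOURCES` continues outside the hunk, so whether it needs the same treatment cannot be judged here.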
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ui/certs-release.qrc	Thu Jan 15 16:46:36 2015 +0100
@@ -0,0 +1,5 @@
+<!DOCTYPE RCC><RCC version="1.0">
+<qresource prefix="/certs">
+    <file alias="ssl-certificate">certificates/updates_trustbridge_de.der</file>
+</qresource>
+</RCC>
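Review bot: `certificates/updates_trustbridge_de.der` is referenced here but does not appear in the changeset's file list, so either it was committed earlier or a release build will fail at resource compilation. If it is already in the repository, record its fingerprint and origin in the commit message or next to the file so the pinned certificate can be audited. The release and test .qrc files must keep the identical `ssl-certificate` alias, because sslconnection.cpp now loads that single name in both build modes.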
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ui/certs-test.qrc	Thu Jan 15 16:46:36 2015 +0100
@@ -0,0 +1,5 @@
+<!DOCTYPE RCC><RCC version="1.0">
+<qresource prefix="/certs">
+    <file alias="ssl-certificate">certificates/ssl-test.der</file>
+</qresource>
+</RCC>
--- a/ui/certs.qrc	Thu Jan 15 16:14:35 2015 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,5 +0,0 @@
-<!DOCTYPE RCC><RCC version="1.0">
-<qresource prefix="/certs">
-    <file alias="ssl-test">certificates/ssl-test.der</file>
-</qresource>
-</RCC>
--- a/ui/downloader.cpp	Thu Jan 15 16:14:35 2015 +0100
+++ b/ui/downloader.cpp	Thu Jan 15 16:46:36 2015 +0100
@@ -8,7 +8,7 @@
 #include "downloader.h"
 
 #ifndef DOWNLOAD_SERVER
-#define DOWNLOAD_SERVER "https://tb-devel.intevation.de"
+#define DOWNLOAD_SERVER "https://updates.trustbridge.de"
 #endif
 
 #include <QFile>
--- a/ui/main.cpp	Thu Jan 15 16:14:35 2015 +0100
+++ b/ui/main.cpp	Thu Jan 15 16:46:36 2015 +0100
@@ -121,6 +121,9 @@
     if (arguments.contains("--version")) {
         printf (APPNAME " Version: %s \n",
                 QApplication::applicationVersion().toLocal8Bit().constData());
+#ifndef RELEASE_BUILD
+        printf ("Test Version! - Not for productive use!\n";
+#endif
         printf (COPYRIGHT);
         return 0;
     }
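Review bot: The added `printf` line is missing its closing parenthesis, so every build without `RELEASE_BUILD` fails to compile. `printf ("Test Version! - Not for productive use!\n";` should read `printf ("Test Version! - Not for productive use!\n");`. Because the line sits under `#ifndef RELEASE_BUILD`, a check that only builds the release configuration would not catch it.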
--- a/ui/sslconnection.cpp	Thu Jan 15 16:14:35 2015 +0100
+++ b/ui/sslconnection.cpp	Thu Jan 15 16:46:36 2015 +0100
@@ -26,12 +26,8 @@
     mErrorState(NoError)
 {
     if (certificate.isEmpty()) {
-#ifdef RELEASE_BUILD
-        /* TODO (issue95) Change certificate here in case of release build */
-        QFile certResource(":certs/ssl-test");
-#else
-        QFile certResource(":certs/ssl-test");
-#endif
+        QFile certResource(":certs/ssl-certificate");
+
         certResource.open(QFile::ReadOnly);
         mPinnedCert = certResource.readAll();
         certResource.close();
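Review bot: The result of `certResource.open(QFile::ReadOnly)` is not checked, so if `:certs/ssl-certificate` is missing from the build, `mPinnedCert` is silently left empty. That can now happen whenever the alias in the selected .qrc and this string drift apart. What an empty pin does later in connection setup is outside this hunk, but the constructor should fail closed at this point, for example `if (!certResource.open(QFile::ReadOnly)) { /* set mErrorState and return */ }`. The constructor body continues past the hunk.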

http://wald.intevation.org/projects/trustbridge/