From 1ea2cbb678f7263d110138b1f164e1f427b743a1 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Thu, 10 Aug 2023 20:11:00 +0200
Subject: [PATCH 1/4] [ticket/17173] Add scripts for generating and verifying package signatures

PHPBB3-17173
---
 build/generate_signature.php | 51 ++++++++++++++++++++++++++++++++
 build/verify_signature.php | 56 ++++++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)
 create mode 100644 build/generate_signature.php
 create mode 100644 build/verify_signature.php

diff --git a/build/generate_signature.php b/build/generate_signature.php
new file mode 100644
index 0000000000..fa0b7df0bf
--- /dev/null
+++ b/build/generate_signature.php
@@ -0,0 +1,51 @@
+#!/usr/bin/env php
+
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+if ($_SERVER['argc'] != 3)
+{
+ echo "Please specify the secret key and filename for which the signature should be created, e.g. generate_signature.php mySecretSecret path/to/file\n";
+ exit(1);
+}
+
+$secret_key = base64_decode($_SERVER['argv'][1]);
+$file_path = $_SERVER['argv'][2];
+
+if (!extension_loaded('sodium'))
+{
+ die('Required sodium extension not loaded');
+}
+
+if (!file_exists($file_path))
+{
+ die('File does not exist');
+}
+
+$hash = hash_file('sha384', $file_path, true);
+try
+{
+ $signature = sodium_crypto_sign_detached($hash, $secret_key);
+} catch (SodiumException $e)
+{
+ $keypair = sodium_crypto_sign_keypair();
+
+ $secret_key = base64_encode(sodium_crypto_sign_secretkey($keypair));
+ $public_key = base64_encode(sodium_crypto_sign_publickey($keypair));
+ echo 'Unable to create the signature: ' . $e->getMessage() . "\n";
+ echo "Maybe use these keys:\nPublic key: {$public_key}\nSecret key: {$secret_key}\n";
+ die();
+}
+
+$signature = base64_encode($signature);
+
+file_put_contents($file_path . '.sig', $signature);
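Review bot: The `catch (SodiumException $e)` branch of build/generate_signature.php prints a freshly generated secret key to standard output and then calls `die()` with no status, so a bad key ends the signing step with exit code 0 and leaves key material in whatever captures the build output. The two earlier `die('…')` calls also exit with status 0, and the result of `file_put_contents()` is not checked, so the build cannot tell that no `.sig` file was written. I would remove the keypair output from this script (key generation belongs in a separate, deliberate step) and end every failure path with `fwrite(STDERR, $message); exit(1);`. The secret key is also read from `$_SERVER['argv'][1]`, which exposes it in process listings and shell history; reading it from an environment variable or a key file with restricted permissions, and decoding it with `base64_decode($value, true)`, avoids that.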
diff --git a/build/verify_signature.php b/build/verify_signature.php
new file mode 100644
index 0000000000..fd432ed638
--- /dev/null
+++ b/build/verify_signature.php
@@ -0,0 +1,56 @@
+#!/usr/bin/env php
+
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+if ($_SERVER['argc'] != 4)
+{
+ echo "Please specify the public key, filename for which the signature should be check, and the signature file, e.g. verify_signature.php superPublicKey path/to/file path/to/signature\n";
+ exit(1);
+}
+
+$public_key = base64_decode($_SERVER['argv'][1]);
+$file_path = $_SERVER['argv'][2];
+$signature_path = $_SERVER['argv'][3];
+
+if (!extension_loaded('sodium'))
+{
+ die('Required sodium extension not loaded');
+}
+
+if (!file_exists($file_path))
+{
+ die('File does not exist');
+}
+
+if (!file_exists($signature_path))
+{
+ die('Signature file does not exist');
+}
+
+$hash = hash_file('sha384', $file_path, true);
+$signature = base64_decode(file_get_contents($signature_path));
+
+try
+{
+ if (sodium_crypto_sign_verify_detached($signature, $hash, $public_key))
+ {
+ echo 'Signature is valid!';
+ }
+ else
+ {
+ echo 'Signature is not valid!';
+ }
+} catch (SodiumException $e)
+{
+ die('Unable to verify the signature: ' . $e->getMessage() . "\n");
+}

From 74f3453db146014d7f77b7d1740ac1053653c0b8 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 11 Aug 2023 19:36:30 +0200
Subject: [PATCH 2/4] [ticket/17173] Add functionality for signing build packages to build script

PHPBB3-17173
---
 .gitignore | 1 +
 build/build.xml | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/.gitignore b/.gitignore
index ede6c3e8f3..69f93652be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,6 +49,7 @@
 /vagrant/phpbb-install-config.yml
 .vagrant
 node_modules
+/build/package_signature
 # Excludes IDE / editors files
 *~
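Review bot: In build/verify_signature.php an invalid signature still ends the script with exit status 0, because the `else` branch only echoes 'Signature is not valid!' and falls off the end of the file. Every `die('…')` here, including the one in the `catch` block, also exits with status 0 since it is given a string, so a build step or administrator calling this script cannot tell a failed verification from a successful one by its exit code. Add `exit(1);` after the invalid-signature message and finish the error paths with `fwrite(STDERR, $message); exit(1);`. Passing `true` as the second argument of both `base64_decode()` calls would additionally reject malformed key or signature input before it reaches sodium.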
diff --git a/build/build.xml b/build/build.xml index ddc1e0464e..0334bd6c2f 100644 --- a/build/build.xml +++ b/build/build.xml @@ -203,6 +203,10 @@ + + + + @@ -219,6 +223,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + Date: Sun, 13 Aug 2023 13:20:15 +0200 Subject: [PATCH 3/4] [ticket/17173] Add signature to packages.json PHPBB3-17173 --- build/build.xml | 2 ++ build/generate_package_json.php | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/build/build.xml b/build/build.xml index 0334bd6c2f..5252f74f5a 100644 --- a/build/build.xml +++ b/build/build.xml @@ -207,6 +207,8 @@ + + diff --git a/build/generate_package_json.php b/build/generate_package_json.php index fc67485136..29ad4fd64f 100644 --- a/build/generate_package_json.php +++ b/build/generate_package_json.php @@ -120,6 +120,12 @@ function phpbb_add_package_file(array &$package_list, $name, $file_name, $type, $filedata->filesize = filesize($file_path); $filedata->checksum = trim(preg_replace('/(^\w+)(.+)/', '$1', file_get_contents($file_path . '.sha256'))); $filedata->filetype = $extension; + + if (file_exists($file_path . '.sig')) + { + $filedata->signature = trim(file_get_contents($file_path . '.sig')); + } + $package_file->files[] = $filedata; } From 2a952381138025a9c2550b69584bac384f7a981b Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 21 Sep 2023 10:59:45 +0200 Subject: [PATCH 4/4] [ticket/17173] Fix code according to coding guidelines PHPBB3-17173 --- build/generate_signature.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build/generate_signature.php b/build/generate_signature.php index fa0b7df0bf..d1b5675119 100644 --- a/build/generate_signature.php +++ b/build/generate_signature.php @@ -35,7 +35,8 @@ $hash = hash_file('sha384', $file_path, true); try { $signature = sodium_crypto_sign_detached($hash, $secret_key); -} catch (SodiumException $e) +} +catch (SodiumException $e) { $keypair = sodium_crypto_sign_keypair();
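Review bot: In build/generate_package_json.php the signature is added only `if (file_exists($file_path . '.sig'))`, so when the signing step produced no file the package entry is written without a `signature` field and nothing reports it, whereas the `.sha256` file read just above is required. If signatures are meant to be mandatory for release packages, the missing file should abort the run or at least produce a warning. The file content is also copied in unchecked; verifying that `base64_decode($signature, true)` returns exactly 64 bytes (the length of a detached signature) would keep an empty or truncated file out of packages.json. The body of phpbb_add_package_file() starts and ends outside this hunk.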