Merge pull request #6523 from marc1706/ticket/17173

[ticket/17173] Add functionality for signing build packages
2025-06-08 04:18:52 +00:00 · 2023-09-22 11:59:13 +02:00 · 2023-09-22 11:59:13 +02:00 · a791b813c3
commit a791b813c3
parent 89a4102eda 2a95238113
5 changed files with 146 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -49,6 +49,7 @@
 /vagrant/phpbb-install-config.yml
 .vagrant
 node_modules
 /build/package_signature
 # Excludes IDE / editors files
 *~
--- a/build/build.xml
+++ b/build/build.xml
@ -203,6 +203,12 @@
 		<phingcall target="checksum-dir">
 			<property name="dir" value="build/new_version/release_files" />
 		</phingcall>
 		<phingcall target="sign-packages">
 			<property name="dir" value="build/new_version/release_files" />
 		</phingcall>
 		<exec dir="build" command="php generate_package_json.php > new_version/packages.json"/>
 	</target>
 	<target name="checksum-dir">
@ -219,6 +225,31 @@
 		<exec dir="${dir}" command="sha256sum ${filename} > ${filename}.sha256" />
 	</target>
 	<target name="sign-packages">
 		<property name="packageSignatureExists" value="false" />
 		<exec command="if [ -f 'build/package_signature' ]; then echo 'true'; else echo 'false'; fi;" outputProperty="packageSignatureExists" />
 		<if>
 			<equals arg1="${packageSignatureExists}" arg2="true" />
 			<then>
 				<foreach param="filename" absparam="absfilename" target="sign-file">
 					<fileset dir="${dir}">
 						<type type="file" />
 						<include name="*.tar.bz2"/>
 						<include name="*.zip"/>
 					</fileset>
 				</foreach>
 			</then>
 			<else>
 				<echo msg="Skipping signing of packages due to missing build/package_signature"/>
 			</else>
 		</if>
 	</target>
 	<target name="sign-file">
 		<echo msg="Creating signature file for ${absfilename}" />
 		<exec command="php build/generate_signature.php `cat build/package_signature` ${absfilename}" />
 	</target>
 	<target name="announcement" depends="prepare">
 		<echo msg="Writing download links and checksums for email announcement to save/announcement_email_${newversion}.txt" />
 		<exec dir="build" escape="false"
--- a/build/generate_package_json.php
+++ b/build/generate_package_json.php
@ -120,6 +120,12 @@ function phpbb_add_package_file(array &$package_list, $name, $file_name, $type,
 		$filedata->filesize = filesize($file_path);
 		$filedata->checksum = trim(preg_replace('/(^\w+)(.+)/', '$1', file_get_contents($file_path . '.sha256')));
 		$filedata->filetype = $extension;
 		if (file_exists($file_path . '.sig'))
 		{
 			$filedata->signature = trim(file_get_contents($file_path . '.sig'));
 		}
 		$package_file->files[] = $filedata;
 	}
--- a/build/generate_signature.php
+++ b/build/generate_signature.php
@ -0,0 +1,52 @@
 #!/usr/bin/env php
 <?php
 /**
 *
 * This file is part of the phpBB Forum Software package.
 *
 * @copyright (c) phpBB Limited <https://www.phpbb.com>
 * @license GNU General Public License, version 2 (GPL-2.0)
 *
 * For full copyright and license information, please see
 * the docs/CREDITS.txt file.
 *
 */
 if ($_SERVER['argc'] != 3)
 {
 	echo "Please specify the secret key and filename for which the signature should be created, e.g. generate_signature.php mySecretSecret path/to/file\n";
 	exit(1);
 }
 $secret_key = base64_decode($_SERVER['argv'][1]);
 $file_path = $_SERVER['argv'][2];
 if (!extension_loaded('sodium'))
 {
 	die('Required sodium extension not loaded');
 }
 if (!file_exists($file_path))
 {
 	die('File does not exist');
 }
 $hash = hash_file('sha384', $file_path, true);
 try
 {
 	$signature = sodium_crypto_sign_detached($hash, $secret_key);
 }
 catch (SodiumException $e)
 {
 	$keypair = sodium_crypto_sign_keypair();
 	$secret_key = base64_encode(sodium_crypto_sign_secretkey($keypair));
 	$public_key = base64_encode(sodium_crypto_sign_publickey($keypair));
 	echo 'Unable to create the signature: ' . $e->getMessage() . "\n";
 	echo "Maybe use these keys:\nPublic key: {$public_key}\nSecret key: {$secret_key}\n";
 	die();
 }
 $signature = base64_encode($signature);
 file_put_contents($file_path . '.sig', $signature);
--- a/build/verify_signature.php
+++ b/build/verify_signature.php
@ -0,0 +1,56 @@
 #!/usr/bin/env php
 <?php
 /**
 *
 * This file is part of the phpBB Forum Software package.
 *
 * @copyright (c) phpBB Limited <https://www.phpbb.com>
 * @license GNU General Public License, version 2 (GPL-2.0)
 *
 * For full copyright and license information, please see
 * the docs/CREDITS.txt file.
 *
 */
 if ($_SERVER['argc'] != 4)
 {
 	echo "Please specify the public key, filename for which the signature should be check, and the signature file, e.g. verify_signature.php superPublicKey path/to/file path/to/signature\n";
 	exit(1);
 }
 $public_key = base64_decode($_SERVER['argv'][1]);
 $file_path = $_SERVER['argv'][2];
 $signature_path = $_SERVER['argv'][3];
 if (!extension_loaded('sodium'))
 {
 	die('Required sodium extension not loaded');
 }
 if (!file_exists($file_path))
 {
 	die('File does not exist');
 }
 if (!file_exists($signature_path))
 {
 	die('Signature file does not exist');
 }
 $hash = hash_file('sha384', $file_path, true);
 $signature = base64_decode(file_get_contents($signature_path));
 try
 {
 	if (sodium_crypto_sign_verify_detached($signature, $hash, $public_key))
 	{
 		echo 'Signature is valid!';
 	}
 	else
 	{
 		echo 'Signature is not valid!';
 	}
 } catch (SodiumException $e)
 {
 	die('Unable to verify the signature: ' . $e->getMessage() . "\n");
 }