1 /*	$NetBSD: pkg_signature.c,v 1.2 2013/09/11 12:59:19 khorben Exp $	*/
2 
3 #if HAVE_CONFIG_H
4 #include "config.h"
5 #endif
6 #include <nbcompat.h>
7 #if HAVE_SYS_CDEFS_H
8 #include <sys/cdefs.h>
9 #endif
10 __RCSID("$NetBSD: pkg_signature.c,v 1.2 2013/09/11 12:59:19 khorben Exp $");
11 
12 /*-
13  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
14  * All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  *
20  * 1. Redistributions of source code must retain the above copyright
21  *    notice, this list of conditions and the following disclaimer.
22  * 2. Redistributions in binary form must reproduce the above copyright
23  *    notice, this list of conditions and the following disclaimer in
24  *    the documentation and/or other materials provided with the
25  *    distribution.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
28  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
29  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
30  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
31  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
33  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
34  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
35  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
36  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
37  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  */
40 
41 #if HAVE_SYS_WAIT_H
42 #include <sys/wait.h>
43 #endif
44 #include <ctype.h>
45 #if HAVE_ERR_H
46 #include <err.h>
47 #endif
48 #include <errno.h>
49 #include <fcntl.h>
50 #include <stdlib.h>
51 #ifndef NETBSD
52 #include <nbcompat/sha2.h>
53 #else
54 #include <sha2.h>
55 #endif
56 #include <signal.h>
57 #ifdef NETBSD
58 #include <unistd.h>
59 #else
60 #include <nbcompat/unistd.h>
61 #endif
62 
63 #include <archive.h>
64 #include <archive_entry.h>
65 
66 #include "lib.h"
67 
68 #define HASH_FNAME "+PKG_HASH"
69 #define SIGNATURE_FNAME "+PKG_SIGNATURE"
70 #define GPG_SIGNATURE_FNAME "+PKG_GPG_SIGNATURE"
71 
struct signature_archive {
	/* Outer (signed) container the inner package blocks are read from. */
	struct archive *archive;
	/* Size of the inner package as declared by the "file size:" line. */
	off_t pkg_size;
	/*
	 * sign_block_len:    bytes per hashed block ("block size:" line).
	 * sign_block_number: number of block hashes listed in +PKG_HASH.
	 * sign_cur_block:    index of the next block to read and check.
	 */
	size_t sign_block_len, sign_block_number, sign_cur_block;
	/* sign_block_number lower-case hex SHA512 strings, one per block. */
	char **sign_blocks;
	/* Read buffer of sign_block_len bytes handed to libarchive via *buf. */
	unsigned char *sign_buf;
};
79 
/*
 * SHA512 the buf_len bytes at buf and store the digest in hash as
 * lower-case hex, NUL terminated (2 * SHA512_DIGEST_LENGTH + 1 bytes).
 */
static void
hash_block(unsigned char *buf, size_t buf_len,
    char hash[SHA512_DIGEST_STRING_LENGTH])
{
	static const char hexdigits[] = "0123456789abcdef";
	unsigned char digest[SHA512_DIGEST_LENGTH];
	SHA512_CTX ctx;
	size_t pos;

	SHA512_Init(&ctx);
	SHA512_Update(&ctx, buf, buf_len);
	SHA512_Final(digest, &ctx);

	/* High nibble first, then low nibble, for every digest byte. */
	for (pos = 0; pos < SHA512_DIGEST_LENGTH; ++pos) {
		hash[2 * pos] = hexdigits[digest[pos] >> 4];
		hash[2 * pos + 1] = hexdigits[digest[pos] & 0x0f];
	}
	hash[2 * SHA512_DIGEST_LENGTH] = '\0';
}
108 
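/*
 * libarchive read callback for the inner package: pulls the next block
 * from the outer archive, checks its SHA512 against the hash listed in
 * +PKG_HASH and only then hands it on through *buf.
 *
 * Returns the block length, 0 once all sign_block_number blocks have been
 * delivered, or -1 after a short read or a hash mismatch (libarchive then
 * fails the read, so unverified data never reaches the caller).
 */
static ssize_t
verify_signature_read_cb(struct archive *archive, void *cookie, const void **buf)
{
	struct signature_archive *state = cookie;
	char hash[SHA512_DIGEST_STRING_LENGTH];
	ssize_t len, expected;

	if (state->sign_cur_block >= state->sign_block_number)
		return 0;

	/*
	 * Every block but the last is a full block; the last holds whatever
	 * remains.  pkg_size % sign_block_len alone would yield 0 when the
	 * package size is an exact multiple of the block length, which made
	 * the last block read empty and fail its hash check.
	 */
	if (state->sign_cur_block + 1 == state->sign_block_number) {
		size_t tail = state->pkg_size % state->sign_block_len;

		expected = (ssize_t)(tail == 0 ? state->sign_block_len : tail);
	} else {
		expected = (ssize_t)state->sign_block_len;
	}

	len = archive_read_data(state->archive, state->sign_buf, expected);
	if (len != expected) {
		warnx("Short read from package");
		return -1;
	}

	hash_block(state->sign_buf, (size_t)len, hash);

	if (strcmp(hash, state->sign_blocks[state->sign_cur_block]) != 0) {
		warnx("Invalid signature of block %llu",
		    (unsigned long long)state->sign_cur_block);
		return -1;
	}
	++state->sign_cur_block;
	*buf = state->sign_buf;
	return len;
}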
142 
/*
 * Release a signature_archive and everything it owns: the per-block hash
 * strings, the block array, the read buffer and the struct itself.  The
 * outer archive referenced by state->archive is left alone.
 */
static void
free_signature_int(struct signature_archive *state)
{
	char **blocks = state->sign_blocks;

	if (blocks != NULL) {
		size_t idx = state->sign_block_number;

		while (idx-- > 0)
			free(blocks[idx]);
	}
	free(blocks);
	free(state->sign_buf);
	free(state);
}
156 
/*
 * libarchive close callback for the inner package: finishes the outer
 * archive the blocks were read from and frees the verification state.
 * Always reports success to libarchive.
 */
static int
verify_signature_close_cb(struct archive *archive, void *cookie)
{
	struct signature_archive *st = (struct signature_archive *)cookie;
	struct archive *outer = st->archive;

	archive_read_finish(outer);
	free_signature_int(st);
	return 0;
}
166 
/*
 * Fetch the member named fname from the outer ar(1) container.
 *
 * If *entry is NULL the next header is read first; the ar string table
 * member "//" is skipped transparently.  On a match the member is read
 * whole into a fresh NUL-terminated buffer (*content, *len) and *entry
 * is reset to NULL.
 *
 * Returns 0 on success, 1 when the current member is not fname (it is
 * left in *entry for the caller to look at), is too large or could not
 * be read completely, and -1 when the archive itself cannot be read
 * (*entry is then NULL).  *content is NULL and *len is 0 unless 0 is
 * returned; the caller frees *content.
 */
static int
read_file_from_archive(const char *archive_name, struct archive *archive,
    struct archive_entry **entry,
    const char *fname, char **content, size_t *len)
{
	const char *path;
	int r;

	*content = NULL;
	*len = 0;

	/* Position on the next real member. */
	for (;;) {
		if (*entry == NULL) {
			r = archive_read_next_header(archive, entry);
			if (r != ARCHIVE_OK) {
				if (r == ARCHIVE_FATAL) {
					warnx("Cannot read from archive `%s': %s",
					    archive_name,
					    archive_error_string(archive));
				} else {
					warnx("Premature end of archive `%s'",
					    archive_name);
				}
				*entry = NULL;
				return -1;
			}
		}
		path = archive_entry_pathname(*entry);
		if (strcmp(path, "//") != 0)
			break;
		archive_read_data_skip(archive);
		*entry = NULL;
	}

	if (strcmp(fname, path) != 0)
		return 1;

	/* The size has to fit the ssize_t archive_read_data() returns. */
	if (archive_entry_size(*entry) > SSIZE_MAX - 1) {
		warnx("Signature of archive `%s' too large to process",
		    archive_name);
		return 1;
	}
	*len = archive_entry_size(*entry);
	*content = xmalloc(*len + 1);

	if (archive_read_data(archive, *content, *len) == (ssize_t)*len) {
		(*content)[*len] = '\0';
		*entry = NULL;
		return 0;
	}

	warnx("Cannot read complete %s from archive `%s'", fname,
	    archive_name);
	free(*content);
	*len = 0;
	*content = NULL;
	return 1;
}
219 
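/*
 * Parse the contents of the +PKG_HASH member.
 *
 * Expected layout (all fields required, in this order):
 *   "pkgsrc signature\n\nversion: 1\npkgname: " <name> "\n"
 *   "algorithm: SHA512\nblock size: " <decimal> "\n"
 *   "file size: " <decimal> "\n\n"
 *   <128 lower-case hex digits> "\n"          (once per block)
 *   "end pkgsrc signature\n"
 * hash_file must be NUL terminated (read_file_from_archive() guarantees
 * that); the parser never steps past the terminator.
 *
 * On success returns 0: *pkgname holds a malloc'd copy of the name and
 * state->sign_block_len, pkg_size, sign_block_number, sign_buf and
 * sign_blocks are filled in.  On a format error returns -1 after a
 * warning, with *pkgname, state->sign_blocks and state->sign_buf NULL.
 */
static int
parse_hash_file(const char *hash_file, char **pkgname,
    struct signature_archive *state)
{
	static const char block1[] = "pkgsrc signature\n\nversion: 1\npkgname: ";
	static const char block2[] = "algorithm: SHA512\nblock size: ";
	static const char block3[] = "file size: ";
	static const char block4[] = "end pkgsrc signature\n";
	static const char hexdigits[] = "0123456789abcdef";
	char *next;
	size_t i, len;

	*pkgname = NULL;

	if (strncmp(hash_file, block1, strlen(block1)) != 0)
		goto cleanup;
	hash_file += strlen(block1);

	/*
	 * The name line must end in '\n'.  If it ran into the terminating
	 * NUL instead, skipping len + 1 bytes would read past the buffer.
	 */
	len = strcspn(hash_file, "\n");
	if (hash_file[len] != '\n')
		goto cleanup;
	*pkgname = xmalloc(len + 1);
	memcpy(*pkgname, hash_file, len);
	(*pkgname)[len] = '\0';
	/* Package names consist of printable, non-blank characters only. */
	for (i = 0; i < len; ++i) {
		if (!isgraph((unsigned char)(*pkgname)[i]))
			goto cleanup;
	}
	hash_file += len + 1;

	if (strncmp(hash_file, block2, strlen(block2)) != 0)
		goto cleanup;
	hash_file += strlen(block2);

	/* A leading digit keeps strtoul() from accepting signs or blanks. */
	errno = 0;
	if (!isdigit((unsigned char)*hash_file))
		goto cleanup;
	state->sign_block_len = strtoul(hash_file, &next, 10);
	hash_file = next;

	/* Assert sane minimum block size of 1KB */
	if (*hash_file++ != '\n' || errno == ERANGE || state->sign_block_len < 1024)
		goto cleanup;
	/* The read callback passes the block length through a ssize_t. */
	if (state->sign_block_len > (size_t)SSIZE_MAX)
		goto cleanup;

	if (strncmp(hash_file, block3, strlen(block3)) != 0)
		goto cleanup;
	hash_file += strlen(block3);

	errno = 0;
	if (!isdigit((unsigned char)*hash_file))
		goto cleanup;
	/* Use the widest parser whose result still fits in off_t. */
	if (/* CONSTCOND */sizeof(off_t) >= sizeof(long long))
		state->pkg_size = strtoll(hash_file, &next, 10);
	else
		state->pkg_size = strtol(hash_file, &next, 10);
	hash_file = next;
	if (*hash_file++ != '\n' || errno == ERANGE || state->pkg_size < 1)
		goto cleanup;

	if (*hash_file++ != '\n')
		goto cleanup;

	/* The block count is iterated in the read callback as a ssize_t. */
	if (state->pkg_size / state->sign_block_len > SSIZE_MAX)
		goto cleanup;
	state->sign_block_number = (state->pkg_size +
	    state->sign_block_len - 1) / state->sign_block_len;

	/*
	 * NOTE(review): sign_block_len comes from the not-yet-verified hash
	 * file, so only the bounds checked above limit this allocation.
	 */
	state->sign_buf = xmalloc(state->sign_block_len);
	state->sign_blocks = xcalloc(state->sign_block_number, sizeof(char *));

	for (i = 0; i < state->sign_block_number; ++i) {
		len = strspn(hash_file, hexdigits);
		if (len != SHA512_DIGEST_LENGTH * 2 || hash_file[len] != '\n')
			goto cleanup_hashes;
		state->sign_blocks[i] = xmalloc(len + 1);
		memcpy(state->sign_blocks[i], hash_file, len);
		state->sign_blocks[i][len] = '\0';
		hash_file += len + 1;
	}

	/* Nothing may follow the trailer. */
	if (strcmp(hash_file, block4) != 0)
		goto cleanup_hashes;

	return 0;

cleanup_hashes:
	for (i = 0; i < state->sign_block_number; ++i)
		free(state->sign_blocks[i]);
	free(state->sign_blocks);
	state->sign_blocks = NULL;
	free(state->sign_buf);
	state->sign_buf = NULL;

cleanup:
	warnx("Unknown format of hash file");
	free(*pkgname);
	*pkgname = NULL;
	return -1;
}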
314 
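/*
 * Check the signature of the binary package in *archive.
 *
 * *archive is the outer ar(1) container, positioned at its first member
 * (or with that member already in *entry).  A signed package holds
 * +PKG_HASH, then +PKG_SIGNATURE (PKCS#7) or +PKG_GPG_SIGNATURE, then the
 * package itself.
 *
 * The hash file is verified against the signature and the inner package
 * size is checked against the "file size:" it declares.  *archive is then
 * replaced by a new libarchive handle that reads the inner package through
 * verify_signature_read_cb(), so every block is hash-checked as it is
 * consumed; *entry is reset to NULL and *pkgname receives the package name
 * from the hash file (malloc'd, owned by the caller).
 *
 * Returns 0 when the signature verified, -1 otherwise.  -1 is also
 * returned when the container is well formed but the signature did not
 * verify or no OpenSSL support is compiled in: *archive and *pkgname are
 * then still replaced as on success, so callers that tolerate unsigned
 * packages can carry on with the block-checked inner archive.  When the
 * outer archive itself is unreadable it is finished and *archive is set
 * to NULL.  Once the hash file parsed, *pkgname may be set on the other
 * failure paths too; the caller frees it.
 */
int
pkg_verify_signature(const char *archive_name, struct archive **archive,
    struct archive_entry **entry, char **pkgname)
{
	struct signature_archive *state;
	struct archive_entry *my_entry;
	struct archive *a;
	char *hash_file, *signature_file;
	size_t hash_len, signature_len;
	int r, has_sig;

	*pkgname = NULL;

	state = xcalloc(sizeof(*state), 1);

	r = read_file_from_archive(archive_name, *archive, entry, HASH_FNAME,
	    &hash_file, &hash_len);
	if (r == -1) {
		archive_read_finish(*archive);
		*archive = NULL;
		free(state);
		return -1;
	} else if (r == 1) {
		/* Not a signed container; *entry is left for the caller. */
		free(state);
		return -1;
	}

	/*
	 * From here on hash_file and whatever parse_hash_file() attaches
	 * to state must be released on every exit.
	 */
	if (parse_hash_file(hash_file, pkgname, state))
		goto fail;

	r = read_file_from_archive(archive_name, *archive, entry, SIGNATURE_FNAME,
	    &signature_file, &signature_len);
	if (r == -1)
		goto fail_archive;
	if (r != 0) {
		/* No PKCS#7 signature; the current member may be the GPG one. */
		if (*entry != NULL)
			r = read_file_from_archive(archive_name, *archive,
			    entry, GPG_SIGNATURE_FNAME,
			    &signature_file, &signature_len);
		if (r == -1)
			goto fail_archive;
		if (r != 0)
			goto fail;
		has_sig = !detached_gpg_verify(hash_file, hash_len,
		    signature_file, signature_len, gpg_keyring_verify);
	} else {
#ifdef HAVE_SSL
		has_sig = !easy_pkcs7_verify(hash_file, hash_len, signature_file,
		    signature_len, certs_packages, 1);
#else
		warnx("No OpenSSL support compiled in, skipping signature");
		has_sig = 0;
#endif
	}
	free(signature_file);

	r = archive_read_next_header(*archive, &my_entry);
	if (r != ARCHIVE_OK) {
		warnx("Cannot read inner package: %s",
		    archive_error_string(*archive));
		goto fail;
	}

	if (archive_entry_size(my_entry) != state->pkg_size) {
		warnx("Package size doesn't match signature");
		goto fail;
	}

	/* The verifying reader now owns the outer archive and state. */
	state->archive = *archive;

	a = archive_read_new();
	archive_read_support_compression_all(a);
	archive_read_support_format_all(a);
	if (archive_read_open(a, state, NULL, verify_signature_read_cb,
	    verify_signature_close_cb)) {
		/*
		 * NOTE(review): whether a failed open already ran the close
		 * callback (finishing *archive and freeing state) depends on
		 * the libarchive version, so neither is touched here; the
		 * caller still holds *archive - confirm against the library
		 * in use.
		 */
		warnx("Can't open signed package file");
		archive_read_finish(a);
		free(hash_file);
		return -1;
	}
	*archive = a;
	*entry = NULL;
	free(hash_file);

	return has_sig ? 0 : -1;

fail_archive:
	archive_read_finish(*archive);
	*archive = NULL;
fail:
	free_signature_int(state);
	free(hash_file);
	return -1;
}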
419 
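/*
 * Verify the signature of the package in *archive and then read the whole
 * inner package, so every block passes the hash check in
 * verify_signature_read_cb().  Returns 0 if signature and all blocks
 * verified, -1 otherwise.  *archive is replaced as by pkg_verify_signature().
 */
int
pkg_full_signature_check(const char *archive_name, struct archive **archive)
{
	struct archive_entry *entry = NULL;
	char *pkgname;
	int r;

	if (pkg_verify_signature(archive_name, archive, &entry, &pkgname)) {
		/* A name may have been parsed before verification failed. */
		free(pkgname);
		return -1;
	}
	if (pkgname == NULL)
		return 0;

	/* XXX read PLIST and compare pkgname */
	/* Drain the inner package; a bad block surfaces as a read error. */
	while ((r = archive_read_next_header(*archive, &entry)) == ARCHIVE_OK)
		archive_read_data_skip(*archive);

	free(pkgname);
	return r == ARCHIVE_EOF ? 0 : -1;
}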
439 
/*
 * Read +CONTENTS, which must be the first member of the binary package on
 * fd, and return its "@name" value as a malloc'd string.  Returns NULL
 * after a warning on any error.  fd is rewound to offset 0 on success.
 */
static char *
extract_pkgname(int fd)
{
	package_t plist;
	plist_t *name_entry;
	struct archive *a;
	struct archive_entry *entry;
	char *contents, *pkgname;
	ssize_t contents_len;
	int r;

	a = archive_read_new();
	archive_read_support_compression_all(a);
	archive_read_support_format_all(a);
	if (archive_read_open_fd(a, fd, 1024)) {
		warnx("Cannot open binary package: %s",
		    archive_error_string(a));
		goto fail;
	}

	if ((r = archive_read_next_header(a, &entry)) != ARCHIVE_OK) {
		warnx("Cannot extract package name: %s",
		    r == ARCHIVE_EOF ? "EOF" : archive_error_string(a));
		goto fail;
	}
	if (strcmp(archive_entry_pathname(entry), "+CONTENTS") != 0) {
		warnx("Invalid binary package, doesn't start with +CONTENTS");
		goto fail;
	}
	/* Size must fit the ssize_t archive_read_data() works with. */
	if (archive_entry_size(entry) > SSIZE_MAX - 1) {
		warnx("+CONTENTS too large to process");
		goto fail;
	}

	contents_len = archive_entry_size(entry);
	contents = xmalloc(contents_len + 1);
	if (archive_read_data(a, contents, contents_len) != contents_len) {
		warnx("Short read when extracing +CONTENTS");
		free(contents);
		goto fail;
	}
	contents[contents_len] = '\0';
	archive_read_finish(a);

	parse_plist(&plist, contents);
	free(contents);
	name_entry = find_plist(&plist, PLIST_NAME);
	if (name_entry == NULL) {
		warnx("Invalid PLIST: missing @name");
		pkgname = NULL;
	} else {
		pkgname = xstrdup(name_entry->name);
	}
	free_plist(&plist);

	/* Callers read the package again from the start. */
	if (lseek(fd, 0, SEEK_SET) != 0) {
		warn("Cannot seek in archive");
		free(pkgname);
		return NULL;
	}

	return pkgname;

fail:
	archive_read_finish(a);
	return NULL;
}
511 
/*
 * Header of the +PKG_HASH member written by the signing functions and
 * parsed back by parse_hash_file(): the package name and its byte size
 * are filled in with xasprintf(), then one lower-case hex SHA512 per block
 * follows, then hash_trailer.  "block size: 65536" must agree with the
 * block[] buffer the signing functions hash with.
 */
static const char hash_template[] =
"pkgsrc signature\n"
"\n"
"version: 1\n"
"pkgname: %s\n"
"algorithm: SHA512\n"
"block size: 65536\n"
"file size: %lld\n"
"\n";

/* Final line of +PKG_HASH; parse_hash_file() requires it verbatim. */
static const char hash_trailer[] = "end pkgsrc signature\n";
523 
524 #ifdef HAVE_SSL
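/*
 * Sign the binary package `name' with an X.509 key/certificate pair and
 * write the signed container to `output'.  The container is an
 * uncompressed BSD ar(1) archive holding +PKG_HASH (hash_template plus one
 * SHA512 per 64 KiB block of the package and hash_trailer), +PKG_SIGNATURE
 * (a PKCS#7 signature over +PKG_HASH) and finally the package under its
 * basename.
 *
 * Does not return: exits with status 0 on success and through err(3) on
 * any failure.
 */
void
pkg_sign_x509(const char *name, const char *output, const char *key_file, const char *cert_file)
{
	struct archive *pkg;
	struct archive_entry *entry, *hash_entry, *sign_entry;
	int fd;
	struct stat sb;
	char *hash_file, *signature_file, *tmp, *pkgname, hash[SHA512_DIGEST_STRING_LENGTH];
	unsigned char block[65536];	/* must match "block size:" in hash_template */
	off_t i, size;
	size_t block_len, signature_len;

	if ((fd = open(name, O_RDONLY)) == -1)
		err(EXIT_FAILURE, "Cannot open binary package %s", name);
	if (fstat(fd, &sb) == -1)
		err(EXIT_FAILURE, "Cannot stat %s", name);

	entry = archive_entry_new();
	archive_entry_copy_stat(entry, &sb);
	size = archive_entry_size(entry);

	/* extract_pkgname() warns and returns NULL if +CONTENTS is unusable. */
	pkgname = extract_pkgname(fd);
	if (pkgname == NULL)
		errx(EXIT_FAILURE, "Cannot determine package name of %s", name);
	hash_file = xasprintf(hash_template, pkgname, (long long)size);
	free(pkgname);

	/* First pass: hash the package block by block. */
	for (i = 0; i < size; i += block_len) {
		/*
		 * The last block is whatever remains.  size % sizeof(block)
		 * is 0 for an exact multiple, which would leave block_len 0
		 * and the loop stuck.
		 */
		block_len = size - i < (off_t)sizeof(block) ?
		    (size_t)(size - i) : sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		hash_block(block, block_len, hash);
		tmp = xasprintf("%s%s\n", hash_file, hash);
		free(hash_file);
		hash_file = tmp;
	}
	tmp = xasprintf("%s%s", hash_file, hash_trailer);
	free(hash_file);
	hash_file = tmp;

	if (easy_pkcs7_sign(hash_file, strlen(hash_file), &signature_file,
	    &signature_len, key_file, cert_file))
		err(EXIT_FAILURE, "Cannot sign hash file");

	/* Second pass copies the package body, so start over. */
	if (lseek(fd, 0, SEEK_SET) != 0)
		err(EXIT_FAILURE, "Cannot seek in %s", name);

	sign_entry = archive_entry_clone(entry);
	hash_entry = archive_entry_clone(entry);
	pkgname = strrchr(name, '/');
	archive_entry_set_pathname(entry, pkgname != NULL ? pkgname + 1 : name);
	archive_entry_set_pathname(hash_entry, HASH_FNAME);
	archive_entry_set_pathname(sign_entry, SIGNATURE_FNAME);
	archive_entry_set_size(hash_entry, strlen(hash_file));
	archive_entry_set_size(sign_entry, signature_len);

	pkg = archive_write_new();
	archive_write_set_compression_none(pkg);
	archive_write_set_format_ar_bsd(pkg);
	if (archive_write_open_filename(pkg, output) != ARCHIVE_OK)
		errx(EXIT_FAILURE, "Cannot create %s: %s", output,
		    archive_error_string(pkg));

	archive_write_header(pkg, hash_entry);
	archive_write_data(pkg, hash_file, strlen(hash_file));
	archive_write_finish_entry(pkg);
	archive_entry_free(hash_entry);

	archive_write_header(pkg, sign_entry);
	archive_write_data(pkg, signature_file, signature_len);
	archive_write_finish_entry(pkg);
	archive_entry_free(sign_entry);

	archive_write_header(pkg, entry);

	for (i = 0; i < size; i += block_len) {
		/* Same split as in the hashing pass above. */
		block_len = size - i < (off_t)sizeof(block) ?
		    (size_t)(size - i) : sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		archive_write_data(pkg, block, block_len);
	}
	archive_write_finish_entry(pkg);
	archive_entry_free(entry);

	archive_write_finish(pkg);

	close(fd);

	exit(0);
}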
617 #endif
618 
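/*
 * Sign the binary package `name' with GPG and write the signed container
 * to `output'.  The container is an uncompressed BSD ar(1) archive holding
 * +PKG_HASH (hash_template plus one SHA512 per 64 KiB block of the package
 * and hash_trailer), +PKG_GPG_SIGNATURE (a detached signature over
 * +PKG_HASH, made with gpg_keyring_sign / gpg_sign_as) and finally the
 * package under its basename.
 *
 * Does not return: exits with status 0 on success and through err(3) on
 * any failure.
 */
void
pkg_sign_gpg(const char *name, const char *output)
{
	struct archive *pkg;
	struct archive_entry *entry, *hash_entry, *sign_entry;
	int fd;
	struct stat sb;
	char *hash_file, *signature_file, *tmp, *pkgname, hash[SHA512_DIGEST_STRING_LENGTH];
	unsigned char block[65536];	/* must match "block size:" in hash_template */
	off_t i, size;
	size_t block_len, signature_len;

	if ((fd = open(name, O_RDONLY)) == -1)
		err(EXIT_FAILURE, "Cannot open binary package %s", name);
	if (fstat(fd, &sb) == -1)
		err(EXIT_FAILURE, "Cannot stat %s", name);

	entry = archive_entry_new();
	archive_entry_copy_stat(entry, &sb);
	size = archive_entry_size(entry);

	/* extract_pkgname() warns and returns NULL if +CONTENTS is unusable. */
	pkgname = extract_pkgname(fd);
	if (pkgname == NULL)
		errx(EXIT_FAILURE, "Cannot determine package name of %s", name);
	hash_file = xasprintf(hash_template, pkgname, (long long)size);
	free(pkgname);

	/* First pass: hash the package block by block. */
	for (i = 0; i < size; i += block_len) {
		/*
		 * The last block is whatever remains.  size % sizeof(block)
		 * is 0 for an exact multiple, which would leave block_len 0
		 * and the loop stuck.
		 */
		block_len = size - i < (off_t)sizeof(block) ?
		    (size_t)(size - i) : sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		hash_block(block, block_len, hash);
		tmp = xasprintf("%s%s\n", hash_file, hash);
		free(hash_file);
		hash_file = tmp;
	}
	tmp = xasprintf("%s%s", hash_file, hash_trailer);
	free(hash_file);
	hash_file = tmp;

	if (detached_gpg_sign(hash_file, strlen(hash_file), &signature_file,
	    &signature_len, gpg_keyring_sign, gpg_sign_as))
		err(EXIT_FAILURE, "Cannot sign hash file");

	/* Second pass copies the package body, so start over. */
	if (lseek(fd, 0, SEEK_SET) != 0)
		err(EXIT_FAILURE, "Cannot seek in %s", name);

	sign_entry = archive_entry_clone(entry);
	hash_entry = archive_entry_clone(entry);
	pkgname = strrchr(name, '/');
	archive_entry_set_pathname(entry, pkgname != NULL ? pkgname + 1 : name);
	archive_entry_set_pathname(hash_entry, HASH_FNAME);
	archive_entry_set_pathname(sign_entry, GPG_SIGNATURE_FNAME);
	archive_entry_set_size(hash_entry, strlen(hash_file));
	archive_entry_set_size(sign_entry, signature_len);

	pkg = archive_write_new();
	archive_write_set_compression_none(pkg);
	archive_write_set_format_ar_bsd(pkg);
	if (archive_write_open_filename(pkg, output) != ARCHIVE_OK)
		errx(EXIT_FAILURE, "Cannot create %s: %s", output,
		    archive_error_string(pkg));

	archive_write_header(pkg, hash_entry);
	archive_write_data(pkg, hash_file, strlen(hash_file));
	archive_write_finish_entry(pkg);
	archive_entry_free(hash_entry);

	archive_write_header(pkg, sign_entry);
	archive_write_data(pkg, signature_file, signature_len);
	archive_write_finish_entry(pkg);
	archive_entry_free(sign_entry);

	archive_write_header(pkg, entry);

	for (i = 0; i < size; i += block_len) {
		/* Same split as in the hashing pass above. */
		block_len = size - i < (off_t)sizeof(block) ?
		    (size_t)(size - i) : sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		archive_write_data(pkg, block, block_len);
	}
	archive_write_finish_entry(pkg);
	archive_entry_free(entry);

	archive_write_finish(pkg);

	close(fd);

	exit(0);
}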
711