1 /*	$NetBSD: pkg_signature.c,v 1.4 2021/04/10 19:49:59 nia Exp $	*/
2 
3 #if HAVE_CONFIG_H
4 #include "config.h"
5 #endif
6 #include <nbcompat.h>
7 #if HAVE_SYS_CDEFS_H
8 #include <sys/cdefs.h>
9 #endif
10 __RCSID("$NetBSD: pkg_signature.c,v 1.4 2021/04/10 19:49:59 nia Exp $");
11 
12 /*-
13  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
14  * All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  *
20  * 1. Redistributions of source code must retain the above copyright
21  *    notice, this list of conditions and the following disclaimer.
22  * 2. Redistributions in binary form must reproduce the above copyright
23  *    notice, this list of conditions and the following disclaimer in
24  *    the documentation and/or other materials provided with the
25  *    distribution.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
28  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
29  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
30  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
31  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
33  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
34  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
35  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
36  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
37  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  */
40 
41 #if HAVE_SYS_WAIT_H
42 #include <sys/wait.h>
43 #endif
44 #include <ctype.h>
45 #if HAVE_ERR_H
46 #include <err.h>
47 #endif
48 #include <errno.h>
49 #include <fcntl.h>
50 #include <limits.h>
51 #include <stdlib.h>
52 #ifndef NETBSD
53 #include <nbcompat/sha2.h>
54 #else
55 #include <sha2.h>
56 #endif
57 #include <signal.h>
58 #ifdef NETBSD
59 #include <unistd.h>
60 #else
61 #include <nbcompat/unistd.h>
62 #endif
63 
64 #include <archive.h>
65 #include <archive_entry.h>
66 
67 #include "lib.h"
68 
69 #define HASH_FNAME "+PKG_HASH"
70 #define SIGNATURE_FNAME "+PKG_SIGNATURE"
71 #define GPG_SIGNATURE_FNAME "+PKG_GPG_SIGNATURE"
72 
/*
 * Read-side state for a signed package.  The outer (ar) archive holds the
 * inner package as one member; verify_signature_read_cb() feeds that member
 * to a fresh libarchive reader one block at a time, hashing each block and
 * comparing it with the list taken from +PKG_HASH before handing it on.
 * Owned by the reader and released through verify_signature_close_cb().
 */
struct signature_archive {
	struct archive *archive;	/* outer archive the inner package is read from */
	off_t pkg_size;			/* "file size:" from +PKG_HASH; must equal the inner member size */
	size_t sign_block_len, sign_block_number, sign_cur_block;
					/* "block size:" (>= 1024), number of hash lines,
					 * index of the next block to verify */
	char **sign_blocks;		/* sign_block_number lowercase-hex SHA512 strings */
	unsigned char *sign_buf;	/* sign_block_len bytes, handed to libarchive once hashed */
};
80 
/*
 * SHA512 buf[0..buf_len) and write the digest as lowercase hex into hash,
 * NUL-terminated (SHA512_DIGEST_STRING_LENGTH leaves room for the NUL).
 */
static void
hash_block(unsigned char *buf, size_t buf_len,
    char hash[SHA512_DIGEST_STRING_LENGTH])
{
	static const char hexdigits[] = "0123456789abcdef";
	unsigned char digest[SHA512_DIGEST_LENGTH];
	SHA512_CTX ctx;
	char *out = hash;
	size_t idx;

	SHA512_Init(&ctx);
	SHA512_Update(&ctx, buf, buf_len);
	SHA512_Final(digest, &ctx);

	/* High nibble first, then low nibble, for every digest byte. */
	for (idx = 0; idx < SHA512_DIGEST_LENGTH; ++idx) {
		*out++ = hexdigits[digest[idx] >> 4];
		*out++ = hexdigits[digest[idx] & 0x0f];
	}
	*out = '\0';
}
109 
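/*
 * libarchive read callback for the verifying reader: deliver the next
 * block of the inner package only if its SHA512 matches the entry from
 * +PKG_HASH.  Returns the block length, 0 at end of package, -1 (after a
 * warning) on a short read or a hash mismatch.
 */
static ssize_t
verify_signature_read_cb(struct archive *archive, void *cookie, const void **buf)
{
	struct signature_archive *state = cookie;
	char hash[SHA512_DIGEST_STRING_LENGTH];
	ssize_t len, expected;

	/* Every block has been delivered: report EOF. */
	if (state->sign_cur_block >= state->sign_block_number)
		return 0;

	/*
	 * All blocks but the last are sign_block_len bytes; the last one is
	 * whatever is left of pkg_size.  The remainder is computed by
	 * subtraction rather than pkg_size % sign_block_len so that a
	 * package whose size is an exact multiple of the block size gets a
	 * full last block instead of an empty read, which hashed nothing and
	 * could never match the final hash line.
	 */
	if (state->sign_cur_block + 1 == state->sign_block_number) {
		off_t done = (off_t)state->sign_cur_block *
		    (off_t)state->sign_block_len;

		expected = (ssize_t)(state->pkg_size - done);
	} else {
		expected = (ssize_t)state->sign_block_len;
	}

	len = archive_read_data(state->archive, state->sign_buf, expected);
	if (len != expected) {
		warnx("Short read from package");
		return -1;
	}

	/* Nothing is passed on before its hash has been checked. */
	hash_block(state->sign_buf, (size_t)len, hash);
	if (strcmp(hash, state->sign_blocks[state->sign_cur_block]) != 0) {
		warnx("Invalid signature of block %llu",
		    (unsigned long long)state->sign_cur_block);
		return -1;
	}

	++state->sign_cur_block;
	*buf = state->sign_buf;
	return len;
}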
143 
/*
 * Release a signature_archive and everything it owns.  state->archive is
 * not touched; the caller decides what happens to it.
 */
static void
free_signature_int(struct signature_archive *state)
{
	char **blocks = state->sign_blocks;

	if (blocks != NULL) {
		size_t idx = state->sign_block_number;

		while (idx-- > 0)
			free(blocks[idx]);
	}
	free(blocks);
	free(state->sign_buf);
	free(state);
}
157 
/*
 * libarchive close callback for the verifying reader: free the outer
 * archive the blocks were read from, then the verification state.
 */
static int
verify_signature_close_cb(struct archive *archive, void *cookie)
{
	struct signature_archive *st = cookie;
	struct archive *outer = st->archive;

	(void)archive;
	archive_read_free(outer);
	free_signature_int(st);
	return 0;
}
167 
/*
 * Read the member named fname if it is the next real member of archive.
 * On entry *entry may already hold a header obtained by an earlier call;
 * the "//" pseudo-member is skipped.  On success *content is a freshly
 * allocated, NUL-terminated copy of the member (caller frees), *len its
 * size and *entry is cleared; returns 0.  Returns 1 when the next member
 * is something else (it stays in *entry) or the member could not be
 * read completely, and -1 on an archive read error (with *entry cleared).
 */
static int
read_file_from_archive(const char *archive_name, struct archive *archive,
    struct archive_entry **entry,
    const char *fname, char **content, size_t *len)
{
	off_t entry_size;

	*content = NULL;
	*len = 0;

	for (;;) {
		if (*entry == NULL) {
			int rc = archive_read_next_header(archive, entry);

			if (rc != ARCHIVE_OK) {
				if (rc == ARCHIVE_FATAL) {
					warnx("Cannot read from archive `%s': %s",
					    archive_name,
					    archive_error_string(archive));
				} else {
					warnx("Premature end of archive `%s'",
					    archive_name);
				}
				*entry = NULL;
				return -1;
			}
		}
		if (strcmp(archive_entry_pathname(*entry), "//") != 0)
			break;
		archive_read_data_skip(archive);
		*entry = NULL;
	}

	/* Not the member asked for: leave it in *entry for the caller. */
	if (strcmp(fname, archive_entry_pathname(*entry)) != 0)
		return 1;

	entry_size = archive_entry_size(*entry);
	if (entry_size > SSIZE_MAX - 1) {
		warnx("Signature of archive `%s' too large to process",
		    archive_name);
		return 1;
	}
	*len = (size_t)entry_size;
	*content = xmalloc(*len + 1);

	if (archive_read_data(archive, *content, *len) != (ssize_t)*len) {
		warnx("Cannot read complete %s from archive `%s'", fname,
		    archive_name);
		free(*content);
		*len = 0;
		*content = NULL;
		return 1;
	}
	(*content)[*len] = '\0';
	*entry = NULL;

	return 0;
}
220 
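/*
 * Parse the +PKG_HASH file (the text produced from hash_template, the
 * per-block hash lines and hash_trailer) into state.  The file comes out
 * of an untrusted package, so every field is validated before it sizes an
 * allocation.  On success *pkgname is the allocated package name and
 * state->sign_block_len, pkg_size, sign_block_number, sign_buf and
 * sign_blocks are set; returns 0.  On any format error everything
 * allocated here is released, *pkgname is NULL, a warning is printed and
 * -1 is returned.
 */
static int
parse_hash_file(const char *hash_file, char **pkgname,
    struct signature_archive *state)
{
	static const char block1[] = "pkgsrc signature\n\nversion: 1\npkgname: ";
	static const char block2[] = "algorithm: SHA512\nblock size: ";
	static const char block3[] = "file size: ";
	static const char block4[] = "end pkgsrc signature\n";
	char *next;
	size_t i, len;

	*pkgname = NULL;

	if (strncmp(hash_file, block1, strlen(block1)) != 0)
		goto cleanup;
	hash_file += strlen(block1);

	/*
	 * pkgname runs to the next newline, which must exist: without the
	 * check a file ending inside the pkgname line made "len + 1" below
	 * step past the terminating NUL and the next strncmp() read beyond
	 * the buffer.
	 */
	len = strcspn(hash_file, "\n");
	if (hash_file[len] != '\n')
		goto cleanup;
	*pkgname = xmalloc(len + 1);
	memcpy(*pkgname, hash_file, len);
	(*pkgname)[len] = '\0';
	for (i = 0; i < len; ++i) {
		if (!isgraph((unsigned char)(*pkgname)[i]))
			goto cleanup;
	}
	hash_file += len + 1;

	if (strncmp(hash_file, block2, strlen(block2)) != 0)
		goto cleanup;
	hash_file += strlen(block2);

	/* block size: plain decimal digits (no sign, no whitespace). */
	errno = 0;
	if (!isdigit((unsigned char)*hash_file))
		goto cleanup;
	state->sign_block_len = strtoul(hash_file, &next, 10);
	hash_file = next;

	/* Assert sane minimum block size of 1KB */
	if (*hash_file++ != '\n' || errno == ERANGE || state->sign_block_len < 1024)
		goto cleanup;
	/*
	 * verify_signature_read_cb() returns the block length as ssize_t,
	 * so a length that does not fit one is unusable.
	 * NOTE(review): there is no other upper bound; an oversized value is
	 * left to xmalloc() below to refuse.
	 */
	if (state->sign_block_len > (size_t)SSIZE_MAX)
		goto cleanup;

	if (strncmp(hash_file, block3, strlen(block3)) != 0)
		goto cleanup;
	hash_file += strlen(block3);

	errno = 0;
	if (!isdigit((unsigned char)*hash_file))
		goto cleanup;
	if (/* CONSTCOND */sizeof(off_t) >= sizeof(long long))
		state->pkg_size = strtoll(hash_file, &next, 10);
	else
		state->pkg_size = strtol(hash_file, &next, 10);
	hash_file = next;
	if (*hash_file++ != '\n' || errno == ERANGE || state->pkg_size < 1)
		goto cleanup;

	if (*hash_file++ != '\n')
		goto cleanup;

	if (state->pkg_size / state->sign_block_len > SSIZE_MAX)
		goto cleanup;
	/* Block count rounded up, without the "+ len - 1" that could wrap. */
	state->sign_block_number = state->pkg_size / state->sign_block_len;
	if (state->pkg_size % state->sign_block_len != 0)
		state->sign_block_number++;

	/*
	 * Each hash line is SHA512_DIGEST_LENGTH * 2 hex digits plus a
	 * newline, so the remaining input must be at least that long per
	 * block.  Checking this before allocating means a forged block count
	 * cannot drive xcalloc() to an absurd size.
	 */
	if (strlen(hash_file) / (SHA512_DIGEST_LENGTH * 2 + 1) <
	    state->sign_block_number)
		goto cleanup;

	state->sign_buf = xmalloc(state->sign_block_len);
	state->sign_blocks = xcalloc(state->sign_block_number, sizeof(char *));

	for (i = 0; i < state->sign_block_number; ++i) {
		/* Lowercase hex only, matching what hash_block() emits. */
		len = strspn(hash_file, "0123456789abcdef");
		if (len != SHA512_DIGEST_LENGTH * 2 || hash_file[len] != '\n')
			goto cleanup_hashes;
		state->sign_blocks[i] = xmalloc(len + 1);
		memcpy(state->sign_blocks[i], hash_file, len);
		state->sign_blocks[i][len] = '\0';
		hash_file += len + 1;
	}

	if (strcmp(hash_file, block4) != 0)
		goto cleanup_hashes;

	return 0;

cleanup_hashes:
	for (i = 0; i < state->sign_block_number; ++i)
		free(state->sign_blocks[i]);
	free(state->sign_blocks);
	state->sign_blocks = NULL;
	/* sign_buf was allocated alongside sign_blocks; do not leak it. */
	free(state->sign_buf);
	state->sign_buf = NULL;

cleanup:
	warnx("Unknown format of hash file");
	free(*pkgname);
	*pkgname = NULL;
	return -1;
}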
315 
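/*
 * Look for +PKG_HASH and a detached signature (+PKG_SIGNATURE, else
 * +PKG_GPG_SIGNATURE) at the front of *archive, verify the hash file
 * against it and, once the hash file has parsed and the inner package has
 * the declared size, replace *archive with a reader that checks every
 * block of the inner package against the hash list as it is read.
 *
 * Returns 0 when the signature verified, -1 otherwise.  Side effects the
 * caller must expect on -1: *archive is freed and set to NULL after an
 * archive read error; *pkgname may hold the name from the hash file
 * (caller frees); and when only the signature check itself failed
 * *archive has already been replaced by the verifying reader.
 */
int
pkg_verify_signature(const char *archive_name, struct archive **archive,
    struct archive_entry **entry, char **pkgname)
{
	struct signature_archive *state;
	struct archive_entry *my_entry;
	struct archive *a;
	char *hash_file, *signature_file;
	size_t hash_len, signature_len;
	int r, has_sig;

	*pkgname = NULL;

	state = xcalloc(sizeof(*state), 1);

	r = read_file_from_archive(archive_name, *archive, entry, HASH_FNAME,
	    &hash_file, &hash_len);
	if (r == -1) {
		archive_read_free(*archive);
		*archive = NULL;
		free(state);
		goto no_valid_signature;
	} else if (r == 1) {
		free(state);
		goto no_valid_signature;
	}

	/*
	 * parse_hash_file() releases what it put into state on failure, but
	 * state itself and hash_file are ours; free_signature_int() copes
	 * with the partially filled state.
	 */
	if (parse_hash_file(hash_file, pkgname, state)) {
		free_signature_int(state);
		free(hash_file);
		goto no_valid_signature;
	}

	/* From here on state owns sign_buf/sign_blocks: a bare free(state) leaks them. */
	r = read_file_from_archive(archive_name, *archive, entry, SIGNATURE_FNAME,
	    &signature_file, &signature_len);
	if (r == -1) {
		archive_read_free(*archive);
		*archive = NULL;
		free_signature_int(state);
		free(hash_file);
		goto no_valid_signature;
	} else if (r != 0) {
		if (*entry != NULL)
			r = read_file_from_archive(archive_name, *archive,
			    entry, GPG_SIGNATURE_FNAME,
			    &signature_file, &signature_len);
		if (r == -1) {
			archive_read_free(*archive);
			*archive = NULL;
			free_signature_int(state);
			free(hash_file);
			goto no_valid_signature;
		} else if (r != 0) {
			free(hash_file);
			free_signature_int(state);
			goto no_valid_signature;
		}
		has_sig = !gpg_verify(hash_file, hash_len, gpg_keyring_verify,
		    signature_file, signature_len);
		free(signature_file);
	} else {
#ifdef HAVE_SSL
		has_sig = !easy_pkcs7_verify(hash_file, hash_len, signature_file,
		    signature_len, certs_packages, 1);
#else
		warnx("No OpenSSL support compiled in, skipping signature");
		has_sig = 0;
#endif
		free(signature_file);
	}
	/*
	 * The hash list now lives in state; the text is no longer needed.
	 * NOTE(review): assumes gpg_verify()/easy_pkcs7_verify() do not keep
	 * a reference to the buffer — confirm against their definitions.
	 */
	free(hash_file);
	hash_file = NULL;

	r = archive_read_next_header(*archive, &my_entry);
	if (r != ARCHIVE_OK) {
		warnx("Cannot read inner package: %s",
		    archive_error_string(*archive));
		free_signature_int(state);
		goto no_valid_signature;
	}

	/* The hash list covers exactly pkg_size bytes; anything else is a mismatch. */
	if (archive_entry_size(my_entry) != state->pkg_size) {
		warnx("Package size doesn't match signature");
		free_signature_int(state);
		goto no_valid_signature;
	}

	state->archive = *archive;

	a = prepare_archive();
	if (archive_read_open(a, state, NULL, verify_signature_read_cb,
	    verify_signature_close_cb)) {
		/*
		 * NOTE(review): whether libarchive already ran
		 * verify_signature_close_cb() here (freeing state and the
		 * archive behind *archive) depends on the libarchive version;
		 * confirm before touching state or *archive on this path.
		 */
		warnx("Can't open signed package file");
		archive_read_free(a);
		goto no_valid_signature;
	}
	*archive = a;
	*entry = NULL;

	return has_sig ? 0 : -1;

no_valid_signature:
	return -1;
}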
418 
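/*
 * Verify the signature of *archive and then read the whole inner package
 * through the verifying reader, so every block gets checked.  Returns 0
 * if the package verified end to end, -1 otherwise.
 */
int
pkg_full_signature_check(const char *archive_name, struct archive **archive)
{
	struct archive_entry *entry = NULL;
	char *pkgname;
	int r;

	/*
	 * pkg_verify_signature() sets pkgname first thing and may leave it
	 * allocated even when it fails; release it instead of leaking it.
	 */
	if (pkg_verify_signature(archive_name, archive, &entry, &pkgname)) {
		free(pkgname);
		return -1;
	}
	if (pkgname == NULL)
		return 0;

	/* XXX read PLIST and compare pkgname */
	while ((r = archive_read_next_header(*archive, &entry)) == ARCHIVE_OK)
		archive_read_data_skip(*archive);

	free(pkgname);
	return r == ARCHIVE_EOF ? 0 : -1;
}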
438 
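/*
 * Read +CONTENTS, which must be the first member of the package on fd,
 * and return its @name as an allocated string (caller frees).  fd is
 * rewound to offset 0 afterwards so the caller can read the package
 * again.  Returns NULL after a warning on any failure.
 */
static char *
extract_pkgname(int fd)
{
	package_t plist;
	plist_t *p;
	struct archive *a;
	struct archive_entry *entry;
	char *buf = NULL;
	ssize_t len;
	int r;

	a = prepare_archive();
	if (archive_read_open_fd(a, fd, 1024)) {
		warnx("Cannot open binary package: %s",
		    archive_error_string(a));
		goto fail;
	}

	r = archive_read_next_header(a, &entry);
	if (r != ARCHIVE_OK) {
		warnx("Cannot extract package name: %s",
		    r == ARCHIVE_EOF ? "EOF" : archive_error_string(a));
		goto fail;
	}
	if (strcmp(archive_entry_pathname(entry), "+CONTENTS") != 0) {
		warnx("Invalid binary package, doesn't start with +CONTENTS");
		goto fail;
	}
	if (archive_entry_size(entry) > SSIZE_MAX - 1) {
		warnx("+CONTENTS too large to process");
		goto fail;
	}

	len = archive_entry_size(entry);
	buf = xmalloc(len + 1);

	if (archive_read_data(a, buf, len) != len) {
		warnx("Short read when extracting +CONTENTS");
		goto fail;
	}
	buf[len] = '\0';

	archive_read_free(a);

	parse_plist(&plist, buf);
	free(buf);
	p = find_plist(&plist, PLIST_NAME);
	if (p != NULL) {
		buf = xstrdup(p->name);
	} else {
		warnx("Invalid PLIST: missing @name");
		buf = NULL;
	}
	free_plist(&plist);

	/* The reader consumed part of fd; put it back where the caller expects it. */
	if (lseek(fd, 0, SEEK_SET) != 0) {
		warn("Cannot seek in archive");
		free(buf);
		return NULL;
	}

	return buf;

fail:
	/* Single exit for every error while the reader is still open. */
	free(buf);
	archive_read_free(a);
	return NULL;
}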
508 
/*
 * Head of the +PKG_HASH file written by pkg_sign_x509()/pkg_sign_gpg();
 * the conversions take the package name and the package size.  One
 * lowercase-hex SHA512 line per 65536-byte block of the package follows,
 * then hash_trailer.  parse_hash_file() matches this text literally, so
 * the two have to be changed together.
 */
static const char hash_template[] =
"pkgsrc signature\n"
"\n"
"version: 1\n"
"pkgname: %s\n"
"algorithm: SHA512\n"
"block size: 65536\n"
"file size: %lld\n"
"\n";

/* Closes the +PKG_HASH file; parse_hash_file() requires it verbatim. */
static const char hash_trailer[] = "end pkgsrc signature\n";
520 
521 #ifdef HAVE_SSL
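/*
 * Sign the binary package `name' with the X.509 key/certificate pair and
 * write `output': an ar archive holding +PKG_HASH (hash_template, one
 * SHA512 per block, hash_trailer), +PKG_SIGNATURE (the PKCS#7 signature
 * over +PKG_HASH) and the package itself.  Exits the process: 0 on
 * success, non-zero via err()/errx() on any failure.
 */
void
pkg_sign_x509(const char *name, const char *output, const char *key_file, const char *cert_file)
{
	struct archive *pkg;
	struct archive_entry *entry, *hash_entry, *sign_entry;
	int fd;
	struct stat sb;
	char *hash_file, *signature_file, *tmp, *pkgname, hash[SHA512_DIGEST_STRING_LENGTH];
	unsigned char block[65536];
	off_t i, size;
	size_t block_len, signature_len;

	if ((fd = open(name, O_RDONLY)) == -1)
		err(EXIT_FAILURE, "Cannot open binary package %s", name);
	if (fstat(fd, &sb) == -1)
		err(EXIT_FAILURE, "Cannot stat %s", name);

	entry = archive_entry_new();
	archive_entry_copy_stat(entry, &sb);
	size = archive_entry_size(entry);

	/*
	 * extract_pkgname() returns NULL for an unreadable or nameless
	 * package; handing that to %s would sign a hash file carrying a
	 * bogus name instead of failing.
	 */
	pkgname = extract_pkgname(fd);
	if (pkgname == NULL)
		errx(EXIT_FAILURE, "Cannot determine package name of %s", name);
	hash_file = xasprintf(hash_template, pkgname, (long long)size);
	free(pkgname);

	/*
	 * First pass: one hash line per sizeof(block) bytes.  The last
	 * block is whatever remains, which is a full block when size is an
	 * exact multiple of sizeof(block); the former size % sizeof(block)
	 * turned that case into a zero-length read that never advanced i.
	 */
	for (i = 0; i < size; i += block_len) {
		if (size - i < (off_t)sizeof(block))
			block_len = (size_t)(size - i);
		else
			block_len = sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		hash_block(block, block_len, hash);
		tmp = xasprintf("%s%s\n", hash_file, hash);
		free(hash_file);
		hash_file = tmp;
	}
	tmp = xasprintf("%s%s", hash_file, hash_trailer);
	free(hash_file);
	hash_file = tmp;

	if (easy_pkcs7_sign(hash_file, strlen(hash_file), &signature_file,
	    &signature_len, key_file, cert_file))
		err(EXIT_FAILURE, "Cannot sign hash file");

	/* The second pass re-reads the package from the start. */
	if (lseek(fd, 0, SEEK_SET) != 0)
		err(EXIT_FAILURE, "Cannot seek in %s", name);

	sign_entry = archive_entry_clone(entry);
	hash_entry = archive_entry_clone(entry);
	pkgname = strrchr(name, '/');
	archive_entry_set_pathname(entry, pkgname != NULL ? pkgname + 1 : name);
	archive_entry_set_pathname(hash_entry, HASH_FNAME);
	archive_entry_set_pathname(sign_entry, SIGNATURE_FNAME);
	archive_entry_set_size(hash_entry, strlen(hash_file));
	archive_entry_set_size(sign_entry, signature_len);

	/*
	 * Every write is checked: an unnoticed ENOSPC or I/O error would
	 * otherwise leave a silently truncated output file.  ARCHIVE_WARN
	 * is tolerated, ARCHIVE_FAILED/ARCHIVE_FATAL are not.
	 */
	pkg = archive_write_new();
	archive_write_set_format_ar_bsd(pkg);
	if (archive_write_open_filename(pkg, output) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot open %s: %s", output,
		    archive_error_string(pkg));

	if (archive_write_header(pkg, hash_entry) < ARCHIVE_WARN ||
	    archive_write_data(pkg, hash_file, strlen(hash_file)) !=
	    (ssize_t)strlen(hash_file) ||
	    archive_write_finish_entry(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot write %s to %s: %s", HASH_FNAME,
		    output, archive_error_string(pkg));
	archive_entry_free(hash_entry);

	if (archive_write_header(pkg, sign_entry) < ARCHIVE_WARN ||
	    archive_write_data(pkg, signature_file, signature_len) !=
	    (ssize_t)signature_len ||
	    archive_write_finish_entry(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot write %s to %s: %s",
		    SIGNATURE_FNAME, output, archive_error_string(pkg));
	archive_entry_free(sign_entry);

	if (archive_write_header(pkg, entry) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot write package header to %s: %s",
		    output, archive_error_string(pkg));

	/* Second pass: copy the package body, same block layout as above. */
	for (i = 0; i < size; i += block_len) {
		if (size - i < (off_t)sizeof(block))
			block_len = (size_t)(size - i);
		else
			block_len = sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		if (archive_write_data(pkg, block, block_len) !=
		    (ssize_t)block_len)
			errx(EXIT_FAILURE, "Cannot write package data to %s: %s",
			    output, archive_error_string(pkg));
	}
	if (archive_write_finish_entry(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot finish package data in %s: %s",
		    output, archive_error_string(pkg));
	archive_entry_free(entry);

	/* Close flushes the archive; only a clean close means a complete file. */
	if (archive_write_close(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot finish %s: %s", output,
		    archive_error_string(pkg));
	archive_write_free(pkg);

	close(fd);

	/* The caller never regains control: signing ends the process. */
	exit(0);
}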
613 #endif
614 
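/*
 * Sign the binary package `name' with GPG and write `output': an ar
 * archive holding +PKG_HASH (hash_template, one SHA512 per block,
 * hash_trailer), +PKG_GPG_SIGNATURE (the detached signature over
 * +PKG_HASH made with gpg_keyring_sign/gpg_sign_as) and the package
 * itself.  Exits the process: 0 on success, non-zero via err()/errx() on
 * any failure.
 */
void
pkg_sign_gpg(const char *name, const char *output)
{
	struct archive *pkg;
	struct archive_entry *entry, *hash_entry, *sign_entry;
	int fd;
	struct stat sb;
	char *hash_file, *signature_file, *tmp, *pkgname, hash[SHA512_DIGEST_STRING_LENGTH];
	unsigned char block[65536];
	off_t i, size;
	size_t block_len, signature_len;

	if ((fd = open(name, O_RDONLY)) == -1)
		err(EXIT_FAILURE, "Cannot open binary package %s", name);
	if (fstat(fd, &sb) == -1)
		err(EXIT_FAILURE, "Cannot stat %s", name);

	entry = archive_entry_new();
	archive_entry_copy_stat(entry, &sb);
	size = archive_entry_size(entry);

	/*
	 * extract_pkgname() returns NULL for an unreadable or nameless
	 * package; handing that to %s would sign a hash file carrying a
	 * bogus name instead of failing.
	 */
	pkgname = extract_pkgname(fd);
	if (pkgname == NULL)
		errx(EXIT_FAILURE, "Cannot determine package name of %s", name);
	hash_file = xasprintf(hash_template, pkgname, (long long)size);
	free(pkgname);

	/*
	 * First pass: one hash line per sizeof(block) bytes.  The last
	 * block is whatever remains, which is a full block when size is an
	 * exact multiple of sizeof(block); the former size % sizeof(block)
	 * turned that case into a zero-length read that never advanced i.
	 */
	for (i = 0; i < size; i += block_len) {
		if (size - i < (off_t)sizeof(block))
			block_len = (size_t)(size - i);
		else
			block_len = sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		hash_block(block, block_len, hash);
		tmp = xasprintf("%s%s\n", hash_file, hash);
		free(hash_file);
		hash_file = tmp;
	}
	tmp = xasprintf("%s%s", hash_file, hash_trailer);
	free(hash_file);
	hash_file = tmp;

	if (detached_gpg_sign(hash_file, strlen(hash_file), &signature_file,
	    &signature_len, gpg_keyring_sign, gpg_sign_as))
		err(EXIT_FAILURE, "Cannot sign hash file");

	/* The second pass re-reads the package from the start. */
	if (lseek(fd, 0, SEEK_SET) != 0)
		err(EXIT_FAILURE, "Cannot seek in %s", name);

	sign_entry = archive_entry_clone(entry);
	hash_entry = archive_entry_clone(entry);
	pkgname = strrchr(name, '/');
	archive_entry_set_pathname(entry, pkgname != NULL ? pkgname + 1 : name);
	archive_entry_set_pathname(hash_entry, HASH_FNAME);
	archive_entry_set_pathname(sign_entry, GPG_SIGNATURE_FNAME);
	archive_entry_set_size(hash_entry, strlen(hash_file));
	archive_entry_set_size(sign_entry, signature_len);

	/*
	 * Every write is checked: an unnoticed ENOSPC or I/O error would
	 * otherwise leave a silently truncated output file.  ARCHIVE_WARN
	 * is tolerated, ARCHIVE_FAILED/ARCHIVE_FATAL are not.
	 */
	pkg = archive_write_new();
	archive_write_set_format_ar_bsd(pkg);
	if (archive_write_open_filename(pkg, output) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot open %s: %s", output,
		    archive_error_string(pkg));

	if (archive_write_header(pkg, hash_entry) < ARCHIVE_WARN ||
	    archive_write_data(pkg, hash_file, strlen(hash_file)) !=
	    (ssize_t)strlen(hash_file) ||
	    archive_write_finish_entry(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot write %s to %s: %s", HASH_FNAME,
		    output, archive_error_string(pkg));
	archive_entry_free(hash_entry);

	if (archive_write_header(pkg, sign_entry) < ARCHIVE_WARN ||
	    archive_write_data(pkg, signature_file, signature_len) !=
	    (ssize_t)signature_len ||
	    archive_write_finish_entry(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot write %s to %s: %s",
		    GPG_SIGNATURE_FNAME, output, archive_error_string(pkg));
	archive_entry_free(sign_entry);

	if (archive_write_header(pkg, entry) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot write package header to %s: %s",
		    output, archive_error_string(pkg));

	/* Second pass: copy the package body, same block layout as above. */
	for (i = 0; i < size; i += block_len) {
		if (size - i < (off_t)sizeof(block))
			block_len = (size_t)(size - i);
		else
			block_len = sizeof(block);
		if (read(fd, block, block_len) != (ssize_t)block_len)
			err(2, "short read");
		if (archive_write_data(pkg, block, block_len) !=
		    (ssize_t)block_len)
			errx(EXIT_FAILURE, "Cannot write package data to %s: %s",
			    output, archive_error_string(pkg));
	}
	if (archive_write_finish_entry(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot finish package data in %s: %s",
		    output, archive_error_string(pkg));
	archive_entry_free(entry);

	/* Close flushes the archive; only a clean close means a complete file. */
	if (archive_write_close(pkg) < ARCHIVE_WARN)
		errx(EXIT_FAILURE, "Cannot finish %s: %s", output,
		    archive_error_string(pkg));
	archive_write_free(pkg);

	close(fd);

	/* The caller never regains control: signing ends the process. */
	exit(0);
}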
706