fix(signing): enforce binary data signing for valid RPM signatures

atomicturtle · atomicturtle · commit 7e3bebd7013d · 2026-01-07T09:58:49.000-05:00
- Update signing_engine.py to sign bytes instead of hash strings
- Update oracle-service.py to require base64 'data' field
- Fixes invalid RPM signature generation
- Adds verification test script

Signed-off-by: Scott R. Shinn &lt;scott@atomicorp.com&gt;
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 NAME = chelon
 VERSION = 1.0.0
-RELEASE = 1
+RELEASE = 2
 
 .PHONY: all clean srpm rpm
 
diff --git a/chelon.spec b/chelon.spec
@@ -1,6 +1,6 @@
 Name:           chelon
 Version:        1.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Remote GPG package signing service (Chelon)
 
 License:        GPL-2.0-or-later
diff --git a/server/oracle-service.py b/server/oracle-service.py
@@ -101,14 +101,10 @@ def _handle_signing(operation):
             data_id = f"raw_data:{len(sign_target)}b"
         except Exception as e:
             return jsonify({'error': f'Invalid Base64 data: {e}'}), 400
-    elif package_hash:
-        sign_target = package_hash
-        data_id = package_hash
-    elif repodata_hash:
-        sign_target = repodata_hash
-        data_id = repodata_hash
+    elif package_hash or repodata_hash:
+        return jsonify({'error': 'Signing by hash is deprecated. Please provide base64 encoded "data".'}), 400
     else:
-        return jsonify({'error': 'Missing signing target (data, package_hash, or repodata_hash)'}), 400
+        return jsonify({'error': 'Missing "data" field (base64 encoded content required)'}), 400
     
     # Sign the data
     try:
diff --git a/server/signing_engine.py b/server/signing_engine.py
@@ -46,12 +46,12 @@ def list_keys(self) -> List[Dict]:
                 })
         return keys
     
-    def sign_data(self, data_hash: str, key_type: str, passphrase: str = None) -> str:
+    def sign_data(self, data: bytes, key_type: str, passphrase: str = None) -> str:
         """
         Sign data using specified key
         
         Args:
-            data_hash: Hash of data to sign (e.g., "sha256:abc123...")
+            data: Raw data to sign (bytes)
             key_type: Type of key to use ('legacy' or 'modern')
             passphrase: GPG key passphrase
         
@@ -62,9 +62,9 @@ def sign_data(self, data_hash: str, key_type: str, passphrase: str = None) -> st
         
         logger.info(f"Signing data with {key_type} key ({key_id})")
         
-        # Sign the hash
+        # Sign the data
         signed = self.gpg.sign(
-            data_hash,
+            data,
             keyid=key_id,
             passphrase=passphrase,
             detach=True,
diff --git a/tests/test_signing_fix.py b/tests/test_signing_fix.py
@@ -0,0 +1,74 @@
+
+import sys
+import os
+import shutil
+import tempfile
+import unittest
+from unittest.mock import patch, MagicMock
+
+# Add server to path
+sys.path.insert(0, '/usr/share/chelon/server')
+
+from signing_engine import SigningEngine
+import gnupg
+
+class TestSigningFix(unittest.TestCase):
+    def setUp(self):
+        self.temp_dir = tempfile.mkdtemp()
+        self.gpg_home = os.path.join(self.temp_dir, '.gnupg')
+        os.makedirs(self.gpg_home, mode=0o700)
+        self.gpg = gnupg.GPG(gnupghome=self.gpg_home)
+        
+        # Generate a key
+        input_data = self.gpg.gen_key_input(
+            key_type="RSA",
+            key_length=1024,
+            name_real="Test Key",
+            name_email="test@example.com",
+            no_protection=True
+        )
+        self.key = self.gpg.gen_key(input_data)
+        self.key_id = self.key.fingerprint[-8:] # Get short ID
+        
+        print(f"Generated test key: {self.key_id}")
+
+    def tearDown(self):
+        shutil.rmtree(self.temp_dir)
+
+    def test_sign_binary_data(self):
+        engine = SigningEngine(gnupg_home=self.gpg_home)
+        
+        # Monkeypatch keys to use our test key
+        with patch.dict(engine.KEYS, {'modern': self.key_id, 'legacy': '00000000'}, clear=True):
+            data = b"Hello, World! This is binary data."
+            
+            # Sign
+            signature = engine.sign_data(data, 'modern')
+            
+            print(f"Signature generated:\n{signature}")
+            
+            # Write sig and data to temp files for robust verification
+            sig_path = os.path.join(self.temp_dir, 'sig.asc')
+            data_path = os.path.join(self.temp_dir, 'data.bin')
+            
+            with open(sig_path, 'w') as f:
+                f.write(signature)
+            with open(data_path, 'wb') as f:
+                f.write(data)
+                
+            # Verify using file-based method
+            with open(sig_path, 'rb') as f:
+                verified = self.gpg.verify_file(f, data_path)
+            
+            if not verified.valid:
+                print(f"Verification failed!")
+                print(f"Status: {verified.status}")
+                print(f"Problems: {verified.problems}")
+                print(f"Stderr:\n{verified.stderr}")
+            self.assertTrue(verified.valid)
+            self.assertEqual(verified.key_id, self.key.fingerprint[-16:]) # python-gnupg returns 16 char ID often
+            
+            print("Verification successful!")
+
+if __name__ == '__main__':
+    unittest.main()
