From 2e58e8b7d92c7b2f376a6bbcf50ebdb3412a63b6 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Mon, 13 Jul 2009 08:44:27 -0500 Subject: add rpmbuild-md5 so that srpms can easily be made for oldstyle hases to do scratch builds on old distros from newer ones --- ChangeLog | 3 +- Makefile.am | 9 ++++- NEWS | 3 ++ README | 1 + configure.ac | 2 +- src/fedora-cert.py | 77 +++++++++++++++++++++++++----------- src/lib/fedora-cert.py | 104 +++++++++++++++++++++++++++++++++++++++++++++++++ src/rpmbuild-md5 | 2 + 8 files changed, 175 insertions(+), 26 deletions(-) create mode 100644 src/lib/fedora-cert.py create mode 100644 src/rpmbuild-md5 diff --git a/ChangeLog b/ChangeLog index 9d38cfd..4109a14 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ -* Dennis Gilmore - 0.4.0 +* Dennis Gilmore - 0.3.5 - script for doing svn checkouts +- add rpmbuild-md5 - download usercerts * Dennis Gilmore - 0.3.1 - allow annonymouse cvs checkouts diff --git a/Makefile.am b/Makefile.am index d068c70..f694402 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,6 +1,6 @@ -bin_SCRIPTS = fedora-cvs fedora-packager-setup fedoradev-pkgowners fedora-cert fedora-getsvn +bin_SCRIPTS = fedora-cvs fedora-packager-setup fedoradev-pkgowners fedora-cert fedora-getsvn rpmbuild-md5 CLEANFILES = $(bin_SCRIPTS) -EXTRA_DIST = src/fedora-cvs.py src/fedora-packager-setup.py src/fedoradev-pkgowners src/fedora-cert.py src/fedora-getsvn +EXTRA_DIST = src/fedora-cvs.py src/fedora-packager-setup.py src/fedoradev-pkgowners src/fedora-cert.py src/fedora-getsvn src/rpmbuild-md5 fedora-cvs: $(srcdir)/src/fedora-cvs.py rm -f fedora-cvs @@ -26,3 +26,8 @@ fedora-getsvn: $(srcdir)/src/fedora-getsvn rm -f fedora-getsvn cp -p $(srcdir)/src/fedora-getsvn fedora-getsvn chmod ugo+x fedora-getsvn + +rpmbuild-md5: $(srcdir)/src/rpmbuild-md5 + rm -f rpmbuild-md5 + cp -p $(srcdir)/src/rpmbuild-md5 rpmbuild-md5 + chmod ugo+x rpmbuild-md5 diff --git a/NEWS b/NEWS index 2b886b6..6dd9604 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,6 @@ +Jul 13 2009 +add rpmbuild-md5 it creates rpms with old style hashes + Jun 21 2009 add hppa configs. fix bug in fedora-packager-setup trying to unlink non existant file diff --git a/README b/README index e69de29..6db691f 100644 --- a/README +++ b/README @@ -0,0 +1 @@ +Added a wrapper for old style hashes in rpm rpmbuild-md5 diff --git a/configure.ac b/configure.ac index dad94fe..30cb903 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([fedora-packager], [0.3.4]) +AC_INIT([fedora-packager], [0.3.5]) AM_INIT_AUTOMAKE([dist-bzip2 no-dist-gzip]) AC_PATH_PROGS(PYTHON, python) AC_PATH_PROGS(BASH, sh bash) diff --git a/src/fedora-cert.py b/src/fedora-cert.py index 8d8223f..dc4b6d3 100755 --- a/src/fedora-cert.py +++ b/src/fedora-cert.py 
@@ -3,41 +3,72 @@ import optparse import os import sys import getpass -from fedora.accounts.fas2 import AccountSystem -from fedora.accounts.fas2 import CLAError -from fedora.tg.client import AuthError, ServerError +from fedora.client.fas2 import AccountSystem +from fedora.client.fas2 import CLAError +from fedora.client import AuthError, ServerError from OpenSSL import crypto +import urlgrabber -def read_cert_user(): - """ - Figure out the Fedora user name from ~/.fedora.cert +def _open_cert(): + """ + Read in the certificate so we dont duplicate the code """ - # Make sure we can even read the thing. + # Make sure we can even read the thing. cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert") if not os.access(cert_file, os.R_OK): print "!!! cannot read your ~/.fedora.cert file !!!" print "!!! Ensure the file is readable and try again !!!" sys.exit(1) - FILE = open(cert_file) - my_buf = FILE.read() - FILE.close() - my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, my_buf) + raw_cert = open(cert_file).read() + my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert) + return my_cert + +def verify_cert(): + """ + Check that the user cert is valid. 
+ things to check/return + not revoked + Expiry time warn if less than 21 days + """ + my_cert = _open_cert() + serial_no = my_cert.get_serial_number() + valid_until = my_cert.get_notAfter() + crl = urlgrabber.urlread("https://admin.fedoraproject.org/ca/crl.pem") + + +def certificate_expired(): + """ + Check to see if ~/.fedora.cert is expired + Returns True or False + + """ + my_cert = _open_cert() + + if my_cert.has_expired(): + return True + else: + return False + +def read_user_cert(): + """ + Figure out the Fedora user name from ~/.fedora.cert + + """ + my_cert = _open_cert() subject = str(my_cert.get_subject()) subject_line = subject.split("CN=") cn_parts = subject_line[1].split("/") username = cn_parts[0] - - if my_cert.has_expired(): + if certificate_expired(): print "Certificate expired; Lets get a new one." create_user_cert(username) return username - def create_user_cert(username): - if not username is None: + if not username: username = raw_input('FAS Username: ') password = getpass.getpass('FAS Password: ') try: @@ -56,7 +87,9 @@ def create_user_cert(username): sys.exit(1) cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert") if not os.access(cert_file, os.W_OK): - print "Can not open cert file for writing" + print """Can not open cert file for writing. +Please paste certificate into ~/.fedora.cert""" + print cert sys.exit(1) else: @@ -77,7 +110,7 @@ def main(opts): else: username = opts.username #has cert expired? do we force a new cert? get a new one - if opts.new_cert: + if opts.newcert: print "Getting a new User Certificate" create_user_cert(username) sys.exit(0) 
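Review bot: `verify_cert()` reads the serial number and `notAfter` and downloads the CRL, but it never parses the CRL, compares anything, or returns a value. It therefore cannot report a revoked or soon-to-expire certificate, despite what its docstring lists. Until the checks exist, make that explicit so no caller treats a normal return as success, e.g. end the body with `raise NotImplementedError("CRL and expiry checks not implemented")`. When the check is written, the CRL's signature should be validated against the Fedora CA before its entries are trusted, and a failed download should count as a failed verification rather than a pass. Separately, `_open_cert()` never closes the handle from `open(cert_file).read()`.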
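Review bot: The `os.access(cert_file, os.W_OK)` test is false when ~/.fedora.cert does not exist yet, so a first-time user always reaches the branch that now prints the certificate to the terminal. If the blob returned by `fas.user_gencert()` carries the private key (not visible here), that leaves credential material in scrollback and any captured output. I would drop the access check and create the file directly with owner-only permissions, reporting the OSError if that fails. The write in the `else:` branch lies outside this hunk, and the same code appears in the new src/lib/fedora-cert.py.

```python
cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert")
try:
    # O_CREAT with 0600 keeps a newly created file private to the owner
    fd = os.open(cert_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
except OSError, err:
    print "Can not open %s for writing: %s" % (cert_file, err)
    sys.exit(1)
# the mode above is ignored for a pre-existing file (os.fchmod needs Python 2.6)
os.fchmod(fd, 0600)
cert_fh = os.fdopen(fd, "w")
cert_fh.write(cert)
cert_fh.close()
```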
@@ -85,19 +118,19 @@ def main(opts): print "Certificate has expired, getting a new one" create_user_cert(username) sys.exit(0) - if opts.verify-cert: + if opts.verifycert: print "Verifying Certificate" if __name__ == '__main__': opt_p = optparse.OptionParser(usage="%prog [OPTIONS] ") opt_p.add_option('-u', '--username', action='store_true', dest='username', - help="FAS Username.") + default=False, help="FAS Username.") opt_p.add_option('-n', '--new-cert', action='store_true', dest='newcert', - help="Generate a new Fedora Certificate.") + default=False, help="Generate a new Fedora Certificate.") opt_p.add_option('-v', '--verify-cert', action='store_true', dest='verifycert', - help="Verify Certificate.") + default=False, help="Verify Certificate.") - opts = opt_p.parse_args() + (opts, args) = opt_p.parse_args() main(opts) diff --git a/src/lib/fedora-cert.py b/src/lib/fedora-cert.py new file mode 100644 index 0000000..21cea9d --- /dev/null +++ b/src/lib/fedora-cert.py 
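Review bot: `--username` is still declared with `action='store_true'`, so `opts.username` is a boolean and main() hands `True` to `create_user_cert()` as the account name instead of the name the user typed. Adding `default=False` does not change that. Declare it as a value option: `opt_p.add_option('-u', '--username', action='store', dest='username', default=None, help="FAS Username.")`. Also in this hunk, the `opts.verifycert` branch only prints "Verifying Certificate" and never calls `verify_cert()`, so `-v` reports nothing about the certificate. main() starts outside the hunk.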
@@ -0,0 +1,104 @@ +#!/usr/bin/python +import optparse +import os +import sys +import getpass +from fedora.client.fas2 import AccountSystem +from fedora.client.fas2 import CLAError +from fedora.client import AuthError, ServerError +from OpenSSL import crypto + +def read_cert_user(): + """ + Figure out the Fedora user name from ~/.fedora.cert + + """ + # Make sure we can even read the thing. + cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert") + if not os.access(cert_file, os.R_OK): + print "!!! cannot read your ~/.fedora.cert file !!!" + print "!!! Ensure the file is readable and try again !!!" + sys.exit(1) + FILE = open(cert_file) + my_buf = FILE.read() + FILE.close() + my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, my_buf) + + subject = str(my_cert.get_subject()) + subject_line = subject.split("CN=") + cn_parts = subject_line[1].split("/") + username = cn_parts[0] + + if my_cert.has_expired(): + print "Certificate expired; Lets get a new one." + create_user_cert(username) + + return username + + +def create_user_cert(username): + if not username is None: + username = raw_input('FAS Username: ') + password = getpass.getpass('FAS Password: ') + try: + fas = AccountSystem('https://admin.fedoraproject.org/', username, password) + except AuthError: + print "Invalid username/password." + sys.exit(1) + + try: + cert = fas.user_gencert() + fas.logout() + except CLAError: + print "You must sign the CLA before you can generate your certificate.\n" \ + "To do this, go to https://admin.fedoraproject.org/accounts/cla/" + fas.logout() + sys.exit(1) + cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert") + if not os.access(cert_file, os.W_OK): + print "Can not open cert file for writing" + print cert + sys.exit(1) + else: + FILE = open(cert_file,"w") + FILE.write(cert) + FILE.close() + +def main(opts): + # lets read in the existing cert if it exists. 
+ # gets us existing acc info + print opts + if not opts.username: + try: + username = read_user_cert() + except : + print "Can't determine fas name, lets get a new cert" + create_user_cert(None) + sys.exit(0) + else: + username = opts.username + #has cert expired? do we force a new cert? get a new one + if opts.new_cert: + print "Getting a new User Certificate" + create_user_cert(username) + sys.exit(0) + if certificate_expired(): + print "Certificate has expired, getting a new one" + create_user_cert(username) + sys.exit(0) + if opts.verify-cert: + print "Verifying Certificate" + + +if __name__ == '__main__': + opt_p = optparse.OptionParser(usage="%prog [OPTIONS] ") + opt_p.add_option('-u', '--username', action='store_true', dest='username', + default=False, help="FAS Username.") + opt_p.add_option('-n', '--new-cert', action='store_true', dest='newcert', + help="Generate a new Fedora Certificate.") + opt_p.add_option('-v', '--verify-cert', action='store_true', dest='verifycert', + help="Verify Certificate.") + + opts = opt_p.parse_args() + + main(opts) diff --git a/src/rpmbuild-md5 b/src/rpmbuild-md5 new file mode 100644 index 0000000..11fdb21 --- /dev/null +++ b/src/rpmbuild-md5 @@ -0,0 +1,2 @@ +#!/bin/bash +rpmbuild --define "_source_filedigest_algorithm md5" --define "_binary_filedigest_algorithm md5" $@ -- cgit
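Review bot: The new src/lib/fedora-cert.py is added with the defects this same commit fixes in src/fedora-cert.py. `if not username is None:` prompts only when a name was supplied, `opts.new_cert` does not match `dest='newcert'`, `opts.verify-cert` parses as a subtraction, and `opts = opt_p.parse_args()` binds the (options, args) tuple. main() also calls `read_user_cert()` and `certificate_expired()`, which this file does not define (it defines `read_cert_user()`), and the bare `except :` around that call turns the resulting NameError into a silent request for a new certificate. I would either drop the copy or regenerate it from the fixed script, narrow the handler to the exceptions the certificate read can raise, and remove the leftover `print opts`.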
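Review bot: `$@` is unquoted in src/rpmbuild-md5, so any argument containing spaces or glob characters (a spec path, a `--define "name value"` pair) is re-split and expanded by the shell before rpmbuild sees it. Use `"$@"`, and `exec` avoids leaving the wrapper shell around: `exec rpmbuild --define "_source_filedigest_algorithm md5" --define "_binary_filedigest_algorithm md5" "$@"`. A short header comment would also help, stating that the MD5 file digests exist for compatibility with older rpm versions and are not an integrity guarantee.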