-rw-r--r-- | Kconfig | 5 | ||||
-rw-r--r-- | lib/plugin/Kconfig | 29 | ||||
-rw-r--r-- | linux/.config | 10 | ||||
-rw-r--r-- | linux/makepkg/PKGBUILD | 39 | ||||
-rwxr-xr-x | tools/hexdump.py | 34 |
5 files changed, 104 insertions, 13 deletions
@@ -7,7 +7,10 @@ menu "Application"
 default ":/icons/poi.svg"
 endmenu
-source lib/configuration/Kconfig
+source 'lib/configuration/Kconfig'
+
+# Plugin loading
+source 'lib/plugin/Kconfig'
 config USEPLASMA
 bool "Enable KDE Frameworks integration"
diff --git a/lib/plugin/Kconfig b/lib/plugin/Kconfig
new file mode 100644
index 0000000..1de9403
--- /dev/null
+++ b/lib/plugin/Kconfig
@@ -0,0 +1,29 @@
+config USEPLUGINS
+ bool "Enable plugins"
+ default y
+
+menu "Plugin Settings"
+ depends on USEPLUGINS
+
+ choice PLUGIN_SIGNATURE_CHECK
+ bool "Plugin Signature enforcement"
+ default PLUGIN_SIGNATURE_CHECKED
+
+ config PLUGIN_SIGNATURE_IGNORED
+ bool "Don't check plugin signatures"
+
+ config PLUGIN_SIGNATURE_NONFATAL
+ bool "Check signature validity, but always load plugins"
+
+ config PLUGIN_SIGNATURE_CHECKED
+ bool "Don't load plugins with invalid signatures"
+
+ config PLUGIN_SIGNATURE_ENFORCED
+ bool "Only load plugins with valid signatures"
+
+ endchoice
+
+ config PLUGIN_SIGNATURE_HASH
+ string "Hashing algorithm used by the signature"
+ default "SHA256"
+endmenu
diff --git a/linux/.config b/linux/.config
index b483d41..6ba6018 100644
--- a/linux/.config
+++ b/linux/.config
@@ -70,6 +70,16 @@ CONFIG_PROFILE_DEFAULT=""
 CONFIG_PROFILE_DEFAULT_SEARCH="https://duckduckgo.com/?q=%1&ia=web"
 CONFIG_PROFILE_DEFAULT_HOMEPAGE="about:blank"
 CONFIG_PROFILE_DEFAULT_NEWTAB="about:blank"
+CONFIG_USEPLUGINS=y
+
+#
+# Plugin Settings
+#
+# CONFIG_PLUGIN_SIGNATURE_IGNORED is not set
+# CONFIG_PLUGIN_SIGNATURE_NONFATAL is not set
+CONFIG_PLUGIN_SIGNATURE_CHECKED=y
+# CONFIG_PLUGIN_SIGNATURE_ENFORCED is not set
+CONFIG_PLUGIN_SIGNATURE_HASH="SHA256"
 # CONFIG_USEPLASMA is not set
 # CONFIG_USEBREAKPAD is not set
diff --git a/linux/makepkg/PKGBUILD b/linux/makepkg/PKGBUILD
index 3907ff8..badf319 100644
--- a/linux/makepkg/PKGBUILD
+++ b/linux/makepkg/PKGBUILD
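Review bot: The four `PLUGIN_SIGNATURE_*` entries in the new lib/plugin/Kconfig have no `help` text, so the difference between `PLUGIN_SIGNATURE_CHECKED` (the default) and `PLUGIN_SIGNATURE_ENFORCED` is only implied by the prompts. If CHECKED still loads a plugin that has no signature at all, as its wording suggests, the default gives no protection against an unsigned plugin placed in the plugin directory. That should be stated, e.g. a `help` line under CHECKED reading `Plugins without a signature file are still loaded; select ENFORCED to require one.` `PLUGIN_SIGNATURE_HASH` is a free-form string while the packaging script in this commit signs with a fixed `-sha256`, so a `choice` of supported digests, or a help note that it must match the signing step, would keep the two from drifting apart.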
@@ -26,6 +26,18 @@ sha512sums=('SKIP'
 #validgpgkeys=(# Aqua-sama <aqua@iserlohn-fortress.net> # BB1C090188E3E32B375C13FD095DE26BC16D2E98)
+## Build Options
+
+# Run menuconfig
+#_menuconfig=
+
+# Enable plugin signing:
+# - generate a 4096-bit RSA key and embed the public key into the binary
+# - apply the plugin signing patch to the config, enabling PluginLoader::verify
+# - sign the plugins with the private key, and install the signatures
+# Because this embeds the public key into the executable, enabling this option will break reproducible builds.
+_signPlugins=
+
 prepare() {
 cd $srcdir/smolbote
@@ -33,16 +45,18 @@ prepare() {
 git config submodule.3rd-party/SingleApplication/SingleApplication.git.url $srcdir/SingleApplication
 git submodule update 3rd-party/SingleApplication/SingleApplication.git
- msg "Creating OpenSSL signing key"
- mkdir $srcdir/signing
- cd $srcdir/signing
- # generate rsa keypair
- openssl genrsa -out privateKey.pem 4096
- msg2 "RSA/4096 key created in $srcdir/signing/privateKey.pem. Keep this key if you want to sign additional plugins."
-
- openssl rsa -in privateKey.pem -pubout -out publicKey.pem
- xxd -i publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h
- msg2 "Public key exported, and will be embedded into the resulting application. This will break reproducible builds."
+ if [ -n $_signPlugins ]; then
+ msg "Creating OpenSSL signing key"
+ mkdir $srcdir/signing
+ cd $srcdir/signing
+ # generate rsa keypair
+ openssl genrsa -out privateKey.pem 4096
+ msg2 "Keypair written to $srcdir/signing/privateKey.pem."
+
+ openssl rsa -in privateKey.pem -pubout -out publicKey.pem
+ ./tools/hexdump.py --name='publicKey_pem' publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h
+ msg2 "Public key exported to $srcdir/signing/publicKey.pem."
+ fi
 }
 pkgver() {
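Review bot: `if [ -n $_signPlugins ]` in prepare() is true even when the variable is empty, because the unquoted expansion vanishes and `[ -n ]` tests the literal string `-n`; with the default `_signPlugins=` the key is still generated. Quote it: `if [ -n "$_signPlugins" ]; then`. Inside the branch the script has already run `cd $srcdir/signing`, so `./tools/hexdump.py` is looked up under the signing directory and probably needs to be `$srcdir/smolbote/tools/hexdump.py`. The private key is written unencrypted under `$srcdir`, and the new message no longer tells the packager to keep it, so a comment saying who retains or destroys `privateKey.pem` after the build would help. The body of prepare() starts above this hunk.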
@@ -71,7 +85,7 @@ build() {
 # b_lto: Use link time optimization
 meson --buildtype=plain --prefix=/usr/local --auto-features=disabled \
 -Db_pie=true -Db_lto=true -Dcpp_link_args="-fuse-ld=gold" \
- -DPlasma=enabled -Dmanpage=enabled \
+ -Dmanpage=enabled \
 $srcdir/build
 # Run menuconfig
@@ -87,9 +101,10 @@ package() {
 cd $srcdir/build
 DESTDIR="$pkgdir" ninja install
- msg Signing plugins
+ msg "Signing plugins"
 for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do
 openssl dgst -sha256 -sign $srcdir/signing/privateKey.pem -out $so.sig $so
+ install -m644 $so.sig $pkgdir/usr/lib/smolbote/plugins/$so.sig
 done
 }
diff --git a/tools/hexdump.py b/tools/hexdump.py
new file mode 100755
index 0000000..f79fc5f
--- /dev/null
+++ b/tools/hexdump.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+
+import argparse
+from functools import partial
+
+parser = argparse.ArgumentParser(description='Convert a file to C array')
+parser.add_argument('input', type=str, help='Input file')
+parser.add_argument('output', type=str, help='Output file')
+parser.add_argument('--array-type', type=str, default='const unsigned char', help='Array type')
+parser.add_argument('--length-type', type=str, default='const unsigned int', help='Length type')
+parser.add_argument('--name', type=str, default='a', help='Array name')
+
+args=parser.parse_args()
+
+print("{} {}[] = {{".format(args.array_type, args.name))
+
+n = 0
+
+with open(args.input, "rb") as in_file:
+ for c in iter(partial(in_file.read, 1), b''):
+ if n % 16 == 0:
+ print(" ", end='')
+
+ print("0x%02X," % ord(c), end='')
+
+ n += 1
+ if n % 16 == 0:
+ print("")
+ else:
+ print(" ", end='')
+
+print("\n};")
+print("{} {}_len = {};".format(args.length_type, args.name, n))
+
|
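Review bot: The added `install -m644 $so.sig $pkgdir/usr/lib/smolbote/plugins/$so.sig` in package() builds its destination from `$so`, which is already the full `$pkgdir/usr/local/lib/...` path from the glob, and it targets `/usr/lib` while the plugins are installed under `/usr/local/lib`. `openssl dgst ... -out $so.sig` has already written the signature next to the plugin, so the line can be dropped or replaced with `chmod 644 "$so.sig"`. The loop is also not guarded by `_signPlugins`, so a build with signing disabled would look for a `privateKey.pem` that prepare() was not meant to create; wrapping it in `if [ -n "$_signPlugins" ]; then ... fi` keeps the two steps consistent. The digest is fixed to `-sha256` here regardless of `CONFIG_PLUGIN_SIGNATURE_HASH`. package() starts above the hunk.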
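Review bot: `output` is declared as a positional argument in tools/hexdump.py but never used, and every `print` goes to stdout. The PKGBUILD call that passes `publicKey.h` as the second argument therefore leaves that header unwritten, or stale from an earlier build, in which case the key compiled into the binary may not be the one that signed the plugins. Open `args.output` and write the array there. Reading the input once and slicing it into rows of 16 also replaces the byte-at-a-time `iter(partial(...))` loop and its trailing-space bookkeeping.

```python
# … unchanged: argparse setup …
args = parser.parse_args()

with open(args.input, "rb") as in_file:
    data = in_file.read()

rows = [
    "    " + " ".join("0x%02X," % b for b in data[i:i + 16])
    for i in range(0, len(data), 16)
]

with open(args.output, "w") as out_file:
    out_file.write("{} {}[] = {{\n".format(args.array_type, args.name))
    out_file.write("\n".join(rows))
    out_file.write("\n};\n")
    out_file.write("{} {}_len = {};\n".format(args.length_type, args.name, len(data)))
```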