Hello, I have some runnable pseudocode outlining a faster tree verification algorithm. Before I create patches I'd like to see if there is any guidance on making the changes as unobtrusive as possible. If the radical change in algorithm is acceptable I can work on adding the changes.
Instead of composing any kind of structured data out of the portage tree my algorithm just lists all files and then optionally batches them out to threads. There is a noticeable speedup by eliding the tree traversal operations which can be seen when running the algorithm with a single thread and comparing it to the current algorithm in gemato (which should still be discussed here?). Some simple tests like counting all objects traversed and verified returns the same(ish). Once it is put into portage it could be tested in detail. There is also my partial attempt at removing the brittle interface to GnuPG (it's not as if the current code is badly designed, just that parsing the output of GnuPG directly is likely not the best idea). Needs gemato, dnspython, and requests. Slightly better than random code because I took inspiration from the existing gemato classes. ```python (veriftree.py) #!/usr/bin/env python3 import os, sys, zlib, hashlib, tempfile, shutil, timeit import subprocess from typing import List from pprint import pprint from gemato.manifest import ( ManifestFile, ManifestFileEntry, ) from wkd import ( check_domain_signature, hash_localpart, build_web_key_uri, stream_to_file ) from fetchmedia import ( OpenPGPEnvironment, setup_verification_environment ) # 0. Top level directory (repository) contains Manifest, a PGP signature of # blake2b and sha512 hashes of Manifest.files.gz. # 1. Manifest.files contains hashes of each category Manifest.gz. # 2. The category Manifest contains hashes of each package Manifest. # 3. The package Manifest contains hashes of each package file. # Must be aware of PMS, e.g. aux tag specifies a file in files/. # 0. Check signature of repo Manifest. # 1. Merge items in Manifest.files, each category Manifest, and each package # Manifest into one big list. The path must be made absolute. # 2. Distribute items to threads. # To check operation compare directory tree to files appearing in all # ManifestRecords. class ManifestTree(object): __slots__ = ['_directory', '_manifest_list', '_manifest_records', '_manifest_results'] def __init__(self, directory: str): self._directory = directory # Tuples of (base_path, full_path). self._manifest_list = [] self._manifest_records = [] self._manifest_results = [] def build_manifest_list(self): for path, dirs, files in os.walk(self._directory): #if 'glsa' in path or 'news' in path: #if 'metadata' in path: # continue # Skip the metadata directory for now. # It contains a repository. Current algo barfs on Manifest # containing only sig. if 'Manifest.files.gz' in files: self._manifest_list += [(path, path + '/Manifest.files.gz')] if 'Manifest.gz' in files: self._manifest_list += [(path, path + '/Manifest.gz')] if path == self._directory: continue # Skip the repo manifest. Order matters, fix eventually. if 'Manifest' in files: self._manifest_list += [(path, path + '/Manifest')] def parse_manifests(self): td = tempfile.TemporaryDirectory(dir='./') for manifest in self._manifest_list: def inner(): if manifest[1].endswith('.gz'): name = 'Manifest.files' # Need to also handle Manifest.gz. path = '{0}/{1}'.format(td.name, name) subprocess.run(['sh', '-c', 'gunzip -c {0} > {1}' .format(manifest[1], path)]) for line in open(path): mr = ManifestRecord(line) mr.make_absolute(manifest[0]) self._manifest_records += [mr] else: for line in open(manifest[1]): if line.startswith('-'): return # Skip the signed manifest. mr = ManifestRecord(line) mr.make_absolute(manifest[0]) self._manifest_records += [mr] inner() def verify_manifests(self): for record in self._manifest_records: self._manifest_results += [record.verify()] class ManifestRecord(object): __slots__ = ['_tag', '_abs_path', '_path', '_size', '_hashes'] def __init__(self, line: str=None): self._tag = None self._abs_path = None self._path = None self._size = None self._hashes = [] if line: self.from_string(line) def from_string(self, line: str) -> None: parts = line.split() if len(parts) == 2: self._tag = 'ignore' return self._tag = parts[0] self._path = parts[1] self._size = parts[2] self._hashes = parts[3:] def make_absolute(self, abs_path: str) -> None: self._abs_path = abs_path try: pass #if 'md5-cache' in abs_path: # print(abs_path + '/' + self._path) except TypeError as exc: return def verify(self) -> bool: if self._tag == 'ignore': return None # Where is best place to do this? Before? if self._tag.lower() == 'aux': self._path = self._abs_path + '/files/' + self._path elif self._abs_path: self._path = self._abs_path + '/' + self._path # Distfiles will not be present. if self._tag.lower() == 'dist': return None if not os.path.exists(self._path): return False fd = open(self._path, 'rb') sha512 = hashlib.sha512() blake2b = hashlib.blake2b() while True: d = fd.read(8192) if not d: break sha512.update(d) blake2b.update(d) rsha512 = sha512.hexdigest() rblake2b = blake2b.hexdigest() if rblake2b != self._hashes[1]: return False if rsha512 != self._hashes[3]: return False return True def __repr__(self) -> str: #return repr(self._hashes) return '\t'.join([self._tag, self._size, self._path]) def main() -> int: # Step 0: verify the repo manifest. #publishers = ['infrastruct...@gentoo.org'] #ev = setup_verification_environment(publishers) #mf = ManifestFile() #mf.load(open('/var/db/repos/gentoo/Manifest'), # verify_openpgp=True, openpgp_env=ev) #pprint(mf) #pprint(mf.openpgp_signed) #pprint(mf.openpgp_signature) # Step 1: merge manifests. #mt = ManifestTree('/var/db/repos/gentoo') #mt.build_manifest_list() #mt.parse_manifests() #mt.verify_manifests() glsa = ManifestTree('/var/db/repos/gentoo') glsa.build_manifest_list() glsa.parse_manifests() start = timeit.default_timer() glsa.verify_manifests() end = timeit.default_timer() pprint(end - start) # Handled by checking for None. #no_ignore = filter(lambda x: x._tag != 'ignore', glsa_manifest_results) #pprint(glsa._manifest_results) real_files = [x for x in filter(lambda x: x is not None, glsa._manifest_results)] #pprint(real_files) pprint(len(glsa._manifest_results)) pprint(len(real_files)) all_files = [] for path, dirs, files in os.walk('/var/db/repos/gentoo'): pass return 0 if __name__ == '__main__': sys.exit(main()) ``` ```python (wkd.py, likely unneeded but I didn't want to redo these files yet) #!/usr/bin/env python3 import sys, hashlib import dns from dns import ( name, query, dnssec, message, resolver, rdatatype ) import shutil, requests def check_domain_signature(domain: str) -> bool: response = dns.resolver.query(domain, dns.rdatatype.NS) nsname = response.rrset[0] response = dns.resolver.query(str(nsname), dns.rdatatype.A) nsaddr = response.rrset[0].to_text() # DNSKEY request = dns.message.make_query(domain, dns.rdatatype.DNSKEY, want_dnssec=True) response = dns.query.udp(request, nsaddr) if response.rcode() != 0: raise Exception('Unable to request dnskey.') answer = response.answer if len(answer) != 2: raise Exception('Malformed answer to dnskey query.') name = dns.name.from_text(domain) try: dns.dnssec.validate(answer[0], answer[1], {name: answer[0]}) except dns.dnssec.ValidationFailure as exc: # Validation failed. The raise causes python to abort with status 1. #raise exc return False except AttributeError as exc: # Validation may have failed; DNSKEY missing signer attribute. dig may report # domain as valid. # # TODO: Additional state where subdomain of valid domain may fail with 3 nested # KeyErrors. Avoid temptation to wildcard catch. Safer to put in process? #raise exc return False else: return True def hash_localpart(incoming: bytes) -> str: '''Z-base32 the localpart of an e-mail address https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08#section-3.1 describes why this is needed. See https://tools.ietf.org/html/rfc6189#section-5.1.6 for a description of the z-base32 scheme. ''' zb32 = "ybndrfg8ejkmcpqxot1uwisza345h769" b = hashlib.sha1(incoming).digest() ret = "" assert(len(b) * 8 == 160) for i in range(0, 160, 5): byte = i // 8 offset = i - byte * 8 # offset | bits remaining in k+1 | right-shift k+1 # 3 | 0 | x # 4 | 1 | 7 # 5 | 2 | 6 # 6 | 3 | 5 # 7 | 4 | 4 if offset < 4: n = (b[byte] >> (3 - offset)) else: n = (b[byte] << (offset - 3)) + (b[byte + 1] >> (11 - offset)) ret += zb32[n & 0b11111] return ret def build_web_key_uri(address: str) -> str: local, remote = address.split('@') local = hash_localpart(local.encode('utf-8')) return 'https://' + remote + '/.well-known/openpgpkey/hu/' + \ local def stream_to_file(uri: str, fname: str) -> None: with requests.get(uri, verify=True, stream=True) as r: from pprint import pprint pprint(r.headers) with open(fname, 'wb') as f: shutil.copyfileobj(r.raw, f) ```