Hello community,

here is the log from the commit of package checkmedia for openSUSE:Factory checked in at 2019-07-26 12:24:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/checkmedia (Old)
 and      /work/SRC/openSUSE:Factory/.checkmedia.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkmedia" Fri Jul 26 12:24:12 2019 rev:32 rq:716036 version:5.2 Changes: -------- --- /work/SRC/openSUSE:Factory/checkmedia/checkmedia.changes 2018-12-03 10:09:22.499765243 +0100 +++ /work/SRC/openSUSE:Factory/.checkmedia.new.4126/checkmedia.changes 2019-07-26 12:24:22.610459810 +0200 @@ -1,0 +2,37 @@ +Wed Jul 17 11:46:06 UTC 2019 - [email protected] + +- merge gh#openSUSE/checkmedia#12 +- fix compat issue with older gcc +- 5.2 + +-------------------------------------------------------------------- +Wed Jul 17 10:03:51 UTC 2019 - [email protected] + +- merge gh#openSUSE/checkmedia#11 +- work also with older gpg versions +- 5.1 + +------------------------------------------------------------------- +Wed Jul 17 08:29:09 UTC 2019 - Jan Engelhardt <[email protected]> + +- Use noun phrase in summaries. +- Drop redundant ldconfig PreReq. + +-------------------------------------------------------------------- +Tue Jul 16 14:43:12 UTC 2019 - [email protected] + +- merge gh#openSUSE/checkmedia#10 +- add support for signed media (bsc#1139561) +- adjust tagmedia script +- update doc +- adjust test cases +- add links to signature magic value origins +- allow to set specific gpg key for signature verification +- rearrange data structure to provide some compatibility +- check for empty signature +- better error log +- added tests for signature verification +- signature test results reference +- 5.0 + +-------------------------------------------------------------------- Old: ---- checkmedia-4.1.tar.xz New: ---- checkmedia-5.2.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkmedia.spec ++++++ --- /var/tmp/diff_new_pack.saOiOz/_old 2019-07-26 12:24:23.258459543 +0200 +++ /var/tmp/diff_new_pack.saOiOz/_new 2019-07-26 12:24:23.266459540 +0200 
@@ -1,7 +1,7 @@ # # spec file for package checkmedia # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,25 +16,27 @@ # -%define libversion 4 - Name: checkmedia Summary: Check SUSE installation media License: GPL-3.0-or-later Group: System/Management -Version: 4.1 +Version: 5.2 Release: 0 Url: https://github.com/openSUSE/checkmedia Source: %{name}-%{version}.tar.xz +BuildRequires: gpg +BuildRequires: xz BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -Check SUSE installation media for errors. +The program checks SUSE installation media for errors. + +%define libversion %(echo %version | cut -d. -f1) %package -n libmediacheck%{libversion} Summary: Library for checking SUSE installation media Group: System/Libraries -PreReq: /sbin/ldconfig +Requires: gpg %description -n libmediacheck%{libversion} Library for checking SUSE installation media. Used by checkmedia and linuxrc. @@ -58,11 +60,11 @@ %install install -d -m 755 %{buildroot}/usr/bin -make install DESTDIR=%{buildroot} +%make_install -%post -n libmediacheck4 -p /sbin/ldconfig +%post -n libmediacheck%{libversion} -p /sbin/ldconfig -%postun -n libmediacheck4 -p /sbin/ldconfig +%postun -n libmediacheck%{libversion} -p /sbin/ldconfig %files %defattr(-,root,root) 
@@ -74,7 +76,11 @@ %{_libdir}/*.so.* %doc README.md %doc mediacheck.md +%if %suse_version >= 1500 +%license COPYING +%else %doc COPYING +%endif %files -n libmediacheck-devel %defattr(-,root,root) ++++++ checkmedia-4.1.tar.xz -> checkmedia-5.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/README.md new/checkmedia-5.2/README.md --- old/checkmedia-4.1/README.md 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/README.md 2019-07-17 13:46:06.000000000 +0200 
@@ -22,28 +22,58 @@ To avoid problems with isohybrid images, `checkmedia` also does not check the first 512 bytes of the iso image (isohybrid writes an MBR there). +If a signature block is present the block itself is also exluded from +digest calculation. + The actual verification process is done by a separate [libmediacheck](mediacheck.md) library. +## Signing media + +On the latest SUSE media the application_data block with the tags described +above can be signed. This allows checkmedia to ensure the media integrity by +also verifying this signature. + +For this, a tag 'signature' is added pointing to a 2 kiB block to be used +for the gpg signature of the 512 bytes application_data block. The tag is +automatically added during digest calculation (`tagmedia --digest`). But you need to +add the actual signature later. + +To create signed media, use `tagmedia --export-tags foo` to export the tag +block to file `foo`. Then create a detached signature with gpg (`foo.asc`) +and add the signature to the medium with `tagmedia --import-signature foo.asc`. + +For the verification, the public keys in `/usr/lib/rpm/gnupg/keys` are used. Or +specify the public gpg key to use with the `--key-file` option to checkmedia. + ## Examples +Calulate sha256 digest and store in `foo.iso`. Assume 150 sectors (of 2 kiB) padding in iso image: + ```sh tagmedia --digest sha256 --pad 150 foo.iso ``` -Calulate sha256 digest and store in `foo.iso`. Assume 150 sectors (of 2 kB) padding in iso image. +Verify signed Tumbleweed iso, with output: ```sh -checkmedia foo.iso +checkmedia openSUSE-Tumbleweed-NET-x86_64-Snapshot20190708-Media.iso + app: openSUSE-Tumbleweed-NET-x86_64-Build1406.1-Media + iso size: 132056 kB + pad: 300 kB + partition: start 4038 kB, size 128058 kB + checking: 100% + result: iso sha256 ok, partition sha256 ok + sha256: 62b15f25b231f22ee93d576a6c9527ff7209ff715628a43b265fd61837f412e4 + signature: ok ``` -Verify `foo.iso`. 
+Verify `foo.iso` and show more detailed information, including the actual gpg output from +signature verification: ```sh checkmedia --verbose foo.iso ``` -Verify `foo.iso` and show more detailed information. - ## Downloads diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/VERSION new/checkmedia-5.2/VERSION --- old/checkmedia-4.1/VERSION 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/VERSION 2019-07-17 13:46:06.000000000 +0200 @@ -1 +1 @@ -4.1 +5.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/changelog new/checkmedia-5.2/changelog --- old/checkmedia-4.1/changelog 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/changelog 2019-07-17 13:46:06.000000000 +0200 @@ -1,3 +1,25 @@ +2019-07-17: 5.2 + - merge gh#openSUSE/checkmedia#12 + - fix compat issue with older gcc + +2019-07-17: 5.1 + - merge gh#openSUSE/checkmedia#11 + - work also with older gpg versions + +2019-07-16: 5.0 + - merge gh#openSUSE/checkmedia#10 + - add support for signed media (bsc#1139561) + - adjust tagmedia script + - update doc + - adjust test cases + - add links to signature magic value origins + - allow to set specific gpg key for signature verification + - rearrange data structure to provide some compatibility + - check for empty signature + - better error log + - added tests for signature verification + - signature test results reference + 2018-11-28: 4.1 - merge gh#openSUSE/checkmedia#8 - fix digest calculation in tagmedia (bsc#1117499) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/checkmedia.c new/checkmedia-5.2/checkmedia.c --- old/checkmedia-4.1/checkmedia.c 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/checkmedia.c 2019-07-17 13:46:06.000000000 +0200 
@@ -11,12 +11,14 @@ unsigned help:1; unsigned version:1; char *file_name; + char *key_file; } opt; struct option options[] = { { "help", 0, NULL, 'h' }, { "verbose", 0, NULL, 'v' }, { "version", 0, NULL, 1 }, + { "key-file", 1, NULL, 2 }, { } }; @@ -34,6 +36,10 @@ opt.version = 1; break; + case 2: + opt.key_file = optarg; + break; + case 'v': opt.verbose = 1; break; @@ -60,6 +66,8 @@ media = mediacheck_init(opt.file_name, progress); + if(opt.key_file) mediacheck_set_public_key(media, opt.key_file); + if(opt.verbose) { for(i = 0; i < sizeof media->tags / sizeof *media->tags; i++) { if(!media->tags[i].key) break; @@ -112,6 +120,10 @@ ); } + if(media->signature.start) { + printf(" sign block: %d\n", media->signature.start); + } + if(mediacheck_digest_valid(media->digest.iso)) { printf(" iso ref: %s\n", mediacheck_digest_hex_ref(media->digest.iso)); } @@ -164,6 +176,20 @@ printf("%11s: %s\n", mediacheck_digest_name(media->digest.full), mediacheck_digest_hex(media->digest.full)); } + if(opt.verbose) { + if(media->signature.gpg_keys_log) { + printf("# -- gpg key import log\n%s", media->signature.gpg_keys_log); + } + if(media->signature.gpg_sign_log) { + printf("# -- gpg signature check log\n%s", media->signature.gpg_sign_log); + } + if(media->signature.gpg_keys_log || media->signature.gpg_sign_log) { + printf("# --\n"); + } + } + + printf(" signature: %s\n", media->signature.state.str); + int result = mediacheck_digest_ok(media->digest.iso) || mediacheck_digest_ok(media->digest.part) ? 0 : 1; mediacheck_done(media); 
@@ -183,6 +209,7 @@ "Check SUSE installation media.\n" "\n" "Options:\n" + " --key-file FILE Use public key in FILE for signature check.\n" " --version Show checkmedia version.\n" " -v, --verbose Show more detailed info.\n" " -h, --help Show this text.\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/mediacheck.c new/checkmedia-5.2/mediacheck.c --- old/checkmedia-4.1/mediacheck.c 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/mediacheck.c 2019-07-17 13:46:06.000000000 +0200 @@ -44,6 +44,9 @@ // application specific data length #define ISO9660_APP_DATA_LENGTH 0x200 +// signature block starts with this string +#define SIGNATURE_MAGIC "7984fc91-a43f-4e45-bf27-6d3aa08b24cf" + #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE typedef enum { @@ -59,7 +62,7 @@ struct sha512_ctx sha512; } digest_ctx_t; -typedef struct mediacheck_digest_s { +struct mediacheck_digest_s { digest_type_t type; /* digest type */ char *name; /* digest name */ int size; /* (binary) digest size, not bigger than MAX_DIGEST_SIZE */ @@ -72,7 +75,7 @@ char hex[MAX_DIGEST_SIZE*2 + 1]; /* hex digest */ unsigned char ref[MAX_DIGEST_SIZE]; /* expected binary digest */ char hex_ref[MAX_DIGEST_SIZE*2 + 1]; /* expected hex digest */ -} mediacheck_digest_t; +}; typedef struct { unsigned start, blocks; @@ -80,6 +83,11 @@ #include "mediacheck.h" +// corresponds to sign_state_t +static char *sign_states[] = { + "not signed", "not checked", "ok", "bad", "bad (no matching key)" +}; + static void digest_ctx_init(mediacheck_digest_t *digest); static void digest_finish(mediacheck_digest_t *digest); static void digest_data_to_hex(mediacheck_digest_t *digest); 
@@ -88,7 +96,9 @@ static char *no_extra_spaces(char *str); static void update_progress(mediacheck_t *media, unsigned blocks); static void process_chunk(mediacheck_digest_t *digest, chunk_region_t *region, unsigned chunk, unsigned chunk_blocks, unsigned char *buffer); - +static void normalize_chunk(mediacheck_t *media, unsigned chunk, unsigned chunk_blocks, unsigned char *buffer); +static void set_signature_state(mediacheck_t *media, sign_state_t state); +extern void verify_signature(mediacheck_t *media); /* * Read image file and gather info about it. @@ -105,6 +115,8 @@ media->file_name = file_name; media->progress = progress; + set_signature_state(media, sig_not_signed); + get_info(media); return media; @@ -130,18 +142,36 @@ mediacheck_digest_done(media->digest.part); mediacheck_digest_done(media->digest.full); + free(media->signature.gpg_keys_log); + free(media->signature.gpg_sign_log); + free(media->signature.key_file); + free(media); } /* + * Set a specific public key to use for signature checking. + * + * If nothing is set, all keys from /usr/lib/rpm/gnupg/keys/ are used. + */ +API_SYM void mediacheck_set_public_key(mediacheck_t *media, char *key_file) +{ + if(!media) return; + + free(media->signature.key_file); + media->signature.key_file = NULL; + + if(key_file) { + media->signature.key_file = strdup(key_file); + } +} + + +/* * Calculate digest over image. * * Call mediacheck_init() before doing this. - * - * Normal digest, except that we assume - * - 0x0000 - 0x01ff (mbr) is filled with zeros (0) - * - 0x8373 - 0x8572 (iso9660 app data) is filled with spaces (' '). */ API_SYM void mediacheck_calculate_digest(mediacheck_t *media) { 
@@ -187,12 +217,7 @@ */ process_chunk(media->digest.full, &full_region, chunk, chunk_blocks, buffer); - if(chunk == 0) { - // mbr - memset(buffer, 0, 0x200); - // app data block - memset(buffer + ISO9660_APP_DATA_START, ' ', ISO9660_APP_DATA_LENGTH); - } + normalize_chunk(media, chunk, chunk_blocks, buffer); process_chunk(media->digest.iso, &iso_region, chunk, chunk_blocks, buffer); process_chunk(media->digest.part, &part_region, chunk, chunk_blocks, buffer); @@ -218,6 +243,8 @@ } close(fd); + + verify_signature(media); } @@ -598,12 +625,15 @@ read(fd, media->app_data, sizeof media->app_data - 1) == sizeof media->app_data - 1 ) { media->app_data[sizeof media->app_data - 1] = 0; + memcpy(media->signature.blob, media->app_data, sizeof media->signature.blob); if(sanitize_data(media->app_data, sizeof media->app_data - 1)) ok++; } - close(fd); + if(ok != 2) { + close(fd); - if(ok != 2) return; + return; + } media->err = 0; @@ -655,6 +685,24 @@ media->pad_blocks = strtoul(value, NULL, 0) << 2; } } + else if(!strcasecmp(key, "signature")) { + if(value && isdigit(*value)) { + media->signature.start = strtoul(value, NULL, 0); + + if( + media->signature.start && + lseek(fd, media->signature.start * 0x200, SEEK_SET) == media->signature.start * 0x200 && + read(fd, media->signature.magic, sizeof media->signature.magic) == sizeof media->signature.magic && + read(fd, media->signature.data, sizeof media->signature.data) == sizeof media->signature.data && + !memcmp(media->signature.magic, SIGNATURE_MAGIC, sizeof SIGNATURE_MAGIC - 1) && + media->signature.data[0] + ) { + media->signature.magic[sizeof media->signature.magic - 1] = 0; + media->signature.data[sizeof media->signature.data - 1] = 0; + set_signature_state(media, sig_not_checked); + } + } + } } // if we didn't get the image size via stat() above, try other ways @@ -662,6 +710,8 @@ media->full_blocks = media->part_start + media->part_blocks; if(!media->full_blocks) media->full_blocks = media->iso_blocks; } + + close(fd); } 
@@ -769,3 +819,163 @@ mediacheck_digest_process(digest, buffer, chunk_blocks << 9); } } + + +/* + * Normalize (clear) some data in buffer. + * + * buffer size is chunk_blocks * 0x200 bytes + * buffer size is guaranteed to be >= 64 kiB + * + * Normalized data assumes + * - 0x0000 - 0x01ff (mbr) is filled with zeros (0) + * - 0x8373 - 0x8572 (iso9660 app data) is filled with spaces (' '). + * - signature block (2 kiB) contains only magic id + zeros (0) + */ +void normalize_chunk(mediacheck_t *media, unsigned chunk, unsigned chunk_blocks, unsigned char *buffer) +{ + unsigned pos, ofs, u; + + if(chunk == 0) { + // mbr + memset(buffer, 0, 0x200); + // app data block + memset(buffer + ISO9660_APP_DATA_START, ' ', ISO9660_APP_DATA_LENGTH); + } + + if(!media->signature.start) return; + + pos = chunk * chunk_blocks; + + if(media->signature.start < pos || media->signature.start >= pos + chunk_blocks) return; + + ofs = media->signature.start - pos; + + for(u = 0; u < 4 && ofs + u < chunk_blocks; u++) { + if(u == 0) { + memset(buffer + ((u + ofs) << 9) + 0x40, 0, 0x200 - 0x40); + } + else { + memset(buffer + ((u + ofs) << 9), 0, 0x200); + } + } +} + + +/* + * Set signature state. + * + * Sets both signature.state & signature.state_str. + */ +void set_signature_state(mediacheck_t *media, sign_state_t state) +{ + media->signature.state.id = state; + if(state < sizeof sign_states / sizeof *sign_states) { + media->signature.state.str = sign_states[state]; + } +} + + +/* + * Verify signature. + * + * Call mediacheck_init() before doing this. + * + * The is function imports all keys from /usr/lib/rpm/gnupg/keys into a + * temporary key ring and then runs gpg to verify the signature. 
+ */ +void verify_signature(mediacheck_t *media) +{ + char tmp_dir[] = "/tmp/mediacheck.XXXXXX"; + char *buf; + int cmd_err; + FILE *f; + + if(!media->signature.start || media->signature.state.id == sig_not_signed) return; + + if(!mkdtemp(tmp_dir)) return; + + asprintf(&buf, "%s/foo", tmp_dir); + + if((f = fopen(buf, "w"))) { + fwrite(media->signature.blob, 1, sizeof media->signature.blob, f); + fclose(f); + } + + free(buf); + + asprintf(&buf, "%s/foo.asc", tmp_dir); + + if((f = fopen(buf, "w"))) { + fprintf(f, "%s", media->signature.data); + fclose(f); + } + + free(buf); + + asprintf(&buf, + "/usr/bin/gpg --batch --homedir %s --no-default-keyring --ignore-time-conflict --ignore-valid-from " + "--keyring %s/sign.gpg --import %s >%s/gpg_keys.log 2>&1", + tmp_dir, + tmp_dir, + media->signature.key_file ?: "/usr/lib/rpm/gnupg/keys/*", + tmp_dir + ); + + cmd_err = WEXITSTATUS(system(buf)); + + free(buf); + + asprintf(&buf, "%s/gpg_keys.log", tmp_dir); + + if((f = fopen(buf, "r"))) { + char txt[4096] = {}; // just big enough + fread(txt, 1, sizeof txt - 1, f); + fclose(f); + free(media->signature.gpg_keys_log); + asprintf(&media->signature.gpg_keys_log, "%sgpg: exit code: %d\n", txt, cmd_err); + } + + free(buf); + + if(!cmd_err) { + asprintf(&buf, + "/usr/bin/gpg --batch --homedir %s --no-default-keyring --ignore-time-conflict --ignore-valid-from " + "--keyring %s/sign.gpg --verify %s/foo.asc %s/foo >%s/gpg_sign.log 2>&1", + tmp_dir, tmp_dir, tmp_dir, tmp_dir, tmp_dir + ); + + cmd_err = WEXITSTATUS(system(buf)); + + free(buf); + + asprintf(&buf, "%s/gpg_sign.log", tmp_dir); + + if((f = fopen(buf, "r"))) { + char txt[4096] = {}; // just big enough + fread(txt, 1, sizeof txt - 1, f); + fclose(f); + free(media->signature.gpg_sign_log); + asprintf(&media->signature.gpg_sign_log, "%sgpg: exit code: %d\n", txt, cmd_err); + } + + free(buf); + + set_signature_state(media, sig_bad); + + if(media->signature.gpg_sign_log) { + if(strstr(media->signature.gpg_sign_log, "gpg: Good 
signature ")) { + set_signature_state(media, sig_ok); + } + if(strstr(media->signature.gpg_sign_log, "gpg: Can't check signature: No public key")) { + set_signature_state(media, sig_bad_no_key); + } + } + } + + asprintf(&buf, "/usr/bin/rm -r %s", tmp_dir); + + system(buf); + + free(buf); +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/mediacheck.h new/checkmedia-5.2/mediacheck.h --- old/checkmedia-4.1/mediacheck.h 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/mediacheck.h 2019-07-17 13:46:06.000000000 +0200 @@ -13,6 +13,8 @@ typedef int (* mediacheck_progress_t)(unsigned percent); +typedef enum { sig_not_signed, sig_not_checked, sig_ok, sig_bad, sig_bad_no_key } sign_state_t; + typedef struct { char *file_name; /* file to check */ mediacheck_progress_t progress; /* progress function */ @@ -38,9 +40,23 @@ unsigned err_block; /* read error position (in 0.5 kB units) */ char app_id[ISO9660_APP_ID_LENGTH + 1]; /* application id */ - char app_data[ISO9660_APP_DATA_LENGTH + 1]; /* app specific data*/ + char app_data[ISO9660_APP_DATA_LENGTH + 1]; /* app specific data */ int last_percent; /* last percentage shown by progress function */ + + struct { + unsigned start; /* start block of signature (if any), in 0.5 kB units */ + struct { /* signature state */ + sign_state_t id; /* ... numerical */ + char *str; /* ... as string (static, don't free) */ + } state; + char magic[0x40]; /* 64 bytes */ + char data[0x800 - 0x40]; /* 2k block - 64 bytes */ + char blob[ISO9660_APP_DATA_LENGTH]; /* data the signature applies to */ + char *gpg_keys_log; /* gpg output from key import */ + char *gpg_sign_log; /* gpg output from signature check */ + char *key_file; /* gpg public key to use for signature check */ + } signature; } mediacheck_t; 
@@ -67,6 +83,11 @@ void mediacheck_done(mediacheck_t *media); /* + * Set specific public key for signature checking. + */ +void mediacheck_set_public_key(mediacheck_t *media, char *key_file); + +/* * Run the actual media check. * * During the check the 'progress' function that has been passed to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/mediacheck.md new/checkmedia-5.2/mediacheck.md --- old/checkmedia-4.1/mediacheck.md 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/mediacheck.md 2019-07-17 13:46:06.000000000 +0200 @@ -46,6 +46,15 @@ Free resources associated with `media`. +### Set public gpg key for signature verification + +``` +void mediacheck_set_public_key(mediacheck_t *media, char *key_file); + +``` + +If no key is set, all keys from `/usr/lib/rpm/gnupg/keys` are used. + ### Run the actual media check ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tagmedia new/checkmedia-5.2/tagmedia --- old/checkmedia-4.1/tagmedia 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tagmedia 2019-07-17 13:46:06.000000000 +0200 @@ -59,6 +59,17 @@ MBR_LENGTH => 0x200, }; +# Some SUSE specific constants. +# +# see +# https://github.com/openSUSE/mksusecd/blob/master/mksusecd +# https://github.com/OSInside/kiwi/blob/master/kiwi/iso_tools/iso.py +# +use constant { + # signature block starts with this string + SIGNATURE_MAGIC => "7984fc91-a43f-4e45-bf27-6d3aa08b24cf" +}; + sub usage; sub read_image_blob; sub get_image_type; @@ -72,6 +83,10 @@ sub prepare_buffer; sub add_to_digest; sub calculate_digest; +sub export_tags; +sub export_signature; +sub import_signature; +sub normalize_buffer; my $opt_digest = undef; my $opt_check = 0; 
@@ -81,18 +96,24 @@ my @opt_add_tag; my @opt_remove_tag; my $opt_verbose; +my $opt_tags_export; +my $opt_signature_export; +my $opt_signature_import; GetOptions( - 'show' => \$opt_show, - 'md5|md5sum' => sub { $opt_digest = 'md5' }, - 'digest=s' => \$opt_digest, - 'check' => \$opt_check, - 'pad=i' => \$opt_pad, - 'add-tag=s' => \@opt_add_tag, - 'remove-tag=s' => \@opt_remove_tag, - 'clean' => \$opt_clean, - 'verbose|v' => \$opt_verbose, - 'help' => sub { usage 0 }, + 'show' => \$opt_show, + 'md5|md5sum' => sub { $opt_digest = 'md5' }, + 'digest=s' => \$opt_digest, + 'check' => \$opt_check, + 'pad=i' => \$opt_pad, + 'add-tag=s' => \@opt_add_tag, + 'remove-tag=s' => \@opt_remove_tag, + 'export-tags=s' => \$opt_tags_export, + 'export-signature=s' => \$opt_signature_export, + 'import-signature=s' => \$opt_signature_import, + 'clean' => \$opt_clean, + 'verbose|v' => \$opt_verbose, + 'help' => sub { usage 0 }, ); my $image_data; # hash ref with image related data @@ -137,6 +158,28 @@ get_padding $image_data, $current_tags; +if($opt_tags_export) { + export_tags $image_data, $opt_tags_export; + + exit 0; +} + +if($opt_signature_export) { + export_signature $image_data, $opt_signature_export; + + exit 0; +} + +if($opt_signature_import) { + import_signature $image_data, $opt_signature_import; + + exit 0; +} + +if(my $sig = get_tag $current_tags, "signature") { + $image_data->{signature_start} = $sig->{value} + 0; +} + prepare_buffer $image_data; # print Dumper $image_data; @@ -148,6 +191,10 @@ # finally close file handle (had been opened in read_image_blob()) close $image_data->{fh}; +if($image_data->{signature_start}) { + set_tag $current_tags, { key => "signature", value => $image_data->{signature_start} }; +} + for (@opt_add_tag) { set_tag $current_tags, parse_tag($_); } 
@@ -187,6 +234,9 @@ --check Tell installer to run media check at startup. --add-tag foo=bar Add tag foo with value bar. --remove-tag foo Remove tag foo. + --export-tags FILE Export raw tag data to FILE. + --export-signature FILE Export image signature to FILE. + --import-signature FILE Import image signature from FILE. --clean Remove all tags. --help Write this help text. @@ -555,6 +605,8 @@ my $read_len = sysread $image->{fh}, $buf, $to_read << 9; die "$image->{name}: read error: $to_read blocks @ $pos\n" if $read_len != $to_read << 9; + normalize_buffer $image, $pos, \$buf; + process_digest $digest_iso, $iso_start, $iso_blocks, $pos, $to_read, $buf; process_digest $digest_part, $part_start, $part_blocks, $pos, $to_read, $buf; 
@@ -581,3 +633,153 @@ } } } + + +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# export_tags(image, file) +# +# Export raw tag data from image to file. +# +# image: hash with image related data +# file: file name +# +sub export_tags +{ + my ($image, $file) = @_; + + my $buf = substr($image->{blob}, ISO9660_APP_DATA_START, ISO9660_APP_DATA_LENGTH); + + if(open my $f, ">", $file) { + print $f $buf; + close $f; + } + else { + die "$file: $!\n"; + } +} + + +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# export_signature(image, file) +# +# Export signature data from image to file. +# +# image: hash with image related data +# file: file name +# +sub export_signature +{ + my ($image, $file) = @_; + my $sig = get_tag $current_tags, "signature"; + + my $buf; + + die "$image->{name}: no signature location found\n" if !$sig || $sig->{value} == 0; + die "$image->{name}: $!\n" unless seek $image->{fh}, $sig->{value} * 0x200, 0; + die "$image->{name}: $!\n" unless 0x800 == sysread $image->{fh}, $buf, 0x800; + + die "$image->{name}: invalid signature block\n" if SIGNATURE_MAGIC ne substr($buf, 0, length SIGNATURE_MAGIC); + + substr($buf, 0, 0x40) = ""; + + $buf =~ s/\x00*$//; + + if(open my $f, ">", $file) { + print $f $buf; + close $f; + } + else { + die "$file: $!\n"; + } +} + + +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# import_signature(image, file) +# +# Import signature data from file to image. 
+# +# image: hash with image related data +# file: file name +# +sub import_signature +{ + my ($image, $file) = @_; + my $sig = get_tag $current_tags, "signature"; + + my $buf; + + die "$image->{name}: no signature location found\n" if !$sig || $sig->{value} == 0; + die "$image->{name}: $!\n" unless seek $image->{fh}, $sig->{value} * 0x200, 0; + die "$image->{name}: $!\n" unless 0x800 == sysread $image->{fh}, $buf, 0x800; + + die "$image->{name}: invalid signature block\n" if SIGNATURE_MAGIC ne substr($buf, 0, length SIGNATURE_MAGIC); + + my $buf2; + + if(open my $f, "<", $file) { + local $/; + $buf2 = <$f>; + close $f; + } + else { + die "$file: $!\n"; + } + + if(length($buf2) > 0x800 - 0x40) { + die "$file: signature too large\n"; + } + + $buf = substr($buf, 0, 0x40) . $buf2; + $buf .= "\x00" x (0x800 - length($buf)); + + die "$image->{name}: $!\n" unless open $image->{fh}, "+<", $image->{name}; + die "$image->{name}: $!\n" unless seek $image->{fh}, $sig->{value} * 0x200, 0; + die "$image->{name}: $!\n" unless 0x800 == syswrite $image->{fh}, $buf, 0x800; + close $image->{fh}; +} + + +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# normalize_buffer(image, pos, buffer_ref) +# +# If buffer contains signature block (2 kiB), clear signature block. +# A cleared signature block containts 0x40 bytes magic header, the rest is +# all zeros (0). +# +# This function looks for a signature block and returns its position in +# $image->{signature_start} if $image->{signature_start} is unset. 
+# +# image: hash with image related data +# pos: block number of buffer start +# buffer_ref: reference to buffer; buffer may get modified +# +sub normalize_buffer +{ + my ($image, $pos, $buf_ref) = @_; + my $blocks = length($$buf_ref) >> 9; + + if(!$image->{signature_start}) { + for (my $i = 0; $i < $blocks; $i++) { + if(SIGNATURE_MAGIC eq substr($$buf_ref, $i << 9, length SIGNATURE_MAGIC)) { + $image->{signature_start} = $pos + $i; + } + } + } + + if($image->{signature_start}) { + my $signature_len = 4; # 2 kiB + my $x = $image->{signature_start} - $pos; + if($x >= 0 && $x < $blocks) { + for (my $i = 0; $i < $signature_len && $x + $i < $blocks; $i++) { + if($i == 0) { + # leave 0x40 bytes intact in first block + substr($$buf_ref, ($x << 9) + 0x40, 0x200 - 0x40) = "\x00" x (0x200 - 0x40); + } + else { + substr($$buf_ref, ($x + $i) << 9, 0x200) = "\x00" x 0x200; + } + } + } + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/testmediacheck new/checkmedia-5.2/testmediacheck --- old/checkmedia-4.1/testmediacheck 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/testmediacheck 2019-07-17 13:46:06.000000000 +0200 @@ -2,13 +2,18 @@ use strict; +use File::Temp; use Getopt::Long; sub verify_test; sub run_test; sub create_image; +sub gpg_init; +sub sign_image; my $testdir = "tests"; +my $gpg_dir1; +my $gpg_dir2; # store reference output, don't do checks my $opt_create_reference; 
@@ -174,7 +179,49 @@ part_blocks => 300, }, + { + name => "iso_and_partition_not_signed", + digest => "sha256", + full_blocks => 1000, + iso_blocks => 900, + pad_blocks => 100, + part_start => 100, + part_blocks => 900, + sign => 1, + }, + + { + name => "iso_and_partition_signed_ok", + digest => "sha256", + full_blocks => 1000, + iso_blocks => 900, + pad_blocks => 100, + part_start => 100, + part_blocks => 900, + sign => 2, + }, + { + name => "iso_and_partition_signed_bad", + digest => "sha256", + full_blocks => 1000, + iso_blocks => 900, + pad_blocks => 100, + part_start => 100, + part_blocks => 900, + sign => 3, + }, + + { + name => "iso_and_partition_signed_wrong_key", + digest => "sha256", + full_blocks => 1000, + iso_blocks => 900, + pad_blocks => 100, + part_start => 100, + part_blocks => 900, + sign => 4, + }, ]; @@ -184,6 +231,9 @@ my $count = 0; my $failed = 0; +$gpg_dir1 = gpg_init; +$gpg_dir2 = gpg_init; + for my $test (@$tests) { $count++; create_image $test; @@ -246,7 +296,27 @@ } system "./tagmedia --digest $digest $pad $config->{tag_options} $base.img >$base.$digest.tag$ref"; - system "./checkmedia -v $base.img >$base.$digest.check$ref"; + + sign_image "$base.img", $config->{sign}; + + my $verbose; + $verbose = "-v" if $config->{sign} <= 1; # avoid gpg log + + system "./checkmedia $verbose --key-file $gpg_dir1/test.pub $base.img >$base.$digest.check$ref"; + + # patch out actual checksum as it varies for each run + if(!$verbose) { + if(open my $f, "$base.$digest.check$ref") { + local $/; + my $log = <$f>; + close $f; + if(open my $f, ">$base.$digest.check$ref") { + $log =~ s/(sha256: )(\S+)/${1}*/g; + print $f $log; + close $f; + } + } + } } 
@@ -329,5 +399,73 @@ syswrite $f, "qrst"; } + # reserve signature block + if($config->{sign} && $config->{part_blocks} > 164) { + seek $f, (($config->{part_start} + 160)<< 9), 0; + syswrite $f, "7984fc91-a43f-4e45-bf27-6d3aa08b24cf"; + } + close $f; } + + +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Setup gpg dir and create key pair. +# +sub gpg_init +{ + my $gpg_dir = File::Temp::tempdir("/tmp/testmediacheck.XXXXXXXX", CLEANUP => 1); + + (my $c = <<" = = = = = = = =") =~ s/^ {4}//mg; + %no-ask-passphrase + %no-protection + %transient-key + Key-Type: RSA + Key-Length: 2048 + Name-Real: test Signing Key + Name-Comment: transient key + %pubring test.pub + %secring test.sec + %commit + = = = = = = = = + + if(open my $p, "| cd $gpg_dir ; /usr/bin/gpg --homedir=$gpg_dir --batch --armor --debug-quick-random --gen-key - 2>/dev/null") { + print $p $c; + close $p; + } + + # older gpg versions use the secret key file here + my $key = "$gpg_dir/test.sec"; + $key = "$gpg_dir/test.pub" unless -f $key; + + system "gpg --homedir=$gpg_dir --import $key >/dev/null 2>&1"; + + return $gpg_dir; +} + + +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Sign image. 
+# +# type: +# 0: no signature (no signature block) +# 1: no signature (empty signature block) +# 2: signature ok +# 3: signature bad +# 4: signature with wrong key +# +sub sign_image +{ + my ($file, $type) = @_; + + return if $type <= 1; + + my $gpg_dir = $gpg_dir1; + + $gpg_dir = $gpg_dir2 if $type == 4; # wrong key + + system "./tagmedia --export-tags $gpg_dir/foo $file"; + system "echo foo >>$gpg_dir/foo" if $type == 3; # bad signature + system "/usr/bin/gpg --homedir=$gpg_dir --batch --yes --armor --detach-sign $gpg_dir/foo"; + system "./tagmedia --import-signature $gpg_dir/foo.asc $file"; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_no_partition.sha224.check.ref new/checkmedia-5.2/tests/iso_and_no_partition.sha224.check.ref --- old/checkmedia-4.1/tests/iso_and_no_partition.sha224.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_no_partition.sha224.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -9,3 +9,4 @@ result: iso sha224 ok iso sha224: e421b915f39bb7497b822b6c8afc73d3e38d09d0b1c5c6a6a6013d93 sha224: 3d71020ccbeeb40f9cf42d481fede64ab6649a338f20c67275a874e7 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_low_partition_start.sha256.check.ref new/checkmedia-5.2/tests/iso_and_partition_low_partition_start.sha256.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_low_partition_start.sha256.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_low_partition_start.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -13,3 +13,4 @@ iso sha256: 05ac5da5b7171b63700c4b7e75477908fedc7956a08df90f7e6f711c1fdddd86 part sha256: 983c8904e4a5c71f6e9f6d5d8d73f29f046191acd65dc0cf12a1def8db7ec1fe sha256: 1d9245d4c9d3d5888a0b8fd1ddca630eaf687b75d4c04f3acb3845ab50c8c6a8 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_no_isodigest.sha256.check.ref new/checkmedia-5.2/tests/iso_and_partition_no_isodigest.sha256.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_no_isodigest.sha256.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_no_isodigest.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -10,3 +10,4 @@ result: partition sha256 ok part sha256: a893c13db982ff064318d1e588c5c040dd06d2d6cd99b2112317b97d950c2276 sha256: 456ea4741503c20280b9e77588a75707edf9c66b6180faf689a3d28cb30dde14 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_no_isomagic.sha224.check.ref new/checkmedia-5.2/tests/iso_and_partition_no_isomagic.sha224.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_no_isomagic.sha224.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_no_isomagic.sha224.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -7,3 +7,4 @@ result: partition sha224 ok part sha224: 537b8f7d6b86fc36e3c14b447884be48471738bc90eec924c724a915 sha224: 9ebc68a1ef6fabcfff6f7986be9f6e68bb3a5a6cb7eb0e00b59264dd + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_no_padding.md5.check.ref new/checkmedia-5.2/tests/iso_and_partition_no_padding.md5.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_no_padding.md5.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_no_padding.md5.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -11,3 +11,4 @@ iso md5: dbfc197e6d7f9370de4dc4840c81a783 part md5: efda83d92d219c2ee805364cb9902db2 md5: 22a6326b9deba5ad6563cbacb6cc676a + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_no_partitiondigest.sha384.check.ref new/checkmedia-5.2/tests/iso_and_partition_no_partitiondigest.sha384.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_no_partitiondigest.sha384.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_no_partitiondigest.sha384.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -9,3 +9,4 @@ result: iso sha384 ok iso sha384: 0468c1ed873d9ceec9a462004a67b344bcb1769bcb90089652364e64963292448adc1f00eab088a4a92305292d72c1f9 sha384: a6988efcab24f7ce2c5b4fea4cee9a4aa02ecbc2843ff1a5b991b80d6cbcdab0cd117801aa112b1c7010be585b8a5951 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_not_signed.sha256.check.ref new/checkmedia-5.2/tests/iso_and_partition_not_signed.sha256.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_not_signed.sha256.check.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_not_signed.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -0,0 +1,18 @@ + tags: key = "pad", value = "25" + tags: key = "sha256sum", value = "d7df919f9d008b94ee51dadd312c6a0bda2607de8bc6fe84d2869096795c8a26" + tags: key = "partition", value = "100,900,0d16f5a21c763c3bf5a2f32d3fffd27811942e500ee95b8541443599ea6fd726" + tags: key = "signature", value = "260" + app: iso_and_partition_not_signed + iso size: 450 kB + pad: 50 kB + partition: start 50 kB, size 450 kB + full size: 500 kB + sign block: 260 + iso ref: d7df919f9d008b94ee51dadd312c6a0bda2607de8bc6fe84d2869096795c8a26 + part ref: 0d16f5a21c763c3bf5a2f32d3fffd27811942e500ee95b8541443599ea6fd726 + checking: 0% 12% 25% 38% 51% 64% 76% 89%100% + result: iso sha256 ok, partition sha256 ok + iso sha256: d7df919f9d008b94ee51dadd312c6a0bda2607de8bc6fe84d2869096795c8a26 +part sha256: 0d16f5a21c763c3bf5a2f32d3fffd27811942e500ee95b8541443599ea6fd726 + sha256: d0b7be6a29907ea906109be1e5bb9fb316031af8c0aea3d3982d5ad28f2b4a11 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_not_signed.sha256.tag.ref new/checkmedia-5.2/tests/iso_and_partition_not_signed.sha256.tag.ref --- old/checkmedia-4.1/tests/iso_and_partition_not_signed.sha256.tag.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_not_signed.sha256.tag.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -0,0 +1,4 @@ +pad = 25 +sha256sum = d7df919f9d008b94ee51dadd312c6a0bda2607de8bc6fe84d2869096795c8a26 +partition = 100,900,0d16f5a21c763c3bf5a2f32d3fffd27811942e500ee95b8541443599ea6fd726 +signature = 260 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_odd_partition_size.md5.check.ref new/checkmedia-5.2/tests/iso_and_partition_odd_partition_size.md5.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_odd_partition_size.md5.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_odd_partition_size.md5.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -13,3 +13,4 @@ iso md5: 20852af4e13314bea792807d9ac9103d part md5: 2c01b6e930492a698b8bee67a92cc936 md5: 8199bfbac826cbfb935701023a3c1cb1 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_odd_sizes.sha1.check.ref new/checkmedia-5.2/tests/iso_and_partition_odd_sizes.sha1.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_odd_sizes.sha1.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_odd_sizes.sha1.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -13,3 +13,4 @@ iso sha1: 70550a259ba07c61455d3871dec325201cf0970b part sha1: f0ce48e9df03dbed3da06c22996f19ab2f4db3e7 sha1: 55085c4a6a45058f942756dc06b41e49b4755411 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_signed_bad.sha256.check.ref new/checkmedia-5.2/tests/iso_and_partition_signed_bad.sha256.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_signed_bad.sha256.check.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_signed_bad.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -0,0 +1,8 @@ + app: iso_and_partition_signed_bad + iso size: 450 kB + pad: 50 kB + partition: start 50 kB, size 450 kB + checking: 0% 12% 25% 38% 51% 64% 76% 89%100% + result: iso sha256 ok, partition sha256 ok + sha256: * + signature: bad diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_signed_bad.sha256.tag.ref new/checkmedia-5.2/tests/iso_and_partition_signed_bad.sha256.tag.ref --- old/checkmedia-4.1/tests/iso_and_partition_signed_bad.sha256.tag.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_signed_bad.sha256.tag.ref 2019-07-17 13:46:06.000000000 +0200 @@ -0,0 +1,4 @@ +pad = 25 +sha256sum = a2bfcfd47c42b4109d55c4a7b05233002a9b058b2c6d3ee61562f487b1e760ae +partition = 100,900,0d16f5a21c763c3bf5a2f32d3fffd27811942e500ee95b8541443599ea6fd726 +signature = 260 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_signed_ok.sha256.check.ref new/checkmedia-5.2/tests/iso_and_partition_signed_ok.sha256.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_signed_ok.sha256.check.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_signed_ok.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -0,0 +1,8 @@ + app: iso_and_partition_signed_ok + iso size: 450 kB + pad: 50 kB + partition: start 50 kB, size 450 kB + checking: 0% 12% 25% 38% 51% 64% 76% 89%100% + result: iso sha256 ok, partition sha256 ok + sha256: * + signature: ok diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_signed_ok.sha256.tag.ref new/checkmedia-5.2/tests/iso_and_partition_signed_ok.sha256.tag.ref --- old/checkmedia-4.1/tests/iso_and_partition_signed_ok.sha256.tag.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_signed_ok.sha256.tag.ref 2019-07-17 13:46:06.000000000 +0200 @@ -0,0 +1,4 @@ +pad = 25 +sha256sum = 34f031e14fd82278b76a397e1700b1680474d7088d2214d7a9f010bc5aa94d74 +partition = 100,900,0d16f5a21c763c3bf5a2f32d3fffd27811942e500ee95b8541443599ea6fd726 +signature = 260 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_signed_wrong_key.sha256.check.ref new/checkmedia-5.2/tests/iso_and_partition_signed_wrong_key.sha256.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_signed_wrong_key.sha256.check.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_signed_wrong_key.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -0,0 +1,8 @@ + app: iso_and_partition_signed_wrong_key + iso size: 450 kB + pad: 50 kB + partition: start 50 kB, size 450 kB + checking: 0% 12% 25% 38% 51% 64% 76% 89%100% + result: iso sha256 ok, partition sha256 ok + sha256: * + signature: bad (no matching key) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_signed_wrong_key.sha256.tag.ref new/checkmedia-5.2/tests/iso_and_partition_signed_wrong_key.sha256.tag.ref --- old/checkmedia-4.1/tests/iso_and_partition_signed_wrong_key.sha256.tag.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_signed_wrong_key.sha256.tag.ref 2019-07-17 13:46:06.000000000 +0200 @@ -0,0 +1,4 @@ +pad = 25 +sha256sum = 8deeb8d18e4a83bdd2a9f004a08819744ae89023a5237b202bd54cdf0eb3ba1c +partition = 100,900,0d16f5a21c763c3bf5a2f32d3fffd27811942e500ee95b8541443599ea6fd726 +signature = 260 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_with_padding.sha1.check.ref new/checkmedia-5.2/tests/iso_and_partition_with_padding.sha1.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_with_padding.sha1.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_with_padding.sha1.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -13,3 +13,4 @@ iso sha1: 0f56f7a21eee671fe8b97a5dfb6b2f9bab0dcd06 part sha1: a893357313150e9db98e4cfe81107f06db88dd63 sha1: 1ef3f25b2e4efb3f155d4f56034ab8bab270b03b + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_and_partition_wrong_padding.sha512.check.ref new/checkmedia-5.2/tests/iso_and_partition_wrong_padding.sha512.check.ref --- old/checkmedia-4.1/tests/iso_and_partition_wrong_padding.sha512.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_and_partition_wrong_padding.sha512.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -13,3 +13,4 @@ iso sha512: 1e7d6d3200db253e6944cc00c7237390b6e7d0299843a8542b7068c084c4858ad047cca163b5a9b7520133372fbe7dc0cd12e85f5556398785a81d0b82c71cc7 part sha512: 9f9aa238d3c024e82b1b8ee900dc372498da42614e15a75a65605a786b108dad954758d8e47d6ecf217222541374433c3537ee578624915846c7893dc8f84f93 sha512: ef9efc21065844786e60c12609ce64ef1175cb5e78ed1bcb1a05fc1af86d9b0c3c04b8090fa0acbf0606a936bef1c64803eead4ab5146967108e6577c28412d0 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_too_small_ends_after_partition_start.sha256.check.ref new/checkmedia-5.2/tests/iso_too_small_ends_after_partition_start.sha256.check.ref --- old/checkmedia-4.1/tests/iso_too_small_ends_after_partition_start.sha256.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_too_small_ends_after_partition_start.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -13,3 +13,4 @@ iso sha256: 624430d33fff980caf6e9801e119719419932f7399e9a73169d60ca61268ba6e part sha256: a4e0d25439ddfc8f8e353fc94f02688bf86ea6987872d034e884dd3125b47ef6 sha256: 0305e1d8b51dd38285f36990a615f4d7229a2862a0d901e4107900ddf5212919 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_too_small_ends_at_partition_start.sha256.check.ref new/checkmedia-5.2/tests/iso_too_small_ends_at_partition_start.sha256.check.ref --- old/checkmedia-4.1/tests/iso_too_small_ends_at_partition_start.sha256.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_too_small_ends_at_partition_start.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -13,3 +13,4 @@ iso sha256: b19501e0668c87a857877c84d1514e3c73393fd97f371903d1555e21b4582359 part sha256: 5e54749a2cd7cf135d8469df48f3047124527e21c138049980941c3153e5e0d8 sha256: d5bbdb09b68c6be36b030a1cf9551fde826881d337290b37de67f3a5877c1896 + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/iso_too_small_ends_before_partition_start.sha256.check.ref new/checkmedia-5.2/tests/iso_too_small_ends_before_partition_start.sha256.check.ref --- old/checkmedia-4.1/tests/iso_too_small_ends_before_partition_start.sha256.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/iso_too_small_ends_before_partition_start.sha256.check.ref 2019-07-17 13:46:06.000000000 +0200 
@@ -13,3 +13,4 @@ iso sha256: 670a5364e2dbd0353bfdcc4fd285b345366e55eb66708b1f3d728f9a31c30b6f part sha256: 5e54749a2cd7cf135d8469df48f3047124527e21c138049980941c3153e5e0d8 sha256: 9c84b2c850265959879166902195d88853ffc4ffe71559833ecde1be64805b3d + signature: not signed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkmedia-4.1/tests/no_iso_and_partition.sha384.check.ref new/checkmedia-5.2/tests/no_iso_and_partition.sha384.check.ref --- old/checkmedia-4.1/tests/no_iso_and_partition.sha384.check.ref 2018-11-28 16:35:46.000000000 +0100 +++ new/checkmedia-5.2/tests/no_iso_and_partition.sha384.check.ref 2019-07-17 13:46:06.000000000 +0200 @@ -7,3 +7,4 @@ result: partition sha384 ok part sha384: 72f62d11e63b32275d80b44ab4456415b2496e27bedfffd577f8acb2f4e09abcb108001cb11b36c0195479203b6fcda5 sha384: 79d255e8b575743750385ed3c8f6d0054afd494df1d2c36dbbafb502ad43b2c1aae4a0310cdb30ec9b75c0f227076f62 + signature: not signed
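Review bot: in the "@@ -174,7 +179,49 @@" hunk of the test script, the four new entries are identical except for "name" and a bare number in "sign => 1" through "sign => 4", and the meaning of those numbers is only documented further down, in the comment above sign_image. Suggest named constants, or at least a trailing comment per entry (for example "sign => 3, # signature bad"), so the negative cases are recognisable in the test table itself. Generating the four entries from one shared layout would also remove the repeated block sizes.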
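Review bot: in the "@@ -246,7 +296,27 @@" hunk, the exit status of the "./checkmedia $verbose --key-file $gpg_dir1/test.pub $base.img" call is discarded, so iso_and_partition_signed_bad and iso_and_partition_signed_wrong_key are checked only through the "signature:" line in the log, while the "result:" line in their reference files still reads "iso sha256 ok, partition sha256 ok". A caller that scripts on the return code is not covered by these tests; suggest recording "$? >> 8" in the .check output or comparing it with an expected value per test. Two smaller points in the same hunk: "$config->{sign} <= 1" compares an undefined value for every older test entry that has no "sign" key, and $verbose is then interpolated undefined for the signed cases, so both want a default ("// 0" and an empty string). The substitution "s/(sha256: )(\S+)/${1}*/g" hard-codes sha256 although the surrounding code uses $digest, which only works as long as every signed test uses sha256.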
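Review bot: in the "@@ -329,5 +399,73 @@" hunk, neither gpg_init nor sign_image checks whether gpg or tagmedia succeeded. In gpg_init the key generation is skipped silently if the pipe open fails, its stderr goes to /dev/null, and the following "system ... --import $key >/dev/null 2>&1" result is ignored; in sign_image all four system calls are unchecked. If gpg is missing or key generation fails, the signed tests then fail with a reference-file mismatch that says nothing about the cause. Suggest dying with a message when "$? != 0" after each step. The hunk also calls "/usr/bin/gpg" for key generation and signing but plain "gpg" for the import, which can pick a different binary from PATH; use one form. The batch file relies on "%no-protection", "%transient-key" and "--debug-quick-random", which is fine for throwaway keys in a temporary directory, but a one-line comment saying these keys must never leave the test would help. Finally, the values 160 and 164 and the literal "7984fc91-a43f-4e45-bf27-6d3aa08b24cf" in the "reserve signature block" lines are unexplained here; a comment naming them (block offset inside the partition, minimum partition size, signature magic) would make the layout reviewable.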
