Add an API to verify a commit signature explicitly

We have a bunch of APIs to do GPG verification of a commit,
but that doesn't generalize to signapi.  Further, they
require the caller to check the signature status explicitly
which seems like a trap.

This much higher level API works with both GPG and signapi.
The intention is to use this in things that are doing "external
pulls" like the ostree-ext tar import support.  There we will
get the commitmeta from the tarball and we want to verify it
at the same time we import the commit.

10 files changed, 311 insertions, 3 deletions

diff --git a/Makefile-tests.am b/Makefile-tests.am
index 81fe2b76..efbcad9a 100644
--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@@ -391,6 +391,10 @@ tests_test_rfc2616_dates_SOURCES = \
 tests_test_rfc2616_dates_CFLAGS = $(TESTS_CFLAGS)
 tests_test_rfc2616_dates_LDADD = $(TESTS_LDADD)
 
+noinst_PROGRAMS += tests/test-commit-sign-sh-ext
+tests_test_commit_sign_sh_ext_CFLAGS = $(TESTS_CFLAGS)
+tests_test_commit_sign_sh_ext_LDADD = $(TESTS_LDADD)
+
 if USE_GPGME
 tests_test_gpg_verify_result_SOURCES = \
 	src/libostree/ostree-gpg-verify-result-private.h \
diff --git a/apidoc/ostree-sections.txt b/apidoc/ostree-sections.txt
index 4d027555..f0901f21 100644
--- a/apidoc/ostree-sections.txt
+++ b/apidoc/ostree-sections.txt
@@ -474,6 +474,7 @@ ostree_repo_append_gpg_signature
 ostree_repo_add_gpg_signature_summary
 ostree_repo_gpg_sign_data
 ostree_repo_gpg_verify_data
+ostree_repo_signature_verify_commit_data
 ostree_repo_verify_commit
 ostree_repo_verify_commit_ext
 ostree_repo_verify_commit_for_remote
diff --git a/src/libostree/libostree-devel.sym b/src/libostree/libostree-devel.sym
index 75bc4647..7e6f7784 100644
--- a/src/libostree/libostree-devel.sym
+++ b/src/libostree/libostree-devel.sym
@@ -25,6 +25,7 @@
 LIBOSTREE_2021.4 {
 global:
   ostree_repo_remote_get_gpg_keys;
+  ostree_repo_signature_verify_commit_data;
 } LIBOSTREE_2021.3;
 
 /* Stub section for the stable release *after* this development one; don't
diff --git a/src/libostree/ostree-repo-pull-verify.c b/src/libostree/ostree-repo-pull-verify.c
index fa170f94..e469dc0b 100644
--- a/src/libostree/ostree-repo-pull-verify.c
+++ b/src/libostree/ostree-repo-pull-verify.c
@@ -270,6 +270,7 @@ _sign_verify_for_remote (GPtrArray *verifiers,
 
   g_assert (out_success_message == NULL || *out_success_message == NULL);
 
+  g_assert (verifiers);
   g_assert_cmpuint (verifiers->len, >=, 1);
   for (guint i = 0; i < verifiers->len; i++)
     {
@@ -346,6 +347,120 @@ _process_gpg_verify_result (OtPullData            *pull_data,
 }
 #endif /* OSTREE_DISABLE_GPGME */
 
+static gboolean
+validate_metadata_size (const char *prefix, GBytes *buf, GError **error)
+{
+  gsize len = g_bytes_get_size (buf);
+  if (len > OSTREE_MAX_METADATA_SIZE)
+    return glnx_throw (error, "%s is %" G_GUINT64_FORMAT " bytes, exceeding maximum %" G_GUINT64_FORMAT, prefix, (guint64)len, (guint64)OSTREE_MAX_METADATA_SIZE);
+  return TRUE;
+}
+
+/**
+ * ostree_repo_signature_verify_commit_data:
+ * @self: Repo
+ * @remote_name: Name of remote
+ * @commit_data: Commit object data (GVariant)
+ * @commit_metadata: Commit metadata (GVariant `a{sv}`), must contain at least one valid signature
+ * @flags: Optionally disable GPG or signapi
+ * @out_results: (nullable) (out) (transfer full): Textual description of results
+ * @error: Error
+ *
+ * Validate the commit data using the commit metadata which must
+ * contain at least one valid signature.  If GPG and signapi are
+ * both enabled, then both must find at least one valid signature.
+ */
+gboolean 
+ostree_repo_signature_verify_commit_data (OstreeRepo    *self,
+                                          const char    *remote_name,
+                                          GBytes        *commit_data,
+                                          GBytes        *commit_metadata,
+                                          OstreeRepoVerifyFlags flags,
+                                          char         **out_results,
+                                          GError       **error)
+{
+  g_assert (self);
+  g_assert (remote_name);
+  g_assert (commit_data);
+
+  gboolean gpg = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_GPG);
+  gboolean signapi = !(flags & OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI);
+  // Must ask for at least one type of verification
+  if (!(gpg || signapi))
+    return glnx_throw (error, "No commit verification types enabled via API");
+
+  if (!validate_metadata_size ("Commit", commit_data, error))
+    return FALSE;
+  /* Nothing to check if detached metadata is absent */
+  if (commit_metadata == NULL)
+    return glnx_throw (error, "Can't verify commit without detached metadata");
+  if (!validate_metadata_size ("Commit metadata", commit_metadata, error))
+    return FALSE;
+  g_autoptr(GVariant) commit_metadata_v = g_variant_new_from_bytes (G_VARIANT_TYPE_VARDICT, commit_metadata, FALSE);
+
+  g_autoptr(GString) results_buf = g_string_new ("");
+  gboolean verified = FALSE;
+
+  if (gpg)
+    {
+      if (!ostree_repo_remote_get_gpg_verify (self, remote_name,
+                                              &gpg, error))
+        return FALSE;
+    }
+
+  /* TODO - we could cache this in the repo */
+  g_autoptr(GPtrArray) signapi_verifiers = NULL;
+  if (signapi)
+    {
+      if (!_signapi_init_for_remote (self, remote_name, &signapi_verifiers, NULL, error))
+        return FALSE;
+    }
+
+  if (!(gpg || signapi_verifiers))
+    return glnx_throw (error, "Cannot verify commit for remote %s; GPG verification disabled, and no signapi verifiers configured", remote_name);
+
+#ifndef OSTREE_DISABLE_GPGME
+  if (gpg)
+    {
+      g_autoptr(OstreeGpgVerifyResult) result =
+        _ostree_repo_gpg_verify_with_metadata (self, commit_data,
+                                               commit_metadata_v,
+                                               remote_name,
+                                               NULL, NULL, NULL, error);
+      if (!result)
+        return FALSE;
+      if (!ostree_gpg_verify_result_require_valid_signature (result, error))
+        return FALSE;
+
+      const guint n_signatures = ostree_gpg_verify_result_count_all (result);
+      g_assert_cmpuint (n_signatures, >, 0);
+      for (guint jj = 0; jj < n_signatures; jj++)
+        {
+          ostree_gpg_verify_result_describe (result, jj, results_buf, "GPG: ",
+                                             OSTREE_GPG_SIGNATURE_FORMAT_DEFAULT);
+        }
+      verified = TRUE;
+    }
+#endif /* OSTREE_DISABLE_GPGME */
+
+  if (signapi_verifiers)
+    {
+      g_autofree char *success_message = NULL;
+      if (!_sign_verify_for_remote (signapi_verifiers, commit_data, commit_metadata_v, &success_message, error))
+        return glnx_prefix_error (error, "Can't verify commit");
+      if (verified)
+        g_string_append_c (results_buf, '\n');
+      g_string_append (results_buf, success_message);
+      verified = TRUE;
+    }
+
+  /* Must be true since we did g_assert (gpg || signapi) */
+  g_assert (verified);
+  if (out_results)
+    *out_results = g_string_free (g_steal_pointer (&results_buf), FALSE);
+  return TRUE;
+}
+
 gboolean
 _verify_unwritten_commit (OtPullData                 *pull_data,
                           const char                 *checksum,
diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h
index 962fa8cc..522cb034 100644
--- a/src/libostree/ostree-repo.h
+++ b/src/libostree/ostree-repo.h
@@ -1538,6 +1538,29 @@ OstreeGpgVerifyResult * ostree_repo_verify_summary (OstreeRepo    *self,
                                                     GCancellable  *cancellable,
                                                     GError       **error);
 
+/**
+ * OstreeRepoVerifyFlags:
+ * @OSTREE_REPO_VERIFY_FLAGS_NONE: No flags
+ * @OSTREE_REPO_VERIFY_FLAGS_NO_GPG: Skip GPG verification
+ * @OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI: Skip all other signature verification methods
+ * 
+ * Since: 2021.4
+ */
+typedef enum {
+  OSTREE_REPO_VERIFY_FLAGS_NONE = 0,
+  OSTREE_REPO_VERIFY_FLAGS_NO_GPG = (1 << 0),
+  OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI = (1 << 1),
+} OstreeRepoVerifyFlags;
+
+_OSTREE_PUBLIC
+gboolean ostree_repo_signature_verify_commit_data (OstreeRepo    *self,
+                                                   const char    *remote_name,
+                                                   GBytes        *commit_data,
+                                                   GBytes        *commit_metadata,
+                                                   OstreeRepoVerifyFlags flags,
+                                                   char         **out_results,
+                                                   GError       **error);
+
 _OSTREE_PUBLIC
 gboolean ostree_repo_regenerate_summary (OstreeRepo     *self,
                                          GVariant       *additional_metadata,
diff --git a/src/ostree/ot-admin-builtin-status.c b/src/ostree/ot-admin-builtin-status.c
index c6c52382..8b2325d5 100644
--- a/src/ostree/ot-admin-builtin-status.c
+++ b/src/ostree/ot-admin-builtin-status.c
@@ -31,7 +31,10 @@
 
 #include <glib/gi18n.h>
 
+static gboolean opt_verify;
+
 static GOptionEntry options[] = {
+  { "verify", 'V', 0, G_OPTION_ARG_NONE, &opt_verify, "Print the commit verification status", NULL },
   { NULL }
 };
 
@@ -86,6 +89,12 @@ deployment_print_status (OstreeSysroot    *sysroot,
   g_autoptr(GVariant) commit_metadata = NULL;
   if (commit)
     commit_metadata = g_variant_get_child_value (commit, 0);
+  g_autoptr(GVariant) commit_detached_metadata = NULL;
+  if (commit)
+    {
+      if (!ostree_repo_read_commit_detached_metadata (repo, ref, &commit_detached_metadata, cancellable, error))
+        return FALSE;
+    }
 
   const char *version = NULL;
   const char *source_title = NULL;
@@ -139,7 +148,7 @@ deployment_print_status (OstreeSysroot    *sysroot,
     }
 
 #ifndef OSTREE_DISABLE_GPGME
-  if (deployment_get_gpg_verify (deployment, repo))
+  if (!opt_verify && deployment_get_gpg_verify (deployment, repo))
     {
       g_autoptr(GString) output_buffer = g_string_sized_new (256);
       /* Print any digital signatures on this commit. */
@@ -172,6 +181,31 @@ deployment_print_status (OstreeSysroot    *sysroot,
       g_print ("%s", output_buffer->str);
     }
 #endif /* OSTREE_DISABLE_GPGME */
+  if (opt_verify)
+    {
+      if (!commit)
+        return glnx_throw (error, "Cannot verify, failed to load commit");
+
+      if (origin == NULL)
+        return glnx_throw (error, "Cannot verify deployment with no origin");
+
+      g_autofree char *refspec = g_key_file_get_string (origin, "origin", "refspec", NULL);
+      if (refspec == NULL)
+        return glnx_throw (error, "No origin/refspec, cannot verify");
+      g_autofree char *remote = NULL;
+      if (!ostree_parse_refspec (refspec, &remote, NULL, NULL))
+        return FALSE;
+      if (remote == NULL)
+        return glnx_throw (error, "Cannot verify deployment without remote");
+
+      g_autoptr(GBytes) commit_data = g_variant_get_data_as_bytes (commit);
+      g_autoptr(GBytes) commit_detached_metadata_bytes = 
+        commit_detached_metadata ? g_variant_get_data_as_bytes (commit_detached_metadata) : NULL;
+      g_autofree char *verify_text = NULL;
+      if (!ostree_repo_signature_verify_commit_data (repo, remote, commit_data, commit_detached_metadata_bytes, 0, &verify_text, error))
+        return FALSE;
+      g_print ("%s\n", verify_text);
+    }
 
   return TRUE;
 }
diff --git a/tests/.gitignore b/tests/.gitignore
index 938c169f..6355c8df 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -24,3 +24,4 @@ test-repo-finder-mount
 test-rfc2616-dates
 test-rollsum-cli
 test-kargs
+test-commit-sign-sh-ext
diff --git a/tests/test-admin-gpg.sh b/tests/test-admin-gpg.sh
index 2167f673..bd34aae4 100755
--- a/tests/test-admin-gpg.sh
+++ b/tests/test-admin-gpg.sh
@@ -148,4 +148,9 @@ ${CMD_PREFIX} ostree admin status > status.txt
 test -f status.txt
 assert_file_has_content status.txt "GPG: Signature made"
 assert_not_file_has_content status.txt "GPG: Can't check signature: public key not found"
+rm -f status.txt
+
+${CMD_PREFIX} ostree admin status --verify > status.txt
+assert_file_has_content status.txt "GPG: Signature made"
+rm -f status.txt
 echo 'ok gpg signature'
diff --git a/tests/test-commit-sign-sh-ext.c b/tests/test-commit-sign-sh-ext.c
new file mode 100644
index 00000000..b5c5dcc6
--- /dev/null
+++ b/tests/test-commit-sign-sh-ext.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.0+
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libglnx.h"
+#include <ostree.h>
+
+static void
+assert_error_contains (GError **error, const char *msg)
+{
+  g_assert (error != NULL);
+  GError *actual = *error;
+  g_assert (actual != NULL);
+  if (strstr (actual->message, msg) == NULL)
+    g_error ("%s does not contain %s", actual->message, msg);
+  g_clear_error (error);
+}
+
+// Perhaps in the future we hook this up to a fuzzer
+static GBytes *
+corrupt (GBytes *input)
+{
+  gsize len = 0;
+  const guint8 *buf = g_bytes_get_data (input, &len);
+  g_assert_cmpint (len, >, 0);
+  g_assert_cmpint (len, <, G_MAXINT);
+  g_autofree char *newbuf = g_memdup (buf, len);
+  int o = g_random_int_range (0, len);
+  newbuf[o] = (newbuf[0] + 1);
+
+  return g_bytes_new_take (g_steal_pointer (&newbuf), len);
+}
+
+static gboolean
+run (GError **error)
+{
+  g_autoptr(OstreeRepo) repo = ostree_repo_open_at (AT_FDCWD, "repo", NULL, error);
+  if (!repo)
+    return FALSE;
+
+  g_autofree char *rev = NULL;
+  if (!ostree_repo_resolve_rev (repo, "origin:main", FALSE, &rev, error))
+    return FALSE;
+  g_assert (rev);
+  g_autoptr(GVariant) commit = NULL;
+  if (!ostree_repo_load_variant (repo, OSTREE_OBJECT_TYPE_COMMIT, rev, &commit, error))
+    return FALSE;
+  g_assert (commit);
+
+  g_autoptr(GVariant) detached_meta = NULL;
+  if (!ostree_repo_read_commit_detached_metadata (repo, rev, &detached_meta, NULL, error))
+    return FALSE;
+  g_assert (detached_meta);
+
+  g_autoptr(GBytes) commit_bytes = g_variant_get_data_as_bytes (commit);
+  g_autoptr(GBytes) detached_meta_bytes = g_variant_get_data_as_bytes (detached_meta);
+  g_autofree char *verify_report = NULL;
+  if (!ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes, 0, 
+                                                 &verify_report, error))
+    return FALSE;
+
+  if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, detached_meta_bytes, 
+                                                OSTREE_REPO_VERIFY_FLAGS_NO_GPG | OSTREE_REPO_VERIFY_FLAGS_NO_SIGNAPI, 
+                                                &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "No commit verification types enabled");
+
+  // No signatures
+  g_autoptr(GBytes) empty = g_bytes_new_static ("", 0);
+  if (ostree_repo_signature_verify_commit_data (repo, "origin", commit_bytes, empty, 0, 
+                                                 &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "no signatures found");
+  // No such remote
+  if (ostree_repo_signature_verify_commit_data (repo, "nosuchremote", commit_bytes, detached_meta_bytes, 0, 
+                                                 &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "Remote \"nosuchremote\" not found");
+
+  // Corrupted commit
+  g_autoptr(GBytes) corrupted_commit = corrupt (commit_bytes);
+  if (ostree_repo_signature_verify_commit_data (repo, "origin", corrupted_commit, detached_meta_bytes, 0, 
+                                                 &verify_report, error))
+    g_error ("Should not have validated");
+  assert_error_contains (error, "BAD signature");
+
+  return TRUE;
+}
+
+int
+main (int argc, char **argv)
+{
+  g_autoptr(GError) error = NULL;
+  if (!run (&error))
+    {
+      g_printerr ("error: %s\n", error->message);
+      exit (1);
+    }
+}
diff --git a/tests/test-commit-sign.sh b/tests/test-commit-sign.sh
index e9e7a6da..c3f9ce63 100755
--- a/tests/test-commit-sign.sh
+++ b/tests/test-commit-sign.sh
@@ -28,7 +28,7 @@ if ! has_gpgme; then
     exit 0
 fi
 
-echo "1..6"
+echo "1..7"
 
 keyid="472CDAFA"
 oldpwd=`pwd`
@@ -85,9 +85,15 @@ ${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/g
 ${CMD_PREFIX} ostree --repo=repo pull origin main
 ${CMD_PREFIX} ostree --repo=repo show --gpg-verify-remote=origin main > show.txt
 assert_file_has_content_literal show.txt 'Found 1 signature'
-rm repo -rf
 echo "ok pull verify"
 
+# Run tests written in C
+${OSTREE_UNINSTALLED}/tests/test-commit-sign-sh-ext
+echo "ok extra C tests"
+
+# Clean things up and reinit
+rm repo -rf
+
 # A test with corrupted detached signature
 cd ${test_tmpdir}
 find ${test_tmpdir}/ostree-srv/gnomerepo -name '*.commitmeta' | while read fname; do