Readable strings from the compiled module /usr/lib/python2.7/vendor-packages/pkg/actions/signature.py

class SignatureAction
    Class representing the signature-type packaging object.

actions_to_str
    Transforms a collection of actions into a string that is used to sign those actions.

retrieve_chain_certs
    Retrieve the chain certificates needed to validate this signature.

get_chain_certs
    Return a list of the chain certificates needed to validate this signature.

    When retrieving the content from the repository, we use the "least preferred" hash for backwards compatibility, but when verifying the content, we use the "most preferred" hash.

get_chain_certs_chashes
    Return a list of the chain certificates needed to validate this signature.

is_signed
    Returns True if this action is signed using a key, instead of simply being a hash. Since variant tagged signature actions are not handled yet, it also returns False in that case.

(function name not readable in the dump)
    Split the sig_alg attribute up in to something useful.

verify_sig
    Try to verify this signature. It can return True or None. None means we didn't know how to verify this signature. If we do know how to verify the signature but it doesn't verify, then an exception is raised.

    The 'acts' parameter is the iterable of actions against which to verify the signature.

    The 'pub' parameter is the publisher that published the package this action signed.

    The 'trust_anchors' parameter contains the trust anchors to use when verifying the signature.

    The 'required_names' parameter is a set of strings that must be seen as a CN in the chain of trust for the certificate.

    Message strings:
        Res was expected to be 1, but was %s
        The signature value did not match the expected value. action: %s
        The signature value did not match the expected value. Res: %s