libzypp 17.38.8
Extended metadata signature checking
Author
Michael Andres ma@suse.de

Introduction

A stateful plugin that performs an extended metadata verification. Unlike the Repository metadata verification plugin, which unconditionally processes all repositories, a plugin of this type is assigned explicitly and can be used for extended metadata verification in the supported contexts. Being stateful, it can request additional files, such as key and signature files, which libzypp will then try to retrieve alongside the data file.

When a plugin is assigned to verify metadata, its presence on the system is mandatory: if the assigned plugin is not installed, or its verification fails, the repository metadata is rejected and will not be used.

Plugins of this type need to be executable and installed in the /usr/lib/zypp/plugins/sigcheck directory.

libzypp versions supporting this type of plugin provide the feature plugin:sigcheck (see Testing for provided features).

Repo metadata verification

To assign a plugin to verify a repository's master index file (repodata/repomd.xml), assign the plugin's name to the repo_sigcheck_plugin= tag in the repository's .repo file.

# Assign repo TWP7S to be verified by the pqcverification plugin
# (/usr/lib/zypp/plugins/sigcheck/pqcverification)
[TWP7S]
enabled=1
autorefresh=1
repo_sigcheck_plugin=pqcverification
baseurl=https://...

You may define multiple plugins separated by ';'. The plugins are executed in the specified order, and all of them must succeed for the metadata to be accepted.

A plugin's name may be followed by arguments which are passed through to the plugin upon its execution. Arguments are separated by ' '.

A literal '\', ';' or ' ' inside a name or argument must be '\'-escaped.
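The splitting rules above, applied by an added parser that is not libzypp's own code. It implements exactly what the text states: ';' separates plugins, ' ' separates arguments, and a '\' makes the following character literal. Two details the text does not specify are assumptions made here: runs of unescaped spaces count as one separator, and empty entries (";;") are skipped.

```python
def parse_sigcheck_plugins(value):
    """Split a repo_sigcheck_plugin= value into [(plugin_name, [arg, ...]), ...].

    Rules as documented: ';' separates plugins, ' ' separates arguments,
    '\\' escapes the next character. Assumed here (not specified by the
    documentation): repeated separators collapse and empty entries are dropped.
    """
    entries = []        # finished (name, args) tuples
    tokens = []         # tokens of the entry currently being built
    cur = []            # characters of the token currently being built
    have_token = False  # distinguishes an empty token from no token at all

    def end_token():
        nonlocal cur, have_token
        if have_token:
            tokens.append("".join(cur))
        cur, have_token = [], False

    def end_entry():
        nonlocal tokens
        end_token()
        if tokens:
            entries.append((tokens[0], tokens[1:]))
        tokens = []

    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            # '\' escapes whatever follows, so '\;', '\ ' and '\\' become literal
            i += 1
            if i >= len(value):
                raise ValueError("dangling '\\' at end of repo_sigcheck_plugin value")
            cur.append(value[i])
            have_token = True
        elif ch == " ":
            end_token()
        elif ch == ";":
            end_entry()
        else:
            cur.append(ch)
            have_token = True
        i += 1
    end_entry()
    return entries


# Constructed sample values, as they would appear after "repo_sigcheck_plugin=".
SAMPLE_SINGLE = "pqcverification"
SAMPLE_MULTI = "pqcverification --strict;second\\ plugin key\\;id a\\\\b"

if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE, SAMPLE_MULTI):
        for name, args in parse_sigcheck_plugins(sample):
            print(f"/usr/lib/zypp/plugins/sigcheck/{name}", args)
```

Each parsed entry maps to one executable under /usr/lib/zypp/plugins/sigcheck/ that receives the listed arguments; the second sample shows an escaped space in a plugin name, an escaped ';' and an escaped '\' inside arguments.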

The verification workflow


PLUGINBEGIN

After the plugin is launched it receives a PLUGINBEGIN frame telling the version of the protocol. Frames are shown below as they appear on the wire; ^@ stands for the NUL byte that terminates every frame.

PLUGINBEGIN
version:0

^@

PLUGINSETUP

The plugin answers with:

PLUGINSETUP
sig_extension:.sig
key_extension:.key

^@

The optional sig_extension and key_extension headers define the file extensions of the data file's signature and key files. If extensions are given, ZYPP downloads these files together with the data file and passes their paths in the verification frame.

If neither a signature nor a key file is needed, the plugin may answer with an ACK frame instead.


SIGCHECK

To verify a datafile ZYPP will send a SIGCHECK frame:

SIGCHECK
data:/path/to/datafile
sig:/path/to/signature
key:/path/to/key

^@

The optional sig and key headers give the paths of the downloaded files, if they were requested in PLUGINSETUP.

If the verification succeeded, the plugin must send an ACK frame; otherwise it sends an ERROR frame. Any text in the ERROR frame's body is forwarded to the user.


_DISCONNECT

The plugin should keep running and serving SIGCHECK requests until it receives a _DISCONNECT frame, which it answers with an ACK frame.
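The complete workflow above (PLUGINBEGIN, PLUGINSETUP, SIGCHECK, _DISCONNECT), as an added example plugin that is not part of libzypp or of this page. It reads and writes the frames directly in the form shown above (command line, key:value header lines, a blank line, the body and a terminating NUL) so it runs offline without any helper module. The frame layout, the protocol version "0" and the header names come from the text; the verification routine is an assumption, a keyed HMAC-SHA256 stand-in so the exchange can be driven against constructed files. A real plugin would replace verify_hmac_placeholder with a public-key signature check; everything else stays the same.

```python
import hashlib
import hmac
import sys
import tempfile
from pathlib import Path

NUL = b"\x00"  # terminates every frame (rendered as ^@ in the documentation)


def build_frame(command, headers=None, body=b""):
    """Serialize a frame: COMMAND line, key:value header lines, blank line, body, NUL."""
    lines = [command.encode()] + [f"{k}:{v}".encode() for k, v in (headers or {}).items()]
    return b"\n".join(lines) + b"\n\n" + body + NUL


def parse_frame(raw):
    """Parse one NUL-terminated frame into (command, {header: value}, body)."""
    if not raw.endswith(NUL):
        raise ValueError("frame is not NUL-terminated")
    head, sep, body = raw[:-1].partition(b"\n\n")
    if not sep:
        raise ValueError("frame lacks the blank line between headers and body")
    command, *header_lines = head.decode().split("\n")
    headers = {}
    for line in header_lines:
        key, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        headers[key] = value
    return command, headers, body


def verify_hmac_placeholder(data_path, sig_path, key_path):
    """ASSUMPTION / stand-in: treat the .key file as an HMAC-SHA256 key and the
    .sig file as the hex MAC of the data file. Only exercises the protocol."""
    key = Path(key_path).read_bytes()
    expected = hmac.new(key, Path(data_path).read_bytes(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, Path(sig_path).read_text().strip())


class SigcheckPlugin:
    SIG_EXT, KEY_EXT = ".sig", ".key"  # extensions announced in PLUGINSETUP

    def __init__(self, verify=verify_hmac_placeholder):
        self.verify, self.started, self.done = verify, False, False

    def handle(self, frame):
        """Return the response frame for one incoming frame; sets self.done on _DISCONNECT."""
        command, headers, _ = parse_frame(frame)
        if command == "PLUGINBEGIN":
            if headers.get("version") != "0":
                return build_frame("ERROR", body=b"unsupported protocol version")
            self.started = True
            return build_frame("PLUGINSETUP", {"sig_extension": self.SIG_EXT,
                                               "key_extension": self.KEY_EXT})
        if not self.started:
            return build_frame("ERROR", body=b"PLUGINBEGIN expected first")
        if command == "SIGCHECK":
            missing = [h for h in ("data", "sig", "key") if h not in headers]
            if missing:
                return build_frame("ERROR", body=f"missing header(s): {missing}".encode())
            try:
                ok = self.verify(headers["data"], headers["sig"], headers["key"])
            except OSError as exc:
                return build_frame("ERROR", body=f"cannot read input: {exc}".encode())
            # The ERROR body is forwarded to the user, so say what failed.
            return build_frame("ACK") if ok else build_frame(
                "ERROR", body=b"signature verification failed for " + headers["data"].encode())
        if command == "_DISCONNECT":
            self.done = True
            return build_frame("ACK")
        return build_frame("ERROR", body=f"unexpected frame {command}".encode())


def serve(plugin, inp=sys.stdin.buffer, out=sys.stdout.buffer):
    """Read NUL-terminated frames from inp, answering each, until _DISCONNECT or EOF."""
    buf = b""
    while not plugin.done:
        byte = inp.read(1)
        if not byte:
            break
        buf += byte
        if byte == NUL:
            out.write(plugin.handle(buf))
            out.flush()
            buf = b""


def demo_exchange():
    """Drive a full session against constructed files; returns the response commands."""
    with tempfile.TemporaryDirectory() as d:
        data, key, sig, bad = (Path(d, n) for n in ("repomd.xml", "repomd.xml.key",
                                                   "repomd.xml.sig", "bad.sig"))
        data.write_bytes(b"<repomd/>")          # constructed sample data file
        key.write_bytes(b"constructed-secret")  # constructed sample key file
        sig.write_text(hmac.new(key.read_bytes(), data.read_bytes(), hashlib.sha256).hexdigest())
        bad.write_text("00" * 32)               # wrong signature
        plugin = SigcheckPlugin()
        session = [build_frame("PLUGINBEGIN", {"version": "0"}),
                   build_frame("SIGCHECK", {"data": str(data), "sig": str(sig), "key": str(key)}),
                   build_frame("SIGCHECK", {"data": str(data), "sig": str(bad), "key": str(key)}),
                   build_frame("_DISCONNECT")]
        return [parse_frame(plugin.handle(f))[0] for f in session]


if __name__ == "__main__":
    serve(SigcheckPlugin())  # installed under /usr/lib/zypp/plugins/sigcheck/, libzypp drives stdin/stdout
```

Installed as an executable under /usr/lib/zypp/plugins/sigcheck/, the script answers on stdout whatever libzypp writes to its stdin; demo_exchange() runs the same state machine in-process and yields PLUGINSETUP, ACK, ERROR, ACK for the four frames it sends. Rejecting a SIGCHECK that arrives before PLUGINBEGIN, and a frame without the headers PLUGINSETUP asked for, is the kind of defensive check a verification plugin should make, since an ERROR causes the metadata to be rejected while a careless ACK accepts it.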

See also
Writing plugins