Lines 96-103
|
96 |
BEGIN { |
96 |
BEGIN { |
97 |
# Deal with optional modules |
97 |
# Deal with optional modules |
98 |
|
98 |
|
99 |
eval { require Digest::SHA; import Digest::SHA qw(sha1_hex sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 } |
99 |
eval { require Digest::SHA; import Digest::SHA qw(sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 } |
100 |
or do { require Digest::SHA1; import Digest::SHA1 qw(sha1_hex) }; |
100 |
or die "Unable to verify file hashes! You must install a modern version of Digest::SHA."; |
101 |
|
101 |
|
102 |
$have_lwp = eval { |
102 |
$have_lwp = eval { |
103 |
require LWP::UserAgent; |
103 |
require LWP::UserAgent; |
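Review bot: The new `or die` on line 100 throws away `$@`, so when Digest::SHA is installed but fails to load (a broken XS build, a permissions problem) the operator sees only the generic "install a modern version" text. Appending the eval error keeps the real cause visible: `or die "Unable to verify file hashes! You must install a modern version of Digest::SHA. ($@)";`. Because a failed load is now fatal, `$have_sha256` and `$have_sha512` can no longer be false after this statement, so any later tests of them look redundant; that code is outside the hunk and should be confirmed before it is simplified. The BEGIN block continues past the end of the hunk.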
Lines 598-612
|
598 |
my $content; |
598 |
my $content; |
599 |
my $SHA512; |
599 |
my $SHA512; |
600 |
my $SHA256; |
600 |
my $SHA256; |
601 |
my $SHA1; |
|
|
602 |
my $GPG; |
601 |
my $GPG; |
603 |
|
602 |
|
604 |
if ($instfile) { |
603 |
if ($instfile) { |
605 |
dbg("channel: using --install files $instfile\{,.sha1,.sha256,.sha512,.asc\}"); |
604 |
dbg("channel: using --install files $instfile\{,.sha256,.sha512,.asc\}"); |
606 |
$content = read_install_file($instfile); |
605 |
$content = read_install_file($instfile); |
607 |
if ( -s "$instfile.sha512" ) { $SHA512 = read_install_file($instfile.".sha512"); } |
606 |
if ( -s "$instfile.sha512" ) { $SHA512 = read_install_file($instfile.".sha512"); } |
608 |
if ( -s "$instfile.sha256" ) { $SHA256 = read_install_file($instfile.".sha256"); } |
607 |
if ( -s "$instfile.sha256" ) { $SHA256 = read_install_file($instfile.".sha256"); } |
609 |
if ( -s "$instfile.sha1" ) { $SHA1 = read_install_file($instfile.".sha1"); } |
|
|
610 |
$GPG = read_install_file($instfile.".asc") if $GPG_ENABLED; |
608 |
$GPG = read_install_file($instfile.".asc") if $GPG_ENABLED; |
611 |
|
609 |
|
612 |
} else { # not an install file, obtain fresh rules from network |
610 |
} else { # not an install file, obtain fresh rules from network |
Lines 740-746
|
740 |
|
738 |
|
741 |
# Loop through all available mirrors, choose from them randomly |
739 |
# Loop through all available mirrors, choose from them randomly |
742 |
# if the archive get fails, choose another mirror, |
740 |
# if the archive get fails, choose another mirror, |
743 |
# if the get for the sha1 or gpg signature files, the channel fails |
741 |
# if the get for the hash or gpg signature files fails, the channel fails |
744 |
while (my $mirror = choose_mirror(\%mirrors)) { |
742 |
while (my $mirror = choose_mirror(\%mirrors)) { |
745 |
my $result_fname; |
743 |
my $result_fname; |
746 |
# Grab the data hash for this mirror, then remove it from the list |
744 |
# Grab the data hash for this mirror, then remove it from the list |
Lines 787-804
|
787 |
dbg("channel: No sha256 file available from $mirror"); |
785 |
dbg("channel: No sha256 file available from $mirror"); |
788 |
} |
786 |
} |
789 |
|
787 |
|
790 |
|
|
|
791 |
# SHA1 of the archive file |
792 |
$result_fname = http_get("$mirror/$newV.tar.gz.sha1", $UPDDir); |
793 |
if ( -s $result_fname) { |
794 |
$SHA1 = read_content($result_fname, 0); |
795 |
last unless $SHA1; |
796 |
$preserve_files{$result_fname} = 1; |
797 |
} else { |
798 |
undef $SHA1; |
799 |
dbg("channel: No sha1 file available from $mirror"); |
800 |
} |
801 |
|
802 |
# if GPG is enabled, the GPG detached signature of the archive file |
788 |
# if GPG is enabled, the GPG detached signature of the archive file |
803 |
if ($GPG_ENABLED) { |
789 |
if ($GPG_ENABLED) { |
804 |
$result_fname = http_get("$mirror/$newV.tar.gz.asc", $UPDDir); |
790 |
$result_fname = http_get("$mirror/$newV.tar.gz.asc", $UPDDir); |
Lines 806-837
|
806 |
last unless $GPG; |
792 |
last unless $GPG; |
807 |
$preserve_files{$result_fname} = 1; |
793 |
$preserve_files{$result_fname} = 1; |
808 |
} |
794 |
} |
809 |
|
|
|
810 |
last; |
795 |
last; |
811 |
} |
796 |
} |
812 |
|
797 |
|
813 |
} |
798 |
} |
814 |
|
799 |
|
815 |
unless ($content && ( $SHA512 || $SHA256 || $SHA1 ) && (!$GPG_ENABLED || $GPG)) { |
800 |
unless ($content && ( $SHA512 || $SHA256 ) && (!$GPG_ENABLED || $GPG)) { |
816 |
channel_failed("channel: could not find working mirror"); |
801 |
channel_failed("channel: could not find working mirror"); |
817 |
next; |
802 |
next; |
818 |
} |
803 |
} |
819 |
if ( $SHA1 ) { |
|
|
820 |
# Validate the SHA1 signature before going forward with more complicated |
821 |
# operations. |
822 |
# The SHA1 file may be "signature filename" ala sha1sum, just use the signature |
823 |
{ local($1); |
824 |
$SHA1 =~ /^([a-fA-F0-9]{40})/; |
825 |
$SHA1 = $1 || 'INVALID'; |
826 |
} |
827 |
my $digest = sha1_hex($content); |
828 |
dbg("sha1: verification wanted: $SHA1"); |
829 |
dbg("sha1: verification result: $digest"); |
830 |
unless ($digest eq $SHA1) { |
831 |
channel_failed("channel: SHA1 verification failed"); |
832 |
next; |
833 |
} |
834 |
} |
835 |
|
804 |
|
836 |
if ( $SHA512 ) { |
805 |
if ( $SHA512 ) { |
837 |
# Validate the SHA512 signature |
806 |
# Validate the SHA512 signature |
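Review bot: The `unless` on new line 800 now rejects a channel whose mirror publishes only a `.sha1` file, but the failure is still reported as `channel: could not find working mirror`, which hides the real cause from whoever reads the log. A separate diagnostic for the case where `$content` was fetched but neither `$SHA512` nor `$SHA256` is set would make the refusal explicit, for example `dbg("channel: no sha256 or sha512 hash file found, refusing update");` ahead of the `channel_failed` call. The same condition appears to be reached on the `--install` path when the `.sha256` and `.sha512` companion files are absent, where the "mirror" wording is even less accurate. The enclosing loop starts and ends outside the hunk.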
Lines 1151-1157
|
1151 |
return 0; |
1120 |
return 0; |
1152 |
} |
1121 |
} |
1153 |
|
1122 |
|
1154 |
# if all went fine, remove the .tar.gz, .sha1 and .asc files |
1123 |
# if all went fine, remove the .tar.gz, .sha* and .asc files |
1155 |
delete_files( grep(!m{/\QMIRRORED.BY\E\z}, keys %preserve_files) ); |
1124 |
delete_files( grep(!m{/\QMIRRORED.BY\E\z}, keys %preserve_files) ); |
1156 |
|
1125 |
|
1157 |
$channel_successes++; |
1126 |
$channel_successes++; |
Lines 1897-1903
|
1897 |
--channelfile file Retrieve updates from the channels in the file |
1866 |
--channelfile file Retrieve updates from the channels in the file |
1898 |
--checkonly Check for update availability, do not install |
1867 |
--checkonly Check for update availability, do not install |
1899 |
--install filename Install updates directly from this file. Signature |
1868 |
--install filename Install updates directly from this file. Signature |
1900 |
verification will use "file.asc" and "file.sha1" |
1869 |
verification will use "file.asc", "file.sha256", |
|
|
1870 |
and "file.sha512". |
1901 |
--allowplugins Allow updates to load plugin code |
1871 |
--allowplugins Allow updates to load plugin code |
1902 |
--gpgkey key Trust the key id to sign releases |
1872 |
--gpgkey key Trust the key id to sign releases |
1903 |
Use multiple times for multiple keys |
1873 |
Use multiple times for multiple keys |
Lines 1927-1933
|
1927 |
I<updates.spamassassin.org>, which has updated rules since the previous |
1897 |
I<updates.spamassassin.org>, which has updated rules since the previous |
1928 |
release. |
1898 |
release. |
1929 |
|
1899 |
|
1930 |
Update archives are verified using SHA1 hashes and GPG signatures, by default. |
1900 |
Update archives are verified using SHA256 and SHA512 hashes and GPG signatures, |
|
|
1901 |
by default. |
1931 |
|
1902 |
|
1932 |
Note that C<sa-update> will not restart C<spamd> or otherwise cause |
1903 |
Note that C<sa-update> will not restart C<spamd> or otherwise cause |
1933 |
a scanner to reload the now-updated ruleset automatically. Instead, |
1904 |
a scanner to reload the now-updated ruleset automatically. Instead, |
Lines 1975-1984
|
1975 |
Install updates "offline", from the named tar.gz file, instead of performing |
1946 |
Install updates "offline", from the named tar.gz file, instead of performing |
1976 |
DNS lookups and HTTP invocations. |
1947 |
DNS lookups and HTTP invocations. |
1977 |
|
1948 |
|
1978 |
Files named B<file>.sha1 and B<file>.asc will be used for the SHA-1 and GPG |
1949 |
Files named B<file>.sha256, B<file>.sha512, and B<file>.asc will be used for |
1979 |
signature, respectively. The filename provided must contain a version number |
1950 |
the SHA256 and SHA512 hashes and the GPG signature, respectively. The filename |
1980 |
of at least 3 digits, which will be used as the channel's update version |
1951 |
provided must contain a version number of at least 3 digits, which will be used |
1981 |
number. |
1952 |
as the channel's update version number. |
1982 |
|
1953 |
|
1983 |
Multiple B<--channel> switches cannot be used with B<--install>. To install |
1954 |
Multiple B<--channel> switches cannot be used with B<--install>. To install |
1984 |
multiple channels from tarballs, run C<sa-update> multiple times with different |
1955 |
multiple channels from tarballs, run C<sa-update> multiple times with different |
Lines 1995-2005
|
1995 |
|
1966 |
|
1996 |
=item B<--gpg>, B<--nogpg> |
1967 |
=item B<--gpg>, B<--nogpg> |
1997 |
|
1968 |
|
1998 |
sa-update by default will verify update archives by use of a SHA1 checksum |
1969 |
sa-update by default will verify update archives by use of SHA256 and SHA512 |
1999 |
and GPG signature. SHA1 hashes can verify whether or not the downloaded |
1970 |
checksums and GPG signature. SHA* hashes can verify whether or not the |
2000 |
archive has been corrupted, but it does not offer any form of security |
1971 |
downloaded archive has been corrupted, but it does not offer any form of |
2001 |
regarding whether or not the downloaded archive is legitimate (aka: |
1972 |
security regarding whether or not the downloaded archive is legitimate |
2002 |
non-modifed by evildoers). GPG verification of the archive is used to |
1973 |
(aka: non-modifed by evildoers). GPG verification of the archive is used to |
2003 |
solve that problem. |
1974 |
solve that problem. |
2004 |
|
1975 |
|
2005 |
If you wish to skip GPG verification, you can use the B<--nogpg> option |
1976 |
If you wish to skip GPG verification, you can use the B<--nogpg> option |