|
Lines 96-103
Link Here
|
| 96 |
BEGIN { |
96 |
BEGIN { |
| 97 |
# Deal with optional modules |
97 |
# Deal with optional modules |
| 98 |
|
98 |
|
| 99 |
eval { require Digest::SHA; import Digest::SHA qw(sha1_hex sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 } |
99 |
eval { require Digest::SHA; import Digest::SHA qw(sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 } |
| 100 |
or do { require Digest::SHA1; import Digest::SHA1 qw(sha1_hex) }; |
100 |
or die "Unable to verify file hashes! You must install a modern version of Digest::SHA."; |
| 101 |
|
101 |
|
| 102 |
$have_lwp = eval { |
102 |
$have_lwp = eval { |
| 103 |
require LWP::UserAgent; |
103 |
require LWP::UserAgent; |
|
Lines 598-612
Link Here
|
| 598 |
my $content; |
598 |
my $content; |
| 599 |
my $SHA512; |
599 |
my $SHA512; |
| 600 |
my $SHA256; |
600 |
my $SHA256; |
| 601 |
my $SHA1; |
|
|
| 602 |
my $GPG; |
601 |
my $GPG; |
| 603 |
|
602 |
|
| 604 |
if ($instfile) { |
603 |
if ($instfile) { |
| 605 |
dbg("channel: using --install files $instfile\{,.sha1,.sha256,.sha512,.asc\}"); |
604 |
dbg("channel: using --install files $instfile\{,.sha256,.sha512,.asc\}"); |
| 606 |
$content = read_install_file($instfile); |
605 |
$content = read_install_file($instfile); |
| 607 |
if ( -s "$instfile.sha512" ) { $SHA512 = read_install_file($instfile.".sha512"); } |
606 |
if ( -s "$instfile.sha512" ) { $SHA512 = read_install_file($instfile.".sha512"); } |
| 608 |
if ( -s "$instfile.sha256" ) { $SHA256 = read_install_file($instfile.".sha256"); } |
607 |
if ( -s "$instfile.sha256" ) { $SHA256 = read_install_file($instfile.".sha256"); } |
| 609 |
if ( -s "$instfile.sha1" ) { $SHA1 = read_install_file($instfile.".sha1"); } |
|
|
| 610 |
$GPG = read_install_file($instfile.".asc") if $GPG_ENABLED; |
608 |
$GPG = read_install_file($instfile.".asc") if $GPG_ENABLED; |
| 611 |
|
609 |
|
| 612 |
} else { # not an install file, obtain fresh rules from network |
610 |
} else { # not an install file, obtain fresh rules from network |
|
Lines 740-746
Link Here
|
| 740 |
|
738 |
|
| 741 |
# Loop through all available mirrors, choose from them randomly |
739 |
# Loop through all available mirrors, choose from them randomly |
| 742 |
# if the archive get fails, choose another mirror, |
740 |
# if the archive get fails, choose another mirror, |
| 743 |
# if the get for the sha1 or gpg signature files, the channel fails |
741 |
# if the get for the hash or gpg signature files fails, the channel fails |
| 744 |
while (my $mirror = choose_mirror(\%mirrors)) { |
742 |
while (my $mirror = choose_mirror(\%mirrors)) { |
| 745 |
my $result_fname; |
743 |
my $result_fname; |
| 746 |
# Grab the data hash for this mirror, then remove it from the list |
744 |
# Grab the data hash for this mirror, then remove it from the list |
|
Lines 787-804
Link Here
|
| 787 |
dbg("channel: No sha256 file available from $mirror"); |
785 |
dbg("channel: No sha256 file available from $mirror"); |
| 788 |
} |
786 |
} |
| 789 |
|
787 |
|
| 790 |
|
|
|
| 791 |
# SHA1 of the archive file |
| 792 |
$result_fname = http_get("$mirror/$newV.tar.gz.sha1", $UPDDir); |
| 793 |
if ( -s $result_fname) { |
| 794 |
$SHA1 = read_content($result_fname, 0); |
| 795 |
last unless $SHA1; |
| 796 |
$preserve_files{$result_fname} = 1; |
| 797 |
} else { |
| 798 |
undef $SHA1; |
| 799 |
dbg("channel: No sha1 file available from $mirror"); |
| 800 |
} |
| 801 |
|
| 802 |
# if GPG is enabled, the GPG detached signature of the archive file |
788 |
# if GPG is enabled, the GPG detached signature of the archive file |
| 803 |
if ($GPG_ENABLED) { |
789 |
if ($GPG_ENABLED) { |
| 804 |
$result_fname = http_get("$mirror/$newV.tar.gz.asc", $UPDDir); |
790 |
$result_fname = http_get("$mirror/$newV.tar.gz.asc", $UPDDir); |
|
Lines 806-837
Link Here
|
| 806 |
last unless $GPG; |
792 |
last unless $GPG; |
| 807 |
$preserve_files{$result_fname} = 1; |
793 |
$preserve_files{$result_fname} = 1; |
| 808 |
} |
794 |
} |
| 809 |
|
|
|
| 810 |
last; |
795 |
last; |
| 811 |
} |
796 |
} |
| 812 |
|
797 |
|
| 813 |
} |
798 |
} |
| 814 |
|
799 |
|
| 815 |
unless ($content && ( $SHA512 || $SHA256 || $SHA1 ) && (!$GPG_ENABLED || $GPG)) { |
800 |
unless ($content && ( $SHA512 || $SHA256 ) && (!$GPG_ENABLED || $GPG)) { |
| 816 |
channel_failed("channel: could not find working mirror"); |
801 |
channel_failed("channel: could not find working mirror"); |
| 817 |
next; |
802 |
next; |
| 818 |
} |
803 |
} |
| 819 |
if ( $SHA1 ) { |
|
|
| 820 |
# Validate the SHA1 signature before going forward with more complicated |
| 821 |
# operations. |
| 822 |
# The SHA1 file may be "signature filename" ala sha1sum, just use the signature |
| 823 |
{ local($1); |
| 824 |
$SHA1 =~ /^([a-fA-F0-9]{40})/; |
| 825 |
$SHA1 = $1 || 'INVALID'; |
| 826 |
} |
| 827 |
my $digest = sha1_hex($content); |
| 828 |
dbg("sha1: verification wanted: $SHA1"); |
| 829 |
dbg("sha1: verification result: $digest"); |
| 830 |
unless ($digest eq $SHA1) { |
| 831 |
channel_failed("channel: SHA1 verification failed"); |
| 832 |
next; |
| 833 |
} |
| 834 |
} |
| 835 |
|
804 |
|
| 836 |
if ( $SHA512 ) { |
805 |
if ( $SHA512 ) { |
| 837 |
# Validate the SHA512 signature |
806 |
# Validate the SHA512 signature |
|
Lines 1151-1157
Link Here
|
| 1151 |
return 0; |
1120 |
return 0; |
| 1152 |
} |
1121 |
} |
| 1153 |
|
1122 |
|
| 1154 |
# if all went fine, remove the .tar.gz, .sha1 and .asc files |
1123 |
# if all went fine, remove the .tar.gz, .sha* and .asc files |
| 1155 |
delete_files( grep(!m{/\QMIRRORED.BY\E\z}, keys %preserve_files) ); |
1124 |
delete_files( grep(!m{/\QMIRRORED.BY\E\z}, keys %preserve_files) ); |
| 1156 |
|
1125 |
|
| 1157 |
$channel_successes++; |
1126 |
$channel_successes++; |
|
Lines 1897-1903
Link Here
|
| 1897 |
--channelfile file Retrieve updates from the channels in the file |
1866 |
--channelfile file Retrieve updates from the channels in the file |
| 1898 |
--checkonly Check for update availability, do not install |
1867 |
--checkonly Check for update availability, do not install |
| 1899 |
--install filename Install updates directly from this file. Signature |
1868 |
--install filename Install updates directly from this file. Signature |
| 1900 |
verification will use "file.asc" and "file.sha1" |
1869 |
verification will use "file.asc", "file.sha256", |
|
|
1870 |
and "file.sha512". |
| 1901 |
--allowplugins Allow updates to load plugin code |
1871 |
--allowplugins Allow updates to load plugin code |
| 1902 |
--gpgkey key Trust the key id to sign releases |
1872 |
--gpgkey key Trust the key id to sign releases |
| 1903 |
Use multiple times for multiple keys |
1873 |
Use multiple times for multiple keys |
|
Lines 1927-1933
Link Here
|
| 1927 |
I<updates.spamassassin.org>, which has updated rules since the previous |
1897 |
I<updates.spamassassin.org>, which has updated rules since the previous |
| 1928 |
release. |
1898 |
release. |
| 1929 |
|
1899 |
|
| 1930 |
Update archives are verified using SHA1 hashes and GPG signatures, by default. |
1900 |
Update archives are verified using SHA256 and SHA512 hashes and GPG signatures, |
|
|
1901 |
by default. |
| 1931 |
|
1902 |
|
| 1932 |
Note that C<sa-update> will not restart C<spamd> or otherwise cause |
1903 |
Note that C<sa-update> will not restart C<spamd> or otherwise cause |
| 1933 |
a scanner to reload the now-updated ruleset automatically. Instead, |
1904 |
a scanner to reload the now-updated ruleset automatically. Instead, |
|
Lines 1975-1984
Link Here
|
| 1975 |
Install updates "offline", from the named tar.gz file, instead of performing |
1946 |
Install updates "offline", from the named tar.gz file, instead of performing |
| 1976 |
DNS lookups and HTTP invocations. |
1947 |
DNS lookups and HTTP invocations. |
| 1977 |
|
1948 |
|
| 1978 |
Files named B<file>.sha1 and B<file>.asc will be used for the SHA-1 and GPG |
1949 |
Files named B<file>.sha256, B<file>.sha512, and B<file>.asc will be used for |
| 1979 |
signature, respectively. The filename provided must contain a version number |
1950 |
the SHA256 and SHA512 hashes and the GPG signature, respectively. The filename |
| 1980 |
of at least 3 digits, which will be used as the channel's update version |
1951 |
provided must contain a version number of at least 3 digits, which will be used |
| 1981 |
number. |
1952 |
as the channel's update version number. |
| 1982 |
|
1953 |
|
| 1983 |
Multiple B<--channel> switches cannot be used with B<--install>. To install |
1954 |
Multiple B<--channel> switches cannot be used with B<--install>. To install |
| 1984 |
multiple channels from tarballs, run C<sa-update> multiple times with different |
1955 |
multiple channels from tarballs, run C<sa-update> multiple times with different |
|
Lines 1995-2005
Link Here
|
| 1995 |
|
1966 |
|
| 1996 |
=item B<--gpg>, B<--nogpg> |
1967 |
=item B<--gpg>, B<--nogpg> |
| 1997 |
|
1968 |
|
| 1998 |
sa-update by default will verify update archives by use of a SHA1 checksum |
1969 |
sa-update by default will verify update archives by use of SHA256 and SHA512 |
| 1999 |
and GPG signature. SHA1 hashes can verify whether or not the downloaded |
1970 |
checksums and GPG signature. SHA* hashes can verify whether or not the |
| 2000 |
archive has been corrupted, but it does not offer any form of security |
1971 |
downloaded archive has been corrupted, but it does not offer any form of |
| 2001 |
regarding whether or not the downloaded archive is legitimate (aka: |
1972 |
security regarding whether or not the downloaded archive is legitimate |
| 2002 |
non-modifed by evildoers). GPG verification of the archive is used to |
1973 |
(aka: non-modifed by evildoers). GPG verification of the archive is used to |
| 2003 |
solve that problem. |
1974 |
solve that problem. |
| 2004 |
|
1975 |
|
| 2005 |
If you wish to skip GPG verification, you can use the B<--nogpg> option |
1976 |
If you wish to skip GPG verification, you can use the B<--nogpg> option |
