�

p��g[��<
�dd
lZdd
l
Z
dd
lZdd
lZdd
lZdd
lZdd
lZ	dg
Zddi
ZdZed�
Zed�
Zed�
ZGd�d	e�Z dd
�
Z!d�Z"dd�
Z#d
�Z$d�Z%d�Z&d�Z'd�Z(d�Z)ejTd��Z+ejTd��Z,d�Z-d�Z.dd�
Z/dd�
Z0dd�
Z1y
)�N�rsa4096�gpg)�type�kind�role�serial�keyz/dev/shm��c
��eZ
dZy
)�ErrorN)�__name__�
__module__�__qualname__�r
�)/usr/libexec/kcare/python/kcsig_verify.pyr
r
s��r
r
c���t
|�
}|tur|S|tur|j|
�
S|turtt
|�
�
Std
t
|�
z�
�
)NzUnsupported pae type )r�btype�utype�encode�int�to_bytes�str�
ValueError)�data�encoding�dtypes   rrrsX����J�E���~���	�%���{�{�8�$�$�	�#����D�	�"�"�
�,�s�5�z�9�
:�:r
c
��t
|�
}
|
tur|S|
tur|jd
�
S|
tur|jd
�
St�
)Nzutf-8)r�ntyper�decoderr�NotImplementedError)rrs  r�nstrr"'sI����J�E���~���	�%���{�{�7�#�#�	�%���{�{�7�#�#�
�r
c��|d
z}t
||�5}|j|
�

ddd�
tj||�
y#1s
w
Y

� xYw
)Nz.tmp)�open�write�os�rename)�fname�content�mode�	tmp_fname�
fs     r�atomic_writer-2sF�����I�	
�i��	�
�!�	�����
��I�I�i���
�
�s�A�Ac
�d�t
|�
5}
|
j�cddd�
S#1s
w
Y

yxYw
�
N)r$�read)r(r,s  r�	read_filer1:s)��	
�e��
�
��v�v�x�
�
�
�s�&�/c
�>�t
jt|�
�
Sr/)�json�loadsr1)
r(s
 r�	read_jsonr5?s���:�:�i��&�'�'r
c�l�d
t
|�
z}
|D] }t|�
}|
dt
|�
|fzz
}
�"|
S)Ns%ds%d%s)�lenr)�parts�result�
p�bps    r�paer<CsF��
�S��Z�
�F�
�*�
�
�a�[���'�S��W�b�M�)�)��*��Mr
c�>�t
|
D�cgc]}||��	c}�Sc
c}wr/)
r<)r�fieldsr,s   r�
pae_fieldsr?Ls���&�)�Q��a��)�*�*��)s�c
�.�t
|t|d
�S)Nr)r?�
PAE_FIELDS�
rs
 r�pae_typerCQs���d�J�t�F�|�4�5�5r
c
�N�|d
tv
rtdt|d
�
z�
�
y)Nrzinvalid key type: )rArr")
r	s
 r�	check_keyrEUs-��
�6�{�*�$��-��S��[�0A�A�B�B�%r
c#��K
�|
r|�
�

yt
jtd
��5}|jt	|�
�

|j�
|j��

ddd�
y#1s
w
Y

yxYw
�w
)Nzkcsig-data-��dir�prefix)�tempfile�NamedTemporaryFile�TMPDIRr%r�flush�name)r�data_is_filer,s   r�
temp_datafilerPZsV������
�
�
(�
(�V�M�
J�	�a�
�G�G�H�T�N�#�
�G�G�I��&�&�L�	�	�	�s�#A3
�9A'�	A3
�'A0�,A3
c#�K
�t
j||
�
�}	|��

tj|�

y#tj|�

wxYw
�w
)N)rIrH)rJ�mkdtemp�shutil�rmtree)rIrH�temp_dirs   r�temp_directoryrVes:�������v�3�7�H� ����
�
�h����
�
�h��s�A
�5�A
�A�A
c	�~
�t
td
��5}dd|d|dd|
g}tj|tjtjtj��}|j|�
\}}|jd	k7r&td
t|�
zdzt|�
z�
�
	ddd�
y#1s
w
Y

yxYw
)Nz
kcsig-gpgtmp-rGrz	--homedirz	--keyringz--verify�
-)�stdin�stdout�stderrrzVerify error: �

)	rVrL�
subprocess�Popen�PIPE�communicate�
returncode�	Exceptionr")�keyfile�datafile�sigdata�tmp_dir�cmdr:rZr[s        r�run_gpg_verifyrhns���	�F�?�	;�S
�w��k�7�K��*�c�S[�\�����S�
���
���Xb�Xg�Xg�h�
����w�/�����<�<�1���,�t�F�|�;�d�B�T�&�\�Q�R�R��	S
�S
�S
�s�BB3�3B<c	�
�t
|
�

tjtd
��5}|j	tjt|
d�
�
�

|j�
t||�5}tjt|�
�
}t|j||�
ddd�
ddd�
y#1s
w
Y

�xYw
#1s
w
Y

yxYw
)Nz
kcsig-key-rGr	)rErJrKrLr%�base64�	b64decoderrMrPrhrN)�	signaturer	rrO�key_filerdres       r�
verify_keyrnxs���
�c�N�	�	$�	$���	E�=�����v�'�'���U��(<�=�>�����
�4��
.�	=�(��&�&�x�	�':�;�G��8�=�=�(�G�<�	=�=�=�	=�	=��=�=�s$�A
C�46B;�*C�;C	�C�Cc���d
}i}|j
�D]&\}}||
v
rd||<�	t||
|||�
|dz
}�(||fS#t$r}t|�
||<Yd}~�Id}~w
wxYw
)Nrzno corresponding root key�
)�itemsrnrbr)	�
signatures�keysrrO�count�errors�keyid�sig�
es	         r�verify_country�s���
�E�
�F� �&�&�(�
�
��s����7�F�5�M��	��s�D��K��|�<�
�Q�J�E�
��&�=����
	#��
�F�F�5�M��
	#�s�A�	A#�A�A#c��|j
d
d�}|j
dd�}i}|x
s
t}i}|dj�D]W\}}		t|	�

|	d|v
rdj	|	d|�||<n&|	d|krd	j	|	d|�||<n|	||<�Yi}|j�D]5\}}	t|	d
|dt|	�
��\}}
||kr|
||<�1|	||<�7d}|j�D] \}}		t|d
||	|
d
��
|dz
}�"|s!tdtj|�
z�
�
y#t
$r}
t
|
�
||<Yd}
~
�
�d}
~
w
wxYw
#t
$r}
t
|
�
||<Yd}
~
��d}
~
w
wxYw
)N�	thresholdi'�
min_seriali��rsrz&invalid kind {0}, accepted list is {1}rz"invalid serial {0}, current is {1}rrrBrT)rrOrpz!Error validating file signature: )
�get�AVAILABLE_KINDSrqrE�formatrbrryrCrnr
r3�dumps)rerd�	root_keys�kindsr{r|ru�applicable_keysrvr	rx�
verified_keysrt�root_errorss              r�_verifyr��s�
���
�
�k�4�0�I����|�X�6�J�
�F��$�_�E��O��f�o�+�+�-��
��s�
	��c�N��6�{�%�'� H� O� O�PS�TZ�P[�]b� c��u�
��X���+� D� K� K�C�PX�M�[e� f��u�
�),���&����M�%�+�+�-�'�
��s�)�#�l�*;�Y�v�=N�U]�^a�Ub�c���{��9��'�F�5�M�#&�M�%� �'�
�E�#�)�)�+��
��s�	��w�|�,�U�3�S�x�VZ�[�
�Q�J�E�
���7�$�*�*�V�:L�L�M�M���+�	��
�F�F�5�M���	�� �
	#��
�F�F�5�M��
	#�s1�
AE�E(�	E%�E � E%�(	F	�1F�F	c�N�t
|�
}t
|�
}t||
||�
�
y)N)
r�)r5r�)�sigfilerd�rootfiler�rer�s      r�verifyr��s$���� �G��(�#�I��G�X�y��6r
)
�latin1)
�
w)
Fr/)2r&rjrJr]r3rS�
contextlib�typing�Union�List�Mapping�Any�Sequence�Optional�Tuple�Dict�Iterator�types�
ReleaseKey�AnyKey�RootKey�anystr�	Signature�RootKeysr~rArLrrrrrbr
rr"r-r1r5r<r?rCrE�contextmanagerrPrVrhrnryr�r�rr
r�<module>r�
s��


�	�
����
����+���>�
?�
�	���S�	���S�	���R���

	�I�

	�	
;�
�
 �
�


(�
�
+�


6�
C
�
�
�
�
��
��
�
�
 ��
 �
S
�
=�
�&(
N
�V

7r