Add cert verification function

4 years ago · 23799f1a6f
parent f3a1729558
commit 23799f1a6f
2 changed files with 59 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -87,6 +87,8 @@ That's it! If it tells you that some dependency is missing, install it.
 You can pass update.sh several perl-style regexes as arguments to only download specific files.
 You can pass build.sh a specific pack's conf name instead of all to build only the specific pack.

+If you have the Java SDK and openssl tool installed, the update script will dump the signing certificates of all downloaded APKs and repo jars to resdl/util/certs. It will compare all future downloads with those certs, and in case of any signature errors or mismatches, will warn you.
+
 To build your own custom pack, refer to custom-pack.md in the conf directory.

 ### Credits
--- a/conf/resdl-download.txt
+++ b/conf/resdl-download.txt
@ -70,6 +70,7 @@ post_update_actions() {
  unzipmaps;
  getzipsigner;
  updatedelta;
+  verifycerts;
  return 0;

 }
@ -135,3 +136,59 @@ updatedelta() {
  done;

 }
+
+verifycerts() {
+
+  [ "$(which jarsigner)" ] && [ "$(which openssl)" ] || {
+    echo " ";
+    echo " !! Not checking certificates (missing jarsigner or openssl)";
+    return 0;
+  }
+
+  certdir="$resdldir/util/certs";
+
+  echo " ";
+  echo " - Checking certs for repos...";
+
+  for repo in $(echo "$stuff_repo" | select_word 1); do
+    certobject="repo/$repo.cer";
+     jarsigner verify "$tmpdir/repos/$repo.jar" > /dev/null || {
+      echo "  !! Verification failed for repo ($repo)" >&2;
+      continue;
+    }
+    [ -f "$certdir/$certobject" ] || {
+      echo "  -- Adding cert for new repo ($repo)";
+      mkdir -p "$certdir/$(dirname "$certobject")";
+      unzip -p "$tmpdir/repos/$repo.jar" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$certdir/$certobject";
+      continue;
+    }
+    unzip -p "$tmpdir/repos/$repo.jar" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$tmpdir/tmp.cer";
+    [ "$(diff -w "$tmpdir/tmp.cer" "$certdir/$certobject")" ] && {
+      echo "  !! Cert mismatch for repo ($repo)" >&2;
+      cp -f "$tmpdir/tmp.cer" "$certdir/$certobject.new";
+    }
+  done;
+
+  echo " ";
+  echo " - Checking certs for APKs...";
+
+  for object in $(echo "$stuff_download" | grep -P "^[ \t]*[^ \t]+.apk[ \t]+" | select_word 1); do
+    certobject="$(dirname "$object")/$(basename "$object" .apk).cer";
+    jarsigner verify "$resdldir/$object" > /dev/null || {
+      echo "  !! Verification failed for APK ($object)" >&2;
+      continue;
+    }
+    [ -f "$certdir/$certobject" ] || {
+      echo "  -- Adding cert for new APK ($object)";
+      mkdir -p "$certdir/$(dirname "$certobject")";
+      unzip -p "$resdldir/$object" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$certdir/$certobject";
+      continue;
+    }
+    unzip -p "$resdldir/$object" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$tmpdir/tmp.cer";
+    [ "$(diff -w "$tmpdir/tmp.cer" "$certdir/$certobject")" ] && {
+      echo "  !! Cert mismatch for APK ($object)" >&2;
+      cp -f "$tmpdir/tmp.cer" "$certdir/$certobject.new";
+    }
+  done;
+
+}