Player software: verify package (#2893)

* Player software: verify chromeos package on upload. xibosignageltd/xibo-private#926
xibosignage · Feb 6, 2025 · 5fab6aa · 5fab6aa
1 parent 58bfa79
commit 5fab6aa
Show file tree

Hide file tree

Showing 10 changed files with 84 additions and 12 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -70,6 +70,7 @@ RUN LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive apt update && apt upgrade -y &
     libapache2-mod-xsendfile \
     netcat \
     iputils-ping \
+    gnupg \
     php8.2 \
     libapache2-mod-php8.2 \
     php8.2-gd \
@@ -90,6 +91,7 @@ RUN LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive apt update && apt upgrade -y &
     php8.2-phar \
     php8.2-opcache \
     php8.2-mongodb \
+    php8.2-gnupg \
     tzdata \
     msmtp \
     openssl \
@@ -173,7 +175,8 @@ ENV CMS_DEV_MODE=false \
     MEMCACHED_PORT=11211 \
     CMS_USAGE_REPORT=true \
     XTR_ENABLED=true \
-    GIT_COMMIT=$GIT_COMMIT
+    GIT_COMMIT=$GIT_COMMIT \
+    GNUPGHOME=/var/www/.gnupg
 
 # Expose port 80
 EXPOSE 80
@@ -228,7 +231,8 @@ RUN mkdir -p /var/www/cms/library/temp &&  \
     /etc/periodic/15min/cms-db-backup && \
     mkdir -p /run/apache2 && \
     ln -sf /usr/bin/msmtp /usr/sbin/sendmail && \
-    chmod 777 /tmp
+    chmod 777 /tmp && \
+    chown -R www-data:www-data /var/www/.gnupg
 
 # Expose volume mount points
 VOLUME /var/www/cms/library

diff --git a/Dockerfile.ci b/Dockerfile.ci
@@ -55,6 +55,7 @@ RUN LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive apt update && apt upgrade -y &
     libapache2-mod-xsendfile \
     netcat \
     iputils-ping \
+    gnupg \
     php8.2 \
     libapache2-mod-php8.2 \
     php8.2-gd \
@@ -75,6 +76,7 @@ RUN LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive apt update && apt upgrade -y &
     php8.2-phar \
     php8.2-opcache \
     php8.2-mongodb \
+    php8.2-gnupg \
     tzdata \
     msmtp \
     openssl \
@@ -98,7 +100,8 @@ ADD docker/ /
 # Adjust file permissions as appropriate
 RUN chmod +x /entrypoint.sh /usr/local/bin/httpd-foreground /usr/local/bin/wait-for-command.sh \
     /etc/periodic/15min/cms-db-backup && \
-    chmod 777 /tmp
+    chmod 777 /tmp && \
+    chown -R www-data:www-data /var/www/.gnupg
 
 # Update the PHP.ini file
 RUN sed -i "s/error_reporting = .*$/error_reporting = E_ERROR | E_WARNING | E_PARSE/" /etc/php/8.2/apache2/php.ini && \
@@ -152,7 +155,8 @@ ENV CMS_DEV_MODE=true \
     MEMCACHED_PORT=11211 \
     CMS_USAGE_REPORT=false \
     XTR_ENABLED=true \
-    GIT_COMMIT=$GIT_COMMIT
+    GIT_COMMIT=$GIT_COMMIT \
+    GNUPGHOME=/var/www/.gnupg
 
 # Expose port 80
 EXPOSE 80

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -22,6 +22,7 @@ RUN LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive apt update && apt upgrade -y &
     libapache2-mod-xsendfile \
     netcat \
     iputils-ping \
+    gnupg \
     php8.2 \
     libapache2-mod-php8.2 \
     php8.2-gd \
@@ -42,6 +43,7 @@ RUN LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive apt update && apt upgrade -y &
     php8.2-phar \
     php8.2-opcache \
     php8.2-mongodb \
+    php8.2-gnupg \
     tzdata \
     msmtp \
     openssl \
@@ -65,7 +67,8 @@ ADD docker/ /
 # Adjust file permissions as appropriate
 RUN chmod +x /entrypoint.sh /usr/local/bin/httpd-foreground /usr/local/bin/wait-for-command.sh \
     /etc/periodic/15min/cms-db-backup && \
-    chmod 777 /tmp
+    chmod 777 /tmp && \
+    chown -R www-data:www-data /var/www/.gnupg
 
 # Update the PHP.ini file
 RUN sed -i "s/error_reporting = .*$/error_reporting = E_ERROR | E_WARNING | E_PARSE/" /etc/php/8.2/apache2/php.ini && \
@@ -121,7 +124,8 @@ ENV CMS_DEV_MODE=true \
     MEMCACHED_PORT=11211 \
     CMS_USAGE_REPORT=true \
     XTR_ENABLED=false \
-    GIT_COMMIT=$GIT_COMMIT
+    GIT_COMMIT=$GIT_COMMIT \
+    GNUPGHOME=/var/www/.gnupg
 
 # Expose port 80
 EXPOSE 80

diff --git a/composer.json b/composer.json
@@ -32,7 +32,7 @@
         "ext-json": "1",
         "ext-soap": "1",
         "ext-zip": "1",
-        "ext-fileinfo": "*"
+        "ext-fileinfo": "1"
       }
   },
   "minimum-stability": "dev",
@@ -66,7 +66,6 @@
     "james-heinrich/getid3": "^1.9",
     "onelogin/php-saml": "4.1.*",
     "infostars/picofeed": "dev-westphal/php8",
-    "xibosignage/xibo-xmr": "0.*",
     "tedivm/stash": "^v0.17.6",
     "phenx/php-font-lib": "^0.5.0",
     "symfony/event-dispatcher": "^4.1",

diff --git a/docker/var/www/.gnupg/private-keys-v1.d/.gitkeep b/docker/var/www/.gnupg/private-keys-v1.d/.gitkeep
diff --git a/docker/var/www/.gnupg/pubring.kbx b/docker/var/www/.gnupg/pubring.kbx
diff --git a/docker/var/www/.gnupg/trustdb.gpg b/docker/var/www/.gnupg/trustdb.gpg
diff --git a/lib/Entity/PlayerVersion.php b/lib/Entity/PlayerVersion.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2024 Xibo Signage Ltd
+ * Copyright (C) 2025 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - https://xibosignage.com
  *
@@ -32,7 +32,9 @@
 use Xibo\Service\LogServiceInterface;
 use Xibo\Storage\StorageServiceInterface;
 use Xibo\Support\Exception\DuplicateEntityException;
+use Xibo\Support\Exception\GeneralException;
 use Xibo\Support\Exception\InvalidArgumentException;
+use Xibo\Support\Exception\NotFoundException;
 
 /**
  * Class PlayerVersion
@@ -223,10 +225,53 @@ public function unpack(string $libraryFolder): static
         if ($this->type === 'chromeOS') {
             $this->getLog()->debug('add: handling chromeOS upload');
 
-            // TODO: check the signature of the file to make sure it comes from a verified source.
+            $fullFileName = $libraryFolder . 'playersoftware/' . $this->fileName;
+
+            // Check the signature of the file to make sure it comes from a verified source.
+            try {
+                $this->getLog()->debug('unpack: loading gnupg to verify the signature');
+
+                $gpg = new \gnupg();
+                $gpg->seterrormode(\gnupg::ERROR_EXCEPTION);
+                $info = $gpg->verify(
+                    file_get_contents($fullFileName),
+                    false,
+                );
+
+                if ($info === false
+                    || $info[0]['fingerprint'] !== '10415C506BE63E70BAF1D58BC1EF165A0F880F75'
+                    || $info[0]['status'] !== 0
+                    || $info[0]['summary'] !== 0
+                ) {
+                    $this->getLog()->error('unpack: unable to verify GPG. file = ' . $this->fileName);
+                    throw new GeneralException();
+                }
+
+                $this->getLog()->debug('unpack: signature verified');
+
+                // Signature verified, move the file, so we can decrypt it.
+                rename($fullFileName, $libraryFolder . 'playersoftware/' . $this->versionId . '.gpg');
+
+                $this->getLog()->debug('unpack: using the shell to decrypt the file');
+
+                // Go to the shell to decrypt it.
+                shell_exec('gpg --decrypt --output ' . $libraryFolder . 'playersoftware/' . $this->versionId
+                    . ' ' . $libraryFolder . 'playersoftware/' . $this->versionId . '.gpg');
+
+                // Was this successful?
+                if (!file_exists($libraryFolder . 'playersoftware/' . $this->versionId)) {
+                    throw new NotFoundException('Not found after decryption');
+                }
+
+                // Rename the GPG file back to its original name.
+                rename($libraryFolder . 'playersoftware/' . $this->versionId . '.gpg', $fullFileName);
+            } catch (\Exception $e) {
+                $this->getLog()->error('unpack: ' . $e->getMessage());
+                throw new InvalidArgumentException(__('Package file unsupported or invalid'));
+            }
 
             $zip = new \ZipArchive();
-            if (!$zip->open($libraryFolder . 'playersoftware/' . $this->fileName)) {
+            if (!$zip->open($libraryFolder . 'playersoftware/' . $this->versionId)) {
                 throw new InvalidArgumentException(__('Unable to open ZIP'));
             }
 
@@ -273,6 +318,9 @@ public function unpack(string $libraryFolder): static
             $manifest = Str::replace('assets/icons/192x192.png', $this->config->uri('img/192x192.png'), $manifest);
 
             file_put_contents($folder . '/manifest.json', $manifest);
+
+            // Unlink our decrypted file
+            unlink($libraryFolder . 'playersoftware/' . $this->versionId);
         }
 
         return $this;

diff --git a/lib/Helper/Environment.php b/lib/Helper/Environment.php
@@ -319,6 +319,14 @@ public static function checkSimpleXml()
         return extension_loaded('simplexml');
     }
 
+    /**
+     * @return bool
+     */
+    public static function checkGnu()
+    {
+        return extension_loaded('gnupg');
+    }
+
     /**
      * @param $url
      * @return bool

diff --git a/lib/Service/ConfigService.php b/lib/Service/ConfigService.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2024 Xibo Signage Ltd
+ * Copyright (C) 2025 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - https://xibosignage.com
  *
@@ -743,6 +743,11 @@ public function checkEnvironment()
             __('SimpleXML is used to parse RSS feeds and other XML data sources')
         );
 
+        $this->testItem($rows, __('GNUPG'),
+            Environment::checkGnu(),
+            __('checkGnu is used to verify the integrity of Player Software versions uploaded to the CMS')
+        );
+
         $this->envTested = true;
 
         return $rows;