Initialize public key for online repo only when needed

This commit is contained in:
Disassembler 2020-04-03 15:57:10 +02:00
parent d3455b5dcd
commit 261f237dc7
No known key found for this signature in database
GPG Key ID: 524BD33A0EE29499


@ -15,11 +15,14 @@ from cryptography.hazmat.primitives.serialization import load_pem_public_key
from .exceptions import AppNotFoundError, ImageNotFoundError
from .config import ONLINE_PUBKEY, ONLINE_REPO_URL, ONLINE_SIG_URL, TYPE_APP, TYPE_IMAGE
def get_pubkey():
pubkey = f'-----BEGIN PUBLIC KEY-----\n{ONLINE_PUBKEY}\n-----END PUBLIC KEY-----'
return load_pem_public_key(pubkey.encode(), default_backend())
public_key = None
PUBLIC_KEY = get_pubkey()
def get_public_key():
global public_key
if not public_key:
pem = f'-----BEGIN PUBLIC KEY-----\n{ONLINE_PUBKEY}\n-----END PUBLIC KEY-----'
public_key = load_pem_public_key(pem.encode(), default_backend())
return public_key
def verify_fileobj(fileobj, expected_hash):
hasher = hashes.Hash(hashes.SHA512(), default_backend())
@ -28,7 +31,7 @@ def verify_fileobj(fileobj, expected_hash):
if not data:
break
hasher.update(data)
PUBLIC_KEY.verify(bytes.fromhex(expected_hash), hasher.finalize(), ec.ECDSA(utils.Prehashed(hashes.SHA512())))
get_public_key().verify(bytes.fromhex(expected_hash), hasher.finalize(), ec.ECDSA(utils.Prehashed(hashes.SHA512())))
def download_archive(archive_url, archive_path, expected_hash, observer=None):
# Check if an archive needs to be downloaded via http(s)
@ -97,7 +100,7 @@ def load():
resource = session.get(ONLINE_SIG_URL, timeout=5)
resource.raise_for_status()
packages_sig = resource.content
PUBLIC_KEY.verify(packages_sig, packages, ec.ECDSA(hashes.SHA512()))
get_public_key().verify(packages_sig, packages, ec.ECDSA(hashes.SHA512()))
data = json.loads(packages.decode())
mtime = time.time()
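Review bot: get_public_key (first hunk) returns whatever key type the PEM built from ONLINE_PUBKEY decodes to, while both call sites pass `ec.ECDSA(...)` and therefore only work with an EC key; because loading is now lazy, a misconfigured non-EC key would surface as an opaque TypeError inside verify() at the first verification rather than at import time. I would check the type once at load, directly after the `public_key = load_pem_public_key(pem.encode(), default_backend())` line: `if not isinstance(public_key, ec.EllipticCurvePublicKey): raise TypeError('ONLINE_PUBKEY is not an EC public key')`. A docstring would also help, e.g. "Return the online repository's ECDSA public key, parsing ONLINE_PUBKEY on first use and caching it module-wide." The cache test `if not public_key` works since a key object is always truthy, but `if public_key is None` states the intent. verify_fileobj and load() both continue outside their hunks.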