tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: veriexec: read from stdin

On Sat, 27 Apr 2019, Alexander Nasonov wrote:

It's a bit surprising that after many years of use, veriexecgen can't
read a list of files from stdin/input-file and calculate checksums of
those files.

It can be useful, e.g. when recalculating checksums of existing
fingerprintdb entries:

	# awk '{print $1}' /etc/signatures | veriexecgen -i

or to read entries from /etc/mtree/set.* files:

	# cd /
	# awk '/type=dir/{next} {print $1}' /etc/mtree/set.comp | veriexecgen

The latter could probably be done during the build and checksums could
be placed to /etc/veriexec/sha256.{base,comp,...}.

I wrote a patch that adds the -i option to read from stdin but I don't
want to rush things before I hear opinions. Is it a good approach, does
precalculating checksums at build time make sense, etc.

Insteasd of

	-i        read from stdin

why not have

	-f file   read from file, or if file is "-" read from stdin

| Paul Goyette       | PGP Key fingerprint:     | E-mail addresses:     |
| (Retired)          | FA29 0E3B 35AF E8AE 6651 |     |
| Software Developer | 0786 F758 55DE 53BA 7731 |   |

Home | Main Index | Thread Index | Old Index