cargo: Replace compress-tools with zip crate

Cargo.toml

@@ -19,7 +19,6 @@ actix-web =  { version = "4", default-features = false, features = ["macros", "o
 base64 = "0.21"
 cfg-if = "1"
 clap = { version = "4.3", features = ["derive"] }
-compress-tools = "0.12"
 config = { version = "0.13", default-features = false, features = ["toml"] }
 futures = "0.3.6"
 glob = "0.3"
@@ -44,3 +43,4 @@ thiserror = "1.0"
 tokio = {version = "1.24", features = ["rt", "sync", "macros"]}
 tss-esapi = {version = "7.4.0", features = ["generate-bindings"]}
 uuid = {version = "1.3", features = ["v4"]}
+zip = {version = "0.6", default-features = false, features= ["deflate"]}

README.md

@@ -33,19 +33,17 @@ replaces the Python implementation.
 The following packages are required for building:
 
 * `clang`
-* `libarchive-devel`
 * `openssl-devel`
 * `tpm2-tss-devel`
 * (optional for the `with-zmq` feature): `zeromq-devel`
 
 To install, use the following command:
 ```
-$ dnf install clang libarchive-devel openssl-devel tpm2-tss-devel zeromq-devel
+$ dnf install clang openssl-devel tpm2-tss-devel zeromq-devel
 ```
 
 For runtime, the following packages are required:
 
-* `libarchive`
 * `openssl`
 * `tpm2-tss`
 * `systemd` (to run as systemd service)
@@ -56,7 +54,6 @@ For runtime, the following packages are required:
 
 For Debian and Ubuntu, use the following packages are required:
 
-* `libarchive-dev`
 * `libclang-dev`
 * `libssl-dev`
 * `libtss2-dev`
@@ -66,13 +63,12 @@ For Debian and Ubuntu, use the following packages are required:
 To install, use the following command:
 
 ```
-$ apt-get install libarchive-dev libclang-dev libssl-dev libtss2-dev libzmq3-dev pkg-config
+$ apt-get install libclang-dev libssl-dev libtss2-dev libzmq3-dev pkg-config
 ```
 
 For runtime, the following packages are required:
 
 * `coreutils` (for the `mount` command)
-* `libarchive`
 * `libssl`
 * `libtss2-esys-3.0.2-0`
 * (optional for the `with-zmq` feature): `libzmq3`

docker/fedora/keylime_rust.Dockerfile

@@ -35,7 +35,6 @@ glib2-static \
 gnulib \
 kmod \
 llvm llvm-devel \
-libarchive-devel \
 libselinux-python3 \
 libtool \
 libtpms \

docker/release/Dockerfile.distroless

@@ -20,24 +20,6 @@ RUN ./configure \
 RUN make
 RUN make install
 
-# Install libarchive (dependency for the compress-tools crate) - we need only a minimum feature set here
-WORKDIR /src
-RUN wget https://github.com/libarchive/libarchive/releases/download/v3.6.2/libarchive-3.6.2.tar.gz
-RUN tar xf libarchive-3.6.2.tar.gz
-WORKDIR /src/libarchive-3.6.2
-RUN ./configure \
-    --prefix=/usr \
-    --with-openssl \
-    --without-mbedtls \
-    --without-nettle \
-    --without-xml2 \
-    --without-expat \
-    --disable-static
-RUN make
-RUN make install
-# there is a bug in the libarchive.pc file which wrongly adds iconv
-RUN sed -i "s/iconv //" /usr/lib/pkgconfig/libarchive.pc
-
 # build rust-keylime
 COPY . /src/rust-keylime/
 WORKDIR /src/rust-keylime
@@ -65,11 +47,8 @@ LABEL org.opencontainers.image.vendor="The Keylime Authors"
 # NOTE: the cc base image comes with all C runtime dependencies (libc, libm, libgcc, etc.), so no need to copy those
 # TODO: Unfortunately the COPY directive is following links and not preserving the link file. This slightly bloats the image.
 
-# libarchive is a direct dependency for the compress-tools crate, so we must copy itself and all its dependencies
+# libz is a direct dependency for the zip crate
 COPY --from=builder \
-    /usr/lib/libarchive.so* \
-    /lib/x86_64-linux-gnu/liblzma.so* \
-    /lib/x86_64-linux-gnu/libbz2.so* \
     /lib/x86_64-linux-gnu/libz.so* \
     /usr/lib/x86_64-linux-gnu/
 # tpm2-tss libraries are a dependency (probably not all of them, but we just copy all)
@@ -95,8 +74,5 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
-# Create a system user 'keylime' to allow dropping privileges
-RUN useradd -s /sbin/nologin -r -G tss keylime
-
 # run as root by default
 USER 0:0

docker/release/Dockerfile.fedora

@@ -9,7 +9,6 @@ RUN microdnf install -y \
     clang-devel \
     dnf-plugins-core \
     git \
-    libarchive-devel \
     make \
     openssl-devel \
     rust \
@@ -43,7 +42,7 @@ LABEL vendor="The Keylime Authors"
 # Install all agent runtime dependencies from the builder image
 # NOTE: the fedora base image is "fat" and comes with basically all dependencies that we need out of the box with a few exceptions
 RUN microdnf makecache && \
-    microdnf -y install tpm2-tss libarchive openssl util-linux-core && \
+    microdnf -y install tpm2-tss openssl util-linux-core && \
     microdnf clean all && \
     rm -rf /var/cache/dnf/*
 

docker/release/Dockerfile.wolfi

@@ -10,15 +10,10 @@ RUN apk update
 # - install rust
 # - install gcc and others to compile tpm2-tss
 # - we are using the "generate-bindings" feature for the tss-esapi crate which requires clang/llvm
-# - Install libarchive (dependency for the compress-tools crate)
 RUN apk add --no-cache --update-cache \
     rust \
     make pkgconf gcc glibc glibc-dev openssl openssl-dev posix-libc-utils \
-    clang-15 llvm15 \
-    libarchive libarchive-dev
-
-# there is a bug in the libarchive.pc file which wrongly adds iconv
-RUN sed -i "s/iconv //" /usr/lib/pkgconfig/libarchive.pc
+    clang-17 clang-17-dev wget
 
 # Install tpm2-tss (dependency for the tss-esapi crate)
 WORKDIR /src
@@ -69,19 +64,10 @@ COPY --from=builder \
     /usr/lib/libssl.so* \
     /usr/lib/
 
-# libarchive is a direct dependency for the compress-tools crate, so we must copy itself and all its dependencies
+# libz is a direct dependency for the zip crate
 COPY --from=builder \
-    /lib/libacl.so* \
-    /lib/libattr.so* \
     /lib/libz.so* \
     /lib/
-COPY --from=builder \
-    /usr/lib/libarchive.so* \
-    /usr/lib/libexpat.so* \
-    /usr/lib/liblzma.so* \
-    /usr/lib/libzstd.so* \
-    /usr/lib/libbz2.so* \
-    /usr/lib/
 
 # tpm2-tss libraries are a dependency (probably not all of them, but we just copy all)
 # because we are using the tss-esapi crate which is essentially just a wrapper around those (unfortunately)
@@ -106,8 +92,5 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
-# Create a system user 'keylime' to allow dropping privileges
-RUN useradd -s /sbin/nologin -r -G tss keylime
-
 # run as root by default
 USER 0:0

keylime-agent/Cargo.toml

@@ -12,7 +12,6 @@ actix-web.workspace = true
 base64.workspace = true
 cfg-if.workspace = true
 clap.workspace = true
-compress-tools.workspace = true
 config.workspace = true
 futures.workspace = true
 glob.workspace = true
@@ -34,6 +33,7 @@ tokio.workspace = true
 tss-esapi.workspace = true
 thiserror.workspace = true
 uuid.workspace = true
+zip.workspace = true
 zmq = {version = "0.9.2", optional = true}
 # wiremock was moved to be a regular dependency because optional
 # dev-dependencies are not supported

keylime-agent/src/error.rs

@@ -25,8 +25,6 @@ pub(crate) enum Error {
     Config(#[from] config::ConfigError),
     #[error("Infallible: {0}")]
     Infallible(#[from] std::convert::Infallible),
-    #[error("Compress tools error: {0}")]
-    CompressTools(#[from] compress_tools::Error),
     #[error("Conversion error: {0}")]
     Conversion(String),
     #[error("Configuration error: {0}")]
@@ -91,6 +89,8 @@ pub(crate) enum Error {
     Receiver(String),
     #[error("List parser error: {0}")]
     ListParser(#[from] keylime::list_parser::Error),
+    #[error("Zip error: {0}")]
+    Zip(#[from] zip::result::ZipError),
     #[error("{0}")]
     Other(String),
 }

keylime-agent/src/payloads.rs

@@ -11,7 +11,6 @@ use crate::{
 #[cfg(feature = "with-zmq")]
 use crate::revocation::ZmqMessage;
 
-use compress_tools::*;
 use log::*;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
@@ -25,6 +24,7 @@ use std::{
     sync::{Arc, Condvar, Mutex},
 };
 use tokio::sync::mpsc::{Receiver, Sender};
+use zip::ZipArchive;
 
 #[derive(Debug, Deserialize, Serialize, PartialEq)]
 pub(crate) struct Payload {
@@ -177,7 +177,8 @@ fn optional_unzip_payload(
                 info!("Unzipping payload {} to {:?}", dec_file, unzipped);
 
                 let mut source = fs::File::open(zipped_payload_path)?;
-                uncompress_archive(&mut source, unzipped, Ownership::Ignore)?;
+                let mut zip = ZipArchive::new(source)?;
+                zip.extract(unzipped)?;
             }
         }
     }

rpm/centos/keylime-agent-rust.spec

@@ -59,7 +59,6 @@ Requires: keylime-base
 
 BuildRequires:  systemd
 BuildRequires:  openssl-devel
-BuildRequires:  libarchive-devel
 BuildRequires:  tpm2-tss-devel
 BuildRequires:  clang
 BuildRequires:  rust-toolset

rpm/fedora/keylime-agent-rust.spec

@@ -68,7 +68,6 @@ Requires: keylime-base
 
 BuildRequires:  systemd
 BuildRequires:  openssl-devel
-BuildRequires:  libarchive-devel
 BuildRequires:  tpm2-tss-devel
 BuildRequires:  clang
 BuildRequires:  rust-packaging >= 21-2