
From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH 1/2] verify-sig.eclass: Add a function to verify PGP signed messages
Date: Thu, 05 Nov 2020 15:22:53
Message-Id: 20201105152239.2180944-1-mgorny@gentoo.org
1 Add a function to verify files containing PGP signed messages (i.e. not
2 using detached signatures). This will be used for projects that publish
3 signed checksum lists.
4
5 Signed-off-by: Michał Górny <mgorny@g.o>
6 ---
7 eclass/verify-sig.eclass | 32 ++++++++++++++++++++++++++++++++
8 1 file changed, 32 insertions(+)
9
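diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d16181f3bf0a..8445f4e26440 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -111,6 +111,38 @@ verify-sig_verify_detached() {
 die "PGP signature verification failed"
 }
 
+# @FUNCTION: verify-sig_verify_message
+# @USAGE: <file> [<key-file>]
+# @DESCRIPTION:
+# Verify that the file ('-' for stdin) contains a valid, signed PGP
+# message. <key-file> can either be passed directly, or it defaults
+# to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
+# fails, or if the file contains unsigned data.
+verify-sig_verify_message() {
+ local file=${1}
+ local key=${2:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ local extra_args=()
+ [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+ )
+
+ # GPG upstream knows better than to follow the spec, so we can't
+ # override this directory. However, there is a clean fallback
+ # to GNUPGHOME.
+ addpredict /run/user
+
+ local filename=${file##*/}
+ [[ ${file} == - ]] && filename='(stdin)'
+ einfo "Verifying $(unknown) ..."
+ gemato openpgp-verify -K "${key}" "${extra_args[@]}" -- "${file}" ||
+ die "PGP signature verification failed"
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all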
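Review bot: The einfo line in verify-sig_verify_message prints `$(unknown)` instead of the `filename` computed on the two lines just above it, which leaves `filename` unused and, if taken literally, runs a command substitution for a non-existent `unknown` command rather than naming the file. This looks like an archive rendering artifact of `${filename}`, but if the text is what the patch carries, the line should read `einfo "Verifying ${filename} ..."`. Separately, the @DESCRIPTION could state that the function only checks gemato's exit status and does not emit or extract the signed payload, so callers must still obtain the verified content from `${file}` themselves; that reading is inferred from the `gemato openpgp-verify ... -- "${file}" || die` invocation, whose output is not captured here.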
53 --
54 2.29.2
