Signed-off-by: Michał Górny <mgorny@g.o> |
--- |
eclass/verify-sig.eclass | 55 ++++++++++++++++++++++++++++++++++++++++ |
1 file changed, 55 insertions(+) |
|
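diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 8445f4e26440..b6dd31fa83a1 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -143,6 +143,61 @@ verify-sig_verify_message() {
 die "PGP signature verification failed"
 }
 
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
+# specified the checksum algorithm (e.g. sha256). <key-file> can either
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if PGP verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums
+# or are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+ local checksum_file=${1}
+ local algo=${2}
+ local files=()
+ read -r -d '' -a files <<<"${3}"
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ local chksum_prog chksum_len
+ case ${algo} in
+ sha256)
+ chksum_prog=sha256sum
+ chksum_len=64
+ ;;
+ *)
+ die "${FUNCNAME}: unknown checksum algo ${algo}"
+ ;;
+ esac
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ verify-sig_verify_message "${checksum_file}" "${key}"
+
+ local checksum filename junk ret=0 count=0
+ while read -r checksum filename junk; do
+ [[ ${#checksum} -eq ${chksum_len} ]] || continue
+ [[ -z ${checksum//[0-9a-f]} ]] || continue
+ has "$(unknown)" "${files[@]}" || continue
+ [[ -z ${junk} ]] || continue
+
+ "${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
+ if [[ ${?} -eq 0 ]]; then
+ (( count++ ))
+ else
+ ret=1
+ fi
+ done <"${checksum_file}"
+
+ [[ ${ret} -eq 0 ]] ||
+ die "${FUNCNAME}: at least one file did not verify successfully"
+ [[ ${count} -eq ${#files[@]} ]] ||
+ die "${FUNCNAME}: checksums for some of the specified files were missing"
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all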
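Review bot: The completeness check at the end of the hunk compares `count` with `${#files[@]}`, but `count` is incremented once per matching line, so a checksum file that lists one requested file twice and omits another still passes. Tracking names instead closes that gap: `local -A verified` before the loop, `verified[${filename}]=1` in place of `(( count++ ))`, and `[[ ${#verified[@]} -eq ${#files[@]} ]]` in the final test. The loop also reads `${checksum_file}` itself rather than the payload GnuPG verified, so the "contains unsigned data" promise in the @DESCRIPTION rests entirely on `verify-sig_verify_message` (its body is outside the hunk) rejecting anything outside the signed block; having it write the verified payload to a temporary file and parsing that instead would make the guarantee hold by construction. The two `$(unknown)` tokens are most likely a rendering artifact for `${filename}`, but it is worth confirming against the committed file, since a literal command substitution there would never match a listed file.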
-- |
2.29.2 |