| 1 |
Hi there, |
| 2 |
|
| 3 |
Here is my patch for the emerge-webrsync script. If anyone has any |
| 4 |
problems with it, please let me know. |
| 5 |
|
| 6 |
You'll need to import the key that Kurt announced yesterday into a public |
| 7 |
keyring somewhere on your system, then add the following line to your |
| 8 |
/etc/make.conf file: |
| 9 |
|
| 10 |
PORTAGE_KEYRING=/etc/pubring.gpg |
| 11 |
|
| 12 |
Or wherever you keep it. |
| 13 |
|
| 14 |
If the signature does not verify successfully, the script will delete |
| 15 |
the files it downloaded (i.e. the files that failed will not be left on |
| 16 |
your system to be accidentally used later). |
| 17 |
|
| 18 |
Enjoy, |
| 19 |
- Chris |
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
--- /usr/sbin/emerge-webrsync 2004-09-02 16:21:52.000000000 -0400 |
| 24 |
+++ emerge-webrsync 2004-11-17 23:54:45.000000000 -0500 |
| 25 |
@@ -7,8 +7,15 @@ |
| 26 |
|
| 27 |
GENTOO_MIRRORS="$(/usr/lib/portage/bin/portageq gentoo_mirrors)" |
| 28 |
PORTDIR="$(/usr/lib/portage/bin/portageq portdir)" |
| 29 |
+KEYRING="$(grep "^PORTAGE_KEYRING=" /etc/make.conf | sed "s/^.*=//")" |
| 30 |
syncpath="/var/tmp/emerge-webrsync" |
| 31 |
|
| 32 |
+if [ -z "$KEYRING" ] ; then |
| 33 |
+ echo "Please set PORTAGE_KEYRING in /etc/make.conf to the location" |
| 34 |
+ echo "of your public keyring." |
| 35 |
+ exit 1 |
| 36 |
+fi |
| 37 |
+ |
| 38 |
if [ ! -d $syncpath ] ; then |
| 39 |
mkdir -p $syncpath |
| 40 |
fi |
| 41 |
@@ -28,6 +35,17 @@ |
| 42 |
download=0 |
| 43 |
fi |
| 44 |
|
| 45 |
+verify_sig() { |
| 46 |
+ echo Verifying signature... |
| 47 |
+ if gpg --keyring "$KEYRING" --verify $file.gpgsig $file ; then |
| 48 |
+ echo "Good signature." |
| 49 |
+ else |
| 50 |
+ echo "Bad signature! Deleting suspect file." |
| 51 |
+ rm -f $file $file.gpgsig |
| 52 |
+ exit 1 |
| 53 |
+ fi |
| 54 |
+} |
| 55 |
+ |
| 56 |
sync_local() { |
| 57 |
echo Syncing local tree... |
| 58 |
tar jxf $file |
| 59 |
@@ -36,7 +54,10 @@ |
| 60 |
chown -R root:root portage |
| 61 |
cd portage |
| 62 |
rsync -av --progress --stats --delete --delete-after \ |
| 63 |
- --exclude='distfiles/*' --exclude='packages/*' . ${PORTDIR%%/} |
| 64 |
+ --exclude='distfiles/*' \ |
| 65 |
+ --exclude='packages/*' \ |
| 66 |
+ --exclude='local/*' \ |
| 67 |
+ . ${PORTDIR%%/} |
| 68 |
cd .. |
| 69 |
rm -rf portage |
| 70 |
} |
| 71 |
@@ -58,9 +79,10 @@ |
| 72 |
|
| 73 |
for i in $GENTOO_MIRRORS ; do |
| 74 |
url="${i}/snapshots/$file" |
| 75 |
- rm -f $file |
| 76 |
+ rm -f $file $file.gpgsig |
| 77 |
|
| 78 |
- if (wget $wgetops $url) && [ -s $file ] ; then |
| 79 |
+ if (wget $wgetops $url $url.gpgsig) && [ -s $file ] ; then |
| 80 |
+ verify_sig |
| 81 |
sync_local |
| 82 |
echo |
| 83 |
echo " *** Completed websync, please now perform a normal rsync if possible." |
| 84 |
|
| 85 |
|
| 86 |
-- |
| 87 |
gentoo-security@g.o mailing list |
Archives