
From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH] verify-sig.eclass: Add a function to verify pure checksums
Date: Wed, 16 Feb 2022 07:53:20
Message-Id: 20220216075304.181965-1-mgorny@gentoo.org
1 Split the logic for verifying checksums into a dedicated function
2 that can also be used directly when dealing with a checksum file
3 that uses a detached signature.
4
5 Signed-off-by: Michał Górny <mgorny@g.o>
6 ---
7 eclass/verify-sig.eclass | 45 +++++++++++++++++++++++++++++++++-------
8 1 file changed, 38 insertions(+), 7 deletions(-)
9
10 diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
11 index 3693eb16ff41..9121d85bbeaf 100644
12 --- a/eclass/verify-sig.eclass
13 +++ b/eclass/verify-sig.eclass
14 @@ -197,17 +197,27 @@ verify-sig_verify_message() {
15 esac
16 }
17
18 -# @FUNCTION: _gpg_verify_signed_checksums
19 -# @INTERNAL
20 -# @USAGE: <checksum-file> <algo> <files> [<key-file>]
21 +# @FUNCTION: verify-sig_verify_unsigned_checksums
22 +# @USAGE: <checksum-file> <algo> <files>
23 # @DESCRIPTION:
24 -# GnuPG-specific function to verify a signed checksums list.
25 -_gpg_verify_signed_checksums() {
26 +# Verify the checksums for all files listed in the space-separated list
27 +# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
28 +# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
29 +# for stdin.
30 +#
31 +# The function dies if one of the files does not match checksums or
32 +# is missing from the checksum file.
33 +#
34 +# Note that this function itself can only verify integrity of the files.
35 +# In order to verify their authenticity, the <checksum-file> must
36 +# be verified against a signature first, e.g. using
37 +# verify-sig_verify_detached. If it contains inline signature, use
38 +# verify-sig_verify_signed_checksums instead.
39 +verify-sig_verify_unsigned_checksums() {
40 local checksum_file=${1}
41 local algo=${2}
42 local files=()
43 read -r -d '' -a files <<<"${3}"
44 - local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
45 local chksum_prog chksum_len
46
47 case ${algo} in
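Review bot: An empty <files> argument is not rejected in verify-sig_verify_unsigned_checksums, which this hunk turns into a public entry point. After `read -r -d '' -a files <<<"${3}"` the array is empty, so no line of the checksum file can match. If the final comparison (outside this hunk) is the match count against `${#files[@]}`, the function would return success without having checked anything. Consider adding `[[ ${#files[@]} -gt 0 ]] || die "${FUNCNAME}: no files specified"` right after the read, or stating in the @DESCRIPTION that an empty list is a deliberate no-op. The function body continues past the end of this hunk.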
48 @@ -220,8 +230,13 @@ _gpg_verify_signed_checksums() {
49 ;;
50 esac
51
52 + [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
53 local checksum filename junk ret=0 count=0
54 while read -r checksum filename junk; do
55 + if [[ ${checksum} == "-----BEGIN" ]]; then
56 + die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
57 + fi
58 +
59 [[ ${#checksum} -eq ${chksum_len} ]] || continue
60 [[ -z ${checksum//[0-9a-f]} ]] || continue
61 has "${filename}" "${files[@]}" || continue
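Review bot: The new `-----BEGIN` test has no comment explaining why it is fatal rather than just another skipped line. The reason is security-relevant: a clearsigned checksum file fed to this function would have its checksum lines parsed and matched while the signature is never looked at, so a caller could mistake an integrity-only result for an authenticated one. I would add above the `if`: `# A clearsigned file would parse fine here but its signature would never be checked; refuse it so that integrity is not mistaken for authenticity.` The loop starts in this hunk but its body continues outside it.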
62 @@ -233,7 +248,7 @@ _gpg_verify_signed_checksums() {
63 else
64 ret=1
65 fi
66 - done < <(verify-sig_verify_message "${checksum_file}" - "${key}")
67 + done < "${checksum_file}"
68
69 [[ ${ret} -eq 0 ]] ||
70 die "${FUNCNAME}: at least one file did not verify successfully"
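Review bot: A missing or unreadable <checksum-file> is not reported as such now that the loop reads it directly with `done < "${checksum_file}"`. When the redirection fails, bash skips the loop, so the caller most likely ends up at the later "checksums for some of the specified files were missing" die, which names the wrong cause. Before this change the file was opened by verify-sig_verify_message, so the case did not arise at this point. A guard before the loop such as `[[ -r ${checksum_file} ]] || die "${FUNCNAME}: unable to read ${checksum_file}"` would keep the failure explicit. The loop begins outside this hunk.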
71 @@ -241,6 +256,22 @@ _gpg_verify_signed_checksums() {
72 die "${FUNCNAME}: checksums for some of the specified files were missing"
73 }
74
75 +# @FUNCTION: _gpg_verify_signed_checksums
76 +# @INTERNAL
77 +# @USAGE: <checksum-file> <algo> <files> [<key-file>]
78 +# @DESCRIPTION:
79 +# GnuPG-specific function to verify a signed checksums list.
80 +_gpg_verify_signed_checksums() {
81 + local checksum_file=${1}
82 + local algo=${2}
83 + local files=${3}
84 + local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
85 +
86 + verify-sig_verify_unsigned_checksums - "${algo}" "${files}" < <(
87 + verify-sig_verify_message "${checksum_file}" - "${key}"
88 + )
89 +}
90 +
91 # @FUNCTION: verify-sig_verify_signed_checksums
92 # @USAGE: <checksum-file> <algo> <files> [<key-file>]
93 # @DESCRIPTION:
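Review bot: Signature-failure handling in the re-added `_gpg_verify_signed_checksums` rests entirely on `verify-sig_verify_message` aborting the build from inside the `< <( … )` process substitution. The exit status of a process substitution is not visible to the calling shell, and nothing here checks it. This matches the old `done < <(…)` form, but the consumer is now a separate public function that will process whatever arrives on stdin. The dependency deserves a comment above the call, for example `# verify-sig_verify_message runs in a subshell here; it must die on a bad signature, since its exit status is not checked.` Whether that helper's die propagates from a subshell is not visible in this patch, as only its last lines appear as context.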
94 --
95 2.35.1