1 |
Split the logic for verifying checksums into a dedicated functions |
2 |
that can also be used directly when dealing with a checksum file |
3 |
that uses a detached signature. |
4 |
|
5 |
Signed-off-by: Michał Górny <mgorny@g.o> |
6 |
--- |
7 |
eclass/verify-sig.eclass | 45 +++++++++++++++++++++++++++++++++------- |
8 |
1 file changed, 38 insertions(+), 7 deletions(-) |
9 |
|
10 |
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass |
11 |
index 3693eb16ff41..9121d85bbeaf 100644 |
12 |
--- a/eclass/verify-sig.eclass |
13 |
+++ b/eclass/verify-sig.eclass |
14 |
@@ -197,17 +197,27 @@ verify-sig_verify_message() { |
15 |
esac |
16 |
} |
17 |
|
18 |
-# @FUNCTION: _gpg_verify_signed_checksums |
19 |
-# @INTERNAL |
20 |
-# @USAGE: <checksum-file> <algo> <files> [<key-file>] |
21 |
+# @FUNCTION: verify-sig_verify_unsigned_checksums |
22 |
+# @USAGE: <checksum-file> <algo> <files> |
23 |
# @DESCRIPTION: |
24 |
-# GnuPG-specific function to verify a signed checksums list. |
25 |
-_gpg_verify_signed_checksums() { |
26 |
+# Verify the checksums for all files listed in the space-separated list |
27 |
+# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies |
28 |
+# the checksum algorithm (e.g. sha256). <checksum-file> can be "-" |
29 |
+# for stdin. |
30 |
+# |
31 |
+# The function dies if one of the files does not match checksums or |
32 |
+# is missing from the checksum file. |
33 |
+# |
34 |
+# Note that this function itself can only verify integrity of the files. |
35 |
+# In order to verify their authenticity, the <checksum-file> must |
36 |
+# be verified against a signature first, e.g. using |
37 |
+# verify-sig_verify_detached. If it contains inline signature, use |
38 |
+# verify-sig_verify_signed_checksums instead. |
39 |
+verify-sig_verify_unsigned_checksums() { |
40 |
local checksum_file=${1} |
41 |
local algo=${2} |
42 |
local files=() |
43 |
read -r -d '' -a files <<<"${3}" |
44 |
- local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} |
45 |
local chksum_prog chksum_len |
46 |
|
47 |
case ${algo} in |
48 |
@@ -220,8 +230,13 @@ _gpg_verify_signed_checksums() { |
49 |
;; |
50 |
esac |
51 |
|
52 |
+ [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin |
53 |
local checksum filename junk ret=0 count=0 |
54 |
while read -r checksum filename junk; do |
55 |
+ if [[ ${checksum} == "-----BEGIN" ]]; then |
56 |
+ die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead" |
57 |
+ fi |
58 |
+ |
59 |
[[ ${#checksum} -eq ${chksum_len} ]] || continue |
60 |
[[ -z ${checksum//[0-9a-f]} ]] || continue |
61 |
has "${filename}" "${files[@]}" || continue |
62 |
@@ -233,7 +248,7 @@ _gpg_verify_signed_checksums() { |
63 |
else |
64 |
ret=1 |
65 |
fi |
66 |
- done < <(verify-sig_verify_message "${checksum_file}" - "${key}") |
67 |
+ done < "${checksum_file}" |
68 |
|
69 |
[[ ${ret} -eq 0 ]] || |
70 |
die "${FUNCNAME}: at least one file did not verify successfully" |
71 |
@@ -241,6 +256,22 @@ _gpg_verify_signed_checksums() { |
72 |
die "${FUNCNAME}: checksums for some of the specified files were missing" |
73 |
} |
74 |
|
75 |
+# @FUNCTION: _gpg_verify_signed_checksums |
76 |
+# @INTERNAL |
77 |
+# @USAGE: <checksum-file> <algo> <files> [<key-file>] |
78 |
+# @DESCRIPTION: |
79 |
+# GnuPG-specific function to verify a signed checksums list. |
80 |
+_gpg_verify_signed_checksums() { |
81 |
+ local checksum_file=${1} |
82 |
+ local algo=${2} |
83 |
+ local files=${3} |
84 |
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} |
85 |
+ |
86 |
+ verify-sig_verify_unsigned_checksums - "${algo}" "${files}" < <( |
87 |
+ verify-sig_verify_message "${checksum_file}" - "${key}" |
88 |
+ ) |
89 |
+} |
90 |
+ |
91 |
# @FUNCTION: verify-sig_verify_signed_checksums |
92 |
# @USAGE: <checksum-file> <algo> <files> [<key-file>] |
93 |
# @DESCRIPTION: |
94 |
-- |
95 |
2.35.1 |