Signed-off-by: Michał Górny <mgorny@g.o> |
--- |
eclass/verify-sig.eclass | 55 +++++++++++++++++++++++++++++++++++++++- |
1 file changed, 54 insertions(+), 1 deletion(-) |
|
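diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index a499dd3c6c2a..e3ef7f240283 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -143,10 +143,63 @@ verify-sig_verify_message() {
 [[ ${file} == - ]] && filename='(stdin)'
 einfo "Verifying $(unknown) ..."
 gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
- gpg --verify --output="${output_file}" "${sig}" "${file}" ||
+ gpg --verify --output="${output_file}" "${file}" ||
 die "PGP signature verification failed"
 }
 
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
+# specified the checksum algorithm (e.g. sha256). <key-file> can either
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if PGP verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums
+# or are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+ local checksum_file=${1}
+ local algo=${2}
+ local files=()
+ read -r -d '' -a files <<<"${3}"
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ local chksum_prog chksum_len
+ case ${algo} in
+ sha256)
+ chksum_prog=sha256sum
+ chksum_len=64
+ ;;
+ *)
+ die "${FUNCNAME}: unknown checksum algo ${algo}"
+ ;;
+ esac
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ local checksum filename junk ret=0 count=0
+ while read -r checksum filename junk; do
+ [[ ${#checksum} -eq ${chksum_len} ]] || continue
+ [[ -z ${checksum//[0-9a-f]} ]] || continue
+ has "$(unknown)" "${files[@]}" || continue
+ [[ -z ${junk} ]] || continue
+
+ "${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
+ if [[ ${?} -eq 0 ]]; then
+ (( count++ ))
+ else
+ ret=1
+ fi
+ done < <(verify-sig_verify_message "${checksum_file}" - "${key}")
+
+ [[ ${ret} -eq 0 ]] ||
+ die "${FUNCNAME}: at least one file did not verify successfully"
+ [[ ${count} -eq ${#files[@]} ]] ||
+ die "${FUNCNAME}: checksums for some of the specified files were missing"
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all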
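Review bot: verify-sig_verify_signed_checksums succeeds trivially when <files> is empty: `read -r -d '' -a files <<<"${3}"` then yields `files=()`, the final `[[ ${count} -eq ${#files[@]} ]]` holds with count 0, and because verify-sig_verify_message runs inside the `< <(...)` process substitution its exit status (and any `die` raised in that subshell, unless Portage propagates it) never feeds into `ret`, so nothing else fails the call. A guard right after the `read` line, `[[ ${#files[@]} -gt 0 ]] || die "${FUNCNAME}: no files specified"`, keeps a mis-specified call from being reported as verified. Relatedly, the filter `[[ -z ${checksum//[0-9a-f]} ]]` silently skips upper-case hex digests and then reports them as "missing" rather than mismatched; `[0-9a-fA-F]` would accept both spellings, as sha256sum -c itself does. The doc comment also reads "specified the checksum algorithm" and "one of the files do not match" where "specifies" and "does not match" are meant.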
-- |
2.29.2 |