
From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH v2 2/2] verify-sig.eclass: Support verifying checksum lists
Date: Thu, 05 Nov 2020 16:48:36
Message-Id: 20201105164803.2846262-2-mgorny@gentoo.org
In Reply to: [gentoo-dev] [PATCH v2 1/2] verify-sig.eclass: Add a function to verify PGP signed messages by "Michał Górny"
1 Signed-off-by: Michał Górny <mgorny@g.o>
2 ---
3 eclass/verify-sig.eclass | 55 +++++++++++++++++++++++++++++++++++++++-
4 1 file changed, 54 insertions(+), 1 deletion(-)
5
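--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -143,10 +143,63 @@ verify-sig_verify_message() {
 [[ ${file} == - ]] && filename='(stdin)'
 einfo "Verifying $(unknown) ..."
 gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
-gpg --verify --output="${output_file}" "${sig}" "${file}" ||
+gpg --verify --output="${output_file}" "${file}" ||
 die "PGP signature verification failed"
 }
 
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
+# specified the checksum algorithm (e.g. sha256). <key-file> can either
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if PGP verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums
+# or are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+local checksum_file=${1}
+local algo=${2}
+local files=()
+read -r -d '' -a files <<<"${3}"
+local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+local chksum_prog chksum_len
+case ${algo} in
+sha256)
+chksum_prog=sha256sum
+chksum_len=64
+;;
+*)
+die "${FUNCNAME}: unknown checksum algo ${algo}"
+;;
+esac
+
+[[ -n ${key} ]] ||
+die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+local checksum filename junk ret=0 count=0
+while read -r checksum filename junk; do
+[[ ${#checksum} -eq ${chksum_len} ]] || continue
+[[ -z ${checksum//[0-9a-f]} ]] || continue
+has "$(unknown)" "${files[@]}" || continue
+[[ -z ${junk} ]] || continue
+
+"${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
+if [[ ${?} -eq 0 ]]; then
+(( count++ ))
+else
+ret=1
+fi
+done < <(verify-sig_verify_message "${checksum_file}" - "${key}")
+
+[[ ${ret} -eq 0 ]] ||
+die "${FUNCNAME}: at least one file did not verify successfully"
+[[ ${count} -eq ${#files[@]} ]] ||
+die "${FUNCNAME}: checksums for some of the specified files were missing"
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all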
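Review bot: The completeness check at the end of verify-sig_verify_signed_checksums compares a counter of successful verifications against `${#files[@]}`, so a signed list that names the same file twice (both entries matching) would satisfy the check while another listed file has no entry at all and is never verified. Recording the names actually verified instead of counting closes that gap: `local -A seen=()` alongside the other locals, `seen[${filename}]=1` in place of `(( count++ ))`, and `[[ ${#seen[@]} -eq ${#files[@]} ]]` for the final test. As a point of style, `if "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"; then` avoids the separate `${?}` test after the command. The `read -r checksum filename junk` parsing also appears to treat an entry whose name contains whitespace, or is written in the `*name` binary-mode form, as missing rather than matching; if that is intended, a sentence in the @DESCRIPTION saying the list must be plain `<hex>  <name>` lines would make the contract explicit.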
75 --
76 2.29.2