| 1 |
Signed-off-by: Michał Górny <mgorny@g.o> |
| 2 |
--- |
| 3 |
eclass/verify-sig.eclass | 55 ++++++++++++++++++++++++++++++++++++++++ |
| 4 |
1 file changed, 55 insertions(+) |
| 5 |
|
| 6 |
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass |
| 7 |
index 8445f4e26440..b6dd31fa83a1 100644 |
| 8 |
--- a/eclass/verify-sig.eclass |
| 9 |
+++ b/eclass/verify-sig.eclass |
| 10 |
@@ -143,6 +143,61 @@ verify-sig_verify_message() { |
| 11 |
die "PGP signature verification failed" |
| 12 |
} |
| 13 |
|
| 14 |
+# @FUNCTION: verify-sig_verify_signed_checksums |
| 15 |
+# @USAGE: <checksum-file> <algo> <files> [<key-file>] |
| 16 |
+# @DESCRIPTION: |
| 17 |
+# Verify the checksums for all files listed in the space-separated list |
| 18 |
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo> |
| 19 |
+# specified the checksum algorithm (e.g. sha256). <key-file> can either |
| 20 |
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH. |
| 21 |
+# |
| 22 |
+# The function dies if PGP verification fails, the checksum file |
| 23 |
+# contains unsigned data, one of the files do not match checksums |
| 24 |
+# or are missing from the checksum file. |
| 25 |
+verify-sig_verify_signed_checksums() { |
| 26 |
+ local checksum_file=${1} |
| 27 |
+ local algo=${2} |
| 28 |
+ local files=() |
| 29 |
+ read -r -d '' -a files <<<"${3}" |
| 30 |
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} |
| 31 |
+ |
| 32 |
+ local chksum_prog chksum_len |
| 33 |
+ case ${algo} in |
| 34 |
+ sha256) |
| 35 |
+ chksum_prog=sha256sum |
| 36 |
+ chksum_len=64 |
| 37 |
+ ;; |
| 38 |
+ *) |
| 39 |
+ die "${FUNCNAME}: unknown checksum algo ${algo}" |
| 40 |
+ ;; |
| 41 |
+ esac |
| 42 |
+ |
| 43 |
+ [[ -n ${key} ]] || |
| 44 |
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset" |
| 45 |
+ |
| 46 |
+ verify-sig_verify_message "${checksum_file}" "${key}" |
| 47 |
+ |
| 48 |
+ local checksum filename junk ret=0 count=0 |
| 49 |
+ while read -r checksum filename junk; do |
| 50 |
+ [[ ${#checksum} -eq ${chksum_len} ]] || continue |
| 51 |
+ [[ -z ${checksum//[0-9a-f]} ]] || continue |
| 52 |
+ has "${filename}" "${files[@]}" || continue |
| 53 |
+ [[ -z ${junk} ]] || continue |
| 54 |
+ |
| 55 |
+ "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}" |
| 56 |
+ if [[ ${?} -eq 0 ]]; then |
| 57 |
+ (( count++ )) |
| 58 |
+ else |
| 59 |
+ ret=1 |
| 60 |
+ fi |
| 61 |
+ done <"${checksum_file}" |
| 62 |
+ |
| 63 |
+ [[ ${ret} -eq 0 ]] || |
| 64 |
+ die "${FUNCNAME}: at least one file did not verify successfully" |
| 65 |
+ [[ ${count} -eq ${#files[@]} ]] || |
| 66 |
+ die "${FUNCNAME}: checksums for some of the specified files were missing" |
| 67 |
+} |
| 68 |
+ |
| 69 |
# @FUNCTION: verify-sig_src_unpack |
| 70 |
# @DESCRIPTION: |
| 71 |
# Default src_unpack override that verifies signatures for all |
| 72 |
-- |
| 73 |
2.29.2 |
Archives