Hi there, |
|
Here is my patch for the emerge-webrsync script. If anyone has any |
problems with it, please let me know. |
|
You'll need to import the key that Kurt announced yesterday into a public |
keyring somewhere on your system, then add the following line to your |
/etc/make.conf file: |
|
PORTAGE_KEYRING=/etc/pubring.gpg |
|
Or wherever you keep it. |
|
If the signature does not verify successfully, the script will delete |
the files it downloaded (i.e. the files that failed will not be left on |
your system to be accidentally used later). |
|
Enjoy, |
- Chris |
|
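--- /usr/sbin/emerge-webrsync 2004-09-02 16:21:52.000000000 -0400
+++ emerge-webrsync 2004-11-17 23:54:45.000000000 -0500
@@ -7,8 +7,15 @@
 
 GENTOO_MIRRORS="$(/usr/lib/portage/bin/portageq gentoo_mirrors)"
 PORTDIR="$(/usr/lib/portage/bin/portageq portdir)"
+KEYRING="$(grep "^PORTAGE_KEYRING=" /etc/make.conf | sed "s/^.*=//")"
 syncpath="/var/tmp/emerge-webrsync"
 
+if [ -z "$KEYRING" ] ; then
+ echo "Please set PORTAGE_KEYRING in /etc/make.conf to the location"
+ echo "of your public keyring."
+ exit 1
+fi
+
 if [ ! -d $syncpath ] ; then
 mkdir -p $syncpath
 fi
@@ -28,6 +35,17 @@
 download=0
 fi
 
+verify_sig() {
+ echo Verifying signature...
+ if gpg --keyring "$KEYRING" --verify $file.gpgsig $file ; then
+ echo "Good signature."
+ else
+ echo "Bad signature! Deleting suspect file."
+ rm -f $file $file.gpgsig
+ exit 1
+ fi
+}
+
 sync_local() {
 echo Syncing local tree...
 tar jxf $file
@@ -36,7 +54,10 @@
 chown -R root:root portage
 cd portage
 rsync -av --progress --stats --delete --delete-after \
- --exclude='distfiles/*' --exclude='packages/*' . ${PORTDIR%%/}
+ --exclude='distfiles/*' \
+ --exclude='packages/*' \
+ --exclude='local/*' \
+ . ${PORTDIR%%/}
 cd ..
 rm -rf portage
 }
@@ -58,9 +79,10 @@
 
 for i in $GENTOO_MIRRORS ; do
 url="${i}/snapshots/$file"
- rm -f $file
+ rm -f $file $file.gpgsig
 
- if (wget $wgetops $url) && [ -s $file ] ; then
+ if (wget $wgetops $url $url.gpgsig) && [ -s $file ] ; then
+ verify_sig
 sync_local
 echo
 echo " *** Completed websync, please now perform a normal rsync if possible."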
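Review bot: In verify_sig (second hunk) `gpg --keyring "$KEYRING"` adds that file to gpg's keyring list without dropping the invoking user's default keyring, so a signature made by any key already in root's default keyring would also be reported as good; the test should read `if gpg --no-default-keyring --keyring "$KEYRING" --verify "$file.gpgsig" "$file" ; then`. Even with that, a zero exit only means some key in that keyring produced a valid signature, so a comment above verify_sig should state that the keyring named by PORTAGE_KEYRING must contain only the snapshot-signing key, or the function should compare the signer reported on gpg's `--status-fd` output against a known fingerprint. Quoting `$file` in the gpg and rm calls also keeps the function intact if the snapshot name is ever built from anything other than the fixed value the script computes.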
|
-- |
gentoo-security@g.o mailing list |