From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 40F8E15808C for ; Wed, 16 Feb 2022 19:21:18 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4B8FEE0882; Wed, 16 Feb 2022 19:21:17 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 00192E0882 for ; Wed, 16 Feb 2022 19:21:16 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A7E66342C63 for ; Wed, 16 Feb 2022 19:21:15 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 3B064D3 for ; Wed, 16 Feb 2022 19:21:12 +0000 (UTC) From: "Anthony G. Basile" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile" Message-ID: <1645039166.c82111883b4b0d11ef119a11a2bc43b10e31408a.blueness@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/ X-VCS-Repository: repo/gentoo X-VCS-Files: eclass/verify-sig.eclass X-VCS-Directories: eclass/ X-VCS-Committer: blueness X-VCS-Committer-Name: Anthony G. Basile X-VCS-Revision: c82111883b4b0d11ef119a11a2bc43b10e31408a X-VCS-Branch: master Date: Wed, 16 Feb 2022 19:21:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 9607da08-249b-4fa7-9da2-a65efd88f254 X-Archives-Hash: c6e191a36f99abc7ece7b012e6845cef commit: c82111883b4b0d11ef119a11a2bc43b10e31408a Author: Michał Górny gentoo org> AuthorDate: Sun Feb 13 15:08:58 2022 +0000 Commit: Anthony G. Basile gentoo org> CommitDate: Wed Feb 16 19:19:26 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8211188 verify-sig.eclass: Add a function to verify pure checksums Split the logic for verifying checksums into a dedicated functions that can also be used directly when dealing with a checksum file that uses a detached signature. Signed-off-by: Michał Górny gentoo.org> Signed-off-by: Anthony G. Basile gentoo.org> eclass/verify-sig.eclass | 45 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index 3693eb16ff41..9121d85bbeaf 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -197,17 +197,27 @@ verify-sig_verify_message() { esac } -# @FUNCTION: _gpg_verify_signed_checksums -# @INTERNAL -# @USAGE: [] +# @FUNCTION: verify-sig_verify_unsigned_checksums +# @USAGE: # @DESCRIPTION: -# GnuPG-specific function to verify a signed checksums list. -_gpg_verify_signed_checksums() { +# Verify the checksums for all files listed in the space-separated list +# (akin to ${A}) using a . specifies +# the checksum algorithm (e.g. sha256). can be "-" +# for stdin. +# +# The function dies if one of the files does not match checksums or +# is missing from the checksum file. +# +# Note that this function itself can only verify integrity of the files. +# In order to verify their authenticity, the must +# be verified against a signature first, e.g. using +# verify-sig_verify_detached. If it contains inline signature, use +# verify-sig_verify_signed_checksums instead. +verify-sig_verify_unsigned_checksums() { local checksum_file=${1} local algo=${2} local files=() read -r -d '' -a files <<<"${3}" - local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} local chksum_prog chksum_len case ${algo} in @@ -220,8 +230,13 @@ _gpg_verify_signed_checksums() { ;; esac + [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin local checksum filename junk ret=0 count=0 while read -r checksum filename junk; do + if [[ ${checksum} == "-----BEGIN" ]]; then + die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead" + fi + [[ ${#checksum} -eq ${chksum_len} ]] || continue [[ -z ${checksum//[0-9a-f]} ]] || continue has "${filename}" "${files[@]}" || continue @@ -233,7 +248,7 @@ _gpg_verify_signed_checksums() { else ret=1 fi - done < <(verify-sig_verify_message "${checksum_file}" - "${key}") + done < "${checksum_file}" [[ ${ret} -eq 0 ]] || die "${FUNCNAME}: at least one file did not verify successfully" @@ -241,6 +256,22 @@ _gpg_verify_signed_checksums() { die "${FUNCNAME}: checksums for some of the specified files were missing" } +# @FUNCTION: _gpg_verify_signed_checksums +# @INTERNAL +# @USAGE: [] +# @DESCRIPTION: +# GnuPG-specific function to verify a signed checksums list. +_gpg_verify_signed_checksums() { + local checksum_file=${1} + local algo=${2} + local files=${3} + local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} + + verify-sig_verify_unsigned_checksums - "${algo}" "${files}" < <( + verify-sig_verify_message "${checksum_file}" - "${key}" + ) +} + # @FUNCTION: verify-sig_verify_signed_checksums # @USAGE: [] # @DESCRIPTION: