* [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs
@ 2020-10-06 12:10 Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 2/6] use.desc: Add verify-sig flag Michał Górny
` (5 more replies)
0 siblings, 6 replies; 11+ messages in thread
From: Michał Górny @ 2020-10-06 12:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
verify-sig eclass provides a streamlined approach to verifying upstream
signatures on distfiles. Its primary purpose is to permit developers
to easily verify signatures while bumping packages. The eclass removes
the risk of developer forgetting to perform the verification,
or performing it incorrectly, e.g. due to additional keys in the local
keyring. It also permits users to verify the developer's work.
---
eclass/verify-sig.eclass | 177 +++++++++++++++++++++++++++++++++++++++
1 file changed, 177 insertions(+)
create mode 100644 eclass/verify-sig.eclass
Changes in v2:
- verify-sig is no longer enabled by default, except in developer
profiles
- added missing BROOT to ebuild
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
new file mode 100644
index 000000000000..c075ff66217d
--- /dev/null
+++ b/eclass/verify-sig.eclass
@@ -0,0 +1,177 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: verify-sig.eclass
+# @MAINTAINER:
+# Michał Górny <mgorny@gentoo.org>
+# @SUPPORTED_EAPIS: 7
+# @AUTHOR:
+# Michał Górny <mgorny@gentoo.org>
+# @BLURB: Eclass to verify upstream signatures on distfiles
+# @DESCRIPTION:
+# verify-sig eclass provides a streamlined approach to verifying
+# upstream signatures on distfiles. Its primary purpose is to permit
+# developers to easily verify signatures while bumping packages.
+# The eclass removes the risk of developer forgetting to perform
+# the verification, or performing it incorrectly, e.g. due to additional
+# keys in the local keyring. It also permits users to verify
+# the developer's work.
+#
+# To use the eclass, start by packaging the upstream's key
+# as app-crypt/openpgp-keys-*. Then inherit the eclass, add detached
+# signatures to SRC_URI and set VERIFY_SIG_OPENPGP_KEY_PATH. The eclass
+# provides verify-sig USE flag to toggle the verification.
+#
+# Example use:
+# @CODE
+# inherit verify-sig
+#
+# SRC_URI="https://example.org/${P}.tar.gz
+# verify-sig? ( https://example.org/${P}.tar.gz.sig )"
+# BDEPEND="
+# verify-sig? ( app-crypt/openpgp-keys-example )"
+#
+# VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/example.asc
+# @CODE
+
+case "${EAPI:-0}" in
+ 0|1|2|3|4|5|6)
+ die "Unsupported EAPI=${EAPI} (obsolete) for ${ECLASS}"
+ ;;
+ 7)
+ ;;
+ *)
+ die "Unsupported EAPI=${EAPI} (unknown) for ${ECLASS}"
+ ;;
+esac
+
+EXPORT_FUNCTIONS src_unpack
+
+if [[ ! ${_VERIFY_SIG_ECLASS} ]]; then
+
+IUSE="verify-sig"
+
+BDEPEND="
+ verify-sig? (
+ app-crypt/gnupg
+ >=app-portage/gemato-16
+ )"
+
+# @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEY_PATH
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Path to key bundle used to perform the verification. This is required
+# when using default src_unpack. Alternatively, the key path can be
+# passed directly to the verification functions.
+
+# @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Keyserver used to refresh keys. If not specified, the keyserver
+# preference from the key will be respected. If no preference
+# is specified by the key, the GnuPG default will be used.
+
+# @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEY_REFRESH
+# @USER_VARIABLE
+# @DESCRIPTION:
+# Attempt to refresh keys via WKD/keyserver. Set it to "yes"
+# in make.conf to enable. Note that this requires working Internet
+# connection.
+: ${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}
+
+# @FUNCTION: verify-sig_verify_detached
+# @USAGE: <file> <sig-file> [<key-file>]
+# @DESCRIPTION:
+# Read the detached signature from <sig-file> and verify <file> against
+# it. <key-file> can either be passed directly, or it defaults
+# to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
+# fails.
+verify-sig_verify_detached() {
+ local file=${1}
+ local sig=${2}
+ local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ local extra_args=()
+ [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+ )
+
+ einfo "Verifying ${file##*/} ..."
+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+ gpg --verify "${sig}" "${file}" ||
+ die "PGP signature verification failed"
+}
+
+# @FUNCTION: verify-sig_src_unpack
+# @DESCRIPTION:
+# Default src_unpack override that verifies signatures for all
+# distfiles if 'verify-sig' flag is enabled. The function dies if any
+# of the signatures fails to verify or if any distfiles are not signed.
+# Please write src_unpack() yourself if you need to perform partial
+# verification.
+verify-sig_src_unpack() {
+ if use verify-sig; then
+ local f suffix found
+ local distfiles=() signatures=() nosigfound=() straysigs=()
+
+ # find all distfiles and signatures, and combine them
+ for f in ${A}; do
+ found=
+ for suffix in .sig; do
+ if [[ ${f} == *${suffix} ]]; then
+ signatures+=( "${f}" )
+ found=sig
+ break
+ else
+ if has "${f}${suffix}" ${A}; then
+ distfiles+=( "${f}" )
+ found=dist+sig
+ break
+ fi
+ fi
+ done
+ if [[ ! ${found} ]]; then
+ nosigfound+=( "${f}" )
+ fi
+ done
+
+ # check if all distfiles are signed
+ if [[ ${#nosigfound[@]} -gt 0 ]]; then
+ eerror "The following distfiles lack detached signatures:"
+ for f in "${nosigfound[@]}"; do
+ eerror " ${f}"
+ done
+ die "Unsigned distfiles found"
+ fi
+
+ # check if there are no stray signatures
+ for f in "${signatures[@]}"; do
+ if ! has "${f%.*}" "${distfiles[@]}"; then
+ straysigs+=( "${f}" )
+ fi
+ done
+ if [[ ${#straysigs[@]} -gt 0 ]]; then
+ eerror "The following signatures do not match any distfiles:"
+ for f in "${straysigs[@]}"; do
+ eerror " ${f}"
+ done
+ die "Unused signatures found"
+ fi
+
+ # now perform the verification
+ for f in "${signatures[@]}"; do
+ verify-sig_verify_detached \
+ "${DISTDIR}/${f%.*}" "${DISTDIR}/${f}"
+ done
+ fi
+
+ # finally, unpack the distfiles
+ default_src_unpack
+}
+
+_VERIFY_SIG_ECLASS=1
+fi
--
2.28.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-dev] [PATCH v2 2/6] use.desc: Add verify-sig flag
2020-10-06 12:10 [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs Michał Górny
@ 2020-10-06 12:10 ` Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 3/6] profiles/targets/developer: Enable verify-sig by default Michał Górny
` (4 subsequent siblings)
5 siblings, 0 replies; 11+ messages in thread
From: Michał Górny @ 2020-10-06 12:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
profiles/use.desc | 1 +
1 file changed, 1 insertion(+)
diff --git a/profiles/use.desc b/profiles/use.desc
index a0104c8a2f76..ef9f4da57215 100644
--- a/profiles/use.desc
+++ b/profiles/use.desc
@@ -334,6 +334,7 @@ vala - Enable bindings for dev-lang/vala
vanilla - Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically
vcd - Video CD support
vdpau - Enable the Video Decode and Presentation API for Unix acceleration interface
+verify-sig - Verify upstream signatures on distfiles
vhosts - Add support for installing web-based applications into a virtual-hosting environment
videos - Install optional video files (used in some games)
vim-syntax - Pulls in related vim syntax scripts
--
2.28.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-dev] [PATCH v2 3/6] profiles/targets/developer: Enable verify-sig by default
2020-10-06 12:10 [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 2/6] use.desc: Add verify-sig flag Michał Górny
@ 2020-10-06 12:10 ` Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst Michał Górny
` (3 subsequent siblings)
5 siblings, 0 replies; 11+ messages in thread
From: Michał Górny @ 2020-10-06 12:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
profiles/targets/developer/make.defaults | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/profiles/targets/developer/make.defaults b/profiles/targets/developer/make.defaults
index 94e10bef0180..99e2bd68f554 100644
--- a/profiles/targets/developer/make.defaults
+++ b/profiles/targets/developer/make.defaults
@@ -18,4 +18,7 @@ PORTAGE_ELOG_CLASSES="${PORTAGE_ELOG_CLASSES} qa"
# USE="-perl -python snmp truetype xml"
# perl and python are now disabled by default anyway, truetype and xml are enabled
# by the also inherited desktop profile
-USE="snmp"
+USE="${USE} snmp"
+
+# Verify upstream signatures by default.
+USE="${USE} verify-sig"
--
2.28.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst
2020-10-06 12:10 [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 2/6] use.desc: Add verify-sig flag Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 3/6] profiles/targets/developer: Enable verify-sig by default Michał Górny
@ 2020-10-06 12:10 ` Michał Górny
2020-10-06 18:17 ` Robin H. Johnson
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 5/6] net-libs/miniupnpc: Use verify-sig.eclass Michał Górny
` (2 subsequent siblings)
5 siblings, 1 reply; 11+ messages in thread
From: Michał Górny @ 2020-10-06 12:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
app-crypt/openpgp-keys-miniupnp/Manifest | 2 ++
app-crypt/openpgp-keys-miniupnp/metadata.xml | 9 ++++++++
.../openpgp-keys-miniupnp-20201006.ebuild | 23 +++++++++++++++++++
3 files changed, 34 insertions(+)
create mode 100644 app-crypt/openpgp-keys-miniupnp/Manifest
create mode 100644 app-crypt/openpgp-keys-miniupnp/metadata.xml
create mode 100644 app-crypt/openpgp-keys-miniupnp/openpgp-keys-miniupnp-20201006.ebuild
diff --git a/app-crypt/openpgp-keys-miniupnp/Manifest b/app-crypt/openpgp-keys-miniupnp/Manifest
new file mode 100644
index 000000000000..c8f82da42fa6
--- /dev/null
+++ b/app-crypt/openpgp-keys-miniupnp/Manifest
@@ -0,0 +1,2 @@
+DIST A31ACAAF.asc 3139 BLAKE2B 4574c3f37965fafa4e2d703276a585d1f17b0da862042620681bac591062b3b70c52cbe5481da543d3c3193a640c06e9d86c3cef1568ae3a3f62901a6ad200ab SHA512 ecad52850fdcc7c21bab81917b3cea85c48b751534427d3db5750c43cbce73916ec4879e4f5535d4b87b7eca927ad249e384c5597702a0052afa89c23c5719b9
+DIST A5C0863C.asc 3098 BLAKE2B fdbc8629fd462b9cc72c568b0af5607951055abc03a1e344e4c1b411fb87bfa285c2e29d2781f9e9b02ec0bc63eacf55e5dc19198056a417ba3358dba445cc0c SHA512 adebff655374dbc8a045f9ab148f9fc343b043e80cb7e4e14c66aa56bfb2f0f5521e294c7600ca708893efc84679f788116d82ef5818370f1425f03dea0a77b9
diff --git a/app-crypt/openpgp-keys-miniupnp/metadata.xml b/app-crypt/openpgp-keys-miniupnp/metadata.xml
new file mode 100644
index 000000000000..5a5a3aaf4299
--- /dev/null
+++ b/app-crypt/openpgp-keys-miniupnp/metadata.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>mgorny@gentoo.org</email>
+ <name>Michał Górny</name>
+ </maintainer>
+ <stabilize-allarches/>
+</pkgmetadata>
diff --git a/app-crypt/openpgp-keys-miniupnp/openpgp-keys-miniupnp-20201006.ebuild b/app-crypt/openpgp-keys-miniupnp/openpgp-keys-miniupnp-20201006.ebuild
new file mode 100644
index 000000000000..4b07eeca6024
--- /dev/null
+++ b/app-crypt/openpgp-keys-miniupnp/openpgp-keys-miniupnp-20201006.ebuild
@@ -0,0 +1,23 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DESCRIPTION="OpenPGP keys used to sign miniupnp* packages"
+HOMEPAGE="http://miniupnp.free.fr/files/"
+SRC_URI="
+ http://miniupnp.free.fr/A31ACAAF.asc
+ http://miniupnp.free.fr/A5C0863C.asc
+"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86"
+
+S=${WORKDIR}
+
+src_install() {
+ local files=( ${A} )
+ insinto /usr/share/openpgp-keys
+ newins - miniupnp.asc < <(cat "${files[@]/#/${DISTDIR}/}")
+}
--
2.28.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-dev] [PATCH v2 5/6] net-libs/miniupnpc: Use verify-sig.eclass
2020-10-06 12:10 [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs Michał Górny
` (2 preceding siblings ...)
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst Michał Górny
@ 2020-10-06 12:10 ` Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 6/6] dev-python/miniupnpc: " Michał Górny
2020-10-06 14:36 ` [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs William Hubbs
5 siblings, 0 replies; 11+ messages in thread
From: Michał Górny @ 2020-10-06 12:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
net-libs/miniupnpc/Manifest | 1 +
net-libs/miniupnpc/miniupnpc-2.1.20191224.ebuild | 11 ++++++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/net-libs/miniupnpc/Manifest b/net-libs/miniupnpc/Manifest
index 955881a8af5a..5341c95b6ff0 100644
--- a/net-libs/miniupnpc/Manifest
+++ b/net-libs/miniupnpc/Manifest
@@ -1 +1,2 @@
DIST miniupnpc-2.1.20191224.tar.gz 94740 BLAKE2B 85c0b3eb678685bc7192dbee9440ec5f5be80cbac4d6a4e0a6473662c66f05ef512322cd535a142ffe16d3099a86f78ea70645a7eb2979c373e7a486aeab0cd5 SHA512 d362f914ce9177c1bc46f1f3ae59069c61c0c9c1b6ea7e78003d6b46445d3550835ffc541c2649b5fbc997d035357b461148edb3648135f33d0ce98b54961917
+DIST miniupnpc-2.1.20191224.tar.gz.sig 543 BLAKE2B ddbde04faa7bce62fdbb5b555bda9dc9ff69f09cc97442049adc787a03ec91824f14cdddaef6e577cf8d08fa96202fc792333b8dab7e6e8c30847fa9302a35d0 SHA512 b8885d2002259c95ede7ab57aaf82db83c2bd7ace3d0986179efac4245ffd42161049e0167a9ac1ff18de6c8df4d39356f0fb6aa6dada7523a238b4db4838887
diff --git a/net-libs/miniupnpc/miniupnpc-2.1.20191224.ebuild b/net-libs/miniupnpc/miniupnpc-2.1.20191224.ebuild
index 7c74096859fc..939ae17cc4ef 100644
--- a/net-libs/miniupnpc/miniupnpc-2.1.20191224.ebuild
+++ b/net-libs/miniupnpc/miniupnpc-2.1.20191224.ebuild
@@ -3,11 +3,12 @@
EAPI=7
-inherit toolchain-funcs
+inherit toolchain-funcs verify-sig
DESCRIPTION="UPnP client library and a simple UPnP client"
HOMEPAGE="http://miniupnp.free.fr/"
-SRC_URI="http://miniupnp.free.fr/files/${P}.tar.gz"
+SRC_URI="http://miniupnp.free.fr/files/${P}.tar.gz
+ verify-sig? ( http://miniupnp.free.fr/files/${P}.tar.gz.sig )"
LICENSE="BSD"
SLOT="0/17"
@@ -15,7 +16,11 @@ KEYWORDS="amd64 arm arm64 hppa ~mips ppc ppc64 s390 sparc x86"
IUSE="ipv6 kernel_linux static-libs"
RDEPEND=""
-DEPEND="kernel_linux? ( sys-apps/lsb-release sys-apps/which )"
+BDEPEND="
+ kernel_linux? ( sys-apps/lsb-release sys-apps/which )
+ verify-sig? ( app-crypt/openpgp-keys-miniupnp )"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/miniupnp.asc
src_prepare() {
eapply_user
--
2.28.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-dev] [PATCH v2 6/6] dev-python/miniupnpc: Use verify-sig.eclass
2020-10-06 12:10 [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs Michał Górny
` (3 preceding siblings ...)
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 5/6] net-libs/miniupnpc: Use verify-sig.eclass Michał Górny
@ 2020-10-06 12:10 ` Michał Górny
2020-10-06 14:36 ` [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs William Hubbs
5 siblings, 0 replies; 11+ messages in thread
From: Michał Górny @ 2020-10-06 12:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
dev-python/miniupnpc/Manifest | 1 +
dev-python/miniupnpc/miniupnpc-2.1.20191224.ebuild | 11 +++++++----
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/dev-python/miniupnpc/Manifest b/dev-python/miniupnpc/Manifest
index 955881a8af5a..5341c95b6ff0 100644
--- a/dev-python/miniupnpc/Manifest
+++ b/dev-python/miniupnpc/Manifest
@@ -1 +1,2 @@
DIST miniupnpc-2.1.20191224.tar.gz 94740 BLAKE2B 85c0b3eb678685bc7192dbee9440ec5f5be80cbac4d6a4e0a6473662c66f05ef512322cd535a142ffe16d3099a86f78ea70645a7eb2979c373e7a486aeab0cd5 SHA512 d362f914ce9177c1bc46f1f3ae59069c61c0c9c1b6ea7e78003d6b46445d3550835ffc541c2649b5fbc997d035357b461148edb3648135f33d0ce98b54961917
+DIST miniupnpc-2.1.20191224.tar.gz.sig 543 BLAKE2B ddbde04faa7bce62fdbb5b555bda9dc9ff69f09cc97442049adc787a03ec91824f14cdddaef6e577cf8d08fa96202fc792333b8dab7e6e8c30847fa9302a35d0 SHA512 b8885d2002259c95ede7ab57aaf82db83c2bd7ace3d0986179efac4245ffd42161049e0167a9ac1ff18de6c8df4d39356f0fb6aa6dada7523a238b4db4838887
diff --git a/dev-python/miniupnpc/miniupnpc-2.1.20191224.ebuild b/dev-python/miniupnpc/miniupnpc-2.1.20191224.ebuild
index 5e1d489b2e1e..e2122994dfda 100644
--- a/dev-python/miniupnpc/miniupnpc-2.1.20191224.ebuild
+++ b/dev-python/miniupnpc/miniupnpc-2.1.20191224.ebuild
@@ -5,11 +5,12 @@ EAPI=7
PYTHON_COMPAT=( python3_{6,7,8} pypy3 )
-inherit distutils-r1
+inherit distutils-r1 verify-sig
DESCRIPTION="Python bindings for UPnP client library"
HOMEPAGE="http://miniupnp.free.fr/"
-SRC_URI="http://miniupnp.free.fr/files/${P}.tar.gz"
+SRC_URI="http://miniupnp.free.fr/files/${P}.tar.gz
+ verify-sig? ( http://miniupnp.free.fr/files/${P}.tar.gz.sig )"
LICENSE="BSD"
SLOT="0"
@@ -17,8 +18,10 @@ KEYWORDS="amd64 ppc ppc64 x86"
IUSE=""
RDEPEND=">=net-libs/miniupnpc-${PV}:0="
-DEPEND="${RDEPEND}
- dev-python/setuptools[${PYTHON_USEDEP}]"
+DEPEND="${RDEPEND}"
+BDEPEND="verify-sig? ( app-crypt/openpgp-keys-miniupnp )"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/miniupnp.asc
PATCHES=(
"${FILESDIR}"/miniupnpc-2.0.20171102-shared-lib.patch
--
2.28.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs
2020-10-06 12:10 [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs Michał Górny
` (4 preceding siblings ...)
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 6/6] dev-python/miniupnpc: " Michał Górny
@ 2020-10-06 14:36 ` William Hubbs
2020-10-07 8:14 ` [gentoo-dev] Re: EAPI conditional in eclasses (was: [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs) Ulrich Mueller
5 siblings, 1 reply; 11+ messages in thread
From: William Hubbs @ 2020-10-06 14:36 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
[-- Attachment #1: Type: text/plain, Size: 759 bytes --]
Hey all,
I'm just picking an eclass to respond to because I see this pretty
often, so I'm definitely not picking on mgorny with this question.
On Tue, Oct 06, 2020 at 02:10:45PM +0200, Michał Górny wrote:
*snip*
> +case "${EAPI:-0}" in
> + 0|1|2|3|4|5|6)
> + die "Unsupported EAPI=${EAPI} (obsolete) for ${ECLASS}"
> + ;;
> + 7)
> + ;;
> + *)
> + die "Unsupported EAPI=${EAPI} (unknown) for ${ECLASS}"
> + ;;
> +esac
Does it really matter that an EAPI is unsupported because it is obsolete
vs unknown? Can we simplify this case statement to the following or
something similar for all of our eclasses?
case "${EAPI:-0}" in
7)
;;
*)
die "Unsupported EAPI=${EAPI} (unknown) for ${ECLASS}"
;;
esac
William
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst Michał Górny
@ 2020-10-06 18:17 ` Robin H. Johnson
2020-10-06 19:55 ` Michał Górny
2020-10-08 5:47 ` Eray Aslan
0 siblings, 2 replies; 11+ messages in thread
From: Robin H. Johnson @ 2020-10-06 18:17 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 993 bytes --]
While I'm absolutely in favour of the overall intent here, I'm not so
sure of the design.
I'm worried about the proliferation of tiny packages just to convey the
keys; and how versioning should work if upstream rotates their keys.
I picked this message in the thread to respond to, because it was
clearest that this could break when the keys are rotated. The old
releases might not be verifiable with the new keys.
Additionally:
- not all upstream providers ship .asc files of their keys
- some upstreams use signed DIGESTS files rather than directly signing
the distfiles (esp. where distfiles are larger)
Can we instead:
Inside the ebuild and/or metadata.xml: convey:
1. URL(s) to fetch keys, incl a keyserver support
2. Full key fingerprint
--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst
2020-10-06 18:17 ` Robin H. Johnson
@ 2020-10-06 19:55 ` Michał Górny
2020-10-08 5:47 ` Eray Aslan
1 sibling, 0 replies; 11+ messages in thread
From: Michał Górny @ 2020-10-06 19:55 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 959 bytes --]
On Tue, 2020-10-06 at 18:17 +0000, Robin H. Johnson wrote:
> While I'm absolutely in favour of the overall intent here, I'm not so
> sure of the design.
>
> I'm worried about the proliferation of tiny packages just to convey the
> keys; and how versioning should work if upstream rotates their keys.
> I picked this message in the thread to respond to, because it was
> clearest that this could break when the keys are rotated. The old
> releases might not be verifiable with the new keys.
>
> Additionally:
> - not all upstream providers ship .asc files of their keys
> - some upstreams use signed DIGESTS files rather than directly signing
> the distfiles (esp. where distfiles are larger)
>
> Can we instead:
> Inside the ebuild and/or metadata.xml: convey:
> 1. URL(s) to fetch keys, incl a keyserver support
> 2. Full key fingerprint
It won't work inside network-isolated environments.
--
Best regards,
Michał Górny
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* [gentoo-dev] Re: EAPI conditional in eclasses (was: [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs)
2020-10-06 14:36 ` [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs William Hubbs
@ 2020-10-07 8:14 ` Ulrich Mueller
0 siblings, 0 replies; 11+ messages in thread
From: Ulrich Mueller @ 2020-10-07 8:14 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 793 bytes --]
>>>>> On Tue, 06 Oct 2020, William Hubbs wrote:
>> +case "${EAPI:-0}" in
>> + 0|1|2|3|4|5|6)
>> + die "Unsupported EAPI=${EAPI} (obsolete) for ${ECLASS}"
>> + ;;
>> + 7)
>> + ;;
>> + *)
>> + die "Unsupported EAPI=${EAPI} (unknown) for ${ECLASS}"
>> + ;;
>> +esac
> Does it really matter that an EAPI is unsupported because it is
> obsolete vs unknown? Can we simplify this case statement to the
> following or something similar for all of our eclasses?
> case "${EAPI:-0}" in
> 7)
> ;;
> *)
> die "Unsupported EAPI=${EAPI} (unknown) for ${ECLASS}"
> ;;
> esac
I am with you there, at least for a new eclass that never supported
these old EAPIs.
It may be somewhat useful when removing existing support for an EAPI,
but even there things should be clear from context?
Ulrich
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst
2020-10-06 18:17 ` Robin H. Johnson
2020-10-06 19:55 ` Michał Górny
@ 2020-10-08 5:47 ` Eray Aslan
1 sibling, 0 replies; 11+ messages in thread
From: Eray Aslan @ 2020-10-08 5:47 UTC (permalink / raw
To: gentoo-dev
On Tue, Oct 06, 2020 at 06:17:23PM +0000, Robin H. Johnson wrote:
> I'm worried about the proliferation of tiny packages just to convey the
> keys; and how versioning should work if upstream rotates their keys.
That was my initial reaction as well. The app-crypt/openpgp-keys-* will
potentially double the number of packages in the tree. We can probably
come up with a better design.
I agree with the need to make it easier for developers to check sigs
before signing the manifest btw. Thanks for that
--
Eray
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2020-10-08 5:47 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-06 12:10 [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 2/6] use.desc: Add verify-sig flag Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 3/6] profiles/targets/developer: Enable verify-sig by default Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst Michał Górny
2020-10-06 18:17 ` Robin H. Johnson
2020-10-06 19:55 ` Michał Górny
2020-10-08 5:47 ` Eray Aslan
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 5/6] net-libs/miniupnpc: Use verify-sig.eclass Michał Górny
2020-10-06 12:10 ` [gentoo-dev] [PATCH v2 6/6] dev-python/miniupnpc: " Michał Górny
2020-10-06 14:36 ` [gentoo-dev] [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs William Hubbs
2020-10-07 8:14 ` [gentoo-dev] Re: EAPI conditional in eclasses (was: [PATCH v2 1/6] verify-sig.eclass: New eclass to verify OpenPGP sigs) Ulrich Mueller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox