* [gentoo-dev] [PATCH v2 1/2] verify-sig.eclass: Add a function to verify PGP signed messages
@ 2020-11-05 16:48 Michał Górny
From: Michał Górny @ 2020-11-05 16:48 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Add a function to verify files containing PGP signed messages (i.e. not
using detached signatures). This will be used for projects that publish
signed checksum lists.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
Changed in v2: 'gemato openpgp-verify' does not actually fail on unsigned
data surrounding the signed message; that check lives in the Manifest
loading algorithm. Use 'gpg --output' instead, so that only the data gpg
itself emits is consumed.
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d16181f3bf0a..a499dd3c6c2a 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -111,6 +111,42 @@ verify-sig_verify_detached() {
die "PGP signature verification failed"
}
+# @FUNCTION: verify-sig_verify_message
+# @USAGE: <file> <output-file> [<key-file>]
+# @DESCRIPTION:
+# Verify that the file ('-' for stdin) contains a valid, signed PGP
+# message and write the message into <output-file> ('-' for stdout).
+# <key-file> can either be passed directly, or it defaults
+# to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
+# fails. Note that using output from <output-file> is important as it
+# prevents the injection of unsigned data.
+verify-sig_verify_message() {
+ local file=${1}
+ local output_file=${2}
+ local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ local extra_args=()
+ [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+ )
+
+ # GPG upstream knows better than to follow the spec, so we can't
+ # override this directory. However, there is a clean fallback
+ # to GNUPGHOME.
+ addpredict /run/user
+
+ local filename=${file##*/}
+ [[ ${file} == - ]] && filename='(stdin)'
+ einfo "Verifying $(unknown) ..."
+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+ gpg --verify --output="${output_file}" "${sig}" "${file}" ||
+ die "PGP signature verification failed"
+}
+
# @FUNCTION: verify-sig_src_unpack
# @DESCRIPTION:
# Default src_unpack override that verifies signatures for all
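Review bot: `"${sig}"` in the gpg invocation is never assigned anywhere in verify-sig_verify_message — it looks carried over from verify-sig_verify_detached — so it expands to an empty argument and gpg is asked to treat `""` as a detached signature over `"${file}"`, which makes every call through this function fail. The second patch in this series drops that argument as a drive-by, but the fix belongs in this commit so the eclass is not broken in between: `gpg --verify --output="${output_file}" "${file}" ||`. The `$(unknown)` in the einfo line reads like an extraction artefact for `${filename}` and is worth checking against the original diff. Since the security argument for this function rests on callers consuming only what gpg writes to <output-file>, I would make that explicit in the @DESCRIPTION: `# Never parse <file> directly: only the data gpg writes to <output-file> is covered by the signature; any text outside the signed message is dropped by gpg.`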
--
2.29.2
* [gentoo-dev] [PATCH v2 2/2] verify-sig.eclass: Support verifying checksum lists
@ 2020-11-05 16:48 ` Michał Górny
From: Michał Górny @ 2020-11-05 16:48 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 55 +++++++++++++++++++++++++++++++++++++++-
1 file changed, 54 insertions(+), 1 deletion(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index a499dd3c6c2a..e3ef7f240283 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -143,10 +143,63 @@ verify-sig_verify_message() {
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying $(unknown) ..."
gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
- gpg --verify --output="${output_file}" "${sig}" "${file}" ||
+ gpg --verify --output="${output_file}" "${file}" ||
die "PGP signature verification failed"
}
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
+# specified the checksum algorithm (e.g. sha256). <key-file> can either
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if PGP verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums
+# or are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+ local checksum_file=${1}
+ local algo=${2}
+ local files=()
+ read -r -d '' -a files <<<"${3}"
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ local chksum_prog chksum_len
+ case ${algo} in
+ sha256)
+ chksum_prog=sha256sum
+ chksum_len=64
+ ;;
+ *)
+ die "${FUNCNAME}: unknown checksum algo ${algo}"
+ ;;
+ esac
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ local checksum filename junk ret=0 count=0
+ while read -r checksum filename junk; do
+ [[ ${#checksum} -eq ${chksum_len} ]] || continue
+ [[ -z ${checksum//[0-9a-f]} ]] || continue
+ has "$(unknown)" "${files[@]}" || continue
+ [[ -z ${junk} ]] || continue
+
+ "${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
+ if [[ ${?} -eq 0 ]]; then
+ (( count++ ))
+ else
+ ret=1
+ fi
+ done < <(verify-sig_verify_message "${checksum_file}" - "${key}")
+
+ [[ ${ret} -eq 0 ]] ||
+ die "${FUNCNAME}: at least one file did not verify successfully"
+ [[ ${count} -eq ${#files[@]} ]] ||
+ die "${FUNCNAME}: checksums for some of the specified files were missing"
+}
+
# @FUNCTION: verify-sig_src_unpack
# @DESCRIPTION:
# Default src_unpack override that verifies signatures for all
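Review bot: The completeness check at the end of verify-sig_verify_signed_checksums counts matching lines rather than distinct files, so a signed checksum list that names one expected file twice (both entries correct) satisfies `count -eq ${#files[@]}` while another expected file has no checksum at all and is never verified. Recording each verified name in an associative array and comparing its size closes that gap; the rewritten lines are below. `has "$(unknown)"` and the here-string on the sha256sum line both show `$(unknown)`, which I take to be an extraction artefact for `${filename}` — worth confirming against the original diff. I have not confirmed that `die` propagates out of the `<( ... )` process substitution; if it does not, a signature failure still dies through the count mismatch, but with the misleading "checksums ... missing" message, so an explicit `[[ ${count} -gt 0 ]] || die "${FUNCNAME}: no checksums were read from ${checksum_file}"` before that check would make the failure path honest.
```shell
	local checksum filename junk ret=0
	local -A verified=()
	while read -r checksum filename junk; do
		# … unchanged: hex-length, charset, membership and junk checks …
		# … unchanged: sha256sum -c --strict invocation …
		if [[ ${?} -eq 0 ]]; then
			verified[${filename}]=1
		else
			ret=1
		fi
	done < <(verify-sig_verify_message "${checksum_file}" - "${key}")

	[[ ${ret} -eq 0 ]] ||
		die "${FUNCNAME}: at least one file did not verify successfully"
	[[ ${#verified[@]} -eq ${#files[@]} ]] ||
		die "${FUNCNAME}: checksums for some of the specified files were missing"
```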
--
2.29.2