From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id DA0E6138359 for ; Thu, 5 Nov 2020 16:48:36 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 55F6CE08AD; Thu, 5 Nov 2020 16:48:13 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 206C9E089C for ; Thu, 5 Nov 2020 16:48:13 +0000 (UTC) From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Cc: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Subject: [gentoo-dev] [PATCH v2 2/2] verify-sig.eclass: Support verifying checksum lists Date: Thu, 5 Nov 2020 17:48:03 +0100 Message-Id: <20201105164803.2846262-2-mgorny@gentoo.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201105164803.2846262-1-mgorny@gentoo.org> References: <20201105164803.2846262-1-mgorny@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Archives-Salt: 080454b3-0f61-46df-a9b9-c956eb4877be X-Archives-Hash: 8cdcb5f03183f7acbf638278fd536d56 Signed-off-by: Michał Górny --- eclass/verify-sig.eclass | 55 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index a499dd3c6c2a..e3ef7f240283 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -143,10 +143,63 @@ verify-sig_verify_message() { [[ ${file} == - ]] && filename='(stdin)' einfo "Verifying ${filename} ..." gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \ - gpg --verify --output="${output_file}" "${sig}" "${file}" || + gpg --verify --output="${output_file}" "${file}" || die "PGP signature verification failed" } +# @FUNCTION: verify-sig_verify_signed_checksums +# @USAGE: [] +# @DESCRIPTION: +# Verify the checksums for all files listed in the space-separated list +# (akin to ${A}) using a PGP-signed . +# specified the checksum algorithm (e.g. sha256). can either +# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH. +# +# The function dies if PGP verification fails, the checksum file +# contains unsigned data, one of the files do not match checksums +# or are missing from the checksum file. +verify-sig_verify_signed_checksums() { + local checksum_file=${1} + local algo=${2} + local files=() + read -r -d '' -a files <<<"${3}" + local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} + + local chksum_prog chksum_len + case ${algo} in + sha256) + chksum_prog=sha256sum + chksum_len=64 + ;; + *) + die "${FUNCNAME}: unknown checksum algo ${algo}" + ;; + esac + + [[ -n ${key} ]] || + die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset" + + local checksum filename junk ret=0 count=0 + while read -r checksum filename junk; do + [[ ${#checksum} -eq ${chksum_len} ]] || continue + [[ -z ${checksum//[0-9a-f]} ]] || continue + has "${filename}" "${files[@]}" || continue + [[ -z ${junk} ]] || continue + + "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}" + if [[ ${?} -eq 0 ]]; then + (( count++ )) + else + ret=1 + fi + done < <(verify-sig_verify_message "${checksum_file}" - "${key}") + + [[ ${ret} -eq 0 ]] || + die "${FUNCNAME}: at least one file did not verify successfully" + [[ ${count} -eq ${#files[@]} ]] || + die "${FUNCNAME}: checksums for some of the specified files were missing" +} + # @FUNCTION: verify-sig_src_unpack # @DESCRIPTION: # Default src_unpack override that verifies signatures for all -- 2.29.2