From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 6C37B158089 for ; Mon, 4 Sep 2023 01:58:53 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id ADCD12BC058; Mon, 4 Sep 2023 01:58:14 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 70C822BC055 for ; Mon, 4 Sep 2023 01:58:14 +0000 (UTC) From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Cc: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Subject: [gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` format checksums Date: Mon, 4 Sep 2023 03:55:16 +0200 Message-ID: <20230904015806.6883-3-mgorny@gentoo.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230904015806.6883-1-mgorny@gentoo.org> References: <20230904015806.6883-1-mgorny@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Archives-Salt: efd4488e-3e1e-478c-a746-6d80bca06c44 X-Archives-Hash: cac3caaf6070d602a841124f3c50503c Signed-off-by: Michał Górny --- eclass/tests/verify-sig.sh | 18 ++++++++++++++ eclass/verify-sig.eclass | 51 +++++++++++++++++++++++++------------- 2 files changed, 52 insertions(+), 17 deletions(-) 
diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
index fcd2ee7480a2..fb7f2cdb2a5d 100755
--- a/eclass/tests/verify-sig.sh
+++ b/eclass/tests/verify-sig.sh
@@ -62,4 +62,22 @@ EOF
 test_verify_unsigned_checksums sha256
 eoutdent
 
+einfo "Testing openssl-dgst format."
+eindent
+
+> "annoying ( filename )= yes ).txt" || die
+
+cat > checksums.txt <<-EOF || die
+	junk text that ought to be ignored
+
+	SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+	SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+	SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+
+	SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+EOF
+
+test_verify_unsigned_checksums openssl-dgst
+eoutdent
+
 texit
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d99dc3461858..ee80167c7924 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -214,12 +214,15 @@ verify-sig_verify_message() {
 }
 
 # @FUNCTION: verify-sig_verify_unsigned_checksums
-# @USAGE:
+# @USAGE:
 # @DESCRIPTION:
 # Verify the checksums for all files listed in the space-separated list
-# (akin to ${A}) using a . specifies
-# the checksum algorithm (e.g. sha256). can be "-"
-# for stdin.
+# (akin to ${A}) using a . specifies
+# the checksum file format. can be "-" for stdin.
+#
+# The following formats are supported:
+# - sha256 -- sha256sum ( )
+# - openssl-dgst -- openssl dgst (()=)
 #
 # The function dies if one of the files does not match checksums or
 # is missing from the checksum file.
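Review bot: The `annoying` entry in the new heredoc does not appear to name the file the test creates a few lines earlier (`annoying ( filename )= yes ).txt`), at least as rendered here: once the parser strips everything from the last `)=`, the recovered name would be `annoying ( filename )= yes ` and the awkward-filename case would be skipped as "not one of the files" instead of exercised; if the original line does carry a `).txt)=` tail this is only a rendering artifact. It would also be worth adding an entry with a different digest label, e.g. `MD5(empty)=<constructed-digest>`, to pin down that the loader rejects a digest name it was not asked for rather than honouring whatever the file says. The `<<-EOF` body relies on leading tabs that the collapsed rendering cannot show, so a reviewer should check the indentation in the actual patch. test_verify_unsigned_checksums itself is outside this hunk.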
@@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
 	local algo=${2}
 	local files=()
 	read -r -d '' -a files <<<"${3}"
-	local chksum_prog chksum_len
+	local chksum_prog chksum_len format=coreutils
 	case ${algo} in
 		sha256)
-			chksum_prog=sha256sum
 			chksum_len=64
 			;;
+		openssl-dgst)
+			format=${algo}
+			;;
 		*)
-			die "${FUNCNAME}: unknown checksum algo ${algo}"
+			die "${FUNCNAME}: unknown checksum format ${algo}"
 			;;
 	esac
 
 	[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
 
-	local checksum filename junk ret=0 count=0
-	while read -r checksum filename junk; do
-		if [[ ${checksum} == "-----BEGIN" ]]; then
+	local line checksum filename junk ret=0 count=0
+	while read -r line; do
+		if [[ ${line} == "-----BEGIN"* ]]; then
 			die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
 		fi
 
-		[[ ${#checksum} -eq ${chksum_len} ]] || continue
-		[[ -z ${checksum//[0-9a-f]} ]] || continue
-		has "$(unknown)" "${files[@]}" || continue
-		[[ -z ${junk} ]] || continue
-
-		"${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
-		if [[ ${?} -eq 0 ]]; then
+		case ${format} in
+			coreutils)
+				read -r checksum filename junk <<<"${line}"
+				[[ ${#checksum} -ne ${chksum_len} ]] && continue
+				[[ -n ${checksum//[0-9a-f]} ]] && continue
+				[[ -n ${junk} ]] && continue
+				;;
+			openssl-dgst)
+				[[ ${line} != *"("*")="* ]] && continue
+				checksum=${line##*)=}
+				algo=${line%%(*}
+				filename=${line#*(}
+				filename=${filename%)=*}
+				;;
+		esac
+
+		! has "$(unknown)" "${files[@]}" && continue
+
+		if "${algo,,}sum" -c --strict - <<<"${checksum} $(unknown)"; then
 			(( count++ ))
 		else
 			ret=1
-- 
2.42.0
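Review bot: The digest name that builds the command on the `if "${algo,,}sum" -c --strict -` line is taken verbatim from the checksum file in the `openssl-dgst)` arm (`algo=${line%%(*}`), so an unverified file decides both which `*sum` program is executed and which digest strength is accepted, whereas the old code pinned `sha256sum`; in the `coreutils)` arm `algo` is still the caller's argument, so only the new arm is affected. Check the parsed name against the digests this function is meant to accept before it reaches the command, e.g. `[[ ${algo,,} == sha256 ]] || continue` directly after `filename=${filename%)=*}`, and prefer a separate local such as `digest` over overwriting the `algo` parameter, which also keeps any later `die` message naming the caller's format accurate. The new arm also drops the hex/length sanity checks the coreutils arm keeps, so a malformed line naming a listed file is handed to `sha256sum -c --strict` and counted as a mismatch instead of being ignored; that is defensible but deserves a short comment, e.g. `# malformed entries for listed files are treated as failures, not skipped`. verify-sig_verify_unsigned_checksums continues past the end of the hunk, and the `has`/`sha256sum` lines appear garbled here (`$(unknown)` where the filename variable is expected), so the argument passed there should be confirmed against the real patch.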