* [gentoo-dev] [PATCH v2 1/4] eclass/tests: Add initial tests for verify-sig
@ 2023-09-08 10:10 Michał Górny
From: Michał Górny @ 2023-09-08 10:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/tests/verify-sig.sh | 65 ++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100755 eclass/tests/verify-sig.sh
diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
new file mode 100755
index 000000000000..fcd2ee7480a2
--- /dev/null
+++ b/eclass/tests/verify-sig.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Copyright 2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+source tests-common.sh || exit
+
+inherit verify-sig
+
+TMP=$(mktemp -d)
+trap 'rm -rf "${TMP}"' EXIT
+cd "${TMP}" || die
+> empty || die
+> fail || die
+echo "The quick brown fox jumps over the lazy dog." > text || die
+
+testit() {
+ local expect=${1}
+ shift
+
+ tbegin "${*@Q}"
+ ( "${@}" )
+ [[ ${?} -eq ${expect} ]]
+ tend "${?}"
+}
+
+test_verify_unsigned_checksums() {
+ local format=${1}
+
+ testit 0 verify-sig_verify_unsigned_checksums checksums.txt "${format}" empty
+ testit 0 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty text"
+ testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" other
+ testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty other"
+ testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" fail
+ testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty fail"
+}
+
+einfo "Testing coreutils format."
+eindent
+
+cat > checksums.txt <<-EOF || die
+ # some junk to test junk protection
+ b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 empty junk line
+ b47cc0f104b62d4c7c30bcd68gd8e67613e287dc4ad8c310ef10cbadea9c4380 empty
+
+ # sha1sums
+ da39a3ee5e6b4b0d3255bfef95601890afd80709 empty
+ 9c04cd6372077e9b11f70ca111c9807dc7137e4b text
+ 9c04cd6372077e9b11f70ca111c9807dc7137e4b fail
+
+ # sha256sums
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty
+ b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 text
+ b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 fail
+
+ # sha512sums
+ cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e empty
+ 020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec text
+ 020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec fail
+EOF
+
+test_verify_unsigned_checksums sha256
+eoutdent
+
+texit
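Review bot: `TMP=$(mktemp -d)` is the only setup step without an error check, so a failed `mktemp` leaves `TMP` empty. Depending on how the running bash treats `cd ""`, the following `cd "${TMP}" || die` may not stop the script, in which case `empty`, `fail`, `text` and `checksums.txt` would be written into whatever directory the test was started from. I would write it as `TMP=$(mktemp -d) || die` to match the lines below it.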
--
2.42.0
* [gentoo-dev] [PATCH v2 2/4] verify-sig.eclass: Support `openssl dgst` format checksums
@ 2023-09-08 10:10 ` Michał Górny
From: Michał Górny @ 2023-09-08 10:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/tests/verify-sig.sh | 18 +++++++++++++
eclass/verify-sig.eclass | 54 +++++++++++++++++++++++++-------------
2 files changed, 54 insertions(+), 18 deletions(-)
Changes:
- referring to the var as `format` consistently
- fixed eclassdoc
- used explicit if;fi
diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
index fcd2ee7480a2..fb7f2cdb2a5d 100755
--- a/eclass/tests/verify-sig.sh
+++ b/eclass/tests/verify-sig.sh
@@ -62,4 +62,22 @@ EOF
test_verify_unsigned_checksums sha256
eoutdent
+einfo "Testing openssl-dgst format."
+eindent
+
+> "annoying ( filename )= yes ).txt" || die
+
+cat > checksums.txt <<-EOF || die
+ junk text that ought to be ignored
+
+ SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+ SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+
+ SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+EOF
+
+test_verify_unsigned_checksums openssl-dgst
+eoutdent
+
texit
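Review bot: The `annoying ( filename )= yes ).txt` fixture is never actually verified by this hunk. No `testit` call requests it, and it could not be requested, because the `<files>` argument is split on whitespace. As shown here, the name inside `SHA256(...)=` also lacks the `).txt` tail of the file that is created, so the two would not match anyway. If the line is only meant to prove that odd names do not disturb parsing of the other entries, say so above it, e.g. `# parser-only entry: cannot be selected via <files>, must not affect the other lines`; otherwise align the two names and add a case that exercises it.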
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d99dc3461858..815299b419ed 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -214,12 +214,15 @@ verify-sig_verify_message() {
}
# @FUNCTION: verify-sig_verify_unsigned_checksums
-# @USAGE: <checksum-file> <algo> <files>
+# @USAGE: <checksum-file> <format> <files>
# @DESCRIPTION:
# Verify the checksums for all files listed in the space-separated list
-# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
-# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
-# for stdin.
+# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
+# the checksum file format. <checksum-file> can be "-" for stdin.
+#
+# The following formats are supported:
+# - sha256 -- sha256sum (<hash> <filename>)
+# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)
#
# The function dies if one of the files does not match checksums or
# is missing from the checksum file.
@@ -231,35 +234,50 @@ verify-sig_verify_message() {
# verify-sig_verify_signed_checksums instead.
verify-sig_verify_unsigned_checksums() {
local checksum_file=${1}
- local algo=${2}
+ local format=${2}
local files=()
read -r -d '' -a files <<<"${3}"
- local chksum_prog chksum_len
+ local chksum_prog chksum_len algo=${format}
- case ${algo} in
+ case ${format} in
sha256)
- chksum_prog=sha256sum
chksum_len=64
;;
+ openssl-dgst)
+ ;;
*)
- die "${FUNCNAME}: unknown checksum algo ${algo}"
+ die "${FUNCNAME}: unknown checksum format ${format}"
;;
esac
[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
- local checksum filename junk ret=0 count=0
- while read -r checksum filename junk; do
- if [[ ${checksum} == "-----BEGIN" ]]; then
+ local line checksum filename junk ret=0 count=0
+ while read -r line; do
+ if [[ ${line} == "-----BEGIN"* ]]; then
die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
fi
- [[ ${#checksum} -eq ${chksum_len} ]] || continue
- [[ -z ${checksum//[0-9a-f]} ]] || continue
- has "${filename}" "${files[@]}" || continue
- [[ -z ${junk} ]] || continue
+ case ${format} in
+ sha256)
+ read -r checksum filename junk <<<"${line}"
+ [[ ${#checksum} -ne ${chksum_len} ]] && continue
+ [[ -n ${checksum//[0-9a-f]} ]] && continue
+ [[ -n ${junk} ]] && continue
+ ;;
+ openssl-dgst)
+ [[ ${line} != *"("*")="* ]] && continue
+ checksum=${line##*)=}
+ algo=${line%%(*}
+ filename=${line#*(}
+ filename=${filename%)=*}
+ ;;
+ esac
+
+ if ! has "${filename}" "${files[@]}"; then
+ continue
+ fi
- "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
- if [[ ${?} -eq 0 ]]; then
+ if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
(( count++ ))
else
ret=1
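Review bot: In the `openssl-dgst` branch, `algo=${line%%(*}` is read from the checksum file and then chooses the program that runs in `"${algo,,}sum" -c --strict`, with no check that it names a digest the eclass intends to accept. A line naming a weaker digest therefore counts as a verification just as a SHA256 line does. The hash field also gets no length or hex check here, unlike the `sha256` branch, so that validation is left entirely to the external tool. I would add an allowlist right after the parse, for example `[[ ${algo} == @(SHA256|SHA512) ]] || continue` (the exact set is a maintainer decision), and list the accepted algorithms next to `openssl-dgst` in the eclassdoc. The function body continues past the end of this hunk.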
--
2.42.0
* [gentoo-dev] [PATCH v2 3/4] verify-sig.eclass: Fix handling multiple/duplicate signatures
@ 2023-09-08 10:10 ` Michał Górny
From: Michał Górny @ 2023-09-08 10:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/tests/verify-sig.sh | 11 +++++++++++
eclass/verify-sig.eclass | 5 +++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
index fb7f2cdb2a5d..a87e2c7703d7 100755
--- a/eclass/tests/verify-sig.sh
+++ b/eclass/tests/verify-sig.sh
@@ -57,6 +57,9 @@ cat > checksums.txt <<-EOF || die
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e empty
020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec text
020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec fail
+
+ # duplicate checksum
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty
EOF
test_verify_unsigned_checksums sha256
@@ -70,11 +73,19 @@ eindent
cat > checksums.txt <<-EOF || die
junk text that ought to be ignored
+ SHA1(empty)=da39a3ee5e6b4b0d3255bfef95601890afd80709
+ SHA1(text)= 9c04cd6372077e9b11f70ca111c9807dc7137e4b
+ SHA1(fail)=9c04cd6372077e9b11f70ca111c9807dc7137e4b
+
SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+
+ SHA512(empty)=cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+ SHA512(text)= 020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec
+ SHA512(fail)=020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec
EOF
test_verify_unsigned_checksums openssl-dgst
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 815299b419ed..010361bfbc98 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -252,6 +252,7 @@ verify-sig_verify_unsigned_checksums() {
[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
local line checksum filename junk ret=0 count=0
+ local -A verified
while read -r line; do
if [[ ${line} == "-----BEGIN"* ]]; then
die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
@@ -278,7 +279,7 @@ verify-sig_verify_unsigned_checksums() {
fi
if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
- (( count++ ))
+ verified["${filename}"]=1
else
ret=1
fi
@@ -286,7 +287,7 @@ verify-sig_verify_unsigned_checksums() {
[[ ${ret} -eq 0 ]] ||
die "${FUNCNAME}: at least one file did not verify successfully"
- [[ ${count} -eq ${#files[@]} ]] ||
+ [[ ${#verified[@]} -eq ${#files[@]} ]] ||
die "${FUNCNAME}: checksums for some of the specified files were missing"
}
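Review bot: The final check `[[ ${#verified[@]} -eq ${#files[@]} ]]` compares only counts, not the requested names. A name repeated in `<files>` makes the counts differ and dies with the misleading "missing" message, and an empty `<files>` appears to pass with nothing verified, since 0 equals 0. Checking each requested name is exact and lets the message name the file: `for f in "${files[@]}"; do [[ -n ${verified[${f}]} ]] || die "${FUNCNAME}: no checksum for ${f}"; done`, with `f` declared local and a separate `[[ ${#files[@]} -gt 0 ]] || die` guard in front. `files` is filled by the `read -a` visible in the previous patch; the function starts outside this hunk.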
--
2.42.0
* [gentoo-dev] [PATCH v2 4/4] verify-sig.eclass: Fix list formatting for VERIFY_SIG_METHOD
@ 2023-09-08 10:10 ` Michał Górny
From: Michał Górny @ 2023-09-08 10:10 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Thanks to ulm for reporting.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 010361bfbc98..49557b633c87 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -55,8 +55,8 @@ IUSE="verify-sig"
# @DESCRIPTION:
# Signature verification method to use. The allowed value are:
#
-# - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
-# - signify -- verify signatures with Ed25519 public key using app-crypt/signify
+# - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+# - signify -- verify signatures with Ed25519 public key using app-crypt/signify
: "${VERIFY_SIG_METHOD:=openpgp}"
case ${VERIFY_SIG_METHOD} in
--
2.42.0
* Re: [gentoo-dev] [PATCH v2 1/4] eclass/tests: Add initial tests for verify-sig
@ 2023-09-08 10:23 ` Sam James
From: Sam James @ 2023-09-08 10:23 UTC (permalink / raw
To: gentoo-dev; +Cc: Michał Górny
Michał Górny <mgorny@gentoo.org> writes:
> Signed-off-by: Michał Górny <mgorny@gentoo.org>
The lot lgtm with Bug/Closes tags for https://bugs.gentoo.org/913394.
> ---
> eclass/tests/verify-sig.sh | 65 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 65 insertions(+)
> create mode 100755 eclass/tests/verify-sig.sh
>
> diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
> new file mode 100755
> index 000000000000..fcd2ee7480a2
> --- /dev/null
> +++ b/eclass/tests/verify-sig.sh
> @@ -0,0 +1,65 @@
> +#!/bin/bash
> +# Copyright 2023 Gentoo Authors
> +# Distributed under the terms of the GNU General Public License v2
> +
> +EAPI=8
> +source tests-common.sh || exit
> +
> +inherit verify-sig
> +
> +TMP=$(mktemp -d)
> +trap 'rm -rf "${TMP}"' EXIT
> +cd "${TMP}" || die
> +> empty || die
> +> fail || die
> +echo "The quick brown fox jumps over the lazy dog." > text || die
> +
> +testit() {
> + local expect=${1}
> + shift
> +
> + tbegin "${*@Q}"
> + ( "${@}" )
> + [[ ${?} -eq ${expect} ]]
> + tend "${?}"
> +}
> +
> +test_verify_unsigned_checksums() {
> + local format=${1}
> +
> + testit 0 verify-sig_verify_unsigned_checksums checksums.txt "${format}" empty
> + testit 0 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty text"
> + testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" other
> + testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty other"
> + testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" fail
> + testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty fail"
> +}
> +
> +einfo "Testing coreutils format."
> +eindent
> +
> +cat > checksums.txt <<-EOF || die
> + # some junk to test junk protection
> + b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 empty junk line
> + b47cc0f104b62d4c7c30bcd68gd8e67613e287dc4ad8c310ef10cbadea9c4380 empty
> +
> + # sha1sums
> + da39a3ee5e6b4b0d3255bfef95601890afd80709 empty
> + 9c04cd6372077e9b11f70ca111c9807dc7137e4b text
> + 9c04cd6372077e9b11f70ca111c9807dc7137e4b fail
> +
> + # sha256sums
> + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty
> + b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 text
> + b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 fail
> +
> + # sha512sums
> + cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e empty
> + 020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec text
> + 020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec fail
> +EOF
> +
> +test_verify_unsigned_checksums sha256
> +eoutdent
> +
> +texit