[gentoo-dev] [PATCH 1/3] verify-sig.eclass: minisig support

[gentoo-dev] [PATCH 1/3] verify-sig.eclass: minisig support

[Sam James]

Closes: https://bugs.gentoo.org/783066
Signed-off-by: Sam James <sam@gentoo.org>
---
 eclass/verify-sig.eclass | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 49557b633c87f..bb847bb80cc64 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -55,17 +55,22 @@ IUSE="verify-sig"
 # @DESCRIPTION:
 # Signature verification method to use.  The allowed value are:
 #
+#  - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
 #  - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
 #  - signify -- verify signatures with Ed25519 public key using app-crypt/signify
 : "${VERIFY_SIG_METHOD:=openpgp}"
 
 case ${VERIFY_SIG_METHOD} in
+	minisig)
+		BDEPEND="verify-sig? ( app-crypt/minisign )"
+		;;
 	openpgp)
 		BDEPEND="
 			verify-sig? (
 				app-crypt/gnupg
 				>=app-portage/gemato-16
-			)"
+			)
+		"
 		;;
 	signify)
 		BDEPEND="verify-sig? ( app-crypt/signify )"
@@ -139,6 +144,10 @@ verify-sig_verify_detached() {
 	[[ ${file} == - ]] && filename='(stdin)'
 	einfo "Verifying ${filename} ..."
 	case ${VERIFY_SIG_METHOD} in
+		minisig)
+			minisign -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
+				die "minisig signature verification failed"
+			;;
 		openpgp)
 			# gpg can't handle very long TMPDIR
 			# https://bugs.gentoo.org/854492
@@ -198,6 +207,10 @@ verify-sig_verify_message() {
 	[[ ${file} == - ]] && filename='(stdin)'
 	einfo "Verifying ${filename} ..."
 	case ${VERIFY_SIG_METHOD} in
+		minisig)
+			minisign -V -P "$(<"${key}")" -x "${sig}" -o "${output_file}" -m "${file}" ||
+				die "minisig signature verification failed"
+			;;
 		openpgp)
 			# gpg can't handle very long TMPDIR
 			# https://bugs.gentoo.org/854492
@@ -356,7 +369,7 @@ verify-sig_src_unpack() {
 		# find all distfiles and signatures, and combine them
 		for f in ${A}; do
 			found=
-			for suffix in .asc .sig; do
+			for suffix in .asc .sig .minisig; do
 				if [[ ${f} == *${suffix} ]]; then
 					signatures+=( "${f}" )
 					found=sig
-- 
2.42.0

[gentoo-dev] [PATCH 2/3] sec-keys/minisig-keys-libsodium: new package, add 20230914

[Sam James]

Signed-off-by: Sam James <sam@gentoo.org>
---
 .../metadata.xml                                      |  0
 .../minisig-keys-libsodium-20230914.ebuild}           | 11 +++++------
 2 files changed, 5 insertions(+), 6 deletions(-)
 copy sec-keys/{openpgp-keys-adamspiers => minisig-keys-libsodium}/metadata.xml (100%)
 copy sec-keys/{openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild => minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild} (51%)

diff --git a/sec-keys/openpgp-keys-adamspiers/metadata.xml b/sec-keys/minisig-keys-libsodium/metadata.xml
similarity index 100%
copy from sec-keys/openpgp-keys-adamspiers/metadata.xml
copy to sec-keys/minisig-keys-libsodium/metadata.xml
diff --git a/sec-keys/openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild b/sec-keys/minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild
similarity index 51%
copy from sec-keys/openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild
copy to sec-keys/minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild
index 524e114f27746..27bc79712eae6 100644
--- a/sec-keys/openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild
+++ b/sec-keys/minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild
@@ -3,10 +3,8 @@
 
 EAPI=8
 
-DESCRIPTION="OpenPGP keys used by Karel Zak"
-HOMEPAGE="https://kzak.redcrew.org/doku.php?id=me"
-# Grabbed from HOMEPAGE but it's HTML
-SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}.asc"
+DESCRIPTION="OpenPGP keys used for libsodium"
+HOMEPAGE="https://doc.libsodium.org/installation#integrity-checking"
 S="${WORKDIR}"
 
 LICENSE="public-domain"
@@ -14,7 +12,8 @@ SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 
 src_install() {
-	local files=( ${A} )
 	insinto /usr/share/openpgp-keys
-	newins - karelzak.asc < <(cat "${files[@]/#/${DISTDIR}/}" || die)
+	newins - libsodium.minisig <<-EOF
+		RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
+	EOF
 }
-- 
2.42.0

[gentoo-dev] [PATCH 3/3] dev-libs/libsodium: use new verify-sig minisign support

[Sam James]

Closes: https://bugs.gentoo.org/783066
Signed-off-by: Sam James <sam@gentoo.org>
---
 dev-libs/libsodium/libsodium-1.0.19-r1.ebuild | 20 +++----------------
 1 file changed, 3 insertions(+), 17 deletions(-)

diff --git a/dev-libs/libsodium/libsodium-1.0.19-r1.ebuild b/dev-libs/libsodium/libsodium-1.0.19-r1.ebuild
index cb3ef0373a0fa..d175a5ffc7f5a 100644
--- a/dev-libs/libsodium/libsodium-1.0.19-r1.ebuild
+++ b/dev-libs/libsodium/libsodium-1.0.19-r1.ebuild
@@ -3,7 +3,9 @@
 
 EAPI=8
 
-inherit autotools multilib-minimal
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/libsodium.key
+VERIFY_SIG_METHOD=minisig
+inherit autotools multilib-minimal verify-sig
 
 DESCRIPTION="Portable fork of NaCl, a higher-level cryptographic library"
 HOMEPAGE="https://libsodium.org"
@@ -41,22 +43,6 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-1.0.10-cpuflags.patch
 )
 
-src_unpack() {
-	# TODO: Could verify-sig.eclass support minisig? bug #783066
-	MINISIGN_KEY="RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"
-
-	if use verify-sig ; then
-		ebegin "Verifying signature using app-crypt/minisign"
-		minisign -V \
-			-P ${MINISIGN_KEY} \
-			-x "${DISTDIR}"/${P}.tar.gz.minisig \
-			-m "${DISTDIR}"/${P}.tar.gz
-		eend $? || die "Failed to verify distfile using minisign!"
-	fi
-
-	default
-}
-
 src_prepare() {
 	default
 
-- 
2.42.0