From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-96148-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by finch.gentoo.org (Postfix) with ESMTPS id DEF97158086
for <garchives@archives.gentoo.org>; Wed, 8 Dec 2021 12:54:53 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
by pigeon.gentoo.org (Postfix) with SMTP id DFB732BC02A;
Wed, 8 Dec 2021 12:54:47 +0000 (UTC)
Received: from cloudsdale.the-delta.net.eu.org (cloudsdale.the-delta.net.eu.org [IPv6:2a01:4f8:1c17:4b6d::1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by pigeon.gentoo.org (Postfix) with ESMTPS id B05532BC00B
for <gentoo-dev@lists.gentoo.org>; Wed, 8 Dec 2021 12:54:45 +0000 (UTC)
Received:
by cloudsdale.the-delta.net.eu.org (OpenSMTPD) with ESMTP id a1498104
for <gentoo-dev@lists.gentoo.org>;
Wed, 8 Dec 2021 12:54:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=hacktivis.me; h=date
:from:to:message-id:references:mime-version:content-type
:in-reply-to; s=20190711_142157; bh=SzQ9+4EaY6NyTIlLLcttznsgtmyv
HxKSsKW32RFwUcw=; b=fVHZXBs9fDzvNAVoFXRsWPHVwDV2ka2vFqEwbMZcxaT8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=hacktivis.me; h=date:from:to
:message-id:references:mime-version:content-type:in-reply-to; q=
dns; s=20190711_142157; b=n+8uI+3+sAt8Jefj0xrMUh52aObl36KcDqrqvC
Received: from localhost (cloudsdale.the-delta.net.eu.org [local])
by cloudsdale.the-delta.net.eu.org (OpenSMTPD) with ESMTPA id bcdc40a5
for <gentoo-dev@lists.gentoo.org>;
Wed, 8 Dec 2021 12:54:41 +0000 (UTC)
Date: Wed, 8 Dec 2021 13:54:41 +0100
From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify
support
Message-ID: <YbCrEbA8UL761X3F@cloudsdale.the-delta.net.eu.org>
References: <20211208025403.13319-1-cyber+gentoo@sysrq.in>
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20211208025403.13319-1-cyber+gentoo@sysrq.in>
X-Archives-Salt: 60ba39b6-2234-45f1-b463-44360a9fad6d
X-Archives-Hash: 227bc43bc986d645f0ff6ce0abf2d9c8
Nice patch, got a few things that I think should be changed though:
[2021-12-08 07:54:04+0500] Anna Vyalkova:
>+case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ BDEPEND="
>+ verify-sig? (
>+ app-crypt/gnupg
>+ >=app-portage/gemato-16
>+ )"
>+ ;;
>+ signify)
>+ BDEPEND="verify-sig? ( app-crypt/signify )"
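Review bot: the `case ${VERIFY_SIG_IMPL}` that sets BDEPEND shows only `gnupg)` and `signify)` arms in the quoted lines; if the full statement has no `*)` arm, an ebuild that sets VERIFY_SIG_IMPL to any other value inherits silently with an empty BDEPEND and only fails later, inside the verify functions, with a much less obvious error. Suggest a default arm such as `*) die "${ECLASS}: unsupported VERIFY_SIG_IMPL=${VERIFY_SIG_IMPL}" ;;` so the mistake is caught at inherit time, and listing the accepted values (and the default, if one is assumed) next to the variable's documentation.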
Might be worth it to depend on app-crypt/minisign instead or depend on any.
minisign is already stabilized and I slightly prefer its implementation over
the ported signify as there is no vendoring.
That said minisign could be considered bloated compared to signify.
> verify-sig_verify_detached() {
> local file=${1}
> local sig=${2}
> local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
>
> [[ -n ${key} ]] ||
> die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
>
> local extra_args=()
> [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
>- [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
>- --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>- )
>+ if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
>+ [[ ${VERIFY_SIG_IMPL} == gnupg ]] ||
>+ die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
>+
>+ extra_args+=(
>+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>+ )
>+ fi
>
> # GPG upstream knows better than to follow the spec, so we can't
> # override this directory. However, there is a clean fallback
> # to GNUPGHOME.
> addpredict /run/user
>
> local filename=${file##*/}
> [[ ${file} == - ]] && filename='(stdin)'
> einfo "Verifying $(unknown) ..."
>- gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>- gpg --verify "${sig}" "${file}" ||
>- die "PGP signature verification failed"
>+ case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>+ gpg --verify "${sig}" "${file}" ||
>+ die "PGP signature verification failed"
>+ ;;
>+ signify)
>+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
>+ die "PGP signature verification failed"
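Review bot: in verify-sig_verify_detached the GnuPG-only setup still runs for every implementation: `[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )` populates `extra_args`, which only the `gnupg)` arm consumes, so VERIFY_SIG_OPENPGP_KEY_REFRESH=yes becomes a silent no-op under signify, and `addpredict /run/user` is a workaround for gpg's runtime directory that signify does not need. Suggest moving the `extra_args` construction and the `addpredict` into the `gnupg)` arm (or into one shared gpg-setup helper; the exact name is up to you), and dying on VERIFY_SIG_OPENPGP_KEY_REFRESH=yes under signify the same way the hunk already dies on VERIFY_SIG_OPENPGP_KEYSERVER, so that settings the implementation cannot honour fail loudly instead of being ignored.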
Should be something like "Signify signature verification failed".
>+ ;;
>+ esac
> }
>
> # @FUNCTION: verify-sig_verify_message
> # @USAGE: <file> <output-file> [<key-file>]
> # @DESCRIPTION:
> # Verify that the file ('-' for stdin) contains a valid, signed PGP
> # message and write the message into <output-file> ('-' for stdout).
> # <key-file> can either be passed directly, or it defaults
> # to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
> # fails. Note that using output from <output-file> is important as it
> # prevents the injection of unsigned data.
> verify-sig_verify_message() {
> local file=${1}
> local output_file=${2}
> local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
>
> [[ -n ${key} ]] ||
> die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
>
> local extra_args=()
> [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
>- [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
>- --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>- )
>+ if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
>+ [[ ${VERIFY_SIG_IMPL} == gnupg ]] ||
>+ die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
>+
>+ extra_args+=(
>+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>+ )
>+ fi
>
> # GPG upstream knows better than to follow the spec, so we can't
> # override this directory. However, there is a clean fallback
> # to GNUPGHOME.
> addpredict /run/user
>
> local filename=${file##*/}
> [[ ${file} == - ]] && filename='(stdin)'
> einfo "Verifying $(unknown) ..."
>- gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>- gpg --verify --output="${output_file}" "${file}" ||
>- die "PGP signature verification failed"
>+ case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>+ gpg --verify --output="${output_file}" "${file}" ||
>+ die "PGP signature verification failed"
>+ ;;
>+ signify)
>+ signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
>+ die "PGP signature verification failed"
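Review bot: the @DESCRIPTION above still says the function verifies a "valid, signed PGP message" and the key still defaults to VERIFY_SIG_OPENPGP_KEY_PATH, yet the `signify)` arm now reads a signify public key from that same variable and uses `signify -V -e` on an embedded signature; the documentation for both verify-sig_verify_detached and verify-sig_verify_message should state that the key file and signature format are determined by VERIFY_SIG_IMPL. The implementation dispatch, the VERIFY_SIG_OPENPGP_KEYSERVER check, `extra_args` and `addpredict /run/user` are also now duplicated verbatim between the two functions; factoring that preamble into one helper would keep the two code paths from drifting apart.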
Should be something like "Signify signature verification failed".
>+# @FUNCTION: verify-sig_verify_signed_checksums
>+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
>+# @DESCRIPTION:
>+# Verify the checksums for all files listed in the space-separated list
>+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
>+# specified the checksum algorithm (e.g. sha256). <key-file> can either
>+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
>+#
>+# The function dies if PGP verification fails, the checksum file
>+# contains unsigned data, one of the files do not match checksums
>+# or are missing from the checksum file.
>+verify-sig_verify_signed_checksums() {
>+ local checksum_file=${1}
>+ local algo=${2}
>+ local files=()
>+ read -r -d '' -a files <<<"${3}"
>+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
>+
>+ [[ -n ${key} ]] ||
>+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
>+
>+ case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ _gpg_verify_signed_checksums \
>+ "${checksum_file}" "${algo}" "${files[@]}" "${key}"
>+ ;;
>+ signify)
>+ signify -C -p "${key}" \
>+ -x "${checksum_file}" "${files[@]}" ||
>+ die "PGP signature verification failed"
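Review bot: in verify-sig_verify_signed_checksums the `signify)` arm ignores `${algo}` entirely: `signify -C -p "${key}" -x "${checksum_file}" "${files[@]}"` verifies a signed checksum list in whatever format signify -C itself expects, so a caller passing an <algo> that signify does not handle gets a generic verification failure rather than a clear error, and the @DESCRIPTION ("<algo> specified the checksum algorithm", which should read "specifies") does not mention that the argument only matters for gnupg. Suggest either validating `${algo}` against what signify -C supports before invoking it and dying otherwise, or documenting that under signify the checksum file must already be in signify's list format and <algo> is ignored.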
Should be something like "Signify signature verification failed".