[gentoo-dev] [PATCH 0/3] verify-sig.eclass: `openssl dgst` format support

[gentoo-dev] [PATCH 0/3] verify-sig.eclass: `openssl dgst` format support

[Michał Górny]

Hi,

Here's a small patch series that adds support for `opendst dgst` format
to verify-sig.eclass.  This format uses roughly the following syntax:

  HASH-NAME(FILENAME)=CHECKSUM

Since the function has gotten complex, I'm also adding tests for it,
and fixing support for "duplicate" hashes.  The latter primarily means
`openssl dgst` files with multiple hashes but also could mean shaXsum
files with actual duplicate entries.

This is going to be used for wireshark:
https://github.com/gentoo/gentoo/pull/32575

-- 
Best regards,
Michał Górny


Michał Górny (3):
  eclass/tests: Add initial tests for verify-sig
  verify-sig.eclass: Support `openssl dgst` format checksums
  verify-sig.eclass: Fix handling multiple/duplicate signatures

 eclass/tests/verify-sig.sh | 94 ++++++++++++++++++++++++++++++++++++++
 eclass/verify-sig.eclass   | 56 +++++++++++++++--------
 2 files changed, 131 insertions(+), 19 deletions(-)
 create mode 100755 eclass/tests/verify-sig.sh

-- 
2.42.0

[gentoo-dev] [PATCH 1/3] eclass/tests: Add initial tests for verify-sig

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/tests/verify-sig.sh | 65 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100755 eclass/tests/verify-sig.sh

diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
new file mode 100755
index 000000000000..fcd2ee7480a2
--- /dev/null
+++ b/eclass/tests/verify-sig.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Copyright 2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+source tests-common.sh || exit
+
+inherit verify-sig
+
+TMP=$(mktemp -d)
+trap 'rm -rf "${TMP}"' EXIT
+cd "${TMP}" || die
+> empty || die
+> fail || die
+echo "The quick brown fox jumps over the lazy dog." > text || die
+
+testit() {
+	local expect=${1}
+	shift
+
+	tbegin "${*@Q}"
+	( "${@}" )
+	[[ ${?} -eq ${expect} ]]
+	tend "${?}"
+}
+
+test_verify_unsigned_checksums() {
+	local format=${1}
+
+	testit 0 verify-sig_verify_unsigned_checksums checksums.txt "${format}" empty
+	testit 0 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty text"
+	testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" other
+	testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty other"
+	testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" fail
+	testit 1 verify-sig_verify_unsigned_checksums checksums.txt "${format}" "empty fail"
+}
+
+einfo "Testing coreutils format."
+eindent
+
+cat > checksums.txt <<-EOF || die
+	# some junk to test junk protection
+	b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 empty junk line
+	b47cc0f104b62d4c7c30bcd68gd8e67613e287dc4ad8c310ef10cbadea9c4380 empty
+
+	# sha1sums
+	da39a3ee5e6b4b0d3255bfef95601890afd80709 empty
+	9c04cd6372077e9b11f70ca111c9807dc7137e4b	text
+	9c04cd6372077e9b11f70ca111c9807dc7137e4b fail
+
+	# sha256sums
+	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty
+	b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380	text
+	b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 fail
+
+	# sha512sums
+	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e empty
+	020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec	text
+	020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec fail
+EOF
+
+test_verify_unsigned_checksums sha256
+eoutdent
+
+texit
-- 
2.42.0

[gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` format checksums

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/tests/verify-sig.sh | 18 ++++++++++++++
 eclass/verify-sig.eclass   | 51 +++++++++++++++++++++++++-------------
 2 files changed, 52 insertions(+), 17 deletions(-)

diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
index fcd2ee7480a2..fb7f2cdb2a5d 100755
--- a/eclass/tests/verify-sig.sh
+++ b/eclass/tests/verify-sig.sh
@@ -62,4 +62,22 @@ EOF
 test_verify_unsigned_checksums sha256
 eoutdent
 
+einfo "Testing openssl-dgst format."
+eindent
+
+> "annoying ( filename )= yes ).txt" || die
+
+cat > checksums.txt <<-EOF || die
+	junk text that ought to be ignored
+
+	SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+	SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+	SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+
+	SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+EOF
+
+test_verify_unsigned_checksums openssl-dgst
+eoutdent
+
 texit
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d99dc3461858..ee80167c7924 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -214,12 +214,15 @@ verify-sig_verify_message() {
 }
 
 # @FUNCTION: verify-sig_verify_unsigned_checksums
-# @USAGE: <checksum-file> <algo> <files>
+# @USAGE: <checksum-file> <format> <files>
 # @DESCRIPTION:
 # Verify the checksums for all files listed in the space-separated list
-# <files> (akin to ${A}) using a <checksum-file>.  <algo> specifies
-# the checksum algorithm (e.g. sha256).  <checksum-file> can be "-"
-# for stdin.
+# <files> (akin to ${A}) using a <checksum-file>.  <format> specifies
+# the checksum file format.  <checksum-file> can be "-" for stdin.
+#
+# The following formats are supported:
+# - sha256 -- sha256sum (<hash> <filename>)
+# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)
 #
 # The function dies if one of the files does not match checksums or
 # is missing from the checksum file.
@@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
 	local algo=${2}
 	local files=()
 	read -r -d '' -a files <<<"${3}"
-	local chksum_prog chksum_len
+	local chksum_prog chksum_len format=coreutils
 
 	case ${algo} in
 		sha256)
-			chksum_prog=sha256sum
 			chksum_len=64
 			;;
+		openssl-dgst)
+			format=${algo}
+			;;
 		*)
-			die "${FUNCNAME}: unknown checksum algo ${algo}"
+			die "${FUNCNAME}: unknown checksum format ${algo}"
 			;;
 	esac
 
 	[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
-	local checksum filename junk ret=0 count=0
-	while read -r checksum filename junk; do
-		if [[ ${checksum} == "-----BEGIN" ]]; then
+	local line checksum filename junk ret=0 count=0
+	while read -r line; do
+		if [[ ${line} == "-----BEGIN"* ]]; then
 			die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
 		fi
 
-		[[ ${#checksum} -eq ${chksum_len} ]] || continue
-		[[ -z ${checksum//[0-9a-f]} ]] || continue
-		has "${filename}" "${files[@]}" || continue
-		[[ -z ${junk} ]] || continue
-
-		"${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
-		if [[ ${?} -eq 0 ]]; then
+		case ${format} in
+			coreutils)
+				read -r checksum filename junk <<<"${line}"
+				[[ ${#checksum} -ne ${chksum_len} ]] && continue
+				[[ -n ${checksum//[0-9a-f]} ]] && continue
+				[[ -n ${junk} ]] && continue
+				;;
+			openssl-dgst)
+				[[ ${line} != *"("*")="* ]] && continue
+				checksum=${line##*)=}
+				algo=${line%%(*}
+				filename=${line#*(}
+				filename=${filename%)=*}
+				;;
+		esac
+
+		! has "${filename}" "${files[@]}" && continue
+
+		if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
 			(( count++ ))
 		else
 			ret=1
-- 
2.42.0

[gentoo-dev] [PATCH 3/3] verify-sig.eclass: Fix handling multiple/duplicate signatures

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/tests/verify-sig.sh | 11 +++++++++++
 eclass/verify-sig.eclass   |  5 +++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
index fb7f2cdb2a5d..a87e2c7703d7 100755
--- a/eclass/tests/verify-sig.sh
+++ b/eclass/tests/verify-sig.sh
@@ -57,6 +57,9 @@ cat > checksums.txt <<-EOF || die
 	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e empty
 	020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec	text
 	020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec fail
+
+	# duplicate checksum
+	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty
 EOF
 
 test_verify_unsigned_checksums sha256
@@ -70,11 +73,19 @@ eindent
 cat > checksums.txt <<-EOF || die
 	junk text that ought to be ignored
 
+	SHA1(empty)=da39a3ee5e6b4b0d3255bfef95601890afd80709
+	SHA1(text)= 9c04cd6372077e9b11f70ca111c9807dc7137e4b
+	SHA1(fail)=9c04cd6372077e9b11f70ca111c9807dc7137e4b
+
 	SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 	SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
 	SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
 
 	SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+
+	SHA512(empty)=cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+	SHA512(text)= 020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec
+	SHA512(fail)=020da0f4d8a4c8bfbc98274027740061d7df52ee07091ed6595a083e0f45327bbe59424312d86f218b74ed2e25507abaf5c7a5fcf4cafcf9538b705808fd55ec
 EOF
 
 test_verify_unsigned_checksums openssl-dgst
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index ee80167c7924..722d3442b08f 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -253,6 +253,7 @@ verify-sig_verify_unsigned_checksums() {
 
 	[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
 	local line checksum filename junk ret=0 count=0
+	local -A verified
 	while read -r line; do
 		if [[ ${line} == "-----BEGIN"* ]]; then
 			die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
@@ -277,7 +278,7 @@ verify-sig_verify_unsigned_checksums() {
 		! has "${filename}" "${files[@]}" && continue
 
 		if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
-			(( count++ ))
+			verified["${filename}"]=1
 		else
 			ret=1
 		fi
@@ -285,7 +286,7 @@ verify-sig_verify_unsigned_checksums() {
 
 	[[ ${ret} -eq 0 ]] ||
 		die "${FUNCNAME}: at least one file did not verify successfully"
-	[[ ${count} -eq ${#files[@]} ]] ||
+	[[ ${#verified[@]} -eq ${#files[@]} ]] ||
 		die "${FUNCNAME}: checksums for some of the specified files were missing"
 }
 
-- 
2.42.0

Re: [gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` format checksums

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 3622 bytes --]

>>>>> On Mon, 04 Sep 2023, Michał Górny wrote:

> --- a/eclass/verify-sig.eclass
> +++ b/eclass/verify-sig.eclass
> @@ -214,12 +214,15 @@ verify-sig_verify_message() {
>  }
 
>  # @FUNCTION: verify-sig_verify_unsigned_checksums
> -# @USAGE: <checksum-file> <algo> <files>
> +# @USAGE: <checksum-file> <format> <files>

Below, verify-sig_verify_signed_checksums() still says "algo", change
that too for consistency?

>  # @DESCRIPTION:
>  # Verify the checksums for all files listed in the space-separated list
> -# <files> (akin to ${A}) using a <checksum-file>.  <algo> specifies
> -# the checksum algorithm (e.g. sha256).  <checksum-file> can be "-"
> -# for stdin.
> +# <files> (akin to ${A}) using a <checksum-file>.  <format> specifies
> +# the checksum file format.  <checksum-file> can be "-" for stdin.
> +#
> +# The following formats are supported:
> +# - sha256 -- sha256sum (<hash> <filename>)
> +# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

This won't be rendered as a list in the man page, but will be rewrapped
as a paragraph. (Putting a space before the "-" will help.)

The existing variable documentation of VERIFY_SIG_METHOD suffers from
the same problem, BTW.

>  #
>  # The function dies if one of the files does not match checksums or
>  # is missing from the checksum file.
> @@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
>  	local algo=${2}

Maybe rename the variable to "format", when the documentation now says
that the second parameter specifies the format?

>  	local files=()
>  	read -r -d '' -a files <<<"${3}"
> -	local chksum_prog chksum_len
> +	local chksum_prog chksum_len format=coreutils

And rename this one too. (I don't find it intuitive for a checksum
format to be named "coreutils", when coreutils provides cksum, md5sum,
b2sum, etc.)

> 
>  	case ${algo} in
>  		sha256)
> -			chksum_prog=sha256sum
>  			chksum_len=64
>  			;;
> +		openssl-dgst)
> +			format=${algo}
> +			;;
>  		*)
> -			die "${FUNCNAME}: unknown checksum algo ${algo}"
> +			die "${FUNCNAME}: unknown checksum format ${algo}"
>  			;;
>  	esac
> 
>  	[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
> -	local checksum filename junk ret=0 count=0
> -	while read -r checksum filename junk; do
> -		if [[ ${checksum} == "-----BEGIN" ]]; then
> +	local line checksum filename junk ret=0 count=0
> +	while read -r line; do
> +		if [[ ${line} == "-----BEGIN"* ]]; then
>  			die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
>  		fi
> 
> -		[[ ${#checksum} -eq ${chksum_len} ]] || continue
> -		[[ -z ${checksum//[0-9a-f]} ]] || continue
> -		has "${filename}" "${files[@]}" || continue
> -		[[ -z ${junk} ]] || continue
> -
> -		"${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
> -		if [[ ${?} -eq 0 ]]; then
> +		case ${format} in
> +			coreutils)
> +				read -r checksum filename junk <<<"${line}"
> +				[[ ${#checksum} -ne ${chksum_len} ]] && continue
> +				[[ -n ${checksum//[0-9a-f]} ]] && continue
> +				[[ -n ${junk} ]] && continue
> +				;;
> +			openssl-dgst)
> +				[[ ${line} != *"("*")="* ]] && continue
> +				checksum=${line##*)=}
> +				algo=${line%%(*}
> +				filename=${line#*(}
> +				filename=${filename%)=*}
> +				;;
> +		esac
> +
> +		! has "${filename}" "${files[@]}" && continue

This might be clearer if it was written as:

		has "${filename}" "${files[@]}" || continue

> +
> +		if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
>  			(( count++ ))
>  		else
>  			ret=1

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

Re: [gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` format checksums

[Michał Górny]

On Mon, 2023-09-04 at 08:42 +0200, Ulrich Mueller wrote:
> > > > > > On Mon, 04 Sep 2023, Michał Górny wrote:
> 
> > --- a/eclass/verify-sig.eclass
> > +++ b/eclass/verify-sig.eclass
> > @@ -214,12 +214,15 @@ verify-sig_verify_message() {
> >  }
>  
> 
> 
> 
> >  # @FUNCTION: verify-sig_verify_unsigned_checksums
> > -# @USAGE: <checksum-file> <algo> <files>
> > +# @USAGE: <checksum-file> <format> <files>
> 
> Below, verify-sig_verify_signed_checksums() still says "algo", change
> that too for consistency?

If I must.

> 
> >  # @DESCRIPTION:
> >  # Verify the checksums for all files listed in the space-separated list
> > -# <files> (akin to ${A}) using a <checksum-file>.  <algo> specifies
> > -# the checksum algorithm (e.g. sha256).  <checksum-file> can be "-"
> > -# for stdin.
> > +# <files> (akin to ${A}) using a <checksum-file>.  <format> specifies
> > +# the checksum file format.  <checksum-file> can be "-" for stdin.
> > +#
> > +# The following formats are supported:
> > +# - sha256 -- sha256sum (<hash> <filename>)
> > +# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)
> 
> This won't be rendered as a list in the man page, but will be rewrapped
> as a paragraph. (Putting a space before the "-" will help.)
> 
> The existing variable documentation of VERIFY_SIG_METHOD suffers from
> the same problem, BTW.

Hmm, I can't get it to work with the space either.  Whatever I do,
eclass-to-manpage.awk seems to copy it verbatim.

> 
> >  #
> >  # The function dies if one of the files does not match checksums or
> >  # is missing from the checksum file.
> > @@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
> >  	local algo=${2}
> 
> Maybe rename the variable to "format", when the documentation now says
> that the second parameter specifies the format?
> 
> >  	local files=()
> >  	read -r -d '' -a files <<<"${3}"
> > -	local chksum_prog chksum_len
> > +	local chksum_prog chksum_len format=coreutils
> 
> And rename this one too. (I don't find it intuitive for a checksum
> format to be named "coreutils", when coreutils provides cksum, md5sum,
> b2sum, etc.)
> 
> > 
> >  	case ${algo} in
> >  		sha256)
> > -			chksum_prog=sha256sum
> >  			chksum_len=64
> >  			;;
> > +		openssl-dgst)
> > +			format=${algo}
> > +			;;
> >  		*)
> > -			die "${FUNCNAME}: unknown checksum algo ${algo}"
> > +			die "${FUNCNAME}: unknown checksum format ${algo}"
> >  			;;
> >  	esac
> > 
> >  	[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
> > -	local checksum filename junk ret=0 count=0
> > -	while read -r checksum filename junk; do
> > -		if [[ ${checksum} == "-----BEGIN" ]]; then
> > +	local line checksum filename junk ret=0 count=0
> > +	while read -r line; do
> > +		if [[ ${line} == "-----BEGIN"* ]]; then
> >  			die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
> >  		fi
> > 
> > -		[[ ${#checksum} -eq ${chksum_len} ]] || continue
> > -		[[ -z ${checksum//[0-9a-f]} ]] || continue
> > -		has "${filename}" "${files[@]}" || continue
> > -		[[ -z ${junk} ]] || continue
> > -
> > -		"${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
> > -		if [[ ${?} -eq 0 ]]; then
> > +		case ${format} in
> > +			coreutils)
> > +				read -r checksum filename junk <<<"${line}"
> > +				[[ ${#checksum} -ne ${chksum_len} ]] && continue
> > +				[[ -n ${checksum//[0-9a-f]} ]] && continue
> > +				[[ -n ${junk} ]] && continue
> > +				;;
> > +			openssl-dgst)
> > +				[[ ${line} != *"("*")="* ]] && continue
> > +				checksum=${line##*)=}
> > +				algo=${line%%(*}
> > +				filename=${line#*(}
> > +				filename=${filename%)=*}
> > +				;;
> > +		esac
> > +
> > +		! has "${filename}" "${files[@]}" && continue
> 
> This might be clearer if it was written as:
> 
> 		has "${filename}" "${files[@]}" || continue

Negative logic is never clearer.

> 
> > +
> > +		if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
> >  			(( count++ ))
> >  		else
> >  			ret=1

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` format checksums

[Michał Górny]

On Fri, 2023-09-08 at 12:03 +0200, Michał Górny wrote:
> On Mon, 2023-09-04 at 08:42 +0200, Ulrich Mueller wrote:
> > > > > > > On Mon, 04 Sep 2023, Michał Górny wrote:
> > 
> > > --- a/eclass/verify-sig.eclass
> > > +++ b/eclass/verify-sig.eclass
> > > @@ -214,12 +214,15 @@ verify-sig_verify_message() {
> > >  }
> >  
> > 
> > 
> > 
> > >  # @FUNCTION: verify-sig_verify_unsigned_checksums
> > > -# @USAGE: <checksum-file> <algo> <files>
> > > +# @USAGE: <checksum-file> <format> <files>
> > 
> > Below, verify-sig_verify_signed_checksums() still says "algo", change
> > that too for consistency?
> 
> If I must.
> 
> > 
> > >  # @DESCRIPTION:
> > >  # Verify the checksums for all files listed in the space-separated list
> > > -# <files> (akin to ${A}) using a <checksum-file>.  <algo> specifies
> > > -# the checksum algorithm (e.g. sha256).  <checksum-file> can be "-"
> > > -# for stdin.
> > > +# <files> (akin to ${A}) using a <checksum-file>.  <format> specifies
> > > +# the checksum file format.  <checksum-file> can be "-" for stdin.
> > > +#
> > > +# The following formats are supported:
> > > +# - sha256 -- sha256sum (<hash> <filename>)
> > > +# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)
> > 
> > This won't be rendered as a list in the man page, but will be rewrapped
> > as a paragraph. (Putting a space before the "-" will help.)
> > 
> > The existing variable documentation of VERIFY_SIG_METHOD suffers from
> > the same problem, BTW.
> 
> Hmm, I can't get it to work with the space either.  Whatever I do,
> eclass-to-manpage.awk seems to copy it verbatim.
> 

Nevermind, now I see that it's meaningful to groff.  For some reason, I
thought eclass-to-manpage will use some magical sequences.

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` format checksums

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 340 bytes --]

>>>>> On Fri, 08 Sep 2023, Michał Górny wrote:

>> > +		! has "${filename}" "${files[@]}" && continue
>> 
>> This might be clearer if it was written as:
>> 
>> has "${filename}" "${files[@]}" || continue

> Negative logic is never clearer.

Exactly. That's why we generally do "command || die" rather than
"! command && die".

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]