From dfc93578bcd05edec40becae2f15cb15ce146560 Mon Sep 17 00:00:00 2001 From: Benjamin Gilbert Date: Mon, 24 Apr 2017 18:07:38 -0700 Subject: [PATCH 1/3] sys-kernel/coreos-sources: Allow revbump.sh srcdir to be relative path --- .../coreos-overlay/sys-kernel/coreos-sources/revbump.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh index 15c8330ffe..7375338e97 100755 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh @@ -5,7 +5,7 @@ set -e new_pvr="$1" -srcdir="$2" +srcdir="$(realpath $2)" if [[ -z "${new_pvr}" || -z "${srcdir}" ]]; then echo "Usage: $0 " From be80585e226ecdab750e88bbdcce1409a62b4896 Mon Sep 17 00:00:00 2001 From: Benjamin Gilbert Date: Mon, 24 Apr 2017 18:08:53 -0700 Subject: [PATCH 2/3] sys-kernel/coreos-sources: Add kernel signing keys to revbump.sh Linus Torvalds for releases and Greg KH for stable patches. --- .../sys-kernel/coreos-sources/revbump.sh | 2626 +++++++++++++++++ 1 file changed, 2626 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh index 7375338e97..f883e96a1a 100755 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh 
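Review bot: The new `srcdir="$(realpath $2)"` leaves `$2` unquoted, so a path containing spaces or glob characters is split or expanded before `realpath` sees it, and when the second argument is omitted `realpath` runs with no operand and fails, which under the `set -e` shown as hunk context aborts the script before the usage check on the very next line can print its message. Keep `srcdir="$2"` at this point and resolve the path after the emptiness check, e.g. `srcdir="$(realpath -- "$srcdir")"` placed after the `fi`, or at minimum write `srcdir="$(realpath -- "$2")"`. The same line recurs as context in the first hunk of the third patch. The tail of this hunk (the remaining usage lines) is not visible in this rendering, so the exact placement after the `if` block is inferred.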
@@ -4,6 +4,2632 @@ set -e +print_keys() { + # Signing keys for Linux kernel releases. + cat < Date: Mon, 24 Apr 2017 18:15:48 -0700 Subject: [PATCH 3/3] sys-kernel/coreos-sources: Have revbump.sh check sigs and update manifest We now need /usr/bin/ebuild (as well as several others), so it's less practical to run revbump.sh outside the SDK chroot. --- .../sys-kernel/coreos-sources/revbump.sh | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh index f883e96a1a..1eec12f5a6 100755 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh @@ -2635,7 +2635,7 @@ srcdir="$(realpath $2)" if [[ -z "${new_pvr}" || -z "${srcdir}" ]]; then echo "Usage: $0 " - echo "Example: $0 4.9.9-r2 ~/coreos/linux" + echo "Example: $0 4.9.9-r2 ~/linux" exit 2 fi @@ -2658,6 +2658,12 @@ if [[ ! -f $(echo "${srcdir}"/0001*.patch) ]]; then echo "${srcdir} contains no patch files." exit 1 fi +for prog in ebuild gpg2 sha256sum wget xz; do + if ! type -P $prog >/dev/null; then + echo "Couldn't find $prog program." + exit 1 + fi +done old_kernrelease=$(echo "${old_ebuild}" | cut -f3 -d- | cut -f1-2 -d.) new_kernrelease=$(echo "${new_pvr}" | cut -f1 -d- | cut -f1-2 -d.) 
@@ -2677,3 +2683,21 @@ popd >/dev/null echo '"' >> "${new_ebuild}" rm "${old_ebuild}" + +ebuild "${new_ebuild}" manifest +# Download the files ourselves, check signatures, and verify that the hashes +# match the manifest +gpghome=$(mktemp -d gnupghome-XXXXXX) +export GNUPGHOME="${gpghome}" +trap "rm -r $gpghome" EXIT +print_keys | gpg2 -q --import +# Assumes SHA-256 hash is in a fixed field +awk '{print $2, $5}' Manifest | while read filename sha256; do + echo "Checking $(unknown)..." + signame="${filename%.xz}.sign" + wget -q "https://cdn.kernel.org/pub/linux/kernel/v4.x/$filename" + wget -q "https://cdn.kernel.org/pub/linux/kernel/v4.x/$signame" + sha256sum --quiet --strict -c - <<<"$sha256 $filename" + xz -dc "$filename" | gpg2 --verify --trust-model always "$signame" - + rm "$filename" "$signame" +done
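Review bot: `wget -q` without `-O` saves to `$filename.1` when a file of that name already exists in the working directory, so after a run that aborted mid-loop (the EXIT trap removes only the GnuPG home, never the downloads) the next run hashes, signature-checks and deletes the stale copy while the fresh download is left behind unchecked; passing `-O "$filename"` and `-O "$signame"` makes every check operate on what was just fetched. `trap "rm -r $gpghome" EXIT` expands the directory name unquoted at definition time; `trap 'rm -rf -- "$gpghome"' EXIT` is the conventional form, and `read -r` avoids backslash interpretation on Manifest names. `echo "Checking $(unknown)..."` reads like an extraction artifact of this rendering; if it is literal it would run a command named `unknown` on every iteration, so confirm against the actual commit. The SHA-256 field-position assumption acknowledged in the comment fails closed as written, because `sha256sum -c --strict` rejects a digest of the wrong length, so any later rewrite that filters Manifest lines in awk should reject unexpected lines rather than skip them silently.
```shell
trap 'rm -rf -- "$gpghome"' EXIT
# … unchanged: key import …
awk '{print $2, $5}' Manifest | while read -r filename sha256; do
  # … unchanged: progress message, signame …
  # -O: a file left behind by an aborted run would otherwise make wget
  # save to "$filename.1" and the stale copy would be the one checked.
  wget -q -O "$filename" "https://cdn.kernel.org/pub/linux/kernel/v4.x/$filename"
  wget -q -O "$signame" "https://cdn.kernel.org/pub/linux/kernel/v4.x/$signame"
  # … unchanged: sha256sum, gpg2 --verify, rm …
done
```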