eclass/verify-sig: Sync with Gentoo
It's from Gentoo commit 9e9067d309e8b9f8a73b2312d409883f348b0ea5.
This commit is contained in:
parent
0a13033827
commit
8072521322
@ -55,17 +55,22 @@ IUSE="verify-sig"
|
|||||||
# @DESCRIPTION:
|
# @DESCRIPTION:
|
||||||
# Signature verification method to use. The allowed value are:
|
# Signature verification method to use. The allowed value are:
|
||||||
#
|
#
|
||||||
# - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
|
# - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
|
||||||
# - signify -- verify signatures with Ed25519 public key using app-crypt/signify
|
# - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
|
||||||
|
# - signify -- verify signatures with Ed25519 public key using app-crypt/signify
|
||||||
: "${VERIFY_SIG_METHOD:=openpgp}"
|
: "${VERIFY_SIG_METHOD:=openpgp}"
|
||||||
|
|
||||||
case ${VERIFY_SIG_METHOD} in
|
case ${VERIFY_SIG_METHOD} in
|
||||||
|
minisig)
|
||||||
|
BDEPEND="verify-sig? ( app-crypt/minisign )"
|
||||||
|
;;
|
||||||
openpgp)
|
openpgp)
|
||||||
BDEPEND="
|
BDEPEND="
|
||||||
verify-sig? (
|
verify-sig? (
|
||||||
app-crypt/gnupg
|
app-crypt/gnupg
|
||||||
>=app-portage/gemato-16
|
>=app-portage/gemato-16
|
||||||
)"
|
)
|
||||||
|
"
|
||||||
;;
|
;;
|
||||||
signify)
|
signify)
|
||||||
BDEPEND="verify-sig? ( app-crypt/signify )"
|
BDEPEND="verify-sig? ( app-crypt/signify )"
|
||||||
@ -139,6 +144,10 @@ verify-sig_verify_detached() {
|
|||||||
[[ ${file} == - ]] && filename='(stdin)'
|
[[ ${file} == - ]] && filename='(stdin)'
|
||||||
einfo "Verifying $(unknown) ..."
|
einfo "Verifying $(unknown) ..."
|
||||||
case ${VERIFY_SIG_METHOD} in
|
case ${VERIFY_SIG_METHOD} in
|
||||||
|
minisig)
|
||||||
|
minisign -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
|
||||||
|
die "minisig signature verification failed"
|
||||||
|
;;
|
||||||
openpgp)
|
openpgp)
|
||||||
# gpg can't handle very long TMPDIR
|
# gpg can't handle very long TMPDIR
|
||||||
# https://bugs.gentoo.org/854492
|
# https://bugs.gentoo.org/854492
|
||||||
@ -198,6 +207,10 @@ verify-sig_verify_message() {
|
|||||||
[[ ${file} == - ]] && filename='(stdin)'
|
[[ ${file} == - ]] && filename='(stdin)'
|
||||||
einfo "Verifying $(unknown) ..."
|
einfo "Verifying $(unknown) ..."
|
||||||
case ${VERIFY_SIG_METHOD} in
|
case ${VERIFY_SIG_METHOD} in
|
||||||
|
minisig)
|
||||||
|
minisign -V -P "$(<"${key}")" -x "${sig}" -o "${output_file}" -m "${file}" ||
|
||||||
|
die "minisig signature verification failed"
|
||||||
|
;;
|
||||||
openpgp)
|
openpgp)
|
||||||
# gpg can't handle very long TMPDIR
|
# gpg can't handle very long TMPDIR
|
||||||
# https://bugs.gentoo.org/854492
|
# https://bugs.gentoo.org/854492
|
||||||
@ -214,12 +227,15 @@ verify-sig_verify_message() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# @FUNCTION: verify-sig_verify_unsigned_checksums
|
# @FUNCTION: verify-sig_verify_unsigned_checksums
|
||||||
# @USAGE: <checksum-file> <algo> <files>
|
# @USAGE: <checksum-file> <format> <files>
|
||||||
# @DESCRIPTION:
|
# @DESCRIPTION:
|
||||||
# Verify the checksums for all files listed in the space-separated list
|
# Verify the checksums for all files listed in the space-separated list
|
||||||
# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
|
# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
|
||||||
# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
|
# the checksum file format. <checksum-file> can be "-" for stdin.
|
||||||
# for stdin.
|
#
|
||||||
|
# The following formats are supported:
|
||||||
|
# - sha256 -- sha256sum (<hash> <filename>)
|
||||||
|
# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)
|
||||||
#
|
#
|
||||||
# The function dies if one of the files does not match checksums or
|
# The function dies if one of the files does not match checksums or
|
||||||
# is missing from the checksum file.
|
# is missing from the checksum file.
|
||||||
@ -231,36 +247,52 @@ verify-sig_verify_message() {
|
|||||||
# verify-sig_verify_signed_checksums instead.
|
# verify-sig_verify_signed_checksums instead.
|
||||||
verify-sig_verify_unsigned_checksums() {
|
verify-sig_verify_unsigned_checksums() {
|
||||||
local checksum_file=${1}
|
local checksum_file=${1}
|
||||||
local algo=${2}
|
local format=${2}
|
||||||
local files=()
|
local files=()
|
||||||
read -r -d '' -a files <<<"${3}"
|
read -r -d '' -a files <<<"${3}"
|
||||||
local chksum_prog chksum_len
|
local chksum_prog chksum_len algo=${format}
|
||||||
|
|
||||||
case ${algo} in
|
case ${format} in
|
||||||
sha256)
|
sha256)
|
||||||
chksum_prog=sha256sum
|
|
||||||
chksum_len=64
|
chksum_len=64
|
||||||
;;
|
;;
|
||||||
|
openssl-dgst)
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
die "${FUNCNAME}: unknown checksum algo ${algo}"
|
die "${FUNCNAME}: unknown checksum format ${format}"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
|
[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
|
||||||
local checksum filename junk ret=0 count=0
|
local line checksum filename junk ret=0 count=0
|
||||||
while read -r checksum filename junk; do
|
local -A verified
|
||||||
if [[ ${checksum} == "-----BEGIN" ]]; then
|
while read -r line; do
|
||||||
|
if [[ ${line} == "-----BEGIN"* ]]; then
|
||||||
die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
|
die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[[ ${#checksum} -eq ${chksum_len} ]] || continue
|
case ${format} in
|
||||||
[[ -z ${checksum//[0-9a-f]} ]] || continue
|
sha256)
|
||||||
has "$(unknown)" "${files[@]}" || continue
|
read -r checksum filename junk <<<"${line}"
|
||||||
[[ -z ${junk} ]] || continue
|
[[ ${#checksum} -ne ${chksum_len} ]] && continue
|
||||||
|
[[ -n ${checksum//[0-9a-f]} ]] && continue
|
||||||
|
[[ -n ${junk} ]] && continue
|
||||||
|
;;
|
||||||
|
openssl-dgst)
|
||||||
|
[[ ${line} != *"("*")="* ]] && continue
|
||||||
|
checksum=${line##*)=}
|
||||||
|
algo=${line%%(*}
|
||||||
|
filename=${line#*(}
|
||||||
|
filename=${filename%)=*}
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
"${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
|
if ! has "$(unknown)" "${files[@]}"; then
|
||||||
if [[ ${?} -eq 0 ]]; then
|
continue
|
||||||
(( count++ ))
|
fi
|
||||||
|
|
||||||
|
if "${algo,,}sum" -c --strict - <<<"${checksum} $(unknown)"; then
|
||||||
|
verified["$(unknown)"]=1
|
||||||
else
|
else
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
@ -268,7 +300,7 @@ verify-sig_verify_unsigned_checksums() {
|
|||||||
|
|
||||||
[[ ${ret} -eq 0 ]] ||
|
[[ ${ret} -eq 0 ]] ||
|
||||||
die "${FUNCNAME}: at least one file did not verify successfully"
|
die "${FUNCNAME}: at least one file did not verify successfully"
|
||||||
[[ ${count} -eq ${#files[@]} ]] ||
|
[[ ${#verified[@]} -eq ${#files[@]} ]] ||
|
||||||
die "${FUNCNAME}: checksums for some of the specified files were missing"
|
die "${FUNCNAME}: checksums for some of the specified files were missing"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -337,7 +369,7 @@ verify-sig_src_unpack() {
|
|||||||
# find all distfiles and signatures, and combine them
|
# find all distfiles and signatures, and combine them
|
||||||
for f in ${A}; do
|
for f in ${A}; do
|
||||||
found=
|
found=
|
||||||
for suffix in .asc .sig; do
|
for suffix in .asc .sig .minisig; do
|
||||||
if [[ ${f} == *${suffix} ]]; then
|
if [[ ${f} == *${suffix} ]]; then
|
||||||
signatures+=( "${f}" )
|
signatures+=( "${f}" )
|
||||||
found=sig
|
found=sig
|
||||||
|
|||||||
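Review bot: In the new `openssl-dgst` branch of `verify-sig_verify_unsigned_checksums`, `algo=${line%%(*}` is taken straight from the checksum file and then selects the program run in `"${algo,,}sum" -c --strict`, so the file's contents decide which digest tool is executed and whether a weak digest (md5, sha1) is accepted, whereas the `sha256` branch is pinned to `sha256sum`. An allowlist right after the assignment keeps that explicit, e.g. `[[ ${algo,,} =~ ^(sha256|sha512)$ ]] || continue` (or `die`, if an unknown digest name should be an error rather than a skipped line). The length and hex checks applied to `${checksum}` in the `sha256` branch are also absent here; the later `-c --strict` run does reject malformed lines, but a `[[ ${checksum} =~ ^[0-9a-f]+$ ]] || continue` guard would make the parse step self-contained. `chksum_prog` and `count=0` are still declared in the `local` lines but are no longer assigned or read after this change. The loop's `done` and the function's closing lines are in the following hunk.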