eclass/verify-sig: Sync with Gentoo

It's from Gentoo commit 115181ac99d8d65fba3d4cb33270e02f609b8fc4.
Flatcar Buildbot 2024-10-21 07:07:35 +00:00
parent a63a7d86c6
commit 87c1157870


@ -57,6 +57,7 @@ IUSE="verify-sig"
# #
# - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign # - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
# - openpgp -- verify PGP signatures using app-crypt/gnupg (the default) # - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
# - sigstore -- verify signatures using dev-python/sigstore
# - signify -- verify signatures with Ed25519 public key using app-crypt/signify # - signify -- verify signatures with Ed25519 public key using app-crypt/signify
: "${VERIFY_SIG_METHOD:=openpgp}" : "${VERIFY_SIG_METHOD:=openpgp}"
@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
signify) signify)
BDEPEND="verify-sig? ( app-crypt/signify )" BDEPEND="verify-sig? ( app-crypt/signify )"
;; ;;
sigstore)
BDEPEND="
verify-sig? (
dev-python/sigstore
sec-keys/sigstore-trusted-root
)
"
;;
*) *)
die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'" die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
;; ;;
@ -89,8 +98,19 @@ esac
# #
# The value of BROOT will be prepended to this path automatically. # The value of BROOT will be prepended to this path automatically.
# #
# NB: this variable is also used for non-OpenPGP signatures. The name # This variable is also used for non-OpenPGP signatures. The name
# contains "OPENPGP" for historical reasons. # contains "OPENPGP" for historical reasons. It is not used
# for sigstore, since it uses a single trusted root.
# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
# @DEFAULT_UNSET
# @DESCRIPTION:
# --cert-identity passed to sigstore invocation.
# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
# @DEFAULT_UNSET
# @DESCRIPTION:
# --cert-oidc-issuer passed to sigstore invocation.
# @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
# @DEFAULT_UNSET # @DEFAULT_UNSET
@ -108,7 +128,7 @@ esac
# in make.conf to enable. Note that this requires working Internet # in make.conf to enable. Note that this requires working Internet
# connection. # connection.
# #
# Supported for OpenPGP only. # Supported for OpenPGP and sigstore.
: "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}" : "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"
# @FUNCTION: verify-sig_verify_detached # @FUNCTION: verify-sig_verify_detached
@ -123,7 +143,17 @@ verify-sig_verify_detached() {
local sig=${2} local sig=${2}
local key=${3} local key=${3}
if [[ -z ${key} ]]; then if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
die "${FUNCNAME}: key unexpectedly specified for sigstore"
fi
if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be specified for sigstore"
fi
if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be specified for sigstore"
fi
elif [[ -z ${key} ]]; then
if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset" die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
else else
@ -132,7 +162,6 @@ verify-sig_verify_detached() {
fi fi
local extra_args=() local extra_args=()
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
[[ ${VERIFY_SIG_METHOD} == openpgp ]] || [[ ${VERIFY_SIG_METHOD} == openpgp ]] ||
die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported" die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
@ -152,10 +181,15 @@ verify-sig_verify_detached() {
einfo "Verifying $(unknown) ..." einfo "Verifying $(unknown) ..."
case ${VERIFY_SIG_METHOD} in case ${VERIFY_SIG_METHOD} in
minisig) minisig)
minisign -V -P "$(<"${key}")" -x "${sig}" -m "${file}" || minisign "${extra_args[@]}" \
-V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
die "minisig signature verification failed" die "minisig signature verification failed"
;; ;;
openpgp) openpgp)
if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
extra_args+=( -R )
fi
# gpg can't handle very long TMPDIR # gpg can't handle very long TMPDIR
# https://bugs.gentoo.org/854492 # https://bugs.gentoo.org/854492
local -x TMPDIR=/tmp local -x TMPDIR=/tmp
@ -165,9 +199,27 @@ verify-sig_verify_detached() {
die "PGP signature verification failed" die "PGP signature verification failed"
;; ;;
signify) signify)
signify -V -p "${key}" -m "${file}" -x "${sig}" || signify "${extra_args[@]}" \
-V -p "${key}" -m "${file}" -x "${sig}" ||
die "Signify signature verification failed" die "Signify signature verification failed"
;; ;;
sigstore)
if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
extra_args+=( --offline )
fi
cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
"${HOME}"/ || die
sigstore verify identity "${extra_args[@]}" \
--bundle "${sig}" \
--cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
--cert-oidc-issuer "${VERIFY_SIG_CERT_OIDC_ISSUER}" \
"${file}" ||
die "Sigstore signature verification failed"
;;
*)
die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
;;
esac esac
} }
@ -229,6 +281,9 @@ verify-sig_verify_message() {
signify -V -e -p "${key}" -m "${output_file}" -x "${file}" || signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
die "Signify signature verification failed" die "Signify signature verification failed"
;; ;;
*)
die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
;;
esac esac
} }
@ -362,6 +417,9 @@ verify-sig_verify_signed_checksums() {
-x "${checksum_file}" "${files[@]}" || -x "${checksum_file}" "${files[@]}" ||
die "Signify signature verification failed" die "Signify signature verification failed"
;; ;;
*)
die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
;;
esac esac
} }
@ -380,7 +438,7 @@ verify-sig_src_unpack() {
# find all distfiles and signatures, and combine them # find all distfiles and signatures, and combine them
for f in ${A}; do for f in ${A}; do
found= found=
for suffix in .asc .sig .minisig; do for suffix in .asc .sig .minisig .sigstore; do
if [[ ${f} == *${suffix} ]]; then if [[ ${f} == *${suffix} ]]; then
signatures+=( "${f}" ) signatures+=( "${f}" )
found=sig found=sig
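Review bot: The reworded VERIFY_SIG_OPENPGP_KEY_PATH comment says the variable "is not used for sigstore", but the new check in verify-sig_verify_detached dies with "key unexpectedly specified for sigstore" whenever it or the key argument is non-empty, so an ebuild that carries a set VERIFY_SIG_OPENPGP_KEY_PATH and switches to sigstore fails at verification instead of having the value ignored. Suggest matching the comment to the code: `# It must be unset for sigstore, which verifies against a single trusted root instead.` The method list at the top of the file could likewise note the narrower scope, e.g. `# - sigstore -- verify signatures using dev-python/sigstore (detached signatures only)`, since verify-sig_verify_message and verify-sig_verify_signed_checksums appear to reach the new `*)` arm and die for sigstore (no sigstore arm is visible in those hunks). verify-sig_verify_detached both starts and ends outside the hunk that introduces the key check.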