summaryrefslogtreecommitdiff
path: root/eclass
diff options
context:
space:
mode:
authorMichał Górny <mgorny@gentoo.org>2020-11-05 16:21:59 +0100
committerMichał Górny <mgorny@gentoo.org>2020-11-08 01:12:14 +0100
commitf491de69ca18bd8b5a485e39e15cf07a2e8b3395 (patch)
tree874d02fce25e0911557ef6f7ccee8dccb4f10a28 /eclass
parentverify-sig.eclass: Add a function to verify PGP signed messages (diff)
downloadgentoo-f491de69ca18bd8b5a485e39e15cf07a2e8b3395.tar.gz
gentoo-f491de69ca18bd8b5a485e39e15cf07a2e8b3395.tar.bz2
gentoo-f491de69ca18bd8b5a485e39e15cf07a2e8b3395.zip
verify-sig.eclass: Support verifying checksum lists
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'eclass')
-rw-r--r--eclass/verify-sig.eclass55
1 files changed, 54 insertions, 1 deletions
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index a499dd3c6c2..e3ef7f24028 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -143,10 +143,63 @@ verify-sig_verify_message() {
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying ${filename} ..."
gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
- gpg --verify --output="${output_file}" "${sig}" "${file}" ||
+ gpg --verify --output="${output_file}" "${file}" ||
die "PGP signature verification failed"
}
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
+# specified the checksum algorithm (e.g. sha256). <key-file> can either
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if PGP verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums
+# or are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+ local checksum_file=${1}
+ local algo=${2}
+ local files=()
+ read -r -d '' -a files <<<"${3}"
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ local chksum_prog chksum_len
+ case ${algo} in
+ sha256)
+ chksum_prog=sha256sum
+ chksum_len=64
+ ;;
+ *)
+ die "${FUNCNAME}: unknown checksum algo ${algo}"
+ ;;
+ esac
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ local checksum filename junk ret=0 count=0
+ while read -r checksum filename junk; do
+ [[ ${#checksum} -eq ${chksum_len} ]] || continue
+ [[ -z ${checksum//[0-9a-f]} ]] || continue
+ has "${filename}" "${files[@]}" || continue
+ [[ -z ${junk} ]] || continue
+
+ "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
+ if [[ ${?} -eq 0 ]]; then
+ (( count++ ))
+ else
+ ret=1
+ fi
+ done < <(verify-sig_verify_message "${checksum_file}" - "${key}")
+
+ [[ ${ret} -eq 0 ]] ||
+ die "${FUNCNAME}: at least one file did not verify successfully"
+ [[ ${count} -eq ${#files[@]} ]] ||
+ die "${FUNCNAME}: checksums for some of the specified files were missing"
+}
+
# @FUNCTION: verify-sig_src_unpack
# @DESCRIPTION:
# Default src_unpack override that verifies signatures for all