From e111329e222787152b6d99ce4b551c8758349aac Mon Sep 17 00:00:00 2001 From: Michał Górny Date: Sun, 3 Sep 2023 15:21:57 +0200 Subject: verify-sig.eclass: Support `openssl dgst` format checksums MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Górny --- eclass/tests/verify-sig.sh | 18 ++++++++++++++++ eclass/verify-sig.eclass | 54 ++++++++++++++++++++++++++++++---------------- 2 files changed, 54 insertions(+), 18 deletions(-) diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh index fcd2ee7480a2..fb7f2cdb2a5d 100755 --- a/eclass/tests/verify-sig.sh +++ b/eclass/tests/verify-sig.sh @@ -62,4 +62,22 @@ EOF test_verify_unsigned_checksums sha256 eoutdent +einfo "Testing openssl-dgst format." +eindent + +> "annoying ( filename )= yes ).txt" || die + +cat > checksums.txt <<-EOF || die + junk text that ought to be ignored + + SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 + SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380 + + SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 +EOF + +test_verify_unsigned_checksums openssl-dgst +eoutdent + texit diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index d99dc3461858..815299b419ed 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -214,12 +214,15 @@ verify-sig_verify_message() { } # @FUNCTION: verify-sig_verify_unsigned_checksums -# @USAGE: +# @USAGE: # @DESCRIPTION: # Verify the checksums for all files listed in the space-separated list -# (akin to ${A}) using a . specifies -# the checksum algorithm (e.g. sha256). can be "-" -# for stdin. +# (akin to ${A}) using a . specifies +# the checksum file format. can be "-" for stdin. +# +# The following formats are supported: +# - sha256 -- sha256sum ( ) +# - openssl-dgst -- openssl dgst (()=) # # The function dies if one of the files does not match checksums or # is missing from the checksum file. @@ -231,35 +234,50 @@ verify-sig_verify_message() { # verify-sig_verify_signed_checksums instead. verify-sig_verify_unsigned_checksums() { local checksum_file=${1} - local algo=${2} + local format=${2} local files=() read -r -d '' -a files <<<"${3}" - local chksum_prog chksum_len + local chksum_prog chksum_len algo=${format} - case ${algo} in + case ${format} in sha256) - chksum_prog=sha256sum chksum_len=64 ;; + openssl-dgst) + ;; *) - die "${FUNCNAME}: unknown checksum algo ${algo}" + die "${FUNCNAME}: unknown checksum format ${format}" ;; esac [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin - local checksum filename junk ret=0 count=0 - while read -r checksum filename junk; do - if [[ ${checksum} == "-----BEGIN" ]]; then + local line checksum filename junk ret=0 count=0 + while read -r line; do + if [[ ${line} == "-----BEGIN"* ]]; then die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead" fi - [[ ${#checksum} -eq ${chksum_len} ]] || continue - [[ -z ${checksum//[0-9a-f]} ]] || continue - has "${filename}" "${files[@]}" || continue - [[ -z ${junk} ]] || continue + case ${format} in + sha256) + read -r checksum filename junk <<<"${line}" + [[ ${#checksum} -ne ${chksum_len} ]] && continue + [[ -n ${checksum//[0-9a-f]} ]] && continue + [[ -n ${junk} ]] && continue + ;; + openssl-dgst) + [[ ${line} != *"("*")="* ]] && continue + checksum=${line##*)=} + algo=${line%%(*} + filename=${line#*(} + filename=${filename%)=*} + ;; + esac + + if ! has "${filename}" "${files[@]}"; then + continue + fi - "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}" - if [[ ${?} -eq 0 ]]; then + if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then (( count++ )) else ret=1 -- cgit v1.2.3-65-gdbad