diff options
| author |   Michał Górny <mgorny@gentoo.org> | 2022-02-13 16:08:58 +0100 |
|---|---|---|
| committer |   Anthony G. Basile <blueness@gentoo.org> | 2022-02-16 14:19:26 -0500 |
| commit | c82111883b4b0d11ef119a11a2bc43b10e31408a (patch) | |
| tree | f002d865559e75d338010391b21a47be73bca7e3 /eclass | |
| parent | dev-php/PEAR-Crypt_GPG: Drop old unstable (diff) | |
| download | gentoo-c82111883b4b0d11ef119a11a2bc43b10e31408a.tar.gz gentoo-c82111883b4b0d11ef119a11a2bc43b10e31408a.tar.bz2 gentoo-c82111883b4b0d11ef119a11a2bc43b10e31408a.zip | |
verify-sig.eclass: Add a function to verify pure checksums
Split the logic for verifying checksums into a dedicated functions
that can also be used directly when dealing with a checksum file
that uses a detached signature.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
Diffstat (limited to 'eclass')
| -rw-r--r-- | eclass/verify-sig.eclass | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index 3693eb16ff41..9121d85bbeaf 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -197,17 +197,27 @@ verify-sig_verify_message() { esac } -# @FUNCTION: _gpg_verify_signed_checksums -# @INTERNAL -# @USAGE: <checksum-file> <algo> <files> [<key-file>] +# @FUNCTION: verify-sig_verify_unsigned_checksums +# @USAGE: <checksum-file> <algo> <files> # @DESCRIPTION: -# GnuPG-specific function to verify a signed checksums list. -_gpg_verify_signed_checksums() { +# Verify the checksums for all files listed in the space-separated list +# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies +# the checksum algorithm (e.g. sha256). <checksum-file> can be "-" +# for stdin. +# +# The function dies if one of the files does not match checksums or +# is missing from the checksum file. +# +# Note that this function itself can only verify integrity of the files. +# In order to verify their authenticity, the <checksum-file> must +# be verified against a signature first, e.g. using +# verify-sig_verify_detached. If it contains inline signature, use +# verify-sig_verify_signed_checksums instead. +verify-sig_verify_unsigned_checksums() { local checksum_file=${1} local algo=${2} local files=() read -r -d '' -a files <<<"${3}" - local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} local chksum_prog chksum_len case ${algo} in @@ -220,8 +230,13 @@ _gpg_verify_signed_checksums() { ;; esac + [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin local checksum filename junk ret=0 count=0 while read -r checksum filename junk; do + if [[ ${checksum} == "-----BEGIN" ]]; then + die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead" + fi + [[ ${#checksum} -eq ${chksum_len} ]] || continue [[ -z ${checksum//[0-9a-f]} ]] || continue has "${filename}" "${files[@]}" || continue @@ -233,7 +248,7 @@ _gpg_verify_signed_checksums() { else ret=1 fi - done < <(verify-sig_verify_message "${checksum_file}" - "${key}") + done < "${checksum_file}" [[ ${ret} -eq 0 ]] || die "${FUNCNAME}: at least one file did not verify successfully" @@ -241,6 +256,22 @@ _gpg_verify_signed_checksums() { die "${FUNCNAME}: checksums for some of the specified files were missing" } +# @FUNCTION: _gpg_verify_signed_checksums +# @INTERNAL +# @USAGE: <checksum-file> <algo> <files> [<key-file>] +# @DESCRIPTION: +# GnuPG-specific function to verify a signed checksums list. +_gpg_verify_signed_checksums() { + local checksum_file=${1} + local algo=${2} + local files=${3} + local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}} + + verify-sig_verify_unsigned_checksums - "${algo}" "${files}" < <( + verify-sig_verify_message "${checksum_file}" - "${key}" + ) +} + # @FUNCTION: verify-sig_verify_signed_checksums # @USAGE: <checksum-file> <algo> <files> [<key-file>] # @DESCRIPTION: |