authorMichał Górny <mgorny@gentoo.org>2022-02-13 16:08:58 +0100
committerAnthony G. Basile <blueness@gentoo.org>2022-02-16 14:19:26 -0500
commitc82111883b4b0d11ef119a11a2bc43b10e31408a (patch)
treef002d865559e75d338010391b21a47be73bca7e3 /eclass/verify-sig.eclass
parentdev-php/PEAR-Crypt_GPG: Drop old unstable (diff)
verify-sig.eclass: Add a function to verify pure checksums
Split the logic for verifying checksums into a dedicated function that can also be used directly when dealing with a checksum file that uses a detached signature. Signed-off-by: Michał Górny <mgorny@gentoo.org> Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
Diffstat (limited to 'eclass/verify-sig.eclass')
-rw-r--r--eclass/verify-sig.eclass45
1 files changed, 38 insertions, 7 deletions
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 3693eb16ff41..9121d85bbeaf 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -197,17 +197,27 @@ verify-sig_verify_message() {
esac
}
-# @FUNCTION: _gpg_verify_signed_checksums
-# @INTERNAL
-# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @FUNCTION: verify-sig_verify_unsigned_checksums
+# @USAGE: <checksum-file> <algo> <files>
# @DESCRIPTION:
-# GnuPG-specific function to verify a signed checksums list.
-_gpg_verify_signed_checksums() {
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
+# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
+# for stdin.
+#
+# The function dies if one of the files does not match checksums or
+# is missing from the checksum file.
+#
+# Note that this function itself can only verify integrity of the files.
+# In order to verify their authenticity, the <checksum-file> must
+# be verified against a signature first, e.g. using
+# verify-sig_verify_detached. If it contains inline signature, use
+# verify-sig_verify_signed_checksums instead.
+verify-sig_verify_unsigned_checksums() {
local checksum_file=${1}
local algo=${2}
local files=()
read -r -d '' -a files <<<"${3}"
- local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
local chksum_prog chksum_len
case ${algo} in
@@ -220,8 +230,13 @@ _gpg_verify_signed_checksums() {
;;
esac
+ [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
local checksum filename junk ret=0 count=0
while read -r checksum filename junk; do
+ if [[ ${checksum} == "-----BEGIN" ]]; then
+ die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
+ fi
+
[[ ${#checksum} -eq ${chksum_len} ]] || continue
[[ -z ${checksum//[0-9a-f]} ]] || continue
has "${filename}" "${files[@]}" || continue
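Review bot: The `count` initialised in this hunk appears to be incremented once per matching line rather than once per distinct file; the increment and the final comparison lie outside the hunk, so this is inferred. If so, a checksum file that lists one requested file twice and omits another could still pass the "missing" check and leave a file unverified. Since the loop is now exposed as a public function, consider rejecting repeated names after the `has` filter, with `local seen=()` declared beside `count`: `has "${filename}" "${seen[@]}" && die "${FUNCNAME}: duplicate entry for ${filename}"` followed by `seen+=( "${filename}" )`. The loop body continues beyond this hunk.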
@@ -233,7 +248,7 @@ _gpg_verify_signed_checksums() {
else
ret=1
fi
- done < <(verify-sig_verify_message "${checksum_file}" - "${key}")
+ done < "${checksum_file}"
[[ ${ret} -eq 0 ]] ||
die "${FUNCNAME}: at least one file did not verify successfully"
@@ -241,6 +256,22 @@ _gpg_verify_signed_checksums() {
die "${FUNCNAME}: checksums for some of the specified files were missing"
}
+# @FUNCTION: _gpg_verify_signed_checksums
+# @INTERNAL
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# GnuPG-specific function to verify a signed checksums list.
+_gpg_verify_signed_checksums() {
+ local checksum_file=${1}
+ local algo=${2}
+ local files=${3}
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ verify-sig_verify_unsigned_checksums - "${algo}" "${files}" < <(
+ verify-sig_verify_message "${checksum_file}" - "${key}"
+ )
+}
+
# @FUNCTION: verify-sig_verify_signed_checksums
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
# @DESCRIPTION:
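Review bot: The exit status of `verify-sig_verify_message` inside the `< <( … )` process substitution in `_gpg_verify_signed_checksums` is never inspected. Authenticity therefore rests entirely on that function aborting the build itself when the signature is bad; its body is not in this hunk, so that behaviour is assumed. The checksum loop may also start consuming output before the signature check has finished. A comment above the call would make the dependency explicit, e.g. `# NB: process substitution status is not checked; relies on verify-sig_verify_message calling die on a bad signature, otherwise unverified checksums would be accepted.`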