author | Eli Schwartz <eschwartz93@gmail.com> | 2017-01-03 21:10:18 +0100 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2017-01-04 04:59:15 +0100 |
commit | eaa82b4d0775252856a4e54a6f2a9ea191cf0b8f (patch) | |
tree | 9d974f15a153a11c619ba44e42957aeb70ea7858 /scripts/libmakepkg/integrity | |
parent | 42e7020281d3ae260e1e9693495f527b7f476625 (diff) | |
makepkg: Verify git signatures
A git repository source is treated as signed if its URL carries the query component "signed",
with "query" as defined by https://tools.ietf.org/html/rfc3986
Adds two utility functions in util/source.sh.in to extract fragments and
queries, and modifies source/git.sh.in to use them.
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts/libmakepkg/integrity')
-rw-r--r-- | scripts/libmakepkg/integrity/verify_signature.sh.in | 53 |
1 files changed, 49 insertions, 4 deletions
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index bbf18e87..b5577523 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -32,7 +32,7 @@ check_pgpsigs() {
 msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local netfile pubkey success status fingerprint trusted
+ local netfile proto pubkey success status fingerprint trusted
 local warning=0
 local errors=0
 local statusfile=$(mktemp)
@@ -47,7 +47,13 @@ check_pgpsigs() {
 ;;
 esac
 for netfile in "${all_sources[@]}"; do
- verify_file_signature "$netfile" "$statusfile" || continue
+ proto="$(get_protocol "$netfile")"
+
+ if [[ $proto = git* ]]; then
+ verify_git_signature "$netfile" "$statusfile" || continue
+ else
+ verify_file_signature "$netfile" "$statusfile" || continue
+ fi
 # these variables are assigned values in parse_gpg_statusfile
 success=0
@@ -153,6 +159,42 @@ verify_file_signature() {
 $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
 }
+verify_git_signature() {
+ local netfile=$1 statusfile=$2
+ local dir fragment query fragtype fragval
+
+ dir=$(get_filepath "$netfile")
+ fragment=$(get_uri_fragment "$netfile")
+ query=$(get_uri_query "$netfile")
+
+ if [[ $query != signed ]]; then
+ return 1
+ fi
+
+ case ${fragment%%=*} in
+ tag)
+ fragtype=tag
+ fragval=${fragment##*=}
+ ;;
+ commit|branch)
+ fragtype=commit
+ fragval=${fragment##*=}
+ ;;
+ '')
+ fragtype=commit
+ fragval=HEAD
+ esac
+
+ printf " %s git repo ... " "${dir##*/}" >&2
+
+ git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1
+ if ! grep -qs NEWSIG "$statusfile"; then
+ printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
+ errors=1
+ return 1
+ fi
+}
+
 parse_gpg_statusfile() {
 local type arg1 arg6 arg10
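Review bot: The `case ${fragment%%=*}` in verify_git_signature has no default arm, so a fragment whose type is none of tag, commit or branch leaves fragtype and fragval empty and the function goes on to run `git -C "$dir" verify- --raw ""`; that invocation fails and is then reported as "SIGNATURE NOT FOUND", which is misleading even though the outcome is still a rejection via `return 1`. Adding an explicit arm before `esac`, `*) printf '%s\n' "$(gettext "Unrecognized reference: %s")" "${fragment%%=*}" >&2; return 1 ;;`, makes the refusal deliberate rather than a side effect of an invalid git subcommand. The `errors=1` assignment relies on bash dynamic scoping to reach check_pgpsigs' `local errors=0` from the first hunk; a comment such as `# errors belongs to check_pgpsigs; set it so the caller reports failure` on that line would make the coupling visible to the next reader. verify_git_signature begins and ends inside this hunk.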
@@ -212,11 +254,14 @@ parse_gpg_statusfile() {
 }
 source_has_signatures() {
- local file all_sources
+ local file all_sources proto
 get_all_sources_for_arch 'all_sources'
 for file in "${all_sources[@]}"; do
- if [[ ${file%%::*} = *.@(sig?(n)|asc) ]]; then
+ proto="$(get_protocol "$file")"
+ query=$(get_uri_query "$netfile")
+
+ if [[ ${file%%::*} = *.@(sig?(n)|asc) || ( $proto = git* && $query = signed ) ]]; then
 return 0
 fi
 done |
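Review bot: `query=$(get_uri_query "$netfile")` in source_has_signatures reads `$netfile`, but this function's loop variable is `file` and `netfile` is never assigned here, so `query` is empty (or whatever a caller's `netfile` happens to hold through dynamic scoping) and the new `$proto = git* && $query = signed` condition does not match on its own; it should be `query=$(get_uri_query "$file")`. `query` is also not declared on the `local` line the way `proto` is, so it leaks into the caller's scope; `local file all_sources proto query` fixes both. If check_pgpsigs gates on this function, as its name suggests, a PKGBUILD whose only signed source is a git repository would skip signature verification entirely rather than fail, which is the quieter of the two failure modes.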