summaryrefslogtreecommitdiffstats
path: root/scripts/libmakepkg/integrity
diff options
context:
space:
mode:
authorAshley Whetter <ashley@awhetter.co.uk>2016-05-08 18:28:28 +0200
committerAllan McRae <allan@archlinux.org>2016-05-18 07:45:56 +0200
commit4f114f38178aeaffcc571aa42e2f930ca916f79d (patch)
tree4952ff8c80728d2dba04bfe05b64907110a7ccc2 /scripts/libmakepkg/integrity
parent892a1076c00a2b0097145c35f5d8ef590216dac0 (diff)
downloadpacman-4f114f38178aeaffcc571aa42e2f930ca916f79d.tar.gz
pacman-4f114f38178aeaffcc571aa42e2f930ca916f79d.tar.xz
libmakepkg: extract functions for integrity checking
Signed-off-by: Ashley Whetter <ashley@awhetter.co.uk> Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts/libmakepkg/integrity')
-rw-r--r--scripts/libmakepkg/integrity/generate_checksum.sh.in107
-rw-r--r--scripts/libmakepkg/integrity/generate_signature.sh.in49
-rw-r--r--scripts/libmakepkg/integrity/verify_checksum.sh.in130
-rw-r--r--scripts/libmakepkg/integrity/verify_signature.sh.in216
4 files changed, 502 insertions, 0 deletions
diff --git a/scripts/libmakepkg/integrity/generate_checksum.sh.in b/scripts/libmakepkg/integrity/generate_checksum.sh.in
new file mode 100644
index 00000000..7a567100
--- /dev/null
+++ b/scripts/libmakepkg/integrity/generate_checksum.sh.in
@@ -0,0 +1,107 @@
+#!/bin/bash
+#
+# generate_checksum.sh - functions for generating source checksums
+#
+# Copyright (c) 2014-2016 Pacman Development Team <pacman-dev@archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+[[ -n "$LIBMAKEPKG_INTEGRITY_GENERATE_CHECKSUM_SH" ]] && return
+LIBMAKEPKG_INTEGRITY_GENERATE_CHECKSUM_SH=1
+
+LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
+
+source "$LIBRARY/util/message.sh"
+source "$LIBRARY/util/pkgbuild.sh"
+
+generate_one_checksum() {
+ local integ=$1 arch=$2 sources numsrc indentsz idx
+
+ if [[ $arch ]]; then
+ array_build sources "source_$arch"
+ else
+ array_build sources 'source'
+ fi
+
+ numsrc=${#sources[*]}
+ if (( numsrc == 0 )); then
+ return
+ fi
+
+ if [[ $arch ]]; then
+ printf "%ssums_%s=(%n" "$integ" "$arch" indentsz
+ else
+ printf "%ssums=(%n" "$integ" indentsz
+ fi
+
+ for (( idx = 0; idx < numsrc; ++idx )); do
+ local netfile=${sources[idx]}
+ local proto sum
+ proto="$(get_protocol "$netfile")"
+
+ case $proto in
+ bzr*|git*|hg*|svn*)
+ sum="SKIP"
+ ;;
+ *)
+ if [[ $netfile != *.@(sig?(n)|asc) ]]; then
+ local file
+ file="$(get_filepath "$netfile")" || missing_source_file "$netfile"
+ sum="$(openssl dgst -${integ} "$file")"
+ sum=${sum##* }
+ else
+ sum="SKIP"
+ fi
+ ;;
+ esac
+
+ # indent checksum on lines after the first
+ printf "%*s%s" $(( idx ? indentsz : 0 )) '' "'$sum'"
+
+ # print a newline on lines before the last
+ (( idx < (numsrc - 1) )) && echo
+ done
+
+ echo ")"
+}
+
+generate_checksums() {
+ msg "$(gettext "Generating checksums for source files...")"
+
+ if ! type -p openssl >/dev/null; then
+ error "$(gettext "Cannot find the %s binary required for generating sourcefile checksums.")" "openssl"
+ exit 1 # $E_MISSING_PROGRAM
+ fi
+
+ local integlist
+ if (( $# == 0 )); then
+ IFS=$'\n' read -rd '' -a integlist < <(get_integlist)
+ else
+ integlist=("$@")
+ fi
+
+ local integ
+ for integ in "${integlist[@]}"; do
+ if ! in_array "$integ" "${known_hash_algos[@]}"; then
+ error "$(gettext "Invalid integrity algorithm '%s' specified.")" "$integ"
+ exit 1 # $E_CONFIG_ERROR
+ fi
+
+ generate_one_checksum "$integ"
+ for a in "${arch[@]}"; do
+ generate_one_checksum "$integ" "$a"
+ done
+ done
+}
diff --git a/scripts/libmakepkg/integrity/generate_signature.sh.in b/scripts/libmakepkg/integrity/generate_signature.sh.in
new file mode 100644
index 00000000..d7f7cb14
--- /dev/null
+++ b/scripts/libmakepkg/integrity/generate_signature.sh.in
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# generate_signature.sh - functions for generating PGP signatures
+#
+# Copyright (c) 2008-2016 Pacman Development Team <pacman-dev@archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+[[ -n "$LIBMAKEPKG_INTEGRITY_GENERATE_SIGNATURE_SH" ]] && return
+LIBMAKEPKG_INTEGRITY_GENERATE_SIGNATURE_SH=1
+
+LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
+
+source "$LIBRARY/util/message.sh"
+
+create_signature() {
+ if [[ $SIGNPKG != 'y' ]]; then
+ return
+ fi
+ local ret=0
+ local filename="$1"
+ msg "$(gettext "Signing package...")"
+
+ local SIGNWITHKEY=""
+ if [[ -n $GPGKEY ]]; then
+ SIGNWITHKEY="-u ${GPGKEY}"
+ fi
+
+ gpg --detach-sign --use-agent ${SIGNWITHKEY} --no-armor "$filename" &>/dev/null || ret=$?
+
+
+ if (( ! ret )); then
+ msg2 "$(gettext "Created signature file %s.")" "$filename.sig"
+ else
+ warning "$(gettext "Failed to sign package file.")"
+ fi
+}
diff --git a/scripts/libmakepkg/integrity/verify_checksum.sh.in b/scripts/libmakepkg/integrity/verify_checksum.sh.in
new file mode 100644
index 00000000..44a2b2e1
--- /dev/null
+++ b/scripts/libmakepkg/integrity/verify_checksum.sh.in
@@ -0,0 +1,130 @@
+#!/bin/bash
+#
+# verify_checksum.sh - functions for checking source checksums
+#
+# Copyright (c) 2014-2016 Pacman Development Team <pacman-dev@archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+[[ -n "$LIBMAKEPKG_INTEGRITY_VERIFY_CHECKSUM_SH" ]] && return
+LIBMAKEPKG_INTEGRITY_CHECKSUM_SH=1
+
+LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
+
+source "$LIBRARY/util/message.sh"
+source "$LIBRARY/util/pkgbuild.sh"
+
+check_checksums() {
+ local integ a
+ declare -A correlation
+ (( SKIPCHECKSUMS )) && return 0
+
+ # Initialize a map which we'll use to verify that every source array has at
+ # least some kind of checksum array associated with it.
+ (( ${#source[*]} )) && correlation['source']=1
+ case $1 in
+ all)
+ for a in "${arch[@]}"; do
+ array_build _ source_"$a" && correlation["source_$a"]=1
+ done
+ ;;
+ *)
+ array_build _ source_"$CARCH" && correlation["source_$CARCH"]=1
+ ;;
+ esac
+
+ for integ in "${known_hash_algos[@]}"; do
+ verify_integrity_sums "$integ" && unset "correlation[source]"
+
+ case $1 in
+ all)
+ for a in "${arch[@]}"; do
+ verify_integrity_sums "$integ" "$a" && unset "correlation[source_$a]"
+ done
+ ;;
+ *)
+ verify_integrity_sums "$integ" "$CARCH" && unset "correlation[source_$CARCH]"
+ ;;
+ esac
+ done
+
+ if (( ${#correlation[*]} )); then
+ error "$(gettext "Integrity checks are missing for: %s")" "${!correlation[*]}"
+ exit 1 # TODO: error code
+ fi
+}
+
+verify_integrity_one() {
+ local source_name=$1 integ=$2 expectedsum=$3
+
+ local file="$(get_filename "$source_name")"
+ printf ' %s ... ' "$file" >&2
+
+ if [[ $expectedsum = 'SKIP' ]]; then
+ printf '%s\n' "$(gettext "Skipped")" >&2
+ return
+ fi
+
+ if ! file="$(get_filepath "$file")"; then
+ printf '%s\n' "$(gettext "NOT FOUND")" >&2
+ return 1
+ fi
+
+ local realsum="$(openssl dgst -${integ} "$file")"
+ realsum="${realsum##* }"
+ if [[ ${expectedsum,,} = "$realsum" ]]; then
+ printf '%s\n' "$(gettext "Passed")" >&2
+ else
+ printf '%s\n' "$(gettext "FAILED")" >&2
+ return 1
+ fi
+
+ return 0
+}
+
+verify_integrity_sums() {
+ local integ=$1 arch=$2 integrity_sums=() sources=() srcname
+
+ if [[ $arch ]]; then
+ array_build integrity_sums "${integ}sums_$arch"
+ srcname=source_$arch
+ else
+ array_build integrity_sums "${integ}sums"
+ srcname=source
+ fi
+
+ array_build sources "$srcname"
+ if (( ${#integrity_sums[@]} == 0 && ${#sources[@]} == 0 )); then
+ return 1
+ fi
+
+ if (( ${#integrity_sums[@]} == ${#sources[@]} )); then
+ msg "$(gettext "Validating %s files with %s...")" "$srcname" "${integ}sums"
+ local idx errors=0
+ for (( idx = 0; idx < ${#sources[*]}; idx++ )); do
+ verify_integrity_one "${sources[idx]}" "$integ" "${integrity_sums[idx]}" || errors=1
+ done
+
+ if (( errors )); then
+ error "$(gettext "One or more files did not pass the validity check!")"
+ exit 1 # TODO: error code
+ fi
+ elif (( ${#integrity_sums[@]} )); then
+ error "$(gettext "Integrity checks (%s) differ in size from the source array.")" "$integ"
+ exit 1 # TODO: error code
+ else
+ return 1
+ fi
+}
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
new file mode 100644
index 00000000..6df62727
--- /dev/null
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -0,0 +1,216 @@
+#!/bin/bash
+#
+# verify_signature.sh - functions for checking PGP signatures
+#
+# Copyright (c) 2011-2016 Pacman Development Team <pacman-dev@archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+[[ -n "$LIBMAKEPKG_INTEGRITY_VERIFY_SIGNATURE_SH" ]] && return
+LIBMAKEPKG_INTEGRITY_VERIFY_SIGNATURE_SH=1
+
+LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
+
+source "$LIBRARY/util/message.sh"
+source "$LIBRARY/util/pkgbuild.sh"
+
+check_pgpsigs() {
+ (( SKIPPGPCHECK )) && return 0
+ ! source_has_signatures && return 0
+
+ msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
+
+ local file ext decompress found pubkey success status fingerprint trusted
+ local warning=0
+ local errors=0
+ local statusfile=$(mktemp)
+ local all_sources
+
+ case $1 in
+ all)
+ get_all_sources 'all_sources'
+ ;;
+ *)
+ get_all_sources_for_arch 'all_sources'
+ ;;
+ esac
+ for file in "${all_sources[@]}"; do
+ file="$(get_filename "$file")"
+ if [[ $file != *.@(sig?(n)|asc) ]]; then
+ continue
+ fi
+
+ printf " %s ... " "${file%.*}" >&2
+
+ if ! file="$(get_filepath "$file")"; then
+ printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
+ errors=1
+ continue
+ fi
+
+ found=0
+ for ext in "" gz bz2 xz lrz lzo Z; do
+ if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then
+ found=1
+ break;
+ fi
+ done
+ if (( ! found )); then
+ printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2
+ errors=1
+ continue
+ fi
+
+ case "$ext" in
+ gz) decompress="gzip -c -d -f" ;;
+ bz2) decompress="bzip2 -c -d -f" ;;
+ xz) decompress="xz -c -d" ;;
+ lrz) decompress="lrzip -q -d" ;;
+ lzo) decompress="lzop -c -d -q" ;;
+ Z) decompress="uncompress -c -f" ;;
+ "") decompress="cat" ;;
+ esac
+
+ $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
+ # these variables are assigned values in parse_gpg_statusfile
+ success=0
+ status=
+ pubkey=
+ fingerprint=
+ trusted=
+ parse_gpg_statusfile "$statusfile"
+ if (( ! $success )); then
+ printf '%s' "$(gettext "FAILED")" >&2
+ case "$status" in
+ "missingkey")
+ printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
+ ;;
+ "revokedkey")
+ printf " ($(gettext "public key %s has been revoked"))" "$pubkey" >&2
+ ;;
+ "bad")
+ printf ' (%s)' "$(gettext "bad signature from public key") $pubkey" >&2
+ ;;
+ "error")
+ printf ' (%s)' "$(gettext "error during signature verification")" >&2
+ ;;
+ esac
+ errors=1
+ else
+ if (( ${#validpgpkeys[@]} == 0 && !trusted )); then
+ printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$fingerprint" >&2
+ errors=1
+ elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then
+ printf "%s (%s %s)" "$(gettext "FAILED")" "$(gettext "invalid public key")" "$fingerprint"
+ errors=1
+ else
+ printf '%s' "$(gettext "Passed")" >&2
+ case "$status" in
+ "expired")
+ printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
+ warnings=1
+ ;;
+ "expiredkey")
+ printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
+ warnings=1
+ ;;
+ esac
+ fi
+ fi
+ printf '\n' >&2
+ done
+
+ rm -f "$statusfile"
+
+ if (( errors )); then
+ error "$(gettext "One or more PGP signatures could not be verified!")"
+ exit 1
+ fi
+
+ if (( warnings )); then
+ warning "$(gettext "Warnings have occurred while verifying the signatures.")"
+ plain "$(gettext "Please make sure you really trust them.")"
+ fi
+}
+
+parse_gpg_statusfile() {
+ local type arg1 arg6 arg10
+
+ while read -r _ type arg1 _ _ _ _ arg6 _ _ _ arg10 _; do
+ case "$type" in
+ GOODSIG)
+ pubkey=$arg1
+ success=1
+ status="good"
+ ;;
+ EXPSIG)
+ pubkey=$arg1
+ success=1
+ status="expired"
+ ;;
+ EXPKEYSIG)
+ pubkey=$arg1
+ success=1
+ status="expiredkey"
+ ;;
+ REVKEYSIG)
+ pubkey=$arg1
+ success=0
+ status="revokedkey"
+ ;;
+ BADSIG)
+ pubkey=$arg1
+ success=0
+ status="bad"
+ ;;
+ ERRSIG)
+ pubkey=$arg1
+ success=0
+ if [[ $arg6 == 9 ]]; then
+ status="missingkey"
+ else
+ status="error"
+ fi
+ ;;
+ VALIDSIG)
+ if [[ $arg10 ]]; then
+ # If the file was signed with a subkey, arg10 contains
+ # the fingerprint of the primary key
+ fingerprint=$arg10
+ else
+ fingerprint=$arg1
+ fi
+ ;;
+ TRUST_UNDEFINED|TRUST_NEVER)
+ trusted=0
+ ;;
+ TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE)
+ trusted=1
+ ;;
+ esac
+ done < "$1"
+}
+
+source_has_signatures() {
+ local file all_sources
+
+ get_all_sources_for_arch 'all_sources'
+ for file in "${all_sources[@]}"; do
+ if [[ ${file%%::*} = *.@(sig?(n)|asc) ]]; then
+ return 0
+ fi
+ done
+ return 1
+}