Diffstat (limited to 'scripts/libmakepkg/integrity/verify_signature.sh.in')
-rw-r--r-- | scripts/libmakepkg/integrity/verify_signature.sh.in | 131 |
1 files changed, 92 insertions, 39 deletions
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index 6df62727..b5577523 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -2,7 +2,7 @@
 #
 # verify_signature.sh - functions for checking PGP signatures
 #
-# Copyright (c) 2011-2016 Pacman Development Team <pacman-dev@archlinux.org>
+# Copyright (c) 2011-2017 Pacman Development Team <pacman-dev@archlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -32,7 +32,7 @@ check_pgpsigs() {
 msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file ext decompress found pubkey success status fingerprint trusted
+ local netfile proto pubkey success status fingerprint trusted
 local warning=0
 local errors=0
 local statusfile=$(mktemp)
@@ -46,44 +46,15 @@ check_pgpsigs() {
 get_all_sources_for_arch 'all_sources'
 ;;
 esac
- for file in "${all_sources[@]}"; do
- file="$(get_filename "$file")"
- if [[ $file != *.@(sig?(n)|asc) ]]; then
- continue
- fi
-
- printf " %s ... " "${file%.*}" >&2
-
- if ! file="$(get_filepath "$file")"; then
- printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
- errors=1
- continue
- fi
+ for netfile in "${all_sources[@]}"; do
+ proto="$(get_protocol "$netfile")"
- found=0
- for ext in "" gz bz2 xz lrz lzo Z; do
- if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then
- found=1
- break;
- fi
- done
- if (( ! found )); then
- printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2
- errors=1
- continue
+ if [[ $proto = git* ]]; then
+ verify_git_signature "$netfile" "$statusfile" || continue
+ else
+ verify_file_signature "$netfile" "$statusfile" || continue
 fi
- case "$ext" in
- gz) decompress="gzip -c -d -f" ;;
- bz2) decompress="bzip2 -c -d -f" ;;
- xz) decompress="xz -c -d" ;;
- lrz) decompress="lrzip -q -d" ;;
- lzo) decompress="lzop -c -d -q" ;;
- Z) decompress="uncompress -c -f" ;;
- "") decompress="cat" ;;
- esac
-
- $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
 # these variables are assigned values in parse_gpg_statusfile
 success=0
 status=
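Review bot: The new `verify_file_signature "$netfile" "$statusfile" || continue` line skips parse_gpg_statusfile exactly when gpg reports a problem: verify_file_signature (defined in the next hunk) ends with the `$decompress | gpg ... --verify` pipeline, so gpg's non-zero exit for a bad signature or a missing key becomes the function's return value, the loop continues before the status file is read, and `errors` stays 0 for that source. The loop this replaces ignored gpg's exit status and always fell through to the status-file parse, which is what set `status=bad` and `errors=1`. The `|| continue` should only mean "not a signature source"; end the helper with `return 0` after the gpg pipeline so verification failures are again reported through `$statusfile`. check_pgpsigs starts and ends outside this hunk.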
@@ -145,6 +116,85 @@ check_pgpsigs() {
 fi
 }
+verify_file_signature() {
+ local netfile="$1" statusfile="$2"
+ local file ext decompress found sourcefile
+
+ file="$(get_filename "$netfile")"
+ if [[ $file != *.@(sig?(n)|asc) ]]; then
+ return 1
+ fi
+
+ printf " %s ... " "${file%.*}" >&2
+
+ if ! file="$(get_filepath "$netfile")"; then
+ printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
+ errors=1
+ return 1
+ fi
+
+ found=0
+ for ext in "" gz bz2 xz lrz lzo Z; do
+ if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then
+ found=1
+ break;
+ fi
+ done
+ if (( ! found )); then
+ printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2
+ errors=1
+ return 1
+ fi
+
+ case "$ext" in
+ gz) decompress="gzip -c -d -f" ;;
+ bz2) decompress="bzip2 -c -d -f" ;;
+ xz) decompress="xz -c -d" ;;
+ lrz) decompress="lrzip -q -d" ;;
+ lzo) decompress="lzop -c -d -q" ;;
+ Z) decompress="uncompress -c -f" ;;
+ "") decompress="cat" ;;
+ esac
+
+ $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
+}
+
+verify_git_signature() {
+ local netfile=$1 statusfile=$2
+ local dir fragment query fragtype fragval
+
+ dir=$(get_filepath "$netfile")
+ fragment=$(get_uri_fragment "$netfile")
+ query=$(get_uri_query "$netfile")
+
+ if [[ $query != signed ]]; then
+ return 1
+ fi
+
+ case ${fragment%%=*} in
+ tag)
+ fragtype=tag
+ fragval=${fragment##*=}
+ ;;
+ commit|branch)
+ fragtype=commit
+ fragval=${fragment##*=}
+ ;;
+ '')
+ fragtype=commit
+ fragval=HEAD
+ esac
+
+ printf " %s git repo ... " "${dir##*/}" >&2
+
+ git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1
+ if ! grep -qs NEWSIG "$statusfile"; then
+ printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
+ errors=1
+ return 1
+ fi
+}
+
 parse_gpg_statusfile() {
 local type arg1 arg6 arg10
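Review bot: verify_git_signature's `case ${fragment%%=*} in` has no `*)` arm, so a fragment type other than tag/commit/branch leaves fragtype and fragval empty and runs `git -C "$dir" verify- --raw ""`, which the NEWSIG check then reports as "SIGNATURE NOT FOUND" instead of as an unsupported fragment; add `*) return 1 ;;` (with a clear message) before esac. Neither new function has a header comment; each should state that a return of 1 means "nothing verifiable here, skip", that `errors=1` is written into the caller's variable rather than a local, and that the gpg status lines left in `$statusfile` are meant to be parsed by parse_gpg_statusfile afterwards. The git comment should also say that for `commit=`/`branch=` (and the bare-fragment `HEAD` case) only the single commit the name resolves to at verification time is checked.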
@@ -204,11 +254,14 @@ parse_gpg_statusfile() {
 }
 source_has_signatures() {
- local file all_sources
+ local file all_sources proto
 get_all_sources_for_arch 'all_sources'
 for file in "${all_sources[@]}"; do
- if [[ ${file%%::*} = *.@(sig?(n)|asc) ]]; then
+ proto="$(get_protocol "$file")"
+ query=$(get_uri_query "$netfile")
+
+ if [[ ${file%%::*} = *.@(sig?(n)|asc) || ( $proto = git* && $query = signed ) ]]; then
 return 0
 fi
 done |
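Review bot: `query=$(get_uri_query "$netfile")` reads `$netfile`, which is never assigned in source_has_signatures (the loop variable is `file`), so `query` is empty or whatever a global of that name already holds, `$query = signed` does not match and a git source marked `?signed` is not counted as having a signature; it should be `query=$(get_uri_query "$file")`. `query` is also missing from the `local` line, so the assignment leaks into the caller's scope; use `local file all_sources proto query`. The function's trailing `return 1` and closing brace lie outside this hunk.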