On 01/03/17 at 03:22pm, Allan McRae wrote:
On 17/12/16 04:56, Eli Schwartz wrote:
A git repository is marked as signed if it contains the query "signed" as defined by https://tools.ietf.org/html/rfc3986
Adds two utility functions in util/source.sh.in to extract fragments and queries, and modifies source/git.sh.in to use them.
Needs documentation added. e.g. can the query string occur anywhere relative to the fragment?
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> --- .../libmakepkg/integrity/verify_signature.sh.in | 56 ++++++++++++++++++---- scripts/libmakepkg/source/git.sh.in | 11 ++--- scripts/libmakepkg/util/source.sh.in | 27 +++++++++++ 3 files changed, 76 insertions(+), 18 deletions(-)
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in index 6df62727..634958f9 100644 --- a/scripts/libmakepkg/integrity/verify_signature.sh.in +++ b/scripts/libmakepkg/integrity/verify_signature.sh.in @@ -32,11 +32,12 @@ check_pgpsigs() {
msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file ext decompress found pubkey success status fingerprint trusted + local netfile file ext decompress found pubkey success status fingerprint trusted local warning=0 local errors=0 local statusfile=$(mktemp) local all_sources + local proto dir fragment query fragtype fragval
case $1 in all) @@ -46,15 +47,38 @@ check_pgpsigs() { get_all_sources_for_arch 'all_sources' ;; esac - for file in "${all_sources[@]}"; do - file="$(get_filename "$file")" - if [[ $file != *.@(sig?(n)|asc) ]]; then + for netfile in "${all_sources[@]}"; do + file="$(get_filename "$netfile")" + proto="$(get_protocol "$netfile")" + dir=$(get_filepath "$netfile") + fragment=$(get_uri_fragment "$netfile") + query=$(get_uri_query "$netfile") + + if [[ $proto = git* && $query = signed ]]; then + case ${fragment%%=*} in + tag) + fragtype=tag + fragval=${fragment##*=} + ;; + commit|branch) + fragtype=commit + fragval=${fragment##*=} + ;; + '') + fragtype=commit + fragval=HEAD + esac
I'm guessing other modern VCS tools can have signatures verified too? This function will become a mess when they are included. Please split out git and standard file verification to their own functions called within this one.
It seems that SVN does not support signing commits, CVS has no support for it either and mercurial has an extension for it. [1] [1] https://www.mercurial-scm.org/wiki/GpgExtension -- Jelle van der Waa