[pacman-dev] [PATCH] makepkg: Support kernel.org's PGP signature scheme
Files hosted on kernel.org only provide signatures for the uncompress tarball. Support this scheme by transparently uncompressing the archives and piping the data into gpg. --- scripts/makepkg.sh.in | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index b69c071..4f5db99 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1250,7 +1250,7 @@ check_pgpsigs() { msg "$(gettext "Verifying source file signatures with %s...")" "gpg" - local file pubkey + local file pubkey ext decompress found local warning=0 local errors=0 local statusfile=$(mktemp) @@ -1269,13 +1269,30 @@ check_pgpsigs() { continue fi - if ! sourcefile="$(get_filepath "${file%.*}")"; then + found=0 + for ext in "" gz bz2 xz lrz lzo Z; do + if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then + found=1 + break; + fi + done + if (( ! found )); then printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2 errors=1 continue fi - if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then + case "$ext" in + gz) decompress="gzip -c -d -f" ;; + bz2) decompress="bzip2 -c -d -f" ;; + xz) decompress="xz -c -d" ;; + lrz) decompress="lrzip -q -d" ;; + lzo) decompress="lzop -c -d -q" ;; + Z) decompress="uncompress -c -f" ;; + "") decompress="cat" ;; + esac + + if ! cat "$sourcefile" | $decompress | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then printf '%s' "$(gettext "FAILED")" >&2 if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2 -- 1.9.0
On 28/02/14 04:22, Thomas Bächler wrote:
Files hosted on kernel.org only provide signatures for the uncompress tarball. Support this scheme by transparently uncompressing the archives and piping the data into gpg. --- scripts/makepkg.sh.in | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index b69c071..4f5db99 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1250,7 +1250,7 @@ check_pgpsigs() {
msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file pubkey + local file pubkey ext decompress found local warning=0 local errors=0 local statusfile=$(mktemp) @@ -1269,13 +1269,30 @@ check_pgpsigs() { continue fi
- if ! sourcefile="$(get_filepath "${file%.*}")"; then + found=0 + for ext in "" gz bz2 xz lrz lzo Z; do + if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then + found=1 + break; + fi + done + if (( ! found )); then printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2 errors=1 continue fi
- if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then + case "$ext" in + gz) decompress="gzip -c -d -f" ;; + bz2) decompress="bzip2 -c -d -f" ;; + xz) decompress="xz -c -d" ;; + lrz) decompress="lrzip -q -d" ;; + lzo) decompress="lzop -c -d -q" ;; + Z) decompress="uncompress -c -f" ;; + "") decompress="cat" ;; + esac + + if ! cat "$sourcefile" | $decompress | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
Looks like an unnecessary cat there. if ! $decompress "$sourcefile" | gpg ...
printf '%s' "$(gettext "FAILED")" >&2 if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
Am 27.02.2014 22:33, schrieb Allan McRae:
- if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then + case "$ext" in + gz) decompress="gzip -c -d -f" ;; + bz2) decompress="bzip2 -c -d -f" ;; + xz) decompress="xz -c -d" ;; + lrz) decompress="lrzip -q -d" ;; + lzo) decompress="lzop -c -d -q" ;; + Z) decompress="uncompress -c -f" ;; + "") decompress="cat" ;; + esac + + if ! cat "$sourcefile" | $decompress | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
Looks like an unnecessary cat there.
if ! $decompress "$sourcefile" | gpg ...
I thought so too, but the manpage of 'lrzip' lacks all equivalents of a '-c' option like gz, and it does not say what happens to the original file. Everywhere else in makepkg, lrzip is only called with no filenames. So, how exactly do you *know* that your variant won't do anything bad?
On 27 February 2014 22:52, Thomas Bächler <thomas@archlinux.org> wrote:
Am 27.02.2014 22:33, schrieb Allan McRae:
- if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then + case "$ext" in + gz) decompress="gzip -c -d -f" ;; + bz2) decompress="bzip2 -c -d -f" ;; + xz) decompress="xz -c -d" ;; + lrz) decompress="lrzip -q -d" ;; + lzo) decompress="lzop -c -d -q" ;; + Z) decompress="uncompress -c -f" ;; + "") decompress="cat" ;; + esac + + if ! cat "$sourcefile" | $decompress | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
Looks like an unnecessary cat there.
if ! $decompress "$sourcefile" | gpg ...
I thought so too, but the manpage of 'lrzip' lacks all equivalents of a '-c' option like gz, and it does not say what happens to the original file. Everywhere else in makepkg, lrzip is only called with no filenames.
So, how exactly do you *know* that your variant won't do anything bad?
I’ve never used “lrzip”, but surely you can at least use a redirect instead of a cat pipe: lrzip -q -d < "$sourcefile" | gpg
On Thu, Feb 27, 2014 at 11:52:30PM +0100, Thomas Bächler wrote:
Am 27.02.2014 22:33, schrieb Allan McRae:
- if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then + case "$ext" in + gz) decompress="gzip -c -d -f" ;; + bz2) decompress="bzip2 -c -d -f" ;; + xz) decompress="xz -c -d" ;; + lrz) decompress="lrzip -q -d" ;; + lzo) decompress="lzop -c -d -q" ;; + Z) decompress="uncompress -c -f" ;; + "") decompress="cat" ;; + esac + + if ! cat "$sourcefile" | $decompress | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
Looks like an unnecessary cat there.
if ! $decompress "$sourcefile" | gpg ...
I thought so too, but the manpage of 'lrzip' lacks all equivalents of a '-c' option like gz, and it does not say what happens to the original file. Everywhere else in makepkg, lrzip is only called with no filenames.
Ok, then: $decompress <"$sourcefile" | gpg ....
So, how exactly do you *know* that your variant won't do anything bad?
Files hosted on kernel.org only provide signatures for the uncompress tarball. Support this scheme by transparently uncompressing the archives and piping the data into gpg. --- scripts/makepkg.sh.in | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index b69c071..7181fa8 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1250,7 +1250,7 @@ check_pgpsigs() { msg "$(gettext "Verifying source file signatures with %s...")" "gpg" - local file pubkey + local file pubkey ext decompress found local warning=0 local errors=0 local statusfile=$(mktemp) @@ -1269,13 +1269,30 @@ check_pgpsigs() { continue fi - if ! sourcefile="$(get_filepath "${file%.*}")"; then + found=0 + for ext in "" gz bz2 xz lrz lzo Z; do + if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then + found=1 + break; + fi + done + if (( ! found )); then printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2 errors=1 continue fi - if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then + case "$ext" in + gz) decompress="gzip -c -d -f" ;; + bz2) decompress="bzip2 -c -d -f" ;; + xz) decompress="xz -c -d" ;; + lrz) decompress="lrzip -q -d" ;; + lzo) decompress="lzop -c -d -q" ;; + Z) decompress="uncompress -c -f" ;; + "") decompress="cat" ;; + esac + + if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then printf '%s' "$(gettext "FAILED")" >&2 if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2 -- 1.9.0
On 28/02/14 10:45, Thomas Bächler wrote:
Files hosted on kernel.org only provide signatures for the uncompress tarball. Support this scheme by transparently uncompressing the archives and piping the data into gpg. ---
==> Validating source files with md5sums... linux-3.13.tar.xz ... Passed linux-3.13.tar.sign ... Skipped patch-3.13.2.xz ... Passed ==> Verifying source file signatures with gpg... linux-3.13.tar ... Passed Great! A
Am 28.02.2014 01:45, schrieb Thomas Bächler:
Files hosted on kernel.org only provide signatures for the uncompress tarball. ^^^^^^^^^^ There's a typo in here, it should be 'uncompressed'.
Support this scheme by transparently uncompressing the archives and piping the data into gpg.
On 28/02/14 20:16, Thomas Bächler wrote:
Am 28.02.2014 01:45, schrieb Thomas Bächler:
Files hosted on kernel.org only provide signatures for the uncompress tarball. ^^^^^^^^^^ There's a typo in here, it should be 'uncompressed'.
Thanks. Fixed on my branch.
participants (4)
-
Allan McRae
-
Dave Reisner
-
Martin Panter
-
Thomas Bächler