From c46804a91d09ae9d737715dfb14019458bceefa1 Mon Sep 17 00:00:00 2001 From: rhatto Date: Thu, 22 Jan 2009 01:36:35 +0000 Subject: initial support for #41, lots of changes git-svn-id: svn+slack://slack.fluxo.info/var/svn/simplepkg@765 04377dda-e619-0410-9926-eae83683ac58 --- trunk/conf/simplepkg.conf | 9 +++ trunk/doc/CHANGELOG | 3 +- trunk/lib/common.sh | 50 ++++++++++------ trunk/src/createpkg | 11 +++- trunk/src/mkbuild | 146 +++++++++++++++++++++++++++++++++++++++++++--- 5 files changed, 191 insertions(+), 28 deletions(-) diff --git a/trunk/conf/simplepkg.conf b/trunk/conf/simplepkg.conf index 003d40e..2da1116 100644 --- a/trunk/conf/simplepkg.conf +++ b/trunk/conf/simplepkg.conf @@ -118,6 +118,15 @@ SIGN_PACKAGES_KEYID="" # Whether to use gpg-agent to sign packages SIGN_PACKAGES_WITH_GPG_AGENT="off" +# Whether mkbuild should sign Manifests. +SIGN_MANIFESTS="off" + +# GPG key id used for Manifest signature, leave blank to use default key. +SIGN_MANIFESTS_KEYID="" + +# Whether to use gpg-agent to sign Manifests +SIGN_MANIFESTS_WITH_GPG_AGENT="off" + #--------------------------------------------------------------------- # SIMPLARET SECTION #--------------------------------------------------------------------- diff --git a/trunk/doc/CHANGELOG b/trunk/doc/CHANGELOG index 21f945e..6ce61ee 100644 --- a/trunk/doc/CHANGELOG +++ b/trunk/doc/CHANGELOG @@ -52,7 +52,8 @@ simplepkg changelog - new config parameters PACKAGES_REPOS_STYLE, MOVE_SLACK_REQUIRED, MKBUILDS_SVN_USER, PACKAGES_SVN_USER, PACKAGES_SVN_GROUP, MKBUILDS_SVN_GROUP, PACKAGES_REPOS_NOARCH, PACKAGES_SVN, CREATEPKG_AUTHOR, SIGN_PACKAGES, SIGN_PACKAGES_USER. SIGN_PACKAGES_KEYID, - SIGN_PACKAGES_WITH_GPG_AGENT, SOURCE_DIR_USER, SOURCE_DIR_GROUP + SIGN_PACKAGES_WITH_GPG_AGENT, SOURCE_DIR_USER, SOURCE_DIR_GROUP, SIGN_MANIFESTS, + SIGN_MANIFESTS_KEYID, SIGN_MANIFESTS_WITH_GPG_AGENT - cleaner -s option output - lspkg: fix on package search routine - jail-commit: using unified diff 
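Review bot: The new conf block documents SIGN_MANIFESTS, SIGN_MANIFESTS_KEYID and SIGN_MANIFESTS_WITH_GPG_AGENT, but mkbuild's load_parameters in this commit also reads `SIGN_MANIFESTS_USER` (via `eval_parameter SIGN_MANIFESTS_USER`), which is neither documented here nor listed in the CHANGELOG hunk. Add the missing entry next to the key id, mirroring the SIGN_PACKAGES_USER parameter: `# User that signs Manifests, leave blank to sign as the current user.` followed by `SIGN_MANIFESTS_USER=""`. The CHANGELOG list of new parameters should name it as well.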
diff --git a/trunk/lib/common.sh b/trunk/lib/common.sh index 932c1c5..cc63bc6 100644 --- a/trunk/lib/common.sh +++ b/trunk/lib/common.sh @@ -1320,6 +1320,7 @@ function gen_meta { function repo_gpg_key { + # adds or updates a repository keyring # usage: repo_gpg_key [update] local folder="$1" update="$2" tmp_gpg_folder @@ -1335,7 +1336,7 @@ function repo_gpg_key { update=false fi - if [ $SIGN_PACKAGES -eq $on ]; then + if [ $SIGN -eq $on ]; then if [ -f "$folder/GPG-KEY" ]; then if $update || ! gpg --with-colons < $folder/GPG-KEY | cut -d : -f 5 | grep -q -e "$SIGN_KEYID$"; then echo "Adding OpenPGP key id $SIGN_KEYID to $folder/GPG-KEY file..." 
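Review bot: `if [ $SIGN -eq $on ]; then` depends on a new global that every caller must set before calling repo_gpg_key; with SIGN unset or empty the test degrades to `[ -eq 1 ]`, which is a syntax error in `[` rather than a false condition, and the function then takes the else path silently. Quote and default it, `if [ "${SIGN:-$off}" -eq $on ]; then`, so an uninitialised caller behaves as "signing off". The new header comment is also a good place to state that the function reads `SIGN`, `SIGN_KEYID` and `SIGN_USER`, which createpkg and mkbuild now populate in load_parameters. The body of repo_gpg_key continues outside this hunk.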
@@ -1343,17 +1344,17 @@ function repo_gpg_key { tmp_gpg_folder="`mktemp -d $TMP/tmp_gpg_folder.XXXXXX`" tmp_gpg_pubkey="`mktemp -d $TMP/tmp_gpg_pubkey.XXXXXX`" - if [ ! -z "$SIGN_PACKAGES_USER" ]; then - chown $SIGN_PACKAGES_USER $tmp_gpg_folder - chown $SIGN_PACKAGES_USER $tmp_gpg_pubkey + if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then + chown $SIGN_USER $tmp_gpg_folder + chown $SIGN_USER $tmp_gpg_pubkey # merge pubkey information in a temporary keyring - su $SIGN_PACKAGES_USER -c "gpg --export --armor $SIGN_KEYID > $tmp_gpg_pubkey/pubkey.asc" - su $SIGN_PACKAGES_USER -c "gpg --homedir $tmp_gpg_folder --import < $folder/GPG-KEY" - su $SIGN_PACKAGES_USER -c "gpg --homedir $tmp_gpg_folder --import < $tmp_gpg_pubkey/pubkey.asc" + su $SIGN_USER -c "gpg --export --armor $SIGN_KEYID > $tmp_gpg_pubkey/pubkey.asc" + su $SIGN_USER -c "gpg --homedir $tmp_gpg_folder --import < $folder/GPG-KEY" + su $SIGN_USER -c "gpg --homedir $tmp_gpg_folder --import < $tmp_gpg_pubkey/pubkey.asc" # export temporary keyring to repository keyring - su $SIGN_PACKAGES_USER -c "gpg --homedir $tmp_gpg_folder --export --armor" > $folder/GPG-KEY + su $SIGN_USER -c "gpg --homedir $tmp_gpg_folder --export --armor" > $folder/GPG-KEY else # merge pubkey information in a temporary keyring gpg --export --armor $SIGN_KEYID > $tmp_gpg_pubkey/pubkey.asc @@ -1370,8 +1371,8 @@ function repo_gpg_key { fi else echo "Adding OpenPGP key id $SIGN_KEYID to $folder/GPG-KEY file..." - if [ ! -z "$SIGN_PACKAGES_USER" ]; then - su $SIGN_PACKAGES_USER -c "gpg --export --armor $SIGN_KEYID" > $folder/GPG-KEY + if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then + su $SIGN_USER -c "gpg --export --armor $SIGN_KEYID" > $folder/GPG-KEY else gpg --export --armor $SIGN_KEYID > $folder/GPG-KEY fi 
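Review bot: The test `[ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]` followed by an `su $SIGN_USER -c "..."` / plain-command pair is now repeated here, in the second hunk of this function, in get_sign_user, in createpkg's signing block, and in mkbuild's mkbuild_update_keyring, sign_manifest and check_manifest_signature. Since this commit already centralises the SIGN_* globals in common.sh, a single helper there would remove six copies of the branch and keep the "same user, no su" rule in one place; `$SIGN_USER` should also be quoted in the su call. The rest of repo_gpg_key lies outside this hunk.
```sh
function run_as_sign_user {

  # run a shell command string as SIGN_USER when set and different
  # from the current user, otherwise in the current shell
  # usage: run_as_sign_user "command"

  if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
    su "$SIGN_USER" -c "$1"
  else
    sh -c "$1"
  fi

}
```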
@@ -1650,18 +1651,33 @@ function check_gnupg { } -function get_sign_packages_user { +function strip_gpg_signature { + + # strip gpg signature from file + # usage: strip_gpg_signature + + local file="$1" + + if [ -e "$file" ]; then + if grep -q -- "-----BEGIN PGP SIGNED MESSAGE-----" $file; then + sed -e '1,3d' -e '/^$/d' -e '/-----BEGIN PGP SIGNATURE-----/,/-----END PGP SIGNATURE-----/d' $file + else + cat $file + fi + fi + +} + +function get_sign_user { # get sign package user # usage: get_sign_package_user - check_gnupg $SIGN_PACKAGES_USER + check_gnupg $SIGN_USER - if [ ! -z "$SIGN_PACKAGES_KEYID" ]; then - SIGN_KEYID="$SIGN_PACKAGES_KEYID" - else - if [ ! -z "$SIGN_PACKAGES_USER" ]; then - SIGN_KEYID="`su $SIGN_PACKAGES_USER -c \ + if [ -z "$SIGN_KEYID" ]; then + if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then + SIGN_KEYID="`su $SIGN_USER -c \ "gpg --list-secret-keys --with-colons | grep ^sec | head -n 1 | cut -d : -f 5 | sed 's/^.*\(.\{8\}\)$/\1/'"`" else SIGN_KEYID="`gpg --list-secret-keys --with-colons | grep ^sec | head -n 1 | cut -d : -f 5 | sed 's/^.*\(.\{8\}\)$/\1/'`" diff --git a/trunk/src/createpkg b/trunk/src/createpkg index b3b3f97..705b10b 100644 --- a/trunk/src/createpkg +++ b/trunk/src/createpkg @@ -256,6 +256,11 @@ function load_parameters { GPG_AGENT_OPTION="" fi + # For use at common.sh functions + SIGN="$SIGN_PACKAGES" + SIGN_KEYID="$SIGN_PACKAGES_KEYID" + SIGN_USER="$SIGN_PACKAGES_USER" + REMOVE_OLD_PACKAGE="`eval_boolean_parameter REMOVE_OLD_PACKAGE $off`" MOVE_BIN_PACKAGE="`eval_boolean_parameter MOVE_BIN_PACKAGE $off`" MOVE_SLACK_REQUIRED="`eval_boolean_parameter MOVE_SLACK_REQUIRED $off`" @@ -633,7 +638,7 @@ case $1 in exit $EXIT_CODE ;; '--update-keyring') - get_sign_packages_user + get_sign_user repo_gpg_key $PACKAGES_DIR --update if [ $PACKAGES_REPOS_NOARCH -eq $on ]; then repo_gpg_key $NOARCH_DIR --update 
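Review bot: strip_gpg_signature's `sed -e '1,3d'` assumes the cleartext header is exactly three lines (BEGIN line, one `Hash:` line, blank), but a clearsigned armor may carry more than one header line before the blank separator, and it also leaves the dash-escaping that clearsign applies to lines starting with `-`; deleting by range is safer: `sed -e '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/d' -e 's/^- //' -e '/^$/d' -e '/-----BEGIN PGP SIGNATURE-----/,/-----END PGP SIGNATURE-----/d' $file`. The `grep -q` also matches the header anywhere in the file rather than on the first line, so a Manifest whose content merely contains that string would be treated as signed. Further down, get_sign_user keeps the comments `# get sign package user` / `# usage: get_sign_package_user` from the old name; they should read `# determine SIGN_KEYID for SIGN_USER` / `# usage: get_sign_user`. get_sign_user continues past the end of this hunk.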
@@ -773,9 +778,9 @@ if [ $SIGN_PACKAGES -eq $on ]; then echo "Signing package..." - get_sign_packages_user + get_sign_user - if [ ! -z "$SIGN_PACKAGES_USER" ]; then + if [ ! -z "$SIGN_PACKAGES_USER" ] && [ "`whoami`" != "$SIGN_PACKAGES_USER" ]; then tmp_sign_folder="`mktemp -d $TMP/createpkg_sign.XXXXXX`" chown $SIGN_PACKAGES_USER $tmp_sign_folder su $SIGN_PACKAGES_USER -c "gpg $GPG_AGENT_OPTION --armor -sb -u $SIGN_KEYID -o $tmp_sign_folder/$PKG_NAME.asc $PACKAGES_DIR/$PKG_NAME" diff --git a/trunk/src/mkbuild b/trunk/src/mkbuild index ffa4d04..6ca1259 100755 --- a/trunk/src/mkbuild +++ b/trunk/src/mkbuild @@ -238,6 +238,7 @@ function set_parameters { ;; '--sync' ) # Synchronize mkbuilds repository + mkbuild_update_keyring sync_repo $MKBUILDS_DIR $MKBUILDS_SVN exit $? ;; @@ -664,6 +665,10 @@ function submit_slackbuild { fi done + if [ "$SIGN_MANIFESTS" -eq $on ]; then + repo_gpg_key $SLACKBUILDS_DIR + fi + cd $WORK } @@ -708,6 +713,11 @@ function submit_mkbuild { done submit_cleanup + + if [ "$SIGN_MANIFESTS" -eq $on ]; then + repo_gpg_key $MKBUILDS_DIR + fi + cd $WORK } @@ -839,6 +849,30 @@ function load_parameters { COLOR_MODE="`eval_parameter COLOR_MODE none`" TMP="`eval_parameter TMP /tmp`" + SIGN_MANIFESTS="`eval_boolean_parameter SIGN_MANIFESTS $off`" + SIGN_MANIFESTS_USER="`eval_parameter SIGN_MANIFESTS_USER`" + SIGN_MANIFESTS_KEYID="`eval_parameter SIGN_MANIFESTS_KEYID`" + SIGN_MANIFESTS_WITH_GPG_AGENT="`eval_boolean_parameter SIGN_MANIFESTS_WITH_GPG_AGENT $off`" + + if [ ! -z "$SIGN_MANIFESTS_KEYID" ]; then + SIGN_MANIFESTS_KEYID="`echo $SIGN_MANIFESTS_KEYID | tr '[:lower:]' '[:upper:]'`" + fi + + if [ "$SIGN_MANIFESTS_WITH_GPG_AGENT" -eq $on ]; then + GPG_AGENT_OPTION="--use-agent" + else + GPG_AGENT_OPTION="" + fi + + # For use at common.sh functions + SIGN="$SIGN_MANIFESTS" + SIGN_KEYID="$SIGN_MANIFESTS_KEYID" + SIGN_USER="$SIGN_MANIFESTS_USER" + + if [ "$SIGN_MANIFESTS" -eq $on ]; then + get_sign_user + fi + } function file_metainfo { 
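Review bot: In the `--sync` branch `mkbuild_update_keyring` runs before `sync_repo`, so it imports the GPG-KEY that was already present and any key that this sync brings in is only picked up by a later run (or by the call inside check_manifest_signature). If the intent is to refresh the keyring after synchronising, the two lines should be swapped: `sync_repo $MKBUILDS_DIR $MKBUILDS_SVN` then `mkbuild_update_keyring`. The enclosing `case` in set_parameters continues outside the hunk.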
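Review bot: load_parameters now calls `get_sign_user` whenever SIGN_MANIFESTS is on, which runs check_gnupg and, when SIGN_KEYID is empty, `gpg --list-secret-keys` (possibly through `su`) on every mkbuild invocation, including ones that never write a Manifest, if load_parameters runs unconditionally at startup as its name suggests. Deferring that call to sign_manifest, just before the `--clearsign`, keeps the key lookup on the signing path only. Note also that `SIGN_USER` is taken from SIGN_MANIFESTS_USER, a parameter that the conf file in this commit does not document.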
@@ -941,7 +975,7 @@ function update_manifest_info { fi # Save Manifest changes - sort $tmpfile > $WORK/Manifest + strip_gpg_signature $tmpfile | sort > $WORK/Manifest rm -f $tmpfile @@ -949,6 +983,12 @@ function update_manifest_info { function edit_manifest { + # Check if existing Manifest is properly signed + if ! check_manifest_signature; then + echo "Invalid signature at $WORK/Manifest, aborting." + return 1 + fi + # Update Manifest file echo "Updating Manifest..." @@ -994,6 +1034,9 @@ function edit_manifest { fi done + # Finally, sign the Manifest + sign_manifest + } function get_file { @@ -1150,6 +1193,12 @@ function update_manifest { return fi + # Check if existing Manifest is properly signed + if ! check_manifest_signature; then + echo "Invalid signature at $WORK/Manifest, aborting." + return 1 + fi + echo "Updating DIST information at $MKBUILD_NAME Manifest..." # Determine file location @@ -1162,6 +1211,9 @@ function update_manifest { echo "Can't get $DIST_SRC_NAME." fi + # Finally, sign the Manifest + sign_manifest + } function if_previous_error { @@ -1400,11 +1452,14 @@ function make_slackbuild { # Update Manifest file edit_manifest - # Commit SlackBuild - [ $SUBMIT_SLACKBUILD -eq $on ] && submit_slackbuild + if [ "$?" == "0" ]; then - # Commit mkbuild - [ $SUBMIT_MKBUILD -eq $on ] && submit_mkbuild + # Commit SlackBuild + [ $SUBMIT_SLACKBUILD -eq $on ] && submit_slackbuild + + # Commit mkbuild + [ $SUBMIT_MKBUILD -eq $on ] && submit_mkbuild + fi } @@ -1468,8 +1523,6 @@ function edit_mkbuild { # edit a mkbuild # usage: edit_mkbuild - local match - if [ -e "$MKBUILD_NAME" ]; then if [ -z "$EDITOR" ]; then EDITOR="vi" 
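Review bot: edit_manifest's success status is whatever `sign_manifest` happens to return as its last command (the `mv` status when signing is on, the `if` status otherwise), and make_slackbuild now gates both submits on that through `if [ "$?" == "0" ]`; the coupling is accidental and deserves an explicit contract. Write the call as `if edit_manifest; then` and end edit_manifest with `sign_manifest || return 1` followed by `return 0`, so a failed signature visibly blocks the submit; the same applies to the new check in update_manifest. The two `echo "Invalid signature at $WORK/Manifest, aborting."` diagnostics should go to stderr (`>&2`) like other errors. edit_manifest and update_manifest both extend beyond their hunks.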
@@ -1482,6 +1535,85 @@ function edit_mkbuild { } +function mkbuild_update_keyring { + + # Update keyring using GPG-KEY from + # mkbuild repository + + local keyring keys key + + keyring="$MKBUILDS_DIR/GPG-KEY" + + if [ ! -e "$keyring" ]; then + repo_gpg_key $MKBUILDS_DIR + return + fi + + keys="`gpg --with-colons $MKBUILDS_DIR/GPG-KEY | cut -d : -f 5 | sed -e '/^$/d'`" + + for key in $keys; do + if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then + su $SIGN_USER -c "gpg --list-keys $key &> /dev/null" + if [ "$?" != "0" ]; then + echo "Updating keyring using $keyring..." + su $SIGN_USER -c "gpg --import $keyring" + break + fi + else + gpg --list-keys $key &> /dev/null + if [ "$?" != "0" ]; then + echo "Updating keyring using $keyring..." + gpg --import $keyring + break + fi + fi + done + +} + +function sign_manifest { + + # sign manifest file + # usage: sign_manifest + + if [ "$SIGN_MANIFESTS" -eq $on ]; then + echo "Signing Manifest..." + if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then + su $SIGN_USER -c "gpg $GPG_AGENT_OPTION --clearsign -u $SIGN_KEYID $WORK/Manifest" + mv $WORK/Manifest.asc $WORK/Manifest + else + gpg $GPG_AGENT_OPTION --clearsign -u $SIGN_KEYID $WORK/Manifest + mv $WORK/Manifest.asc $WORK/Manifest + fi + fi + +} + +function check_manifest_signature { + + # check if a manifest signature is valid + # usage: check_manifest_signature + + if [ -e "$WORK/Manifest" ]; then + if grep -q -- "-----BEGIN PGP SIGNED MESSAGE-----" $WORK/Manifest; then + echo "Checking existing Manifest signature..." + mkbuild_update_keyring + if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then + su $SIGN_USER -c "gpg --verify $WORK/Manifest" + if [ "$?" != "0" ]; then + return 1 + fi + else + gpg --verify $WORK/Manifest + if [ "$?" != "0" ]; then + return 1 + fi + fi + fi + fi + +} + function delete_mkbuilds { # TODO -- cgit v1.2.3
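Review bot: check_manifest_signature accepts a Manifest signed by any key in the local keyring, since `gpg --verify` exits 0 for every good signature regardless of which key made it or whether it is trusted, and it accepts a Manifest with no signature at all; together with mkbuild_update_keyring importing everything in the synced GPG-KEY, this only proves "signed by someone", not "signed by a repository key". Parse `--status-fd` output and require a `GOODSIG` whose key id appears in the repository GPG-KEY (the key list already computed in mkbuild_update_keyring), and when SIGN_MANIFESTS is on consider treating an unsigned Manifest as a failure rather than skipping the check. In sign_manifest, a failed `gpg --clearsign` leaves no Manifest.asc, so the `mv` fails and the unsigned Manifest stays in place with only an error from mv; chaining them, `gpg $GPG_AGENT_OPTION --yes --clearsign -u $SIGN_KEYID $WORK/Manifest && mv $WORK/Manifest.asc $WORK/Manifest || return 1`, makes the failure explicit and avoids gpg stopping on a stale Manifest.asc, which I believe it refuses to overwrite without `--yes`.
```sh
# … unchanged: mkbuild_update_keyring, sign_manifest …
      # accept only a good signature made by a key listed in the repository keyring
      trusted="`gpg --with-colons $MKBUILDS_DIR/GPG-KEY | cut -d : -f 5 | sed -e '/^$/d'`"
      if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
        signer="`su $SIGN_USER -c "gpg --status-fd 1 --verify $WORK/Manifest 2>/dev/null" | grep '^\[GNUPG:\] GOODSIG ' | cut -d ' ' -f 3`"
      else
        signer="`gpg --status-fd 1 --verify $WORK/Manifest 2>/dev/null | grep '^\[GNUPG:\] GOODSIG ' | cut -d ' ' -f 3`"
      fi
      if [ -z "$signer" ] || ! echo "$trusted" | grep -q -x -e "$signer"; then
        echo "Manifest signature was not made by a repository key." >&2
        return 1
      fi
```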