commit:     e111329e222787152b6d99ce4b551c8758349aac
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Sun Sep  3 13:21:57 2023 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 05:30:10 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e111329e

verify-sig.eclass: Support `openssl dgst` format checksums

Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 eclass/tests/verify-sig.sh | 18 ++++++++++++++++
 eclass/verify-sig.eclass   | 54 ++++++++++++++++++++++++++++++----------------
 2 files changed, 54 insertions(+), 18 deletions(-)

diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
index fcd2ee7480a2..fb7f2cdb2a5d 100755
--- a/eclass/tests/verify-sig.sh
+++ b/eclass/tests/verify-sig.sh
@@ -62,4 +62,22 @@ EOF
 test_verify_unsigned_checksums sha256
 eoutdent
 
+einfo "Testing openssl-dgst format."
+eindent
+
+> "annoying ( filename )= yes ).txt" || die
+
+cat > checksums.txt <<-EOF || die
+       junk text that ought to be ignored
+
+       
SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+       SHA256(text)= 
b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+       
SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+
+       SHA256(annoying ( filename )= yes )= 
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+EOF
+
+test_verify_unsigned_checksums openssl-dgst
+eoutdent
+
 texit
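Review bot: The new fixture only contains `SHA256(...)` entries, so nothing pins what happens when the text before `(` is something else. That matters because the eclass change in this commit builds the verifier command name from that prefix. Consider adding a listed file whose only entry uses a different prefix, for example `MD5(otherfile)=<md5-hash-placeholder>`, and checking that it is not counted as a successful match. How `test_verify_unsigned_checksums` asserts its results is outside this hunk, so the exact expectation has to follow that helper.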

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d99dc3461858..815299b419ed 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -214,12 +214,15 @@ verify-sig_verify_message() {
 }
 
 # @FUNCTION: verify-sig_verify_unsigned_checksums
-# @USAGE: <checksum-file> <algo> <files>
+# @USAGE: <checksum-file> <format> <files>
 # @DESCRIPTION:
 # Verify the checksums for all files listed in the space-separated list
-# <files> (akin to ${A}) using a <checksum-file>.  <algo> specifies
-# the checksum algorithm (e.g. sha256).  <checksum-file> can be "-"
-# for stdin.
+# <files> (akin to ${A}) using a <checksum-file>.  <format> specifies
+# the checksum file format.  <checksum-file> can be "-" for stdin.
+#
+# The following formats are supported:
+#  - sha256 -- sha256sum (<hash> <filename>)
+#  - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)
 #
 # The function dies if one of the files does not match checksums or
 # is missing from the checksum file.
@@ -231,35 +234,50 @@ verify-sig_verify_message() {
 # verify-sig_verify_signed_checksums instead.
 verify-sig_verify_unsigned_checksums() {
        local checksum_file=${1}
-       local algo=${2}
+       local format=${2}
        local files=()
        read -r -d '' -a files <<<"${3}"
-       local chksum_prog chksum_len
+       local chksum_prog chksum_len algo=${format}
 
-       case ${algo} in
+       case ${format} in
                sha256)
-                       chksum_prog=sha256sum
                        chksum_len=64
                        ;;
+               openssl-dgst)
+                       ;;
                *)
-                       die "${FUNCNAME}: unknown checksum algo ${algo}"
+                       die "${FUNCNAME}: unknown checksum format ${format}"
                        ;;
        esac
 
        [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
-       local checksum filename junk ret=0 count=0
-       while read -r checksum filename junk; do
-               if [[ ${checksum} == "-----BEGIN" ]]; then
+       local line checksum filename junk ret=0 count=0
+       while read -r line; do
+               if [[ ${line} == "-----BEGIN"* ]]; then
                        die "${FUNCNAME}: PGP armor found, use 
verify-sig_verify_signed_checksums instead"
                fi
 
-               [[ ${#checksum} -eq ${chksum_len} ]] || continue
-               [[ -z ${checksum//[0-9a-f]} ]] || continue
-               has "${filename}" "${files[@]}" || continue
-               [[ -z ${junk} ]] || continue
+               case ${format} in
+                       sha256)
+                               read -r checksum filename junk <<<"${line}"
+                               [[ ${#checksum} -ne ${chksum_len} ]] && continue
+                               [[ -n ${checksum//[0-9a-f]} ]] && continue
+                               [[ -n ${junk} ]] && continue
+                               ;;
+                       openssl-dgst)
+                               [[ ${line} != *"("*")="* ]] && continue
+                               checksum=${line##*)=}
+                               algo=${line%%(*}
+                               filename=${line#*(}
+                               filename=${filename%)=*}
+                               ;;
+               esac
+
+               if ! has "${filename}" "${files[@]}"; then
+                       continue
+               fi
 
-               "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
-               if [[ ${?} -eq 0 ]]; then
+               if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; 
then
                        (( count++ ))
                else
                        ret=1
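Review bot: In the `openssl-dgst` branch, `algo=${line%%(*}` is taken straight from the checksum file and then run as `"${algo,,}sum"`, so the file's contents pick both the digest and the program that gets executed. A line such as `MD5(<file>)=<hash>` would be verified with a weaker digest than the caller may expect, and any text before the first `(` ends up in a command name. I would constrain it right after parsing, e.g. `case ${algo} in SHA256|SHA512) ;; *) continue ;; esac` (the exact allowlist is the maintainers' call), and list the accepted algorithms in the `@DESCRIPTION`. Unlike the `sha256` branch, `checksum` here skips the length and hex checks; `--strict` presumably rejects malformed lines, but a comment saying so would help. The function body continues past the end of this hunk.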
