Signed-off-by: Michał Górny <mgo...@gentoo.org>
---
 eclass/verify-sig.eclass | 55 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 8445f4e26440..b6dd31fa83a1 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -143,6 +143,61 @@ verify-sig_verify_message() {
                die "PGP signature verification failed"
 }
 
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>.  <algo>
+# specified the checksum algorithm (e.g. sha256).  <key-file> can either
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if PGP verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums
+# or are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+       local checksum_file=${1}
+       local algo=${2}
+       local files=()
+       read -r -d '' -a files <<<"${3}"
+       local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+       local chksum_prog chksum_len
+       case ${algo} in
+               sha256)
+                       chksum_prog=sha256sum
+                       chksum_len=64
+                       ;;
+               *)
+                       die "${FUNCNAME}: unknown checksum algo ${algo}"
+                       ;;
+       esac
+
+       [[ -n ${key} ]] ||
+               die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH 
unset"
+
+       verify-sig_verify_message "${checksum_file}" "${key}"
+
+       local checksum filename junk ret=0 count=0
+       while read -r checksum filename junk; do
+               [[ ${#checksum} -eq ${chksum_len} ]] || continue
+               [[ -z ${checksum//[0-9a-f]} ]] || continue
+               has "$(unknown)" "${files[@]}" || continue
+               [[ -z ${junk} ]] || continue
+
+               "${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
+               if [[ ${?} -eq 0 ]]; then
+                       (( count++ ))
+               else
+                       ret=1
+               fi
+       done <"${checksum_file}"
+
+       [[ ${ret} -eq 0 ]] ||
+               die "${FUNCNAME}: at least one file did not verify successfully"
+       [[ ${count} -eq ${#files[@]} ]] ||
+               die "${FUNCNAME}: checksums for some of the specified files 
were missing"
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all
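Review bot: The `while read` loop that ends at `done <"${checksum_file}"` parses the raw signed file after `verify-sig_verify_message` has accepted it, so any line outside the clearsigned block (text before the signed-message header or after the signature) is trusted exactly like the signed lines, and the length/hex/`has` filters cannot tell them apart; the body of `verify-sig_verify_message` is outside this hunk, so whether it rejects such unsigned surrounding data cannot be confirmed here, and the safer shape is to have the verifier emit the verified payload (gpg's `--output`) and read that instead of `${checksum_file}`. Separately, `count` counts matching lines rather than distinct files, so a duplicated entry in the checksum file satisfies `[[ ${count} -eq ${#files[@]} ]]` while another listed file has no entry at all; tracking verified names in an associative array closes that, as below. The `$(unknown)` tokens on the `has` line and the `<<<` line look like an archive rendering artifact of `${filename}` — as literally shown they would be a command substitution, so they should be checked against the original patch. In the `@DESCRIPTION` block, `<algo> specified the checksum algorithm` should read `<algo> specifies the checksum algorithm`.
```bash
	local checksum filename junk ret=0
	local -A seen=()
	while read -r checksum filename junk; do
		# … unchanged: length, hex, has and junk filters …
		# … unchanged: "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}" …
		if [[ ${?} -eq 0 ]]; then
			# record the name, not a line count, so duplicates cannot mask a missing file
			seen[${filename}]=1
		else
			ret=1
		fi
	done <"${checksum_file}"

	[[ ${ret} -eq 0 ]] ||
		die "${FUNCNAME}: at least one file did not verify successfully"
	[[ ${#seen[@]} -eq ${#files[@]} ]] ||
		die "${FUNCNAME}: checksums for some of the specified files were missing"
```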
-- 
2.29.2

