Hello,

For those of you that have some interest in security.
Mirrors may be compromised, so using rsync or a snapshot without verifying the package source may lead to a compromised system.

I have rewritten emerge-webrsync to enable checking the tarball signature in portage.

Attached is a diff to enable some of this for paludis as well.

Usage for portage snapshot:
1. Set PALUDIS_GNUPGHOME in bashrc to point to the gnupg home directory where trust resides.
2. Import the release engineers' key (239C75C4) into this directory and mark it as trusted.
3. Set the following for the gentoo repository:
sync = tar+http+gpgsig://<mirror>/gentoo/snapshots/portage-latest.tar.lzma
sync_options = --strip-components=1 --timestamp=portage/metadata/timestamp.x

Notes:

1. I don't understand why paludis provides the dotar+* as separate files, as they are all the same... they can be symbolic links to one file.

2. Also, it is not clear to me why a local syncer cannot be placed in /etc/paludis, or at least in /usr/local/. I may be missing something, but I did not find any configuration location to specify this path.

3. The cleanup of TEMP should move to a trap, but I did not change the current behavior. It is easier to use a trap as it can be specified once throughout the source.
[[[
# Single quotes defer the ${TEMP} expansion until the trap fires at exit.
trap '[[ -n "${TEMP}" ]] && rm -fr "${TEMP}"' EXIT
]]]

4. Does anybody know why tarsync is not used in paludis? It is much quicker to use it instead of extracting the tarball and removing files.

Regards,
Alon.

---

--- dotar+http  2008-05-22 21:28:25.000000000 +0300
+++ dotar+http+gpgsig   2008-05-30 14:42:21.000000000 +0300
@@ -15,6 +15,9 @@ REMOTE=
 FETCHER_OPTIONS=( )
 UNPACK_OPTIONS=( )
 RSYNC_OPTIONS=( )
[EMAIL PROTECTED]
+SIGNATURE_SUFFIX=".gpgsig"
[EMAIL PROTECTED]
 
 while [[ $# -gt 0 ]]; do
     case "${1}" in
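Review bot: TIMESTAMP gets no default among the visible added lines of this defaults block, where only `SIGNATURE_SUFFIX=".gpgsig"` joins FETCHER_OPTIONS, UNPACK_OPTIONS and RSYNC_OPTIONS. The later `[[ -n "${TIMESTAMP}" ]]` test would then pick up whatever TIMESTAMP the calling environment happens to export, so add an explicit `TIMESTAMP=` here. A one-line comment saying that SIGNATURE_SUFFIX is the suffix appended to the tarball URL to fetch the detached signature would also help, since it is easy to confuse with the `+gpgsig` in the protocol name.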
@@ -44,9 +47,20 @@ while [[ $# -gt 0 ]]; do
         --rsync-option=*)
             [EMAIL PROTECTED]"${1#*=}"
             ;;
[EMAIL PROTECTED]
+       --timestamp=*)
+           TIMESTAMP="${1#*=}"
+           ;;
+       --signature-suffix=*)
+           SIGNATURE_SUFFIX="${1#*=}"
+           ;;
[EMAIL PROTECTED]
 
         --help)
             PROTO="${0##*/do}"
[EMAIL PROTECTED]
+            PROTO="${PROTO#${SIGNATURE_SUFFIX}}"
[EMAIL PROTECTED]
             if [[ "${PROTO}" == tar+file ]]; then
                 echo "    URL syntax: tar+file:///PATH"
             elif [[ "${PROTO}" == tar+http || "${PROTO}" == tar+https || 
"${PROTO}" == tar+ftp ]]; then
@@ -71,6 +85,13 @@ while [[ $# -gt 0 ]]; do
             echo "                                           useful with 
custom fetchers)"
             echo "        --rsync-option=OPTION           Pass OPTION to the 
local rsync"
             echo "        --tar-option=OPTION             Pass OPTION to tar"
[EMAIL PROTECTED]
+           if echo "$0" | grep -q "${SIGNATURE_SUFFIX}"; then
+                echo "        --timestamp=file=file           Check timestamp 
against file contents"
+                echo "        --signature-suffix=suffix       Signature suffix 
to download"
+                echo "                                        default: .gpgsig"
+           fi
[EMAIL PROTECTED]
             exit 0
             ;;
 
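Review bot: The condition `echo "$0" | grep -q "${SIGNATURE_SUFFIX}"` decides whether to print the gpgsig help by matching the download suffix against the script name, and it only succeeds with the default because the `.` in `.gpgsig` is a regex wildcard that happens to match the `+` in `+gpgsig`. With `--signature-suffix=.asc` given before `--help`, the extra help text disappears. Test the script name for the protocol marker instead, for example `[[ "${0##*/}" == *+gpgsig ]]`, which is what the verification hunk checks for. The help line `--timestamp=file=file` also looks like a typo for `--timestamp=FILE`, given that the option is parsed with `${1#*=}`.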
@@ -102,6 +123,9 @@ elif [[ -z "${REMOTE}" ]]; then
 fi
 
 URL="${REMOTE#tar+}"
[EMAIL PROTECTED]
+URL="${URL//+gpgsig}"
[EMAIL PROTECTED]
 
 PROTOCOL="${URL%%://*}"
 if [[ -z "${PROTOCOL}" ]]; then
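Review bot: `URL="${URL//+gpgsig}"` deletes every occurrence of `+gpgsig` in the whole URL, so a host name or path that contains that string is silently rewritten before the fetch. Restrict the removal to the scheme: strip `+gpgsig` from `${URL%%://*}` only and re-attach the part after `://` unchanged.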
@@ -133,6 +157,36 @@ TARFILE="${URL##*/}"
 
 "${FETCHER}" "[EMAIL PROTECTED]" "${URL}" "${TEMP}/${TARFILE}" || exit $?
 
[EMAIL PROTECTED]
+
+mydie() {
+       eerror "${1}"
+       rm -fr "${TEMP}"
+       exit 1
+}
+
+if echo "$0" | grep -q "+gpgsig"; then
+    [ -n "${PALUDIS_GNUPGHOME}" ] || mydie "Please set PALUDIS_GNUPGHOME"
+
+    "${FETCHER}" "[EMAIL PROTECTED]" "${URL}${SIGNATURE_SUFFIX}" 
"${TEMP}/${TARFILE}${SIGNATURE_SUFFIX}" || mydie "Cannot fetch signature"
+
+    ${GPG:-gpg} --homedir "${PALUDIS_GNUPGHOME}" --verify 
"${TEMP}/${TARFILE}${SIGNATURE_SUFFIX}" "${TEMP}/${TARFILE}" || mydie "Invalid 
signature"
+
+    if [[ -n "${TIMESTAMP}" ]]; then
+       TIMESTAMPDIR="${TEMP}/timestamp"
+       mkdir "${TIMESTAMPDIR}"
+       ( cd "${TIMESTAMPDIR}" && "${PALUDIS_EBUILD_DIR}/utils/unpack" \
+           "[EMAIL PROTECTED]" --tar-option="${TIMESTAMP}" \
+           "${TEMP}/${TARFILE}" ) || mydie "Cannot extract timestamp"
+       SNAPSHOT="$(find "${TIMESTAMPDIR}" -type f -exec cut -f 1 -d " " '{}' 
';' | head)" || mydie "Cannot extract timestamp"
+       NOW="$(date -u +%s)"
+       [[ ${SNAPSHOT} -ge $((${NOW} - 2*86400)) && ${SNAPSHOT} -le $((${NOW} + 
86400)) ]] || \
+               mydie "Invalid timestamp"
+    fi
+fi
+
[EMAIL PROTECTED]
+
 UNPACKDIR="${TEMP}/repository"
 mkdir "${UNPACKDIR}"
 ( cd "${UNPACKDIR}" && "${PALUDIS_EBUILD_DIR}/utils/unpack" \
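Review bot: The `--verify ... || mydie "Invalid signature"` line relies on gpg's exit status, which is 0 for a good signature from any public key present in PALUDIS_GNUPGHOME, whether or not that key has been marked trusted. Either document that this keyring must hold only the snapshot signing key, or run gpg with `--status-fd` and require a VALIDSIG line carrying the expected fingerprint. In the timestamp block, `| head` should be `| head -n 1` and SNAPSHOT should be checked to be a plain number before the `-ge` / `-le` comparison, because the `|| mydie` after the command substitution only sees the exit status of `head`, and `find` may return several files or none. `[ -n "${PALUDIS_GNUPGHOME}" ]` also mixes `[` with the `[[` used everywhere else in the script.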