| @@ -1,18 +1,18 @@ | | | @@ -1,18 +1,18 @@ |
1 | #! /bin/sh | | 1 | #! /bin/sh |
2 | | | 2 | |
3 | # $NetBSD: chk.sh,v 1.1 2014/02/04 02:11:18 agc Exp $ | | 3 | # $NetBSD: chk.sh,v 1.2 2015/01/30 18:55:01 agc Exp $ |
4 | | | 4 | |
5 | # Copyright (c) 2013,2014 Alistair Crooks <agc@NetBSD.org> | | 5 | # Copyright (c) 2013,2014,2015 Alistair Crooks <agc@NetBSD.org> |
6 | # All rights reserved. | | 6 | # All rights reserved. |
7 | # | | 7 | # |
8 | # Redistribution and use in source and binary forms, with or without | | 8 | # Redistribution and use in source and binary forms, with or without |
9 | # modification, are permitted provided that the following conditions | | 9 | # modification, are permitted provided that the following conditions |
10 | # are met: | | 10 | # are met: |
11 | # 1. Redistributions of source code must retain the above copyright | | 11 | # 1. Redistributions of source code must retain the above copyright |
12 | # notice, this list of conditions and the following disclaimer. | | 12 | # notice, this list of conditions and the following disclaimer. |
13 | # 2. Redistributions in binary form must reproduce the above copyright | | 13 | # 2. Redistributions in binary form must reproduce the above copyright |
14 | # notice, this list of conditions and the following disclaimer in the | | 14 | # notice, this list of conditions and the following disclaimer in the |
15 | # documentation and/or other materials provided with the distribution. | | 15 | # documentation and/or other materials provided with the distribution. |
16 | # | | 16 | # |
17 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | | 17 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
18 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | | 18 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| @@ -24,46 +24,40 @@ | | | @@ -24,46 +24,40 @@ |
24 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | | 24 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | | 25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
26 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | | 26 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
27 | # | | 27 | # |
28 | | | 28 | |
29 | die() { | | 29 | die() { |
30 | echo "$*" >&2 | | 30 | echo "$*" >&2 |
31 | exit 1 | | 31 | exit 1 |
32 | } | | 32 | } |
33 | | | 33 | |
34 | os=EdgeBSD | | 34 | os=EdgeBSD |
35 | osrev=6 | | 35 | osrev=6 |
36 | arch=amd64 | | 36 | arch=amd64 |
37 | pkgsrc=pkgsrc-2013Q2 | | 37 | pkgsrc=pkgsrc-2013Q1 |
38 | keyring="" | | | |
39 | while [ $# -gt 0 ]; do | | 38 | while [ $# -gt 0 ]; do |
40 | case "$1" in | | 39 | case "$1" in |
41 | --arch|-a) arch=$2; shift ;; | | 40 | --arch|-a) arch=$2; shift ;; |
42 | --keyring|-k) keyring=$2; shift ;; | | | |
43 | --os|-o) os=$2; shift ;; | | 41 | --os|-o) os=$2; shift ;; |
44 | --pkgsrc) pkgsrc=$2; shift ;; | | 42 | --pkgsrc) pkgsrc=$2; shift ;; |
45 | -v) set -x ;; | | 43 | -v) set -x ;; |
46 | *) break ;; | | 44 | *) break ;; |
47 | esac | | 45 | esac |
48 | shift | | 46 | shift |
49 | done | | 47 | done |
50 | | | 48 | |
51 | case "${keyring}" in | | | |
52 | "") keyring=$HOME/.gnupg/pubring.gpg ;; | | | |
53 | esac | | | |
54 | | | | |
55 | #fetch file | | 49 | #fetch file |
56 | repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${arch}/${os}-${osrev}/${pkgsrc}/All/ | | 50 | repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${os}-${osrev}/${arch}/${pkgsrc}/All/ |
57 | | | 51 | |
58 | if [ ! -f $1 ]; then | | 52 | if [ ! -f $1 ]; then |
59 | case "${repo}" in | | 53 | case "${repo}" in |
60 | */) remote=${repo}$1 ;; | | 54 | */) remote=${repo}$1 ;; |
61 | *) remote=${repo}/$1 ;; | | 55 | *) remote=${repo}/$1 ;; |
62 | esac | | 56 | esac |
63 | ftp ${remote} | | 57 | ftp ${remote} |
64 | fi | | 58 | fi |
65 | | | 59 | |
66 | name=$(basename $1 .tgz) | | 60 | name=$(basename $1 .tgz) |
67 | dir=$(mktemp -d /tmp/chk.XXXXXX) | | 61 | dir=$(mktemp -d /tmp/chk.XXXXXX) |
68 | here=$(pwd) | | 62 | here=$(pwd) |
69 | case "$1" in | | 63 | case "$1" in |
| @@ -88,32 +82,34 @@ n=0 | | | @@ -88,32 +82,34 @@ n=0 |
88 | while [ ${off} -lt ${size} ]; do | | 82 | while [ ${off} -lt ${size} ]; do |
89 | rm -f ${dir}/in | | 83 | rm -f ${dir}/in |
90 | dd if=${dir}/$1 of=${dir}/in bs=${blocksize} count=1 skip=${n} 2>/dev/null | | 84 | dd if=${dir}/$1 of=${dir}/in bs=${blocksize} count=1 skip=${n} 2>/dev/null |
91 | digest ${digest} < ${dir}/in >> ${dir}/calc | | 85 | digest ${digest} < ${dir}/in >> ${dir}/calc |
92 | off=$(( off + ${blocksize} )) | | 86 | off=$(( off + ${blocksize} )) |
93 | n=$(( n + 1 )) | | 87 | n=$(( n + 1 )) |
94 | done | | 88 | done |
95 | printf "end pkgsrc signature\n" >> ${dir}/calc | | 89 | printf "end pkgsrc signature\n" >> ${dir}/calc |
96 | | | 90 | |
97 | # make sure what was signed is what we have | | 91 | # make sure what was signed is what we have |
98 | diff ${dir}/+PKG_HASH ${dir}/calc || die "Bad hashes generated" | | 92 | diff ${dir}/+PKG_HASH ${dir}/calc || die "Bad hashes generated" |
99 | | | 93 | |
100 | # use netpgpverify to verify the signature | | 94 | # use netpgpverify to verify the signature |
101 | if [ -x /usr/pkg/bin/netpgpverify ]; then | | 95 | if [ -x /usr/bin/netpgpverify -o -x /usr/pkg/bin/netpgpverify ]; then |
| | | 96 | echo "=== Using netpgpverify to verify the package signature ===" |
102 | # check the signature in +PKG_GPG_SIGNATURE | | 97 | # check the signature in +PKG_GPG_SIGNATURE |
103 | cp ${keyring} ${dir}/pubring.gpg | | 98 | cp ${here}/pubring.pub ${dir}/pubring.gpg |
104 | # calculate the sig file we want to verify | | 99 | # calculate the sig file we want to verify |
105 | echo "-----BEGIN PGP SIGNED MESSAGE-----" > ${dir}/${name}.sig | | 100 | echo "-----BEGIN PGP SIGNED MESSAGE-----" > ${dir}/${name}.sig |
106 | echo "Hash: ${digest}" >> ${dir}/${name}.sig | | 101 | echo "Hash: ${digest}" >> ${dir}/${name}.sig |
107 | echo "" >> ${dir}/${name}.sig | | 102 | echo "" >> ${dir}/${name}.sig |
108 | cat ${dir}/+PKG_HASH ${dir}/+PKG_GPG_SIGNATURE >> ${dir}/${name}.sig | | 103 | cat ${dir}/+PKG_HASH ${dir}/+PKG_GPG_SIGNATURE >> ${dir}/${name}.sig |
109 | (cd ${dir} && netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature" | | 104 | (cd ${dir} && netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature" |
110 | else | | 105 | else |
111 | gpg --recv 0x6F3AF5E2 | | 106 | echo "=== Using gpg to verify the package signature ===" |
| | | 107 | gpg --recv --keyserver pgp.mit.edu 0x6F3AF5E2 |
112 | (cd ${dir} && gpg --verify --homedir=${dir} ./+PKG_GPG_SIGNATURE ./+PKG_HASH) || die "Bad signature" | | 108 | (cd ${dir} && gpg --verify --homedir=${dir} ./+PKG_GPG_SIGNATURE ./+PKG_HASH) || die "Bad signature" |
113 | fi | | 109 | fi |
114 | echo "Signatures match on ${name} package" | | 110 | echo "Signatures match on ${name} package" |
115 | | | 111 | |
116 | # clean up | | 112 | # clean up |
117 | rm -rf ${dir} | | 113 | rm -rf ${dir} |
118 | | | 114 | |
119 | exit 0 | | 115 | exit 0 |
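Review bot: Neither verification branch pins its trust anchor on the new side. At new line 98 the keyring is copied from `${here}/pubring.pub`, the current directory that the package is also fetched into, and at new line 107 the key is requested by the 32-bit short ID `0x6F3AF5E2`, which does not uniquely identify a key. I would keep the removed `--keyring` option with a fixed default outside the working directory, and name the gpg key by its full fingerprint, e.g. `gpg --homedir="${keydir}" --recv-keys <FULL_FINGERPRINT>` (placeholder; the fingerprint is not on this page). The key is also received into the default homedir while line 108 verifies with `--homedir=${dir}`, so the fetched key appears not to be the one consulted, and `${dir}` also holds package-derived files such as `+PKG_HASH`. Separately, line 95 tests `/usr/bin/netpgpverify` or `/usr/pkg/bin/netpgpverify` with `-x`, but line 104 runs `netpgpverify` through `PATH`; saving the path that passed the test and invoking that path would make the check match what is executed.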