| @@ -1,18 +1,18 @@ | | | @@ -1,18 +1,18 @@ |
| 1 | #! /bin/sh | | 1 | #! /bin/sh |
| 2 | | | 2 | |
| 3 | # $NetBSD: chk.sh,v 1.1 2014/02/04 02:11:18 agc Exp $ | | 3 | # $NetBSD: chk.sh,v 1.2 2015/01/30 18:55:01 agc Exp $ |
| 4 | | | 4 | |
| 5 | # Copyright (c) 2013,2014 Alistair Crooks <agc@NetBSD.org> | | 5 | # Copyright (c) 2013,2014,2015 Alistair Crooks <agc@NetBSD.org> |
| 6 | # All rights reserved. | | 6 | # All rights reserved. |
| 7 | # | | 7 | # |
| 8 | # Redistribution and use in source and binary forms, with or without | | 8 | # Redistribution and use in source and binary forms, with or without |
| 9 | # modification, are permitted provided that the following conditions | | 9 | # modification, are permitted provided that the following conditions |
| 10 | # are met: | | 10 | # are met: |
| 11 | # 1. Redistributions of source code must retain the above copyright | | 11 | # 1. Redistributions of source code must retain the above copyright |
| 12 | # notice, this list of conditions and the following disclaimer. | | 12 | # notice, this list of conditions and the following disclaimer. |
| 13 | # 2. Redistributions in binary form must reproduce the above copyright | | 13 | # 2. Redistributions in binary form must reproduce the above copyright |
| 14 | # notice, this list of conditions and the following disclaimer in the | | 14 | # notice, this list of conditions and the following disclaimer in the |
| 15 | # documentation and/or other materials provided with the distribution. | | 15 | # documentation and/or other materials provided with the distribution. |
| 16 | # | | 16 | # |
| 17 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | | 17 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| 18 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | | 18 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| @@ -24,46 +24,40 @@ | | | @@ -24,46 +24,40 @@ |
| 24 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | | 24 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | | 25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 26 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | | 26 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | # | | 27 | # |
| 28 | | | 28 | |
| 29 | die() { | | 29 | die() { |
| 30 | echo "$*" >&2 | | 30 | echo "$*" >&2 |
| 31 | exit 1 | | 31 | exit 1 |
| 32 | } | | 32 | } |
| 33 | | | 33 | |
| 34 | os=EdgeBSD | | 34 | os=EdgeBSD |
| 35 | osrev=6 | | 35 | osrev=6 |
| 36 | arch=amd64 | | 36 | arch=amd64 |
| 37 | pkgsrc=pkgsrc-2013Q2 | | 37 | pkgsrc=pkgsrc-2013Q1 |
| 38 | keyring="" | | | |
| 39 | while [ $# -gt 0 ]; do | | 38 | while [ $# -gt 0 ]; do |
| 40 | case "$1" in | | 39 | case "$1" in |
| 41 | --arch|-a) arch=$2; shift ;; | | 40 | --arch|-a) arch=$2; shift ;; |
| 42 | --keyring|-k) keyring=$2; shift ;; | | | |
| 43 | --os|-o) os=$2; shift ;; | | 41 | --os|-o) os=$2; shift ;; |
| 44 | --pkgsrc) pkgsrc=$2; shift ;; | | 42 | --pkgsrc) pkgsrc=$2; shift ;; |
| 45 | -v) set -x ;; | | 43 | -v) set -x ;; |
| 46 | *) break ;; | | 44 | *) break ;; |
| 47 | esac | | 45 | esac |
| 48 | shift | | 46 | shift |
| 49 | done | | 47 | done |
| 50 | | | 48 | |
| 51 | case "${keyring}" in | | | |
| 52 | "") keyring=$HOME/.gnupg/pubring.gpg ;; | | | |
| 53 | esac | | | |
| 54 | | | | |
| 55 | #fetch file | | 49 | #fetch file |
| 56 | repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${arch}/${os}-${osrev}/${pkgsrc}/All/ | | 50 | repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${os}-${osrev}/${arch}/${pkgsrc}/All/ |
| 57 | | | 51 | |
| 58 | if [ ! -f $1 ]; then | | 52 | if [ ! -f $1 ]; then |
| 59 | case "${repo}" in | | 53 | case "${repo}" in |
| 60 | */) remote=${repo}$1 ;; | | 54 | */) remote=${repo}$1 ;; |
| 61 | *) remote=${repo}/$1 ;; | | 55 | *) remote=${repo}/$1 ;; |
| 62 | esac | | 56 | esac |
| 63 | ftp ${remote} | | 57 | ftp ${remote} |
| 64 | fi | | 58 | fi |
| 65 | | | 59 | |
| 66 | name=$(basename $1 .tgz) | | 60 | name=$(basename $1 .tgz) |
| 67 | dir=$(mktemp -d /tmp/chk.XXXXXX) | | 61 | dir=$(mktemp -d /tmp/chk.XXXXXX) |
| 68 | here=$(pwd) | | 62 | here=$(pwd) |
| 69 | case "$1" in | | 63 | case "$1" in |
| @@ -88,32 +82,34 @@ n=0 | | | @@ -88,32 +82,34 @@ n=0 |
| 88 | while [ ${off} -lt ${size} ]; do | | 82 | while [ ${off} -lt ${size} ]; do |
| 89 | rm -f ${dir}/in | | 83 | rm -f ${dir}/in |
| 90 | dd if=${dir}/$1 of=${dir}/in bs=${blocksize} count=1 skip=${n} 2>/dev/null | | 84 | dd if=${dir}/$1 of=${dir}/in bs=${blocksize} count=1 skip=${n} 2>/dev/null |
| 91 | digest ${digest} < ${dir}/in >> ${dir}/calc | | 85 | digest ${digest} < ${dir}/in >> ${dir}/calc |
| 92 | off=$(( off + ${blocksize} )) | | 86 | off=$(( off + ${blocksize} )) |
| 93 | n=$(( n + 1 )) | | 87 | n=$(( n + 1 )) |
| 94 | done | | 88 | done |
| 95 | printf "end pkgsrc signature\n" >> ${dir}/calc | | 89 | printf "end pkgsrc signature\n" >> ${dir}/calc |
| 96 | | | 90 | |
| 97 | # make sure what was signed is what we have | | 91 | # make sure what was signed is what we have |
| 98 | diff ${dir}/+PKG_HASH ${dir}/calc || die "Bad hashes generated" | | 92 | diff ${dir}/+PKG_HASH ${dir}/calc || die "Bad hashes generated" |
| 99 | | | 93 | |
| 100 | # use netpgpverify to verify the signature | | 94 | # use netpgpverify to verify the signature |
| 101 | if [ -x /usr/pkg/bin/netpgpverify ]; then | | 95 | if [ -x /usr/bin/netpgpverify -o -x /usr/pkg/bin/netpgpverify ]; then |
| | | 96 | echo "=== Using netpgpverify to verify the package signature ===" |
| 102 | # check the signature in +PKG_GPG_SIGNATURE | | 97 | # check the signature in +PKG_GPG_SIGNATURE |
| 103 | cp ${keyring} ${dir}/pubring.gpg | | 98 | cp ${here}/pubring.pub ${dir}/pubring.gpg |
| 104 | # calculate the sig file we want to verify | | 99 | # calculate the sig file we want to verify |
| 105 | echo "-----BEGIN PGP SIGNED MESSAGE-----" > ${dir}/${name}.sig | | 100 | echo "-----BEGIN PGP SIGNED MESSAGE-----" > ${dir}/${name}.sig |
| 106 | echo "Hash: ${digest}" >> ${dir}/${name}.sig | | 101 | echo "Hash: ${digest}" >> ${dir}/${name}.sig |
| 107 | echo "" >> ${dir}/${name}.sig | | 102 | echo "" >> ${dir}/${name}.sig |
| 108 | cat ${dir}/+PKG_HASH ${dir}/+PKG_GPG_SIGNATURE >> ${dir}/${name}.sig | | 103 | cat ${dir}/+PKG_HASH ${dir}/+PKG_GPG_SIGNATURE >> ${dir}/${name}.sig |
| 109 | (cd ${dir} && netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature" | | 104 | (cd ${dir} && netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature" |
| 110 | else | | 105 | else |
| 111 | gpg --recv 0x6F3AF5E2 | | 106 | echo "=== Using gpg to verify the package signature ===" |
| | | 107 | gpg --recv --keyserver pgp.mit.edu 0x6F3AF5E2 |
| 112 | (cd ${dir} && gpg --verify --homedir=${dir} ./+PKG_GPG_SIGNATURE ./+PKG_HASH) || die "Bad signature" | | 108 | (cd ${dir} && gpg --verify --homedir=${dir} ./+PKG_GPG_SIGNATURE ./+PKG_HASH) || die "Bad signature" |
| 113 | fi | | 109 | fi |
| 114 | echo "Signatures match on ${name} package" | | 110 | echo "Signatures match on ${name} package" |
| 115 | | | 111 | |
| 116 | # clean up | | 112 | # clean up |
| 117 | rm -rf ${dir} | | 113 | rm -rf ${dir} |
| 118 | | | 114 | |
| 119 | exit 0 | | 115 | exit 0 |