diff options
author | Michał Górny <mgorny@gentoo.org> | 2020-11-05 15:52:20 +0100 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2020-11-08 01:12:13 +0100 |
commit | f6a3bfcdda14d5ed2b9ac0a9e378f31c03fac809 (patch) | |
tree | 21c6a35df7fcfecabc0f2a0d180d2e3eb2176fde /eclass | |
parent | app-crypt/openpgp-keys-django: Add keys for Django releases (diff) | |
download | gentoo-f6a3bfcdda14d5ed2b9ac0a9e378f31c03fac809.tar.gz gentoo-f6a3bfcdda14d5ed2b9ac0a9e378f31c03fac809.tar.bz2 gentoo-f6a3bfcdda14d5ed2b9ac0a9e378f31c03fac809.zip |
verify-sig.eclass: Add a function to verify PGP signed messages
Add a function to verify files containing PGP signed messages (i.e. not
using detached signatures). This will be used for projects that publish
signed checksum lists.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/verify-sig.eclass | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index d16181f3bf0a..a499dd3c6c2a 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -111,6 +111,42 @@ verify-sig_verify_detached() { die "PGP signature verification failed" } +# @FUNCTION: verify-sig_verify_message +# @USAGE: <file> <output-file> [<key-file>] +# @DESCRIPTION: +# Verify that the file ('-' for stdin) contains a valid, signed PGP +# message and write the message into <output-file> ('-' for stdout). +# <key-file> can either be passed directly, or it defaults +# to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification +# fails. Note that using output from <output-file> is important as it +# prevents the injection of unsigned data. +verify-sig_verify_message() { + local file=${1} + local output_file=${2} + local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}} + + [[ -n ${key} ]] || + die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset" + + local extra_args=() + [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R ) + [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=( + --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}" + ) + + # GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME. + addpredict /run/user + + local filename=${file##*/} + [[ ${file} == - ]] && filename='(stdin)' + einfo "Verifying ${filename} ..." + gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \ + gpg --verify --output="${output_file}" "${sig}" "${file}" || + die "PGP signature verification failed" +} + # @FUNCTION: verify-sig_src_unpack # @DESCRIPTION: # Default src_unpack override that verifies signatures for all |