base_role/overlay/Gentoo/usr/local/sbin/gentoo_base_verify-sig.bash

169 lines
5.6 KiB
Bash
Raw Permalink Normal View History

2024-01-06 01:38:28 +00:00
#!/bin/sh
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
prog=$( basename $0 .bash )
ROLE=base
. /usr/local/bin/usr_local_tput.bash
PYVER=3
PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
[ -d /etc/portage ] || exit 0
usage () { echo "USAGE: $prog [command args] -" $* ; exit 1 ; }
error () { retval=$1 ; shift; ERROR "$prog" $* ; exit $retval ; }
warn () { : ; }
info () { : ; }
debug () { : ; }
# must be run as root
[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
[ -f /etc/portage/package.use/2021-00_verify-sig.txt ] || \
touch /etc/portage/package.use/2021-00_verify-sig.txt || exit 2
equery h -F '$cp:$slot' verify-sig | \
sed -e 's/:0.*//' | while read b ; do \
grep -q "^$b " /etc/portage/package.use/2021-00_verify-sig.txt && continue
eix -r "^$b$" | grep -q Installed && \
echo '#' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt || \
echo '##' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt
done
[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff ] || \
cat > /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff << EOF
*** eclass_cache.py.dst 2021-06-13 21:26:05.000000000 +0000
--- eclass_cache.py 2021-06-24 10:45:12.422857990 +0000
***************
*** 166,175 ****
--- 166,176 ----
return d
def get_eclass_data(self, inherits):
ec_dict = {}
for x in inherits:
+ if x not in self.eclasses: continue
ec_dict[x] = self.eclasses[x]
return ec_dict
@property
EOF
[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.dst ] || \
patch -b -z .dst /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py \
< /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff
[ -f /usr/portage/eclass/verify-sig.eclass.diff ] || \
cat > /usr/portage/eclass/verify-sig.eclass.diff << EOF
*** /usr/portage/eclass/verify-sig.eclass.dst 2021-07-29 06:09:55.000000000 +0000
--- /usr/portage/eclass/verify-sig.eclass 2021-08-18 19:13:29.502980940 +0000
***************
*** 86,95 ****
--- 86,99 ----
[[ -n ${key} ]] ||
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
local extra_args=()
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ # gemato -R, --no-refresh-keys
+ # Disable refreshing OpenPGP key (prevents network
+ # access, applicable when using -K only)
+ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
)
# GPG upstream knows better than to follow the spec, so we can't
***************
*** 98,110 ****
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying ${filename} ..."
! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify "${sig}" "${file}" ||
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_message
# @USAGE: <file> <output-file> [<key-file>]
# @DESCRIPTION:
--- 102,121 ----
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying ${filename} ..."
! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr \
! "${sig}" "${file}"
! # --keyserver-options http-proxy=http://localhost:3128
! einfo `env |sort`
! # env - is necessary andx sufficient
! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr \
! "${sig}" "${file}" || \
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_message
# @USAGE: <file> <output-file> [<key-file>]
# @DESCRIPTION:
***************
*** 122,131 ****
--- 133,143 ----
[[ -n ${key} ]] ||
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
local extra_args=()
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
)
# GPG upstream knows better than to follow the spec, so we can't
***************
*** 134,146 ****
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying ${filename} ..."
! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --output="${output_file}" "${file}" ||
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_signed_checksums
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
# @DESCRIPTION:
--- 146,165 ----
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying ${filename} ..."
! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr --output="${output_file}" \
! "${file}"
! # --keyserver-options http-proxy=http://localhost:3128
! einfo `env |sort`
! # env - is necessary and sufficient
! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr --output="${output_file}" \
! "${file}" || \
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_signed_checksums
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
# @DESCRIPTION:
EOF
[ -f /usr/portage/eclass/verify-sig.eclass.dst ] || \
patch -b -z .dst /usr/portage/eclass/verify-sig.eclass \
< /usr/portage/eclass/verify-sig.eclass.diff || exit 3