169 lines
5.6 KiB
Bash
169 lines
5.6 KiB
Bash
|
#!/bin/sh
|
||
|
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
|
||
|
|
||
|
prog=$( basename $0 .bash )
|
||
|
ROLE=base
|
||
|
. /usr/local/bin/usr_local_tput.bash
|
||
|
|
||
|
PYVER=3
|
||
|
PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
|
||
|
|
||
|
[ -d /etc/portage ] || exit 0
|
||
|
|
||
|
usage () { echo "USAGE: $prog [command args] -" $* ; exit 1 ; }
|
||
|
error () { retval=$1 ; shift; ERROR "$prog" $* ; exit $retval ; }
|
||
|
warn () { : ; }
|
||
|
info () { : ; }
|
||
|
debug () { : ; }
|
||
|
|
||
|
# must be run as root
|
||
|
[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
|
||
|
|
||
|
[ -f /etc/portage/package.use/2021-00_verify-sig.txt ] || \
|
||
|
touch /etc/portage/package.use/2021-00_verify-sig.txt || exit 2
|
||
|
|
||
|
equery h -F '$cp:$slot' verify-sig | \
|
||
|
sed -e 's/:0.*//' | while read b ; do \
|
||
|
grep -q "^$b " /etc/portage/package.use/2021-00_verify-sig.txt && continue
|
||
|
eix -r "^$b$" | grep -q Installed && \
|
||
|
echo '#' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt || \
|
||
|
echo '##' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt
|
||
|
done
|
||
|
|
||
|
[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff ] || \
|
||
|
cat > /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff << EOF
|
||
|
*** eclass_cache.py.dst 2021-06-13 21:26:05.000000000 +0000
|
||
|
--- eclass_cache.py 2021-06-24 10:45:12.422857990 +0000
|
||
|
***************
|
||
|
*** 166,175 ****
|
||
|
--- 166,176 ----
|
||
|
return d
|
||
|
|
||
|
def get_eclass_data(self, inherits):
|
||
|
ec_dict = {}
|
||
|
for x in inherits:
|
||
|
+ if x not in self.eclasses: continue
|
||
|
ec_dict[x] = self.eclasses[x]
|
||
|
|
||
|
return ec_dict
|
||
|
|
||
|
@property
|
||
|
EOF
|
||
|
[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.dst ] || \
|
||
|
patch -b -z .dst /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py \
|
||
|
< /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff
|
||
|
|
||
|
[ -f /usr/portage/eclass/verify-sig.eclass.diff ] || \
|
||
|
cat > /usr/portage/eclass/verify-sig.eclass.diff << EOF
|
||
|
*** /usr/portage/eclass/verify-sig.eclass.dst 2021-07-29 06:09:55.000000000 +0000
|
||
|
--- /usr/portage/eclass/verify-sig.eclass 2021-08-18 19:13:29.502980940 +0000
|
||
|
***************
|
||
|
*** 86,95 ****
|
||
|
--- 86,99 ----
|
||
|
[[ -n ${key} ]] ||
|
||
|
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
|
||
|
|
||
|
local extra_args=()
|
||
|
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
|
||
|
+ # gemato -R, --no-refresh-keys
|
||
|
+ # Disable refreshing OpenPGP key (prevents network
|
||
|
+ # access, applicable when using -K only)
|
||
|
+ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
|
||
|
[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
|
||
|
--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
|
||
|
)
|
||
|
|
||
|
# GPG upstream knows better than to follow the spec, so we can't
|
||
|
***************
|
||
|
*** 98,110 ****
|
||
|
addpredict /run/user
|
||
|
|
||
|
local filename=${file##*/}
|
||
|
[[ ${file} == - ]] && filename='(stdin)'
|
||
|
einfo "Verifying ${filename} ..."
|
||
|
! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
|
||
|
! gpg --verify "${sig}" "${file}" ||
|
||
|
! die "PGP signature verification failed"
|
||
|
}
|
||
|
|
||
|
# @FUNCTION: verify-sig_verify_message
|
||
|
# @USAGE: <file> <output-file> [<key-file>]
|
||
|
# @DESCRIPTION:
|
||
|
--- 102,121 ----
|
||
|
addpredict /run/user
|
||
|
|
||
|
local filename=${file##*/}
|
||
|
[[ ${file} == - ]] && filename='(stdin)'
|
||
|
einfo "Verifying ${filename} ..."
|
||
|
! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
|
||
|
! gpg --verify --disable-dirmngr \
|
||
|
! "${sig}" "${file}"
|
||
|
! # --keyserver-options http-proxy=http://localhost:3128
|
||
|
! einfo `env |sort`
|
||
|
! # env - is necessary andx sufficient
|
||
|
! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
|
||
|
! gpg --verify --disable-dirmngr \
|
||
|
! "${sig}" "${file}" || \
|
||
|
! die "PGP signature verification failed"
|
||
|
}
|
||
|
|
||
|
# @FUNCTION: verify-sig_verify_message
|
||
|
# @USAGE: <file> <output-file> [<key-file>]
|
||
|
# @DESCRIPTION:
|
||
|
***************
|
||
|
*** 122,131 ****
|
||
|
--- 133,143 ----
|
||
|
[[ -n ${key} ]] ||
|
||
|
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
|
||
|
|
||
|
local extra_args=()
|
||
|
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
|
||
|
+ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
|
||
|
[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
|
||
|
--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
|
||
|
)
|
||
|
|
||
|
# GPG upstream knows better than to follow the spec, so we can't
|
||
|
***************
|
||
|
*** 134,146 ****
|
||
|
addpredict /run/user
|
||
|
|
||
|
local filename=${file##*/}
|
||
|
[[ ${file} == - ]] && filename='(stdin)'
|
||
|
einfo "Verifying ${filename} ..."
|
||
|
! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
|
||
|
! gpg --verify --output="${output_file}" "${file}" ||
|
||
|
! die "PGP signature verification failed"
|
||
|
}
|
||
|
|
||
|
# @FUNCTION: verify-sig_verify_signed_checksums
|
||
|
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
|
||
|
# @DESCRIPTION:
|
||
|
--- 146,165 ----
|
||
|
addpredict /run/user
|
||
|
|
||
|
local filename=${file##*/}
|
||
|
[[ ${file} == - ]] && filename='(stdin)'
|
||
|
einfo "Verifying ${filename} ..."
|
||
|
! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
|
||
|
! gpg --verify --disable-dirmngr --output="${output_file}" \
|
||
|
! "${file}"
|
||
|
! # --keyserver-options http-proxy=http://localhost:3128
|
||
|
! einfo `env |sort`
|
||
|
! # env - is necessary and sufficient
|
||
|
! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
|
||
|
! gpg --verify --disable-dirmngr --output="${output_file}" \
|
||
|
! "${file}" || \
|
||
|
! die "PGP signature verification failed"
|
||
|
}
|
||
|
|
||
|
# @FUNCTION: verify-sig_verify_signed_checksums
|
||
|
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
|
||
|
# @DESCRIPTION:
|
||
|
EOF
|
||
|
|
||
|
[ -f /usr/portage/eclass/verify-sig.eclass.dst ] || \
|
||
|
patch -b -z .dst /usr/portage/eclass/verify-sig.eclass \
|
||
|
< /usr/portage/eclass/verify-sig.eclass.diff || exit 3
|
||
|
|