From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Dec 25 05:50:19 2003
Message-Id: <20031225134736.86816.qmail@kolobov.com>
Date: 25 Dec 2003 13:47:36 -0000
From: Sergei Kolobov
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures

>Number:         60558
>Category:       ports
>Synopsis:       [PATCH] bsd.port.mk: automatically verify GnuPG signatures
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 25 05:50:16 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Sergei Kolobov
>Release:        FreeBSD 5.2-BETA i386
>Organization:
>Environment:
System: FreeBSD elf.chetwood.ru 5.2-BETA FreeBSD 5.2-BETA #0: Wed Dec 3 19:11:41 MSK 2003 sgk@elf.chetwood.ru:/usr/obj/usr/src/sys/ELF i386
>Description:
Add hooks to automatically verify GnuPG signatures.

Example usage:

1. Simple (the most common) case, assuming all defaults:

PORTNAME=	libgcrypt
PORTVERSION=	1.1.43
[...]
USE_GPG=	yes
[...]

This adds libgcrypt-1.1.43.tar.gz.sig to the list of files to fetch, checks the MD5 checksum of the signature, and then verifies the GnuPG signature in the "checksum" target:

sgk@elf% make checksum

>How-To-Repeat:
>Fix:
--- gpg-sig.patch begins here --- Index: bsd.port.mk =================================================================== RCS file: /FreeBSD/cvs/ports/Mk/bsd.port.mk,v retrieving revision 1.474 diff -u -r1.474 bsd.port.mk --- bsd.port.mk 24 Nov 2003 01:08:41 -0000 1.474 +++ bsd.port.mk 25 Dec 2003 13:24:28 -0000
@@ -305,6 +305,24 @@ # CPPFLAGS and LDFLAGS in CONFIGURE_ENV. # Default: not set. ## +# USE_GPG - Says that the port has files with detached GnuPG +# signatures. Automatically adds files with SIG_SUFFIX +# to the list of files to be fetched. +# Signature verification is done in checksum target. +# SIGNED_FILES - List of files that are signed (have detached signatures) +# (default: ${DISTFILES}) +# SIG_FILES - List of signature files. Unless overridden, include +# all files from SIGNED_FILES, each with SIG_SUFFIX added. +# SIG_SUFFIX - Suffix of detached signature file name - e.g. .sig or .asc +# (default: ".sig") +# GPG - Set to path of GnuPG binary (default: ${LOCALBASE}/bin/gpg) +# GPG_FLAGS - Parameters to pass to GnuPG when verifying a signature +# (default: "--verify --keyserver ${KEYSERVER} \ +# --keyserver-options auto-key-retrieve") +# KEYSERVER - Host name of PGP/GPG keyserver to use for fetching +# public keys not found in your current keyring +# (default: pgp.mit.edu) +## # USE_PERL5 - Says that the port uses perl5 for building and running. # USE_PERL5_BUILD - Says that the port uses perl5 for building. # USE_PERL5_RUN - Says that the port uses perl5 for running. @@ -1053,6 +1071,13 @@ RUN_DEPENDS+= ${APXS}:${PORTSDIR}/${APACHE_PORT} .endif +.if defined(USE_GPG) +GPG?= ${LOCALBASE}/bin/gpg +GPG_FLAGS?= --verify --keyserver ${KEYSERVER} \ + --keyserver-options auto-key-retrieve +KEYSERVER?= pgp.mit.edu +.endif + .if !defined(PERL_LEVEL) && defined(PERL_VERSION) perl_major= ${PERL_VERSION:C|^([1-9]+).*|\1|} _perl_minor= 00${PERL_VERSION:C|^([1-9]+)\.([0-9]+).*|\2|} 
@@ -2234,7 +2259,16 @@ .endfor _G_TEMP= _G_TEMP_TEMP= -ALLFILES?= ${_DISTFILES} ${_PATCHFILES} +.if defined(USE_GPG) +SIGNED_FILES?= ${_DISTFILES} +SIG_SUFFIX?= .sig +.if !defined(SIG_FILES) +.for __FILE in ${SIGNED_FILES} +SIG_FILES+= ${__FILE}${SIG_SUFFIX} +.endfor +.endif +.endif +ALLFILES?= ${_DISTFILES} ${_PATCHFILES} ${SIG_FILES} # # Sort the master site list according to the patterns in MASTER_SORT @@ -2812,7 +2846,7 @@ @${MKDIR} ${_DISTDIR} @(cd ${_DISTDIR}; \ ${_MASTER_SITES_ENV} ; \ - for _file in ${DISTFILES}; do \ + for _file in ${DISTFILES} ${SIG_FILES}; do \ file=`echo $$_file | ${SED} -E -e 's/:[^:]+$$//'` ; \ select=`echo $${_file#$${file}} | ${SED} -e 's/^://' -e 's/,/ /g'` ; \ force_fetch=false; \ 
@@ -3905,6 +3939,16 @@ exit 1; \ fi); \ fi +.if defined(USE_GPG) +.if exists(${GPG}) +.for __SIG in ${SIG_FILES} + @${ECHO_MSG} "===> Verifying GnuPG signature for ${__SIG:S/${SIG_SUFFIX}//}" + @${GPG} ${GPG_FLAGS} ${DISTDIR}/${__SIG} +.endfor +.else + @${ECHO_MSG} "===> GnuPG not installed. Signature(s) cannot be verified" +.endif +.endif .endif ################################################################ --- gpg-sig.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
>> Checksum OK for libgcrypt-1.1.43.tar.gz.
>> Checksum OK for libgcrypt-1.1.43.tar.gz.sig.
===> Verifying GnuPG signature for libgcrypt-1.1.43.tar.gz
gpg: Signature made Thu Sep 4 14:48:49 2003 MSD using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD
sgk@elf%

The public key will be automatically fetched from a keyserver if it is not found on the user's keyring.

NOTE: the patch does NOT add an automatic dependency on security/gnupg; rather, if no gpg is found, it displays a warning message saying that it could not verify signatures.

2. Use an alternate suffix for signatures:

[...]
USE_GPG=	yes
SIG_SUFFIX=	.asc
[...]

3. Port has 2 distfiles, but only 1 has a signature. The solution: override either SIGNED_FILES or SIG_FILES:

a. Overriding SIGNED_FILES:

DISTFILES=	file1.tar.gz file2.tar.gz
[...]
USE_GPG=	yes
SIGNED_FILES=	file1.tar.gz
[...]

b. Overriding SIG_FILES:

DISTFILES=	file1.tar.gz file2.tar.gz
[...]
USE_GPG=	yes
SIG_FILES=	file1.tar.gz.asc
[...]
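Review bot: the USE_GPG documentation block (hunk @@ -305) should state what a passing check actually proves. `gpg --verify` exits 0 for a "Good signature" from any key it can obtain, including an uncertified one (the sample run in this PR shows exactly that WARNING), so with the default `--keyserver-options auto-key-retrieve` the checksum target establishes that the distfile matches its .sig, not that the signer is the upstream author. Say so explicitly under USE_GPG, and consider a knob for the expected key fingerprint that the checksum target compares against, since "Signature verification is done in checksum target" otherwise reads as a stronger guarantee than the code gives.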
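Review bot: in the defaults hunk (@@ -1053), `GPG_FLAGS` bundles the `--verify` action with the tunable keyserver options, so a port or user who overrides GPG_FLAGS only to change the keyserver options silently drops `--verify`. Keep `--verify` on the command line in the checksum target and let GPG_FLAGS hold only the options, e.g. `GPG_FLAGS?= --keyserver ${KEYSERVER} --keyserver-options auto-key-retrieve`. Minor: `KEYSERVER?= pgp.mit.edu` is defined after the GPG_FLAGS line that references it; this works because `?=` expands lazily, but defining KEYSERVER first reads more clearly.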
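Review bot: in the ALLFILES hunk (@@ -2234), `ALLFILES?= ${_DISTFILES} ${_PATCHFILES} ${SIG_FILES}` sits outside the `.if defined(USE_GPG)` block, so a port that sets SIG_FILES without USE_GPG gets its signature files fetched and checksummed but never verified; either make SIG_FILES effective only under USE_GPG or document that it has no effect on its own. Adding SIG_FILES to ALLFILES also means every port that turns on USE_GPG must add an MD5 line for each .sig file to its distinfo (the description confirms the checksum target checks them); that requirement belongs in the USE_GPG documentation.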
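Review bot: in the fetch hunk (@@ -2812), the loop runs over `${DISTFILES} ${SIG_FILES}` and strips a `:group` MASTER_SITES suffix from each entry with sed, but SIG_FILES is derived in the earlier hunk from `_DISTFILES`, the internal list that bsd.port.mk keeps without that suffix. A signature for a distfile that belongs to a site group is therefore fetched from the default site list instead of from the group of the file it signs, and fails to fetch when the signature lives only on the group's sites. Derive the default SIG_FILES from DISTFILES (keeping the suffix, inserted before the `:group` part) or re-attach the group of the corresponding signed file.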
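Review bot: in the checksum hunk (@@ -3905), the verify command passes `${DISTDIR}/${__SIG}`, but the fetch target works in `${_DISTDIR}` (see `cd ${_DISTDIR}` in the fetch hunk), which includes DIST_SUBDIR when a port sets it; for such ports gpg cannot find the signature and `make checksum` fails, so use ${_DISTDIR} here. Two smaller points: `${__SIG:S/${SIG_SUFFIX}//}` in the message replaces the first occurrence of the suffix anywhere in the name, so anchor it (`:S/${SIG_SUFFIX}$//`); and with `auto-key-retrieve` in the default flags, a key missing from the keyring makes this step, and therefore every `make checksum`, depend on pgp.mit.edu being reachable, which deserves a note next to the "GnuPG not installed" message.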
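The checksum step above, written as a stand-alone shell example that is not part of the PR or of bsd.port.mk: it runs the same `gpg --verify` on a distfile and its detached signature, but goes one step further than the patch by reading gpg's machine-readable status output and comparing the VALIDSIG fingerprint with one the port declares, so a good signature from an unrelated key is rejected. It assumes gpg is in PATH (or $GPG is set) and that the caller supplies the expected fingerprint; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the PR's code): verify DISTDIR/FILE against
# DISTDIR/FILE<SUFFIX> like the proposed checksum target, but pin the key.
# gpg --verify exits 0 for a "Good signature" from an uncertified key (see
# the WARNING in the sample run), so the verdict is taken from the
# --status-fd lines instead and the VALIDSIG fingerprint must match.

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read gpg status lines on stdin. Succeed only if a VALIDSIG line names the
# expected fingerprint (signing key in field 3, primary key in field 12);
# any BADSIG, ERRSIG or NO_PUBKEY line fails immediately.
check_gpg_status() {
    want=$(norm_fpr "$1")
    matched=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line            # whitespace-split the status fields
                if [ "$3" = "$want" ] || [ "${12:-}" = "$want" ]; then
                    matched=0
                fi ;;
        esac
    done
    return $matched
}

# Verify one distfile. Args: distdir file suffix expected_fingerprint.
# Status lines go to stdout (--status-fd 1); gpg's human output stays on stderr.
verify_signed_distfile() {
    distdir=$1; file=$2; suffix=$3; expected=$4
    echo "===> Verifying GnuPG signature for $file"
    "${GPG:-gpg}" --batch --status-fd 1 --verify \
        "$distdir/$file$suffix" "$distdir/$file" | check_gpg_status "$expected"
}

# Example call (not run here): pin the fingerprint shown in the sample run.
# verify_signed_distfile /usr/ports/distfiles libgcrypt-1.1.43.tar.gz .sig \
#     '6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD'
```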