Date: 25 Dec 2003 13:47:36 -0000
From: Sergei Kolobov <sergei@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Message-ID: <20031225134736.86816.qmail@kolobov.com>
Resent-Message-ID: <200312251350.hBPDoG4x018540@freefall.freebsd.org>
>Number:         60558
>Category:       ports
>Synopsis:       [PATCH] bsd.port.mk: automatically verify GnuPG signatures
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 25 05:50:16 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Sergei Kolobov <sergei@FreeBSD.org>
>Release:        FreeBSD 5.2-BETA i386
>Organization:
>Environment:
System: FreeBSD elf.chetwood.ru 5.2-BETA FreeBSD 5.2-BETA #0: Wed Dec 3 19:11:41 MSK 2003 sgk@elf.chetwood.ru:/usr/obj/usr/src/sys/ELF i386
>Description:
Add hooks to automatically verify GnuPG signatures.

Example usage:

1. Simple (the most common) case, assuming all defaults:

    PORTNAME=       libgcrypt
    PORTVERSION=    1.1.43
    [...]
    USE_GPG=        yes
    [...]

This adds libgcrypt-1.1.43.tar.gz.sig to the list of files to fetch, checks the MD5 checksum of the signature, and then verifies the GnuPG signature in the "checksum" target:

sgk@elf% make checksum
>How-To-Repeat:
>Fix:
--- gpg-sig.patch begins here --- Index: bsd.port.mk =================================================================== RCS file: /FreeBSD/cvs/ports/Mk/bsd.port.mk,v retrieving revision 1.474 diff -u -r1.474 bsd.port.mk --- bsd.port.mk 24 Nov 2003 01:08:41 -0000 1.474 +++ bsd.port.mk 25 Dec 2003 13:24:28 -0000
@@ -305,6 +305,24 @@ # CPPFLAGS and LDFLAGS in CONFIGURE_ENV. # Default: not set. ## +# USE_GPG - Says that the port has files with detached GnuPG +# signatures. Automatically adds files with SIG_SUFFIX +# to the list of files to be fetched. +# Signature verification is done in checksum target. +# SIGNED_FILES - List of files that are signed (have detached signatures) +# (default: ${DISTFILES}) +# SIG_FILES - List of signature files. Unless overridden, include +# all files from SIGNED_FILES, each with SIG_SUFFIX added. +# SIG_SUFFIX - Suffix of detached signature file name - e.g. .sig or .asc +# (default: ".sig") +# GPG - Set to path of GnuPG binary (default: ${LOCALBASE}/bin/gpg) +# GPG_FLAGS - Parameters to pass to GnuPG when verifying a signature +# (default: "--verify --keyserver ${KEYSERVER} \ +# --keyserver-options auto-key-retrieve") +# KEYSERVER - Host name of PGP/GPG keyserver to use for fetching +# public keys not found in your current keyring +# (default: pgp.mit.edu) +## # USE_PERL5 - Says that the port uses perl5 for building and running. # USE_PERL5_BUILD - Says that the port uses perl5 for building. # USE_PERL5_RUN - Says that the port uses perl5 for running. @@ -1053,6 +1071,13 @@ RUN_DEPENDS+= ${APXS}:${PORTSDIR}/${APACHE_PORT} .endif +.if defined(USE_GPG) +GPG?= ${LOCALBASE}/bin/gpg +GPG_FLAGS?= --verify --keyserver ${KEYSERVER} \ + --keyserver-options auto-key-retrieve +KEYSERVER?= pgp.mit.edu +.endif + .if !defined(PERL_LEVEL) && defined(PERL_VERSION) perl_major= ${PERL_VERSION:C|^([1-9]+).*|\1|} _perl_minor= 00${PERL_VERSION:C|^([1-9]+)\.([0-9]+).*|\2|} 
@@ -2234,7 +2259,16 @@ .endfor _G_TEMP= _G_TEMP_TEMP= -ALLFILES?= ${_DISTFILES} ${_PATCHFILES} +.if defined(USE_GPG) +SIGNED_FILES?= ${_DISTFILES} +SIG_SUFFIX?= .sig +.if !defined(SIG_FILES) +.for __FILE in ${SIGNED_FILES} +SIG_FILES+= ${__FILE}${SIG_SUFFIX} +.endfor +.endif +.endif +ALLFILES?= ${_DISTFILES} ${_PATCHFILES} ${SIG_FILES} # # Sort the master site list according to the patterns in MASTER_SORT @@ -2812,7 +2846,7 @@ @${MKDIR} ${_DISTDIR} @(cd ${_DISTDIR}; \ ${_MASTER_SITES_ENV} ; \ - for _file in ${DISTFILES}; do \ + for _file in ${DISTFILES} ${SIG_FILES}; do \ file=`echo $$_file | ${SED} -E -e 's/:[^:]+$$//'` ; \ select=`echo $${_file#$${file}} | ${SED} -e 's/^://' -e 's/,/ /g'` ; \ force_fetch=false; \ 
@@ -3905,6 +3939,16 @@ exit 1; \ fi); \ fi +.if defined(USE_GPG) +.if exists(${GPG}) +.for __SIG in ${SIG_FILES} + @${ECHO_MSG} "===> Verifying GnuPG signature for ${__SIG:S/${SIG_SUFFIX}//}" + @${GPG} ${GPG_FLAGS} ${DISTDIR}/${__SIG} +.endfor +.else + @${ECHO_MSG} "===> GnuPG not installed. Signature(s) cannot be verified" +.endif +.endif .endif ################################################################ --- gpg-sig.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
>> Checksum OK for libgcrypt-1.1.43.tar.gz.
>> Checksum OK for libgcrypt-1.1.43.tar.gz.sig.
===> Verifying GnuPG signature for libgcrypt-1.1.43.tar.gz
gpg: Signature made Thu Sep 4 14:48:49 2003 MSD using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD
sgk@elf%

The public key will be automatically fetched from a keyserver if not found in the user's keyring.

NOTE: the patch does NOT add an automatic dependency on security/gnupg; rather, if no gpg is found, it displays a warning message saying that it could not verify signatures.

2. Use an alternate suffix for signatures:

    [...]
    USE_GPG=        yes
    SIG_SUFFIX=     .asc
    [...]

3. Port has 2 distfiles, but only 1 has a signature. The solution: override either SIGNED_FILES or SIG_FILES:

a. Overriding SIGNED_FILES:

    DISTFILES=      file1.tar.gz file2.tar.gz
    [...]
    USE_GPG=        yes
    SIGNED_FILES=   file1.tar.gz
    [...]

b. Overriding SIG_FILES:

    DISTFILES=      file1.tar.gz file2.tar.gz
    [...]
    USE_GPG=        yes
    SIG_FILES=      file1.tar.gz.asc
    [...]
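Review bot: the USE_GPG variable documentation in the @@ -305 hunk leaves out two things a port maintainer needs and that only the PR text states: that verification is skipped with a message when ${GPG} is not installed (so USE_GPG is best effort, not a guarantee), and that the signature files join the fetch list and therefore need entries in distinfo. It should also say that the default GPG_FLAGS make the checksum target contact ${KEYSERVER} over the network, which is new behaviour for that target.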
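Review bot: the GPG_FLAGS default in the @@ -1053 hunk turns on `--keyserver-options auto-key-retrieve`, which imports whatever key ${KEYSERVER} returns for the key ID embedded in the signature, so the set of keys the check will accept is decided by the keyserver at build time rather than by the port, and a short key ID is not a unique identifier. Consider making retrieval opt-in (a plain `--verify` default, with `--keyserver ${KEYSERVER}` only when the port or user asks for it) and having the port state which key it expects, rather than fetching and accepting on the fly.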
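Review bot: in the @@ -2234 hunk SIGNED_FILES defaults to ${_DISTFILES}, which (going by the loop that ends just above the hunk) is the form of DISTFILES with the `:group` suffix already stripped, while the fetch loop in the following hunk still parses that suffix off each name to select sites; a signature name derived here therefore never carries the group its distfile was restricted to. Deriving SIG_FILES from ${DISTFILES} (keeping the suffix) or documenting that grouped ports must set SIG_FILES themselves would close that gap. Also, adding ${SIG_FILES} to ALLFILES means every port that turns on USE_GPG needs `make makesum` rerun, otherwise checksum fails on the new files.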
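Review bot: extending this single loop in the @@ -2812 hunk covers do-fetch, but any other target that walks ${DISTFILES} the same way (fetch-list, for instance) should be kept in step with it, or users will see signatures fetched by one target and not listed by another; a grep for `for _file in ${DISTFILES}` would show the remaining spots. It is also worth stating in the PR that, because the signature is fetched through the same site loop, an upstream that stops publishing a .sig for one release will now fail the fetch outright for ports with USE_GPG set.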
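Review bot: the verification in the @@ -3905 hunk is not fatal in the two cases that matter. When ${GPG} is missing it prints a message and checksum still succeeds, so a user who enabled USE_GPG expecting verification gets none; and when gpg does run, `gpg --verify` exits 0 for a "Good signature" from any key, trusted or not, which is exactly the situation in the PR's own sample run (the WARNING lines do not change the exit code). Suggest that ports record the expected signing key fingerprint (a hypothetical GPG_FINGERPRINT variable) and that the target compare it against the VALIDSIG line of `gpg --status-fd` output, and that a missing gpg be an error, or at least a knob. Two smaller points: the fetch hunk works in ${_DISTDIR} while this one reads ${DISTDIR}/${__SIG}, which disagrees whenever the two differ (DIST_SUBDIR); and `${__SIG:S/${SIG_SUFFIX}//}` is unanchored, so `${__SIG:S/${SIG_SUFFIX}$//}` is safer, and passing the data file explicitly (`${GPG} ${GPG_FLAGS} ${_DISTDIR}/${__SIG} ${_DISTDIR}/${__SIG:S/${SIG_SUFFIX}$//}`) avoids relying on gpg guessing the name from the suffix.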
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031225134736.86816.qmail>
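The sample run in the PR passes even though gpg warns that the key is not certified, because `gpg --verify` exits 0 for any good signature. The following is an added example, not part of the PR or of bsd.port.mk, of how a checksum-style check could pin the signing key instead: it parses gpg's `--status-fd` output for the VALIDSIG line (whose first field is the fingerprint of the key that made the signature) and compares it with a fingerprint the port maintainer recorded ahead of time. The variable name GPG_FINGERPRINT is hypothetical, and the status lines it runs over are constructed, using the fingerprint printed in the PR's sample output; the remaining VALIDSIG fields are filler.

```shell
#!/bin/sh
# Added example, not part of the PR or of bsd.port.mk: accept a detached
# signature only if it was made by the key whose fingerprint the port
# pinned in advance.  GPG_FINGERPRINT is a hypothetical variable name.
# gpg's --status-fd lines are parsed instead of its exit code, because
# "gpg --verify" exits 0 for a good signature from any key, trusted or not.

# Print the signing-key fingerprint from the first VALIDSIG status line on
# stdin; print nothing if no valid signature was reported.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Usage: check_pinned_sig EXPECTED_FPR < gpg_status_output
# Exit 0 on match, 1 if no valid signature, 2 if signed by another key.
# Spaces and lower-case hex in the pinned value are tolerated.
check_pinned_sig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(validsig_fpr)
    [ -n "$got" ] || return 1
    [ "$got" = "$expected" ] || return 2
    return 0
}

# In a real checksum target the status lines would come from gpg itself:
#   gpg --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null \
#       | check_pinned_sig "$GPG_FINGERPRINT"
# Here constructed status output stands in for that, so the example runs
# offline.  The fingerprint is the one printed in the PR's sample run; the
# timestamps and algorithm fields are filler.
GPG_FINGERPRINT='6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD'

GOOD_STATUS='[GNUPG:] SIG_ID 3Xq2a1 2003-09-04 1062679729
[GNUPG:] GOODSIG 68B7AB8957548DCD Werner Koch (gnupg sig) <dd9jn@gnu.org>
[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2003-09-04 1062679729 0 3 0 17 2 00 6BD9050FD8FC941B43412DCC68B7AB8957548DCD
[GNUPG:] TRUST_UNDEFINED'

# Same shape, but a good signature from a different (constructed) key:
# this is the case a bare "gpg --verify" exit code would let through.
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2003-09-04 1062679729 0 3 0 17 2 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED'

# A signature that did not verify at all: gpg emits BADSIG, never VALIDSIG.
BAD_STATUS='[GNUPG:] BADSIG 68B7AB8957548DCD Werner Koch (gnupg sig) <dd9jn@gnu.org>'

# Run one case and report the status code check_pinned_sig returned.
run_case() {
    printf '%s\n' "$2" | check_pinned_sig "$GPG_FINGERPRINT"
    rc=$?
    echo "$1: rc=$rc"
}

run_case "pinned key" "$GOOD_STATUS"       # rc=0: accept
run_case "other key"  "$OTHER_KEY_STATUS"  # rc=2: refuse
run_case "bad sig"    "$BAD_STATUS"        # rc=1: refuse
```

Comparing the full fingerprint rather than the 8-character key ID is the point of the check: the key ID is what auto-key-retrieve looks up, and it is not unique, while the fingerprint identifies one key. Wired into the checksum target, a non-zero return from check_pinned_sig would be treated like a checksum mismatch.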