diff options
Diffstat (limited to 'security/netpgpverify/files/chk.sh')
| -rwxr-xr-x | security/netpgpverify/files/chk.sh | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/security/netpgpverify/files/chk.sh b/security/netpgpverify/files/chk.sh new file mode 100755 index 00000000000..8af99f1a360 --- /dev/null +++ b/security/netpgpverify/files/chk.sh @@ -0,0 +1,119 @@ +#! /bin/sh + +# $NetBSD: chk.sh,v 1.1 2014/02/04 02:11:18 agc Exp $ + +# Copyright (c) 2013,2014 Alistair Crooks <agc@NetBSD.org> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# + +die() { + echo "$*" >&2 + exit 1 +} + +os=EdgeBSD +osrev=6 +arch=amd64 +pkgsrc=pkgsrc-2013Q2 +keyring="" +while [ $# -gt 0 ]; do + case "$1" in + --arch|-a) arch=$2; shift ;; + --keyring|-k) keyring=$2; shift ;; + --os|-o) os=$2; shift ;; + --pkgsrc) pkgsrc=$2; shift ;; + -v) set -x ;; + *) break ;; + esac + shift +done + +case "${keyring}" in +"") keyring=$HOME/.gnupg/pubring.gpg ;; +esac + +#fetch file +repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${arch}/${os}-${osrev}/${pkgsrc}/All/ + +if [ ! -f $1 ]; then + case "${repo}" in + */) remote=${repo}$1 ;; + *) remote=${repo}/$1 ;; + esac + ftp ${remote} +fi + +name=$(basename $1 .tgz) +dir=$(mktemp -d /tmp/chk.XXXXXX) +here=$(pwd) +case "$1" in +/*) archive=$1 ;; +*) archive=${here}/$1 ;; +esac +(cd ${dir} && ar x ${archive}) + +# grab values from already calculated hashes +digest=$(awk '$1 ~ /algorithm:/ { print $2 }' ${dir}/+PKG_HASH) +blocksize=$(awk '/^block size:/ { print $3 }' ${dir}/+PKG_HASH) + +# check the hashes in +PKG_HASH match the original archive +size=$(ls -l ${dir}/$1 | awk '{ print $5 }') +printf "pkgsrc signature\n\nversion: 1\n" > ${dir}/calc +printf "pkgname: %s\n" ${name} >> ${dir}/calc +printf "algorithm: ${digest}\n" >> ${dir}/calc +printf "block size: ${blocksize}\n" >> ${dir}/calc +printf "file size: %s\n\n" ${size} >> ${dir}/calc +off=0 +n=0 +while [ ${off} -lt ${size} ]; do + rm -f ${dir}/in + dd if=${dir}/$1 of=${dir}/in bs=${blocksize} count=1 skip=${n} 2>/dev/null + digest ${digest} < ${dir}/in >> ${dir}/calc + off=$(( off + ${blocksize} )) + n=$(( n + 1 )) +done +printf "end pkgsrc signature\n" >> ${dir}/calc + +# make sure what was signed is what we have +diff ${dir}/+PKG_HASH ${dir}/calc || die "Bad hashes generated" + +# use netpgpverify to verify the signature +if [ -x /usr/pkg/bin/netpgpverify ]; then + # check the signature in +PKG_GPG_SIGNATURE + cp ${keyring} ${dir}/pubring.gpg + # calculate the sig file we want to verify + echo "-----BEGIN PGP SIGNED MESSAGE-----" > ${dir}/${name}.sig + echo "Hash: ${digest}" >> ${dir}/${name}.sig + echo "" >> ${dir}/${name}.sig + cat ${dir}/+PKG_HASH ${dir}/+PKG_GPG_SIGNATURE >> ${dir}/${name}.sig + (cd ${dir} && netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature" +else + gpg --recv 0x6F3AF5E2 + (cd ${dir} && gpg --verify --homedir=${dir} ./+PKG_GPG_SIGNATURE ./+PKG_HASH) || die "Bad signature" +fi +echo "Signatures match on ${name} package" + +# clean up +rm -rf ${dir} + +exit 0 |