CMXSL.org/package-helpers-cmxsl
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improved signature verification system for repositories and dsc files

Browse source
This commit is contained in:
Ruben Rodriguez 2017-02-03 19:16:26 +00:00
parent 28cedae7e9
commit bc098d212a
1 changed files with 27 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

31
helpers/config
View file

@ -87,15 +87,17 @@ then
cp trusted.local.gpg "${LOCAL_APT}/etc/trusted.gpg"
else
# Trisquel key
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys B4EFB9F38D8AEBF1
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys B4EFB9F38D8AEBF1 > /dev/null
# Ubuntu gpg keys
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5 > /dev/null
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32 > /dev/null
# Debian gpg keys
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906 > /dev/null
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 > /dev/null
fi
# Also import the repository key optionally listed in the helper
[ "1$REPOKEY" != "1" ] && apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --recv-keys --keyserver keyserver.ubuntu.com $REPOKEY
cat << EOF > ${LOCAL_APT}/etc/apt.sources.list
deb-src $MIRROR $UPSTREAM main universe
@ -106,8 +108,6 @@ EOF
[ "1$EXTERNAL" != "1" ] && eval echo "$EXTERNAL" >> ${LOCAL_APT}/etc/apt.sources.list
[ "1$SIGNKEY" != "1" ] && apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --recv-keys --keyserver keyserver.ubuntu.com $SIGNKEY
#Cleanup
rm -rf PACKAGES/$PACKAGE
mkdir PACKAGES/$PACKAGE
@ -116,8 +116,23 @@ cd PACKAGES/$PACKAGE
#Get package and uncompress it
apt-get update -c $LOCAL_APT/etc/apt.conf
apt-get source $PACKAGE --download-only -c ${LOCAL_APT}/etc/apt.conf
# verify it first
# Verify it first
# Import the key for the package uploader
# Use the one listed in the helper if available, otherwise download the one listed in the dsc
if [ "1$SIGNKEY" != "1" ] ; then
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --recv-keys --keyserver keyserver.ubuntu.com $SIGNKEY > /dev/null
gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc
else
if grep -q "BEGIN PGP SIGNATURE" *.dsc; then
KEY=$(gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc 2>&1 | grep "key ID" | sed 's/.*key ID //' || true)
apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --recv-keys --keyserver keyserver.ubuntu.com $KEY > /dev/null
gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc
else
echo WARNING! The dsc file is not gpg signed!
[ -z "$EXTERNAL" ] && exit 1
fi
fi
dpkg-source --no-check -x --skip-patches *.dsc source
find -maxdepth 1 -type f | xargs rm