check signatures for download and git fetchers #305
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
we might add a setting to allow unverified downloads. |
|
Examples with bash downloads: diff --git a/app-shells/bash/bash-5.2.032.recipe b/app-shells/bash/bash-5.2.032.recipe
index 0d27c2bab..4a2686fa3 100644
--- a/app-shells/bash/bash-5.2.032.recipe
+++ b/app-shells/bash/bash-5.2.032.recipe
@@ -7,8 +7,10 @@ COPYRIGHT="1987-2024 Free Software Foundation, Inc."
LICENSE="GNU GPL v3"
REVISION="1"
SOURCE_URI="https://ftpmirror.gnu.org/bash/bash-5.2.tar.gz"
+SOURCE_SIG_URI="${SOURCE_URI}.sig"
for i in {001..032}; do
eval "SOURCE_URI_$i=\"https://ftpmirror.gnu.org/bash/bash-5.2-patches/bash52-$i#noarchive\""
+ eval "SOURCE_SIG_URI_$i=\"https://ftpmirror.gnu.org/bash/bash-5.2-patches/bash52-$i.sig\""
done
CHECKSUM_SHA256="a139c166df7ff4471c5e0733051642ee5556c1cc8a4a78f145583c5c81ab32fb"
CHECKSUM_SHA256_001="f42f2fee923bc2209f406a1892772121c467f44533bedfe00a176139da5d310a"
@@ -43,6 +45,7 @@ CHECKSUM_SHA256_029="125cacb37e625471924b3ee06c54cb1bf21b3b7fe0e569d24a681b0ec4a
CHECKSUM_SHA256_030="c3ff73230e123acdb5ac216921a386df8f74340459533d776d02811a1f76698f"
CHECKSUM_SHA256_031="c2d1b7be2df771126105020af7fafa00fffd4deff4a4e45d60fc6a235bcba795"
CHECKSUM_SHA256_032="7b9c77daeca93ff711781d7537234166e83ed9835ce1ee7dcd5742319c372a16"
+PGPKEYS=(7C0135FB088AAF6C66C650B9BB5869F064EA74AB)
SOURCE_DIR="bash-5.2"
PATCHES="Example with expat git tag diff --git a/dev-libs/expat/expat-2.6.2.recipe b/dev-libs/expat/expat-2.6.2.recipe
index 0057be0aa..3075887e8 100644
--- a/dev-libs/expat/expat-2.6.2.recipe
+++ b/dev-libs/expat/expat-2.6.2.recipe
@@ -7,9 +7,10 @@ COPYRIGHT="1998-2000 Thai Open Source Software Center Ltd and Clark Cooper
2001-2023 Expat maintainers."
LICENSE="MIT"
REVISION="1"
-SOURCE_URI="https://downloads.sourceforge.net/expat/expat-$portVersion.tar.bz2"
-CHECKSUM_SHA256="9c7c1b5dcbc3c237c500a8fb1493e14d9582146dd9b42aa8d3ffb856a3b927e0"
+SOURCE_URI="git+https://github.com/libexpat/libexpat?signed#tag=R_${portVersion//./_}"
+CHECKSUM_SHA256="20d949d216e5bca4cc35eb63737bb91812ba040576b211b325f92a67330c3ddc"
PATCHES="expat-$portVersion.patchset"
+PGPKEYS="3176EF7DB2367F1FCA4F306B1F9B0E909AF37285"
ARCHITECTURES="all !x86_gcc2"
SECONDARY_ARCHITECTURES="x86" |
OscarL
reviewed
Nov 21, 2024
HaikuPorter/SourceFetcher.py
Outdated
| command = 'gpg --verify --status-fd 1 %s %s 2>/dev/null' % (sigFilename, filename) | ||
| try: | ||
| output = check_output(command, shell=True, cwd=downloadDir).decode('utf-8') | ||
| except: |
There was a problem hiding this comment.
Bare excepts are generally to be avoided (as they can make debugging harder by masking away unrelated BaseException/Exception).
Better to just catch CalledProcessError here, and print some relevant info/warning (even if only on verbose mode) instead.
There was a problem hiding this comment.
You're right, I'm still a newbie in Python :)
|
What's the value of checking PGP signature when we already check SHA256? |
Actually it's mostly useful for people doing the version bump, hence they check the origin of the new version. |
|
Updated the examples, shows the diff better. |
download: add SOURCE_SIG_URI for the signature file URI git: add ?signed on the SOURCE_URI to have signed tags and commits checked this uses gpg to verify. the public key has to exist in the ring.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
download: add SOURCE_SIG_URI for the signature file URI
git: add ?signed on the SOURCE_URI to have signed tags and commits checked
this uses gpg to verify. the public key has to exist in the ring.