# characters only and no spaces.
CREATEPKG_AUTHOR=""
+# Whether createpkg should sign packages.
+SIGN_PACKAGES="off"
+
+# Username used for package signatures.
+SIGN_PACKAGES_USER=""
+
+# GPG key id used for package signature, leave blank to use default key.
+SIGN_PACKAGES_KEYID=""
+
#---------------------------------------------------------------------
# SIMPLARET SECTION
#---------------------------------------------------------------------
# Whether to check package signatures (you should have the repository
# maintainer key on your keyring)
-SIGNATURE_CHECKING="0"
+SIGNATURE_CHECKING="on"
# Whether simplaret will try to solve dependencies by looking
# for packages' slack-required
- renamed all "MAKEPKG" config parameters to "PACKAGES", "MAKEPKG_REPOS" to "PACKAGES_DIR"
- new config parameters PACKAGES_REPOS_STYLE, MOVE_SLACK_REQUIRED, MKBUILDS_SVN_USER,
PACKAGES_SVN_USER, PACKAGES_SVN_GROUP, MKBUILDS_SVN_GROUP, PACKAGES_REPOS_NOARCH,
- PACKAGES_SVN, CREATEPKG_AUTHOR
+ PACKAGES_SVN, CREATEPKG_AUTHOR, SIGN_PACKAGES, SIGN_PACKAGES_USER. SIGN_PACKAGES_KEYID
- cleaner -s option output
- lspkg: fix on package search routine
- jail-commit: using unified diff
CREATEPKG_AUTHOR="`eval_parameter CREATEPKG_AUTHOR`"
TMP="`eval_parameter TMP /tmp`"
+ SIGN_PACKAGES="`eval_boolean_parameter SIGN_PACKAGES $off`"
+ SIGN_PACKAGES_USER="`eval_parameter SIGN_PACKAGES_USER`"
+ SIGN_PACKAGES_KEYID="`eval_parameter SIGN_PACKAGES_KEYID`"
+
REMOVE_OLD_PACKAGE="`eval_boolean_parameter REMOVE_OLD_PACKAGE $off`"
MOVE_BIN_PACKAGE="`eval_boolean_parameter MOVE_BIN_PACKAGE $off`"
MOVE_SLACK_REQUIRED="`eval_boolean_parameter MOVE_SLACK_REQUIRED $off`"
cd $makepkg_repos
# Using -mindepth 2 so it doesn't delete the new PACKAGE
- for file in `find . -mindepth 2 -name "$PACKAGE-*-*-*.tgz" -o -name "$PACKAGE-*-*-*.meta"`; do
- candidate="`echo $file | sed -e 's/\.meta/\.tgz/'`" # otherwise PACKAGE info functions can fail
+ for file in `find . -mindepth 2 -name "$PACKAGE-*-*-*.tgz" -o -name "$PACKAGE-*-*-*.meta" -o -name "$PACKAGE-*-*-*.tgz.asc"`; do
+ candidate="`echo $file | sed -e 's/\.meta$/\.tgz/'`" # otherwise PACKAGE info functions can fail
+ candidate="`echo $candidate | sed -e 's/\.asc$//'`" # otherwise PACKAGE info functions can fail
# Just delete packages with different arch, version, build number or folder
if [ "`package_version $candidate`" != "$PACKAGE_VERSION" ] || \
[ "`package_arch $candidate`" != "$PACKAGE_ARCH" ] || \
# Using -mindepth 2 so it doesn't delete the new package
find $makepkg_repos -mindepth 2 -name "$PACKAGE-*-*-*.tgz" -exec rm {} 2>/dev/null \;
find $makepkg_repos -mindepth 2 -name "$PACKAGE-*-*-*.meta" -exec rm {} 2>/dev/null \;
+ find $makepkg_repos -mindepth 2 -name "$PACKAGE-*-*-*.tgz.asc" -exec rm {} 2>/dev/null \;
find $makepkg_repos -name "$PACKAGE.slack-required" -exec rm {} 2>/dev/null \;
fi
fi
PACKAGE_ARCH="`package_arch $PKG_NAME`"
PACKAGE_BUILD="`package_build $PKG_NAME`"
+# Update package author
if [ ! -z "$CREATEPKG_AUTHOR" ]; then
AUTHOR="`echo $PACKAGE_BUILD | sed -e 's/^[0-9]*//'`"
if [ "$AUTHOR" != "$CREATEPKG_AUTHOR" ]; then
fi
fi
+# Sign package
+if [ $SIGN_PACKAGES -eq $on ]; then
+
+ if [ ! -z "$SIGN_PACKAGES_KEYID" ]; then
+ SIGN_KEYID="-u $SIGN_PACKAGES_KEYID"
+ else
+ SIGN_KEYID=""
+ fi
+
+ if [ ! -z "$SIGN_PACKAGES_USER" ]; then
+ su -c $SIGN_PACKAGES_USER -c "gpg --use-agent --armor -sb $SIGN_KEYID $PACKAGES_DIR/$PKG_NAME"
+ else
+ gpg --use-agent --armor -sb $SIGN_KEYID $PACKAGES_DIR/$PKG_NAME
+ fi
+
+fi
+
# Select repository directory
if [ $MOVE_BIN_PACKAGE -eq $on ]; then
SUBFOLDER="$( echo ${SCRIPT_BASE#$SLACKBUILDS_DIR/} )"
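Review bot: In the `su` branch the user name is passed as the argument of a first `-c`, so `$SIGN_PACKAGES_USER` is parsed as a command string which the second `-c` then overrides, and no target user reaches `su`. The signature would then be made under su's default account rather than the configured one. The likely intent is `su $SIGN_PACKAGES_USER -c "gpg --use-agent --armor -sb $SIGN_KEYID $PACKAGES_DIR/$PKG_NAME"`. Neither branch checks gpg's exit status, so a failed signing still lets the unsigned package move into the repository; test `$?` after the call and stop before the move when it is non-zero. The package path is also expanded unquoted inside the `-c` string and re-parsed by the target user's shell, so quoting it there keeps a `PACKAGES_DIR` with spaces or metacharacters from changing the command.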
if [ $MOVE_BIN_PACKAGE -eq $on ]; then
mv $PACKAGES_DIR/$PKG_NAME $NEW_REPOS/
+ if [ -e "$PACKAGES_DIR/$PKG_NAME.asc" ]; then
+ mv $PACKAGES_DIR/$PKG_NAME.asc $NEW_REPOS/
+ fi
+
if [ -d "$NEW_REPOS/.svn" ]; then
(
cd $NEW_REPOS
chown_svn $PACKAGES_DIR && chgrp_svn $PACKAGES_DIR
svn_add $PKG_NAME
+ svn_add $PKG_NAME.asc
)
fi
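Review bot: `svn_add $PKG_NAME.asc` runs whether or not a signature was produced, while the `mv` just above it is guarded by `[ -e "$PACKAGES_DIR/$PKG_NAME.asc" ]`. With `SIGN_PACKAGES` off, which is the shipped default, that file will not exist. Unless `svn_add` tolerates a missing path (its body is not visible here), guard it the same way: `if [ -e "$PKG_NAME.asc" ]; then svn_add $PKG_NAME.asc; fi`. The same applies to the unconditional `svn_copy` of the `.asc` file in the noarch hunk that follows.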
remove_old_package_data $NOARCH_DIR
svn_copy $NEW_REPOS/$PKG_NAME $NOARCH_DIR/$SUBFOLDER/
svn_copy $NEW_REPOS/`basename $PKG_NAME .tgz`.meta $NOARCH_DIR/$SUBFOLDER/
+ svn_copy $NEW_REPOS/`basename $PKG_NAME`.asc $NOARCH_DIR/$SUBFOLDER/
svn_copy $NEW_REPOS/$PACKAGE.slack-required $NOARCH_DIR/$SUBFOLDER/
update_metadata $NOARCH_DIR
svn_remove_empty_folders $NOARCH_DIR
# echo $folder/$candidate
silent="--silent"
fi
- if [ -f "$folder/$candidate.asc" ] || [ "$SIGNATURE_CHECKING" == "1" ]; then
+ if [ -f "$folder/$candidate.asc" ] || [ "$SIGNATURE_CHECKING" == "$on" ]; then
gpg --verify $folder/$candidate.asc $folder/$candidate
+ if [ "$?" != "0" ]; then
+ echo "Package signature does not match. Removing package."
+ rm -f $folder/$candidate.asc $folder/$candidate
+ LAST_DOWNLOADED_PACKAGE=""
+ return 1
+ fi
fi
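Review bot: `gpg --verify` exits 0 for a good signature from any public key in the keyring, so the new status check confirms that some known key signed the package, not that the repository maintainer's key did. If the keyring simplaret uses can hold other keys, consider a dedicated keyring, or compare the signer fingerprint reported via `--status-fd` against the expected one. The test now compares against `$on` while the shipped config sets `SIGNATURE_CHECKING="on"`; if that variable is not normalised through `eval_boolean_parameter` (not visible here), the right-hand test never matches and a package with no `.asc` is accepted unverified. The message should also cover a missing signature or key, e.g. `echo "Package signature missing or invalid. Removing package."`. The enclosing function starts and ends outside this hunk.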
# generate the patches FILE_LIST and PACKAGES.TXT if needed
if [ "$generate_patches" == "1" ]; then
- gen_patches_filelst $folder
+ gen_patches_filelist $folder
gen_packages_txt $folder
gen_md5_checksums $folder
fi