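#!/bin/bash
# Validate detached signatures in a source directory against the directory's
# single <dirname>.keyring file.
#
# Usage: 25-keyring-validate [--verbose] [--batchmode] [DIR]
#   DIR defaults to the current working directory.
#
# Behaviour:
#   * more than one *.keyring file              -> ERROR, exit 1
#   * no *.keyring but signature files present  -> Warning only, exit 0
#   * any *.minisig present                     -> verify them with minisign
#   * otherwise                                 -> verify *.sig/*.sign/*.asc with gpg
# A missing signature tool or a signature that does not validate gives exit 2.
test "$1" = "--verbose" && { VERBOSE=true ; shift ; }
# shellcheck disable=SC2034 -- accepted for interface compatibility, not used here
test "$1" = "--batchmode" && { BATCHMODE=true ; shift ; }
DIR_TO_CHECK="$1"
test -n "$DIR_TO_CHECK" || DIR_TO_CHECK=$PWD
RETURN=0

# Collect the keyring(s) present; the script expects exactly one.
keyrings=()
for i in "$DIR_TO_CHECK"/*.keyring ; do
  test -f "$i" || continue
  : Found keyring "$i"   # no-op, visible as a trace line under 'bash -x'
  keyrings+=("$i")
done

# Collect minisign signatures up front: 'test -f dir/*.minisig' errors out
# with "too many arguments" when more than one exists and would silently
# route the directory to the gpg branch, which never looks at *.minisig.
minisigs=()
for i in "$DIR_TO_CHECK"/*.minisig ; do
  test -f "$i" && minisigs+=("$i")
done

if test ${#keyrings[@]} -gt 1; then
  # stale .keyring files
  echo "ERROR: expecting one keyring named '$(basename -- "$DIR_TO_CHECK").keyring'"
  RETURN=1
elif test ${#keyrings[@]} -lt 1; then
  # missing .keyring file: nothing can be verified, warn per signature
  for i in "$DIR_TO_CHECK"/*.sig "$DIR_TO_CHECK"/*.sign "$DIR_TO_CHECK"/*.asc "$DIR_TO_CHECK"/*.minisig; do
    test -f "$i" || continue
    echo "Warning: Need a $(basename -- "$DIR_TO_CHECK").keyring file for validating '$(basename -- "$i")'"
  done
elif test ${#minisigs[@]} -gt 0; then
  # verify minisign signatures; the keyring file is the minisign public key
  if ! command -v minisign >/dev/null 2>&1; then
    echo "ERROR: minisign command not available"
    RETURN=2
  else
    for i in "${minisigs[@]}"; do
      validatefn=${i%.minisig}
      if ! minisign -V -q -p "${keyrings[0]}" -x "$i" -m "$validatefn"; then
        echo "ERROR: signature $i does not validate"
        RETURN=2
      fi
    done
    # gpg-style signatures are not checked in minisign mode; say so rather
    # than letting them pass unnoticed.
    for i in "$DIR_TO_CHECK"/*.sig "$DIR_TO_CHECK"/*.sign "$DIR_TO_CHECK"/*.asc; do
      test -f "$i" || continue
      echo "Warning: '$(basename -- "$i")' not verified: keyring is used for minisign"
    done
  fi
else
  # verify GPG signatures in a throw-away GnuPG home so the caller's own
  # keyring and trust database are never consulted.
  GPGTMP=$(mktemp -d) || { echo "ERROR: cannot create temporary gpg home"; exit 2; }
  trap 'rm -rf -- "$GPGTMP"' EXIT   # cleanup on every exit path, not only the normal one
  # --trust-model always: the shipped keyring is the trust anchor, so no
  # web-of-trust evaluation is wanted.
  GPG=(gpg --homedir "$GPGTMP" -q --no-default-keyring --keyring "$GPGTMP/.gpg-keyring" --trust-model always)
  if ! "${GPG[@]}" --import "${keyrings[0]}"; then
    # a partially imported keyring may still verify; real problems surface below
    echo "Warning: gpg reported problems importing '$(basename -- "${keyrings[0]}")'"
  fi
  for i in "$DIR_TO_CHECK"/*.sig "$DIR_TO_CHECK"/*.sign "$DIR_TO_CHECK"/*.asc; do
    test -f "$i" || continue
    validatefn=${i%.asc}
    validatefn=${validatefn%.sig}
    validatefn=${validatefn%.sign}
    if [ -f "$validatefn" ]; then
      if ! "${GPG[@]}" -q --verify -- "$i" "$validatefn"; then
        echo "ERROR: signature $i does not validate"
        RETURN=2
      fi
    else
      # the signed file may be stored compressed; verify the decompressed stream
      found=false
      for ext in gz bz2 xz zst ; do
        [ -f "$validatefn.$ext" ] || continue
        found=true
        case $ext in
          gz) decomp=zcat ;;
          bz2) decomp=bzcat ;;
          xz) decomp=xzcat ;;
          zst) decomp=zstdcat ;;
        esac
        if ! command -v "$decomp" >/dev/null 2>&1; then
          echo "ERROR: $decomp command not available for verifying $validatefn.$ext"
          RETURN=2
          continue
        fi
        if ! "$decomp" "$validatefn.$ext" | "${GPG[@]}" -q --verify -- "$i" - ; then
          echo "ERROR: signature $i does not validate"
          RETURN=2
        fi
      done
      # a signature without any file to cover it previously passed silently
      if [ "$found" = false ]; then
        echo "Warning: no file found to verify with signature '$(basename -- "$i")'"
      fi
    fi
  done
fi
test "$VERBOSE" = true && echo ".. completed $0"
exit $RETURN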