|
@@ -24,8 +24,7 @@ MIRROR=http://distfiles.gentoo.org
|
|
|
stage3base=${MIRROR}/releases/x86/autobuilds
|
|
|
portage=${MIRROR}/snapshots/portage-latest.tar.bz2
|
|
|
|
|
|
-# Don't rely on the HKP outbounding port being open
|
|
|
-gpg_wwwserver='https://zimmermann.mayfirst.org/pks/lookup?op=get&search=0x${fpr}'
|
|
|
+# GPG keys used at bulid-time
|
|
|
gpg_keys=`sed '/^#/d; /^$/d; s/ //g' ${FROM}/conf/pubkeys`
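Review bot: The added comment `# GPG keys used at bulid-time` misspells "build". Since the loops later in the file appear to split each entry on `:` (`cut -d: -f1` for the keyring name, `cut -d: -f2` for the fingerprint), the comment could also record the expected line format, e.g. `# GPG keys used at build-time: one "<keyring>:<fingerprint>" entry per line in conf/pubkeys`.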
|
|
|
|
|
|
|
|
@@ -40,6 +39,12 @@ fi
|
|
|
mkdir -p ${LIVECD}/mirror/stage3 ${LIVECD}/mirror/portage ${LIVECD}/mirror/keys
|
|
|
mkdir -p -m 700 ${LIVECD}/mirror/gnupg
|
|
|
|
|
|
+sinfo "Testing for required utilities"
|
|
|
+if ! type gpg 1>/dev/null 2>&1; then
|
|
|
+ echo "Please install GnuPG"
|
|
|
+ exit 1
|
|
|
+fi
|
|
|
+
|
|
|
sinfo "Testing security labels and user xattrs support"
|
|
|
touch ${LIVECD}/mirror/fs-test
|
|
|
if ! setcap cap_net_raw+i ${LIVECD}/mirror/fs-test || \
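Review bot: The failure message `echo "Please install GnuPG"` in the new `type gpg` check goes to stdout, so it disappears when the script's output is redirected; send it to stderr, `echo "Please install GnuPG" >&2`, before the `exit 1`. The heading says "required utilities" but only gpg is probed, while the very next lines call `setcap` and the download step uses `wget`; probing those in the same block would fail fast with a clear message instead of a mid-build error. `command -v gpg >/dev/null 2>&1` is the POSIX spelling of the same probe if the script is meant to run under a non-bash `sh`.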
|
|
@@ -72,7 +77,7 @@ sinfo "Downloading portage-latest.tar.bz2"
|
|
|
wget -N -nv -P ${LIVECD}/mirror/portage ${portage}.gpgsig ${portage}
|
|
|
|
|
|
|
|
|
-sinfo "Fetching PGP public keys and verifying fingerprints"
|
|
|
+sinfo "Copying certificates and PGP keys"
|
|
|
cp ${FROM}/conf/certs/mfpl.crt ${LIVECD}/mirror/keys
|
|
|
|
|
|
for key in ${gpg_keys}; do
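Review bot: With the HKPS download removed, `cp ${FROM}/conf/certs/mfpl.crt ${LIVECD}/mirror/keys` looks like a leftover: the only consumer visible on this page was the deleted `wget --ca-certificate=${LIVECD}/mirror/keys/mfpl.crt`, so the certificate is now shipped into the image without this script using it. If a later stage still needs it, a one-line comment stating that would help; otherwise drop the `cp` and the "certificates" wording in the new `sinfo` message. The `for key in ${gpg_keys}` loop body continues in the next hunk.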
|
|
@@ -80,54 +85,39 @@ for key in ${gpg_keys}; do
|
|
|
fpr=`echo ${key} | cut -d: -f2`
|
|
|
keyid=`echo -n ${fpr} | tail -c -8`
|
|
|
|
|
|
- if [ ! -e ${LIVECD}/mirror/keys/${org}-${keyid}.asc ]; then
|
|
|
- if ! eval wget -nv --retry-connrefused \
|
|
|
- --ca-certificate=${LIVECD}/mirror/keys/mfpl.crt \
|
|
|
- -O ${LIVECD}/mirror/keys/${org}-${keyid}.asc \"${gpg_wwwserver}\"; then
|
|
|
- echo "Warning: Failed to fetch ${org}-${keyid}.asc, copying from cache"
|
|
|
- cp ${FROM}/conf/certs/${org}-${keyid}.asc ${LIVECD}/mirror/keys
|
|
|
- fi
|
|
|
+ cp ${FROM}/conf/certs/${org}-${keyid}.asc ${LIVECD}/mirror/keys
|
|
|
+
|
|
|
+ gpg -q --homedir ${LIVECD}/mirror/gnupg --no-default-keyring \
|
|
|
+ --keyring ${org}.gpg --import ${LIVECD}/mirror/keys/${org}-${keyid}.asc
|
|
|
+
|
|
|
+ fpr2=`gpg -q --homedir ${LIVECD}/mirror/gnupg --keyring ${org}.gpg \
|
|
|
+ --fingerprint --with-colons 0x${fpr} | sed -n '/^fpr:/p' | cut -d: -f10`
|
|
|
+ if [ ${fpr} != "${fpr2}" ]; then
|
|
|
+ echo "Fingerprint mismatch: [${fpr}] != [${fpr2}]"
|
|
|
+ exit 1
|
|
|
fi
|
|
|
+done
|
|
|
+
|
|
|
|
|
|
- if type gpg 1>/dev/null 2>&1; then
|
|
|
- gpg -q --homedir ${LIVECD}/mirror/gnupg --no-default-keyring \
|
|
|
- --keyring ${org}.gpg --import ${LIVECD}/mirror/keys/${org}-${keyid}.asc
|
|
|
-
|
|
|
- fpr2=`gpg -q --homedir ${LIVECD}/mirror/gnupg --keyring ${org}.gpg \
|
|
|
- --fingerprint --with-colons 0x${fpr} | sed -n '/^fpr:/p' | cut -d: -f10`
|
|
|
- if [ ${fpr} != "${fpr2}" ]; then
|
|
|
- echo "Fingerprint mismatch: [${fpr}] != [${fpr2}]"
|
|
|
- exit 1
|
|
|
- fi
|
|
|
- else
|
|
|
- sinfo "*** No GnuPG, skipping fingerprint verification: ${org}-${keyid}"
|
|
|
+sinfo "Verifying keyrings"
|
|
|
+for keyring in `echo "${gpg_keys}" | cut -d: -f1 | sort -u`; do
|
|
|
+ keyids=`gpg -q -k --homedir ${LIVECD}/mirror/gnupg --keyring ${keyring}.gpg \
|
|
|
+ --fingerprint --with-colons | sed -n '/^fpr:/p' | cut -d: -f10 | sort`
|
|
|
+ expids=`echo "${gpg_keys}" | sed -n "/^${keyring}:/p" | cut -d: -f2 | sort`
|
|
|
+
|
|
|
+ if [ "${keyids}" != "${expids}" ]; then
|
|
|
+ echo "Unexpected public keys in keyring ${keyring}.gpg"
|
|
|
+ exit 1
|
|
|
fi
|
|
|
done
|
|
|
|
|
|
|
|
|
-if type gpg 1>/dev/null 2>&1; then
|
|
|
- sinfo "Verifying keyrings"
|
|
|
- for keyring in `echo "${gpg_keys}" | cut -d: -f1 | sort -u`; do
|
|
|
- keyids=`gpg -q -k --homedir ${LIVECD}/mirror/gnupg --keyring ${keyring}.gpg \
|
|
|
- --fingerprint --with-colons | sed -n '/^fpr:/p' | cut -d: -f10 | sort`
|
|
|
- expids=`echo "${gpg_keys}" | sed -n "/^${keyring}:/p" | cut -d: -f2 | sort`
|
|
|
-
|
|
|
- if [ "${keyids}" != "${expids}" ]; then
|
|
|
- echo "Unexpected public keys in keyring ${keyring}.gpg"
|
|
|
- exit 1
|
|
|
- fi
|
|
|
- done
|
|
|
-
|
|
|
-
|
|
|
- sinfo "Verifying stage3 and portage PGP signatures"
|
|
|
- gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \
|
|
|
- --verify ${LIVECD}/mirror/stage3/${stage3file}.DIGESTS.asc
|
|
|
- gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \
|
|
|
- --verify ${LIVECD}/mirror/portage/portage-latest.tar.bz2.gpgsig \
|
|
|
- ${LIVECD}/mirror/portage/portage-latest.tar.bz2
|
|
|
-else
|
|
|
- sinfo "*** No GnuPG, skipping stage3, portage and HKPS CA certificate verification"
|
|
|
-fi
|
|
|
+sinfo "Verifying stage3 and portage snapshot PGP signatures"
|
|
|
+gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \
|
|
|
+ --verify ${LIVECD}/mirror/stage3/${stage3file}.DIGESTS.asc
|
|
|
+gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \
|
|
|
+ --verify ${LIVECD}/mirror/portage/portage-latest.tar.bz2.gpgsig \
|
|
|
+ ${LIVECD}/mirror/portage/portage-latest.tar.bz2
|
|
|
|
|
|
|
|
|
sinfo "Verifying stage3 SHA512 digests"
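Review bot: The two `gpg ... --verify` calls that close the hunk do not check their exit status, and the explicit `exit 1` after the fingerprint and keyring checks suggests the script does not run under `set -e`; if that is the case, a bad or missing signature on the stage3 DIGESTS or the portage snapshot is only logged and the build continues, so each call should be made fatal, e.g. append `|| { echo "PGP signature verification failed" >&2; exit 1; }` to the `--verify ...` line. In `if [ ${fpr} != "${fpr2}" ]` the left operand is unquoted, so an empty or malformed `conf/pubkeys` entry turns the guard into a `test` syntax error rather than a clean mismatch; quote it, `if [ "${fpr}" != "${fpr2}" ]`. Depending on the GnuPG version, `--with-colons` also emits `fpr:` records for subkeys, which would make `fpr2` multi-line and the `keyids`/`expids` comparison in the keyring check fail for valid keys; restricting the `sed` to the `fpr:` record that follows a `pub:` record would make both checks version-independent. The fingerprint and keyring listings also omit the `--no-default-keyring` that the import uses, so they consult the homedir's default pubring as well as `${org}.gpg`; adding it keeps the verified set exactly the imported keyring.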
|