ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Sergei Kolobov
sergei at FreeBSD.org
Thu Dec 25 13:50:19 UTC 2003
>Number: 60558
>Category: ports
>Synopsis: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 25 05:50:16 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Sergei Kolobov <sergei at FreeBSD.org>
>Release: FreeBSD 5.2-BETA i386
>Organization:
>Environment:
System: FreeBSD elf.chetwood.ru 5.2-BETA FreeBSD 5.2-BETA #0: Wed Dec 3 19:11:41 MSK 2003 sgk at elf.chetwood.ru:/usr/obj/usr/src/sys/ELF i386
>Description:
Add hooks to automatically verify GnuPG signatures.
Example usage:
1. Simple (the most common) case, assuming all defaults:
PORTNAME= libgcrypt
PORTVERSION= 1.1.43
[...]
USE_GPG= yes
[...]
This adds libgcrypt-1.1.43.tar.gz.sig to the list of files to fetch,
checks the MD5 checksum of the signature, and then verifies the GnuPG
signature in the "checksum" target:
sgk at elf% make checksum
>How-To-Repeat:
>Fix:
--- gpg-sig.patch begins here ---
Index: bsd.port.mk
===================================================================
RCS file: /FreeBSD/cvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.474
diff -u -r1.474 bsd.port.mk
--- bsd.port.mk 24 Nov 2003 01:08:41 -0000 1.474
+++ bsd.port.mk 25 Dec 2003 13:24:28 -0000
@@ -305,6 +305,24 @@
# CPPFLAGS and LDFLAGS in CONFIGURE_ENV.
# Default: not set.
##
+# USE_GPG - Says that the port has files with detached GnuPG
+# signatures. Automatically adds files with SIG_SUFFIX
+# to the list of files to be fetched.
+# Signature verification is done in checksum target.
+# SIGNED_FILES - List of files that are signed (have detached signatures)
+# (default: ${DISTFILES})
+# SIG_FILES - List of signature files. Unless overridden, include
+# all files from SIGNED_FILES, each with SIG_SUFFIX added.
+# SIG_SUFFIX - Suffix of detached signature file name - e.g. .sig or .asc
+# (default: ".sig")
+# GPG - Set to path of GnuPG binary (default: ${LOCALBASE}/bin/gpg)
+# GPG_FLAGS - Parameters to pass to GnuPG when verifying a signature
+# (default: "--verify --keyserver ${KEYSERVER} \
+# --keyserver-options auto-key-retrieve")
+# KEYSERVER - Host name of PGP/GPG keyserver to use for fetching
+# public keys not found in your current keyring
+# (default: pgp.mit.edu)
+##
# USE_PERL5 - Says that the port uses perl5 for building and running.
# USE_PERL5_BUILD - Says that the port uses perl5 for building.
# USE_PERL5_RUN - Says that the port uses perl5 for running.
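Review bot: the USE_GPG and GPG_FLAGS comments should state what the checksum target does when verification cannot give assurance: the hook further down in this patch only prints a message when ${GPG} is absent, and the default GPG_FLAGS fetch unknown keys with auto-key-retrieve, so a "Good signature" from a key nobody has certified passes (the WARNING in the sample output). Suggest documenting both behaviours here, and adding a sentence that maintainers who want real assurance should pin the signer's key or fingerprint in the port rather than rely on whatever the keyserver returns.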
@@ -1053,6 +1071,13 @@
RUN_DEPENDS+= ${APXS}:${PORTSDIR}/${APACHE_PORT}
.endif
+.if defined(USE_GPG)
+GPG?= ${LOCALBASE}/bin/gpg
+GPG_FLAGS?= --verify --keyserver ${KEYSERVER} \
+ --keyserver-options auto-key-retrieve
+KEYSERVER?= pgp.mit.edu
+.endif
+
.if !defined(PERL_LEVEL) && defined(PERL_VERSION)
perl_major= ${PERL_VERSION:C|^([1-9]+).*|\1|}
_perl_minor= 00${PERL_VERSION:C|^([1-9]+)\.([0-9]+).*|\2|}
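Review bot: KEYSERVER?= is assigned after GPG_FLAGS?= already references ${KEYSERVER}; make expands lazily so it works, but putting KEYSERVER first makes the dependency obvious. More importantly, with these defaults every `make checksum` of a USE_GPG port may contact pgp.mit.edu, and the key it retrieves is uncertified yet satisfies --verify; consider making key retrieval opt-in (add the --keyserver and --keyserver-options arguments only when a port or the user asks for them) so an offline or batch build does not depend on the network and a silently fetched key does not stand in for a pinned one.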
@@ -2234,7 +2259,16 @@
.endfor
_G_TEMP=
_G_TEMP_TEMP=
-ALLFILES?= ${_DISTFILES} ${_PATCHFILES}
+.if defined(USE_GPG)
+SIGNED_FILES?= ${_DISTFILES}
+SIG_SUFFIX?= .sig
+.if !defined(SIG_FILES)
+.for __FILE in ${SIGNED_FILES}
+SIG_FILES+= ${__FILE}${SIG_SUFFIX}
+.endfor
+.endif
+.endif
+ALLFILES?= ${_DISTFILES} ${_PATCHFILES} ${SIG_FILES}
#
# Sort the master site list according to the patterns in MASTER_SORT
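Review bot: SIG_FILES is derived from SIGNED_FILES, which defaults to ${_DISTFILES}; if the :group suffix of DISTFILES has been stripped by the time _DISTFILES is built (the _G_TEMP cleanup just above suggests that loop does so), the generated .sig names carry no group, and the fetch loop later in this patch will retrieve them from the default MASTER_SITES group rather than from the sites of the file they sign. Either derive SIG_FILES from the grouped ${DISTFILES} (inserting the suffix before the :group part) or document that ports using MASTER_SITES groups must set SIG_FILES by hand.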
@@ -2812,7 +2846,7 @@
@${MKDIR} ${_DISTDIR}
@(cd ${_DISTDIR}; \
${_MASTER_SITES_ENV} ; \
- for _file in ${DISTFILES}; do \
+ for _file in ${DISTFILES} ${SIG_FILES}; do \
file=`echo $$_file | ${SED} -E -e 's/:[^:]+$$//'` ; \
select=`echo $${_file#$${file}} | ${SED} -e 's/^://' -e 's/,/ /g'` ; \
force_fetch=false; \
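Review bot: SIG_FILES is appended only to the DISTFILES loop here, so a signature listed for a patch file (nothing restricts SIGNED_FILES to distfiles) would be fetched from MASTER_SITES rather than PATCH_SITES; either say in the variable documentation that SIGNED_FILES may only name distfiles, or add the same handling to the PATCHFILES fetch loop. It is also worth checking any other place in bsd.port.mk that iterates ${DISTFILES} by hand instead of ${ALLFILES}, so the .sig files are treated consistently everywhere they are fetched, summed or cleaned.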
@@ -3905,6 +3939,16 @@
exit 1; \
fi); \
fi
+.if defined(USE_GPG)
+.if exists(${GPG})
+.for __SIG in ${SIG_FILES}
+ @${ECHO_MSG} "===> Verifying GnuPG signature for ${__SIG:S/${SIG_SUFFIX}//}"
+ @${GPG} ${GPG_FLAGS} ${DISTDIR}/${__SIG}
+.endfor
+.else
+ @${ECHO_MSG} "===> GnuPG not installed. Signature(s) cannot be verified"
+.endif
+.endif
.endif
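Review bot: this verification fails open: when ${GPG} is absent only a message is printed and the checksum target still succeeds, and when gpg does run, a signature from an uncertified, auto-retrieved key also exits 0 (the WARNING in the sample output), so neither a missing tool nor a substituted key is ever an error. Suggest a variable that lets a user or port turn the "GnuPG not installed" case into a failure, and documenting that the exit status alone does not establish who signed the file. For the call itself, pass the data file explicitly, `@${GPG} ${GPG_FLAGS} ${DISTDIR}/${__SIG} ${DISTDIR}/${__SIG:S/${SIG_SUFFIX}$//}`, so the signed file is found for any SIG_SUFFIX and not only the few suffixes gpg guesses on its own; anchoring the :S pattern with `$` as shown also keeps it from removing an occurrence of the suffix string in the middle of a name.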
################################################################
--- gpg-sig.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
>> Checksum OK for libgcrypt-1.1.43.tar.gz.
>> Checksum OK for libgcrypt-1.1.43.tar.gz.sig.
===> Verifying GnuPG signature for libgcrypt-1.1.43.tar.gz
gpg: Signature made Thu Sep 4 14:48:49 2003 MSD using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn at gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD
sgk at elf%
The public key will be automatically fetched from a keyserver if not found on
the user's keyring.
NOTE: the patch does NOT add an automatic dependency on security/gnupg;
rather, if no gpg is found, it displays a warning message saying
that it could not verify signatures.
2. Use alternate suffix for signatures:
[...]
USE_GPG= yes
SIG_SUFFIX= .asc
[...]
3. Port has 2 distfiles, but only 1 has a signature.
The solution: override either SIGNED_FILES or SIG_FILES:
a. Overriding SIGNED_FILES:
DISTFILES= file1.tar.gz file2.tar.gz
[...]
USE_GPG= yes
SIGNED_FILES= file1.tar.gz
[...]
b. Overriding SIG_FILES:
DISTFILES= file1.tar.gz file2.tar.gz
[...]
USE_GPG= yes
SIG_FILES= file1.tar.gz.asc
[...]
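The checksum hook in this patch runs gpg --verify and relies on its exit status, while the sample run above shows gpg reporting "Good signature" yet warning that the key is not certified. As an added example (not the PR's code nor part of bsd.port.mk), the POSIX sh below reads gpg's machine-readable --status-fd output and accepts a signature only from a pinned fingerprint; the gpg invocation in verify_sig is an assumed wrapper and the status lines are constructed, modelled on the PR's sample output.

```shell
# Added example, not code from the PR or from bsd.port.mk. Accepts a gpg
# verification only when gpg's machine-readable --status-fd output reports
# VALIDSIG for a pinned primary-key fingerprint. gpg exits 0 for a "Good
# signature" from an uncertified key (the WARNING in the PR's sample output),
# so the exit status alone says nothing about who signed the file.

# verify_status EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines on stdin. Returns 0 only if a VALIDSIG
# line carries EXPECTED_FPR (as signing-key or primary-key fingerprint) and
# no BADSIG, ERRSIG, NO_PUBKEY, EXPKEYSIG or REVKEYSIG line is seen.
verify_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    matched=1
    failed=0
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # VALIDSIG <sig-key-fpr> <date> <ts> ... [<primary-key-fpr>]
                sigkey=${rest%% *}
                primary=${rest##* }
                if [ "$sigkey" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    matched=0
                fi ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                failed=1 ;;
        esac
    done
    [ "$failed" -eq 0 ] && [ "$matched" -eq 0 ]
}

# verify_sig FILE SIGFILE EXPECTED_FPR: the real invocation (assumed; needs gpg
# and the signer's key in the keyring). Both paths are passed explicitly so the
# data file is found whatever signature suffix the port uses.
verify_sig() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | verify_status "$3"
}

# Constructed status output modelled on the PR's sample run (key 57548DCD).
GOOD_STATUS='[GNUPG:] GOODSIG 68B7AB8957548DCD Werner Koch (gnupg sig) <dd9jn at gnu.org>
[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2003-09-04 1062679729 0 4 0 17 2 00 6BD9050FD8FC941B43412DCC68B7AB8957548DCD
[GNUPG:] TRUST_UNDEFINED'
# Constructed: a good signature, but from some other (auto-retrieved) key.
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <nobody at example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2003-09-04 1062679729 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF01234567'
# Constructed: signature present but the public key is not available.
NO_KEY_STATUS='[GNUPG:] ERRSIG 68B7AB8957548DCD 17 2 00 1062679729 9
[GNUPG:] NO_PUBKEY 68B7AB8957548DCD'
EXPECTED_FPR='6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD'
```

In a port this replaces the bare `${GPG} ${GPG_FLAGS} ${DISTDIR}/${__SIG}` call with one that fails unless the signer is the expected key, regardless of what a keyserver returns.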