Github messages for voidlinux
From: ericonr <ericonr@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] [RFC/POC] Support checks for signify signature inside xbps-src
Date: Tue, 02 Feb 2021 03:48:23 +0100
Message-ID: <20210202024823.HdsvDYyaaUiMqqkxx9LW9T8_LTrgRGomoo9rsvPlfJk@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-28400@inbox.vuxu.org>


There is an updated pull request by ericonr against master on the void-packages repository

https://github.com/ericonr/void-packages signify
https://github.com/void-linux/void-packages/pull/28400

[RFC/POC] Support checks for signify signature inside xbps-src

The idea was flown around on IRC and it tickled me. It's probably of very limited utility, but who knows, maybe the recent PGP crisis drives people towards signify :P

It's very very simple, and only really supports a single distfile per template. Maybe it should loop through `signify_sigs` instead? I don't think things are being downloaded in the best place either.

I think this is unlikely to have much support, so other maintainers feel free to close the issue; if anyone thinks it's worth it, we can improve on it and potentially merge some day?



A patch file from https://github.com/void-linux/void-packages/pull/28400.patch is attached

[-- Attachment #2: github-pr-signify-28400.patch --]

From f97099f09e3dd9da6b06efe99cb47450338cd4c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:15:43 -0300
Subject: [PATCH 1/4] base-chroot: add outils for signify.

---
 srcpkgs/base-chroot/template | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/srcpkgs/base-chroot/template b/srcpkgs/base-chroot/template
index 78f6d0cc2a1..7b2963132a9 100644
--- a/srcpkgs/base-chroot/template
+++ b/srcpkgs/base-chroot/template
@@ -1,7 +1,7 @@
 # Template file for 'base-chroot'
 pkgname=base-chroot
-version=0.66
-revision=3
+version=0.67
+revision=1
 bootstrap=yes
 build_style=meta
 short_desc="Minimal set of packages required for chroot with xbps-src"
@@ -19,4 +19,4 @@ depends+="
  patch sed findutils diffutils make gzip coreutils
  file bsdtar ccache xbps mpfr ncurses libreadline8
  chroot-bash chroot-grep chroot-gawk chroot-distcc
- chroot-util-linux chroot-git"
+ chroot-util-linux chroot-git outils"
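Review bot: adding outils to the base-chroot depends list makes signify part of every masterdir, including builds of templates that never set signify_sig; the 4/4 commit message shows the motivation (outils is otherwise not present in an existing masterdir), but the PR description should state whether the intent is to require outils unconditionally or only for templates that use signify_sig, since base-chroot is a bootstrap meta package and the extra dependency reaches every builder.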

From 3be3f29772c66bb50c905157854ae654b7363c3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:16:02 -0300
Subject: [PATCH 2/4] mblaze: add signify keys and signature.

---
 common/signify-keys/mblaze.pub | 2 ++
 srcpkgs/mblaze/template        | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 common/signify-keys/mblaze.pub

diff --git a/common/signify-keys/mblaze.pub b/common/signify-keys/mblaze.pub
new file mode 100644
index 00000000000..74fed42cceb
--- /dev/null
+++ b/common/signify-keys/mblaze.pub
@@ -0,0 +1,2 @@
+untrusted comment: mblaze release key public key
+RWT/F+mCqnmHzj/+dB32aXOuZ+4Afcr3r6TOVHXGkRNCBExd3kS0tCnL
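Review bot: the key file carries no provenance: neither the commit message nor a comment says where this public key was obtained or how it was checked against a second channel, and the "untrusted comment:" line is, by signify's design, not covered by any signature. Suggest recording in the commit message, or in a README under common/signify-keys/, the source of the key and how it was cross-checked, so that a later change to this file can be reviewed as a legitimate key rotation rather than a silent key substitution.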
diff --git a/srcpkgs/mblaze/template b/srcpkgs/mblaze/template
index 88624be8f71..74de8e9933b 100644
--- a/srcpkgs/mblaze/template
+++ b/srcpkgs/mblaze/template
@@ -9,6 +9,8 @@ maintainer="Leah Neukirchen <leah@vuxu.org>"
 license="Public Domain, MIT"
 homepage="https://github.com/leahneukirchen/mblaze"
 distfiles="https://leahneukirchen.org/releases/${pkgname}-${version}.tar.gz"
+signify_sig="https://leahneukirchen.org/releases/${pkgname}-${version}.tar.gz.sig"
+signify_key="mblaze.pub"
 checksum=edd8cb86f667543e703dee58263b81c7e47744339d23ebbb6a43e75059ba93b1
 
 post_install() {
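Review bot: signify_sig repeats the full distfiles URL with a .sig suffix; if the hook defaulted to "${distfiles}.sig" whenever signify_key is set and signify_sig is not, templates would only need to add signify_key and the signature URL could not drift away from the tarball URL. As the PR description itself notes, the singular variable names also mean a template with several distfiles cannot say which one the signature covers.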

From abb4e7097681334e005b4c04dacf5c218fdd2511 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:16:21 -0300
Subject: [PATCH 3/4] hooks/do-fetch: check signify signature in 00-distfiles.

---
 common/hooks/do-fetch/00-distfiles.sh | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/common/hooks/do-fetch/00-distfiles.sh b/common/hooks/do-fetch/00-distfiles.sh
index e2bf54378fe..c2a651a1f6f 100644
--- a/common/hooks/do-fetch/00-distfiles.sh
+++ b/common/hooks/do-fetch/00-distfiles.sh
@@ -115,6 +115,7 @@ verify_cksum() {
 	cksum=$(get_cksum $curfile $dfcount)
 
 	# If the checksum starts with an commercial at (@) it is the contents checksum
+	# Only constant tarballs can be signed, so only check for signify below
 	if [ "${cksum:0:1}" = "@" ]; then
 		cksum=${cksum:1}
 		msg_normal "$pkgver: verifying contents checksum for distfile '$curfile'... "
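Review bot: the added comment sits above the "@" (contents checksum) branch but describes the else branch, where the signify check actually lives; suggest moving it next to the signify block and stating the reason in full: a contents checksum is used for archives that are regenerated at download time and are not byte-for-byte stable, so a detached signature over the archive bytes cannot be verified for them.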
@@ -131,7 +132,7 @@ verify_cksum() {
 		filesum=$(${XBPS_DIGEST_CMD} "$distfile")
 		if [ "$cksum" != "$filesum" ]; then
 			echo
-			msg_red "SHA256 mismatch for '$curfile:'\n$filesum\n"
+			msg_red "SHA256 mismatch for '$curfile':\n$filesum\n"
 			errors=$((errors + 1))
 		else
 			if [ ! -f "$XBPS_SRCDISTDIR/by_sha256/${cksum}_${curfile}" ]; then
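Review bot: the swapped colon and quote in the SHA256 mismatch message is an unrelated drive-by fix; put it in its own commit so it can be merged on its own, independently of whether the RFC is accepted.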
@@ -140,6 +141,25 @@ verify_cksum() {
 			fi
 			msg_normal_append "OK.\n"
 		fi
+
+		if [ -n "$signify_sig" ]; then
+			if [ -z "$signify_key" ]; then
+				msg_error "$pkgver: signify_sig is set but signify_key isn't\n"
+			fi
+			sigfile="${signify_sig##*/}"
+			msg_normal "$pkgver: fetching signify signature '$sigfile'...\n"
+			$fetch_cmd -o "$sigfile" "$signify_sig"
+			msg_normal "$pkgver: verifying signify signature for distfile '$curfile'... "
+			if signify -V \
+				-p "$XBPS_COMMONDIR/signify-keys/$signify_key" \
+				-x "$sigfile" \
+				-m "$distfile" >/dev/null; then
+				msg_normal_append "OK.\n"
+			else
+				msg_red "signify signature mismatch for '$curfile'\n"
+				errors=$((errors + 1))
+			fi
+		fi
 	fi
 }
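Review bot: the exit status of `$fetch_cmd -o "$sigfile" "$signify_sig"` is not checked, and the signature is written to the current directory instead of under $XBPS_SRCDISTDIR, so a failed or partial download of the .sig file surfaces as "signify signature mismatch" rather than as a fetch error, and the file is never cached next to the distfile it belongs to. Suggest fetching into "$XBPS_SRCDISTDIR/$sigfile" and aborting on fetch failure, e.g. `$fetch_cmd -o "$sigfile" "$signify_sig" || msg_error "$pkgver: failed to fetch '$sigfile'\n"`. Note also that the block runs whether or not the SHA256 comparison above it succeeded, so one bad download is counted as two errors; that is acceptable but deserves a comment, and the signify invocation itself (-V with -p, -x and -m) is correct.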
 

From be5022bdb19c707d65108ec6adbcdac824113da4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:47:57 -0300
Subject: [PATCH 4/4] mblaze: dummy commit so outils is available in the
 masterdir.

---
 srcpkgs/mblaze/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mblaze/template b/srcpkgs/mblaze/template
index 74de8e9933b..a2a1279097b 100644
--- a/srcpkgs/mblaze/template
+++ b/srcpkgs/mblaze/template
@@ -3,6 +3,7 @@ pkgname=mblaze
 version=1.1
 revision=1
 build_style=gnu-makefile
+hostmakedepends="outils"
 checkdepends="perl"
 short_desc="Maildir-focused command line mail client"
 maintainer="Leah Neukirchen <leah@vuxu.org>"
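Review bot: per the 4/4 commit message, this hostmakedepends="outils" line is a workaround for a masterdir that does not yet contain the new base-chroot, not part of the mblaze template proper; mark the commit as to be dropped before merge (or squash it away), otherwise every template using signify_sig would need the same line, duplicating what the base-chroot change already provides.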
