Github messages for voidlinux
* [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src
@ 2021-02-02  2:37 ericonr
  2021-02-02  2:48 ` [PR PATCH] [Updated] " ericonr
From: ericonr @ 2021-02-02  2:37 UTC (permalink / raw)
  To: ml


There is a new pull request by ericonr against master on the void-packages repository

https://github.com/ericonr/void-packages signify
https://github.com/void-linux/void-packages/pull/28400

[RFC/POC] Support checks for signify signature inside xbps-src

The idea was flown around on IRC and it tickled me. It's probably of very limited utility, but who knows, maybe the recent PGP crisis drives people towards signify :P

It's very very simple, and only really supports a single distfile per template. Maybe it should loop through `signify_sigs` instead? I don't think things are being downloaded in the best place either.

I think this is unlikely to have much support, so other maintainers feel free to close the issue; if anyone thinks it's worth it, we can improve on it and potentially merge some day?


A patch file from https://github.com/void-linux/void-packages/pull/28400.patch is attached


From f97099f09e3dd9da6b06efe99cb47450338cd4c5 Mon Sep 17 00:00:00 2001
From: Érico Rolim <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:15:43 -0300
Subject: [PATCH 1/3] base-chroot: add outils for signify.

---
 srcpkgs/base-chroot/template | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/srcpkgs/base-chroot/template b/srcpkgs/base-chroot/template
index 78f6d0cc2a1..7b2963132a9 100644
--- a/srcpkgs/base-chroot/template
+++ b/srcpkgs/base-chroot/template
@@ -1,7 +1,7 @@
 # Template file for 'base-chroot'
 pkgname=base-chroot
-version=0.66
-revision=3
+version=0.67
+revision=1
 bootstrap=yes
 build_style=meta
 short_desc="Minimal set of packages required for chroot with xbps-src"
@@ -19,4 +19,4 @@ depends+="
  patch sed findutils diffutils make gzip coreutils
  file bsdtar ccache xbps mpfr ncurses libreadline8
  chroot-bash chroot-grep chroot-gawk chroot-distcc
- chroot-util-linux chroot-git"
+ chroot-util-linux chroot-git outils"
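Review bot: outils is added to base-chroot unconditionally, so every masterdir pulls in the whole outils collection for the one `signify` binary the hook calls, including builds of templates that set no `signify_sig`. The commit message should say that this is the intended trade-off (keeping the chroot package set static rather than gating it on a template variable), because patch 4 of this series also adds `hostmakedepends="outils"` to mblaze and a reader cannot otherwise tell which of the two is meant to stay.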

From 3be3f29772c66bb50c905157854ae654b7363c3b Mon Sep 17 00:00:00 2001
From: Érico Rolim <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:16:02 -0300
Subject: [PATCH 2/3] mblaze: add signify keys and signature.

---
 common/signify-keys/mblaze.pub | 2 ++
 srcpkgs/mblaze/template        | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 common/signify-keys/mblaze.pub

diff --git a/common/signify-keys/mblaze.pub b/common/signify-keys/mblaze.pub
new file mode 100644
index 00000000000..74fed42cceb
--- /dev/null
+++ b/common/signify-keys/mblaze.pub
@@ -0,0 +1,2 @@
+untrusted comment: mblaze release key public key
+RWT/F+mCqnmHzj/+dB32aXOuZ+4Afcr3r6TOVHXGkRNCBExd3kS0tCnL
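Review bot: the new key file carries only upstream's "untrusted comment" line, and neither the file nor the commit message records where the key was obtained or how it was cross-checked through a second channel (release announcement, upstream repository, or the maintainer directly). Every later `signify -V` result inherits this trust-on-first-use step, so record that provenance in the commit message; it is also what a reviewer of any future change to mblaze.pub will need in order to judge whether a key replacement is legitimate.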
diff --git a/srcpkgs/mblaze/template b/srcpkgs/mblaze/template
index 88624be8f71..74de8e9933b 100644
--- a/srcpkgs/mblaze/template
+++ b/srcpkgs/mblaze/template
@@ -9,6 +9,8 @@ maintainer="Leah Neukirchen <leah@vuxu.org>"
 license="Public Domain, MIT"
 homepage="https://github.com/leahneukirchen/mblaze"
 distfiles="https://leahneukirchen.org/releases/${pkgname}-${version}.tar.gz"
+signify_sig="https://leahneukirchen.org/releases/${pkgname}-${version}.tar.gz.sig"
+signify_key="mblaze.pub"
 checksum=edd8cb86f667543e703dee58263b81c7e47744339d23ebbb6a43e75059ba93b1
 
 post_install() {
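Review bot: `signify_sig` and `signify_key` are new template variables, but Manual.md is not updated to describe them, their expected values (a URL for the signature, a file name under common/signify-keys/ for the key) or the one-distfile limit the PR description admits. The signature URL here is the `distfiles` URL with `.sig` appended by hand; if a single-signature design is kept, defaulting to `${distfiles}.sig` would avoid the duplication, and if several distfiles are to be supported the variable needs to become a list aligned with `distfiles`.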

From abb4e7097681334e005b4c04dacf5c218fdd2511 Mon Sep 17 00:00:00 2001
From: Érico Rolim <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:16:21 -0300
Subject: [PATCH 3/3] hooks/do-fetch: check signify signature in 00-distfiles.

---
 common/hooks/do-fetch/00-distfiles.sh | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/common/hooks/do-fetch/00-distfiles.sh b/common/hooks/do-fetch/00-distfiles.sh
index e2bf54378fe..c2a651a1f6f 100644
--- a/common/hooks/do-fetch/00-distfiles.sh
+++ b/common/hooks/do-fetch/00-distfiles.sh
@@ -115,6 +115,7 @@ verify_cksum() {
 	cksum=$(get_cksum $curfile $dfcount)
 
 	# If the checksum starts with an commercial at (@) it is the contents checksum
+	# Only constant tarballs can be signed, so only check for signify below
 	if [ "${cksum:0:1}" = "@" ]; then
 		cksum=${cksum:1}
 		msg_normal "$pkgver: verifying contents checksum for distfile '$curfile'... "
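Review bot: the added comment "Only constant tarballs can be signed, so only check for signify below" is placed above the contents-checksum (`@`) branch, while the signify check this series adds lives in the else branch further down, so "below" points the reader at the wrong place. Move the comment next to the `if [ -n "$signify_sig" ]` block and state the reason in full: a contents checksum is used for archives that are regenerated on each download, so their bytes cannot be matched against a detached signature. A template that sets `signify_sig` together with an `@` checksum is currently not verified at all and gives no indication of that; rejecting the combination with msg_error would be safer.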
@@ -131,7 +132,7 @@ verify_cksum() {
 		filesum=$(${XBPS_DIGEST_CMD} "$distfile")
 		if [ "$cksum" != "$filesum" ]; then
 			echo
-			msg_red "SHA256 mismatch for '$curfile:'\n$filesum\n"
+			msg_red "SHA256 mismatch for '$curfile':\n$filesum\n"
 			errors=$((errors + 1))
 		else
 			if [ ! -f "$XBPS_SRCDISTDIR/by_sha256/${cksum}_${curfile}" ]; then
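Review bot: the quoting fix in msg_red (`'$curfile:'` to `'$curfile':`) is a cosmetic correction unrelated to signify that is bundled into the feature commit; split it into its own commit so the hook change stays reviewable on its own and the fix can land regardless of what happens to this RFC.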
@@ -140,6 +141,25 @@ verify_cksum() {
 			fi
 			msg_normal_append "OK.\n"
 		fi
+
+		if [ -n "$signify_sig" ]; then
+			if [ -z "$signify_key" ]; then
+				msg_error "$pkgver: signify_sig is set but signify_key isn't\n"
+			fi
+			sigfile="${signify_sig##*/}"
+			msg_normal "$pkgver: fetching signify signature '$sigfile'...\n"
+			$fetch_cmd -o "$sigfile" "$signify_sig"
+			msg_normal "$pkgver: verifying signify signature for distfile '$curfile'... "
+			if signify -V \
+				-p "$XBPS_COMMONDIR/signify-keys/$signify_key" \
+				-x "$sigfile" \
+				-m "$distfile" >/dev/null; then
+				msg_normal_append "OK.\n"
+			else
+				msg_red "signify signature mismatch for '$curfile'\n"
+				errors=$((errors + 1))
+			fi
+		fi
 	fi
 }
 
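Review bot: the exit status of `$fetch_cmd -o "$sigfile" "$signify_sig"` is never checked, so a failed or truncated download of the .sig surfaces as "signify signature mismatch", reporting a network problem as a cryptographic failure; test the fetch and report a distinct fetch error. The signature is also written to the current directory under its bare file name instead of under $XBPS_SRCDISTDIR beside the distfile, so it is re-downloaded on every run, is not cached with the tarball it belongs to, and overwrites any file of the same name. Finally, verify_cksum() runs once per distfile (`$curfile $dfcount`) while `signify_sig` is a single value, so any template with more than one distfile would check every distfile against the same signature and fail for all but one; either verify only the distfile the signature belongs to or make `signify_sig` parallel to `distfiles`, as the PR description already suggests. Minor: the missing-`signify_key` case aborts with msg_error while every other failure in this function increments `errors`; pick one convention.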

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PR PATCH] [Updated] [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
@ 2021-02-02  2:48 ` ericonr
  2021-02-02  3:53 ` eli-schwartz
From: ericonr @ 2021-02-02  2:48 UTC (permalink / raw)
  To: ml


There is an updated pull request by ericonr against master on the void-packages repository

https://github.com/ericonr/void-packages signify
https://github.com/void-linux/void-packages/pull/28400

From be5022bdb19c707d65108ec6adbcdac824113da4 Mon Sep 17 00:00:00 2001
From: Érico Rolim <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:47:57 -0300
Subject: [PATCH 4/4] mblaze: dummy commit so outils is available in the
 masterdir.

---
 srcpkgs/mblaze/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mblaze/template b/srcpkgs/mblaze/template
index 74de8e9933b..a2a1279097b 100644
--- a/srcpkgs/mblaze/template
+++ b/srcpkgs/mblaze/template
@@ -3,6 +3,7 @@ pkgname=mblaze
 version=1.1
 revision=1
 build_style=gnu-makefile
+hostmakedepends="outils"
 checkdepends="perl"
 short_desc="Maildir-focused command line mail client"
 maintainer="Leah Neukirchen <leah@vuxu.org>"
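Review bot: the commit message calls this a dummy commit to get outils into the masterdir, so `hostmakedepends="outils"` duplicates the base-chroot change in patch 1 and must not be merged as-is; if it exists only so that CI builds a masterdir that already contains outils, say so in the message and plan to drop it before merge, otherwise every template that sets `signify_sig` would need the same line.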


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02  2:48 ` [PR PATCH] [Updated] " ericonr
@ 2021-02-02  3:53 ` eli-schwartz
  2021-02-02 18:42 ` Chocimier
From: eli-schwartz @ 2021-02-02  3:53 UTC (permalink / raw)
  To: ml


New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771336697

Comment:
> The idea was flown around on IRC and it tickled me. It's probably of very limited utility, but who knows, maybe the recent PGP crisis drive people towards signify :P

Disclaimer: "the idea" was my suggestion that PGP verification of the large body of software out there that *is* signed today with PGP signatures would be a good idea. :D

Since .sig is a valid and common PGP signature extension, heuristically detecting which flavor it is might be necessary in the event someone implements the, uh, more common variety in xbps-src.

...

Again, as mentioned in IRC, implementing PGP verification support need not force every user to install GnuPG. pacman/makepkg has an option to disable checking PGP (on by default), xbps-src can have an option to enable it (off by default). As long as it is there and can be validated, people can double-check that the known distfile with the known checksum does validate using PGP. (I would advise official builders to enable such checks, if off by default.)


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02  2:48 ` [PR PATCH] [Updated] " ericonr
  2021-02-02  3:53 ` eli-schwartz
@ 2021-02-02 18:42 ` Chocimier
  2021-02-02 18:45 ` eli-schwartz
From: Chocimier @ 2021-02-02 18:42 UTC (permalink / raw)
  To: ml


New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771879490

Comment:
What are we going to do when new releases start to appear signed with an unrelated key?
When the _same_ release is reuploaded signed with an unrelated key?
Now we update checksums of the same version when they change, without any verification. Will it be the same with keys?


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 18:42 ` Chocimier
@ 2021-02-02 18:45 ` eli-schwartz
  2021-02-02 18:48 ` Chocimier
From: eli-schwartz @ 2021-02-02 18:45 UTC (permalink / raw)
  To: ml


New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771882046

Comment:
You regard that as a security violation. The point of checking a code-signing key on ANY operating system is that you want to make sure a reputable person is still signing the releases.

Random changes in the security token are a red flag indicating a compromised security token, unless the old security token has produced a signed message stating that the new security token is legit due to scheduled rotation or onboarding of a new release manager.

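The rotation rule stated above (a new key is accepted only when the old key has signed a statement vouching for it) can be mechanised. The Go program below is an added example, not code from the PR, from outils or from signify itself; it re-implements just enough of the signify file format (an `untrusted comment:` line followed by base64 of `Ed`, an 8-byte key number and the key or signature) on top of Go's standard crypto/ed25519 to verify a distfile against a `.pub` file and to accept a replacement `.pub` file only when its bytes carry a signature made by the currently trusted key. `NewSigner`, `AcceptRotation` and the sample keys are constructed here for the demonstration and are not part of any real workflow.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// PubKey is a parsed signify public key file such as mblaze.pub. Key and .sig
// files share one layout: an "untrusted comment:" line, then one base64 line of
// "Ed" || 8-byte key number || 32-byte Ed25519 key or 64-byte signature.
type PubKey struct {
	KeyNum [8]byte
	Key    ed25519.PublicKey
}

// parse decodes a signify file into key number and body (exactly want bytes).
func parse(file string, want int) (keyNum [8]byte, body []byte, err error) {
	lines := strings.Split(strings.TrimRight(file, "\n"), "\n")
	if len(lines) < 2 || !strings.HasPrefix(lines[0], "untrusted comment:") {
		return keyNum, nil, errors.New("signify: missing 'untrusted comment' line")
	}
	raw, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil || len(raw) != 10+want || string(raw[:2]) != "Ed" {
		return keyNum, nil, errors.New("signify: malformed Ed25519 blob")
	}
	copy(keyNum[:], raw[2:10])
	return keyNum, raw[10:], nil
}

// ParsePubKey parses a .pub file.
func ParsePubKey(file string) (*PubKey, error) {
	n, body, err := parse(file, ed25519.PublicKeySize)
	if err != nil {
		return nil, err
	}
	return &PubKey{KeyNum: n, Key: ed25519.PublicKey(body)}, nil
}

// Verify mirrors `signify -V -p key -x sig -m msg`: the .sig's key number must
// match the key, and the Ed25519 signature must cover the whole message.
func Verify(pk *PubKey, sigFile string, msg []byte) error {
	n, sig, err := parse(sigFile, ed25519.SignatureSize)
	if err != nil {
		return err
	}
	if n != pk.KeyNum {
		return errors.New("signify: signed with a different key (key number mismatch)")
	}
	if !ed25519.Verify(pk.Key, msg, sig) {
		return errors.New("signify: signature verification failed")
	}
	return nil
}

// AcceptRotation applies the rule from the discussion: a replacement key is
// trusted only if the bytes of its .pub file were signed by the currently
// trusted old key. A bare notice, or one signed only by the new key, fails.
func AcceptRotation(old *PubKey, newKeyFile, rotationSigFile string) (*PubKey, error) {
	if err := Verify(old, rotationSigFile, []byte(newKeyFile)); err != nil {
		return nil, fmt.Errorf("rotation not authorised by the old key: %w", err)
	}
	return ParsePubKey(newKeyFile)
}

// encode renders a key or signature body in signify framing.
func encode(comment string, keyNum [8]byte, body []byte) string {
	blob := append(append([]byte("Ed"), keyNum[:]...), body...)
	return "untrusted comment: " + comment + "\n" +
		base64.StdEncoding.EncodeToString(blob) + "\n"
}

// NewSigner returns a constructed .pub file plus a closure producing .sig files
// for it. This is demonstration data only; real private keys stay upstream.
func NewSigner(comment string) (pubFile string, sign func(msg []byte) string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	var keyNum [8]byte
	if _, err := rand.Read(keyNum[:]); err != nil {
		panic(err)
	}
	return encode(comment, keyNum, pub), func(msg []byte) string {
		return encode("signature by "+comment, keyNum, ed25519.Sign(priv, msg))
	}
}

func main() {
	oldFile, oldSign := NewSigner("old release key")
	oldPub, _ := ParsePubKey(oldFile)
	newFile, newSign := NewSigner("new release key")
	_, selfErr := AcceptRotation(oldPub, newFile, newSign([]byte(newFile)))
	_, oldErr := AcceptRotation(oldPub, newFile, oldSign([]byte(newFile)))
	fmt.Println("self-signed rotation rejected:", selfErr != nil, "| signed by old key accepted:", oldErr == nil)
}
```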

* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 18:45 ` eli-schwartz
@ 2021-02-02 18:48 ` Chocimier
  2021-02-02 18:50 ` ericonr
From: Chocimier @ 2021-02-02 18:48 UTC (permalink / raw)
  To: ml


New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771884624

Comment:
So, we would never update a package that was signed at first with one key, but then all following releases with another key?


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 18:48 ` Chocimier
@ 2021-02-02 18:50 ` ericonr
  2021-02-02 18:52 ` Chocimier
From: ericonr @ 2021-02-02 18:50 UTC (permalink / raw)
  To: ml


New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771886164

Comment:
You'd have to confirm that the new key is valid in some way. The change would also be visible in git history and should ideally be well justified.


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 18:50 ` ericonr
@ 2021-02-02 18:52 ` Chocimier
  2021-02-02 18:53 ` Chocimier
From: Chocimier @ 2021-02-02 18:52 UTC (permalink / raw)
  To: ml


New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771887987

Comment:
> You'd have to confirm that the new key is valid in some way.

Will publishing an "it's legit, please update, I lost the old key" message in the same domain where the source and the new key are placed be enough?


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 18:53 ` Chocimier
@ 2021-02-02 19:04 ` eli-schwartz
  2021-02-02 19:05 ` ericonr
From: eli-schwartz @ 2021-02-02 19:04 UTC (permalink / raw)
  To: ml


New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771896892

Comment:
As a developer for a Linux distribution, you'll have to ask yourself how confident you are that that is what ACTUALLY happened, rather than a malicious attacker breaking into e.g. github and hijacking lines of communication.

Your proposed case is a sob story, not a cryptographic proof...

Assuming you do decide to believe that story, and re-bootstrap your Trust On First Use relationship with upstream, the fact that that happened is visible in the git commit history for the package, so that people are aware that yes, something changed.

For the record, people don't generally "just lose" their cryptographic security tokens like that.


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 19:04 ` eli-schwartz
@ 2021-02-02 19:05 ` ericonr
  2021-02-02 20:04 ` Chocimier
From: ericonr @ 2021-02-02 19:05 UTC (permalink / raw)
  To: ml


New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771897723

Comment:
> Will publishing "it's legit, please update, i lost old key" message in same domain where source and new key is placed be enough?

I think ideally no, since checking signatures includes the belief that the domain can't be fully trusted either. So some other method, including checking with people who know the dev personally and such (?).

If your point is that adding this to xbps-src requires thought on policy and how to handle keys, you are right, and I haven't given almost any thought to that side of it.


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 19:05 ` ericonr
@ 2021-02-02 20:04 ` Chocimier
  2021-02-02 20:29 ` eli-schwartz
From: Chocimier @ 2021-02-02 20:04 UTC (permalink / raw)
  To: ml


New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771941198

Comment:
Yes, my point is that we need such a policy; I could be more direct.

> Your proposed case is a sob story

If a crypto system only considers the happy path, it's not that useful.


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 20:04 ` Chocimier
@ 2021-02-02 20:29 ` eli-schwartz
  2021-02-02 20:55 ` Chocimier
From: eli-schwartz @ 2021-02-02 20:29 UTC (permalink / raw)
  To: ml


New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771959898

Comment:
> If crypto system only considers happy path it's not that useful.

It considers both the happy path and the unhappy path.

It considers the happy path by saying "yay, let's be happy".
It considers the unhappy path by saying "oh no, looks like you're going to feel unhappy now".

I don't see the problem here.
- Are you optimizing for "I just want to package something, anything, that people put in front of me, and this will stop me from doing so"?
- Are you optimizing for "I want to make sure I'm packaging the right stuff, and not packaging the wrong stuff, and this will help me tell the difference"?

Do you have a reasonable expectation that people are going to be losing their security tokens, not have them securely backed up (e.g. printout in a safe or bank deposit box), and then be unable to be contacted IRL to provide legal evidence of ID connecting an old security token to a new security token?

If the Void repos suddenly lost the private key used to sign repodata, what would you do?

If a Void team member suddenly lost their github login and showed up the next day with a new account e.g. @Chocimier2 and insisted "yes I am the same person, please believe me and add me to the github org with push rights", what is your ideal proposed mechanism to verify the truthfulness of this statement?


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 20:29 ` eli-schwartz
@ 2021-02-02 20:55 ` Chocimier
  2021-02-03 15:14 ` [PR PATCH] [Updated] " ericonr
From: Chocimier @ 2021-02-02 20:55 UTC (permalink / raw)
  To: ml


New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771978889

Comment:
> Do you have a reasonable expectation that people are going to be losing their security tokens, not have them securely backed up (e.g. printout in a safe or bank deposit box), and then be unable to be contacted IRL to provide legal evidence of ID connecting an old security token to a new security token?

Yes, rarely.
Contacting IRL is only meaningful when previous IRL contact has occurred, which is not always the case.

> If the Void repos suddenly lost the private key used to sign repodata, what would you do?

Ask everyone to trust the new key?

> If a Void team member suddenly lost their github login and showed up the next day with a new account e.g. @Chocimier2 and insisted "yes I am the same person, please believe me and add me to the github org with push rights", what is your ideal proposed mechanism to verify the truthfulness of this statement?

I propose to reject that statement, treat Chocimier2 as a stranger and only add him to the organization once he earns trust like any other stranger: by doing a month of meaningful work.

For packages, earning trust to be added to the repo, the same as for any other new package, is: verify the new source code against the new key, then add it to the repo.


* Re: [PR PATCH] [Updated] [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
  2021-02-02 20:55 ` Chocimier
@ 2021-02-03 15:14 ` ericonr
  2022-05-03  2:14 ` github-actions
  2022-05-17  2:14 ` [PR PATCH] [Closed]: " github-actions
From: ericonr @ 2021-02-03 15:14 UTC (permalink / raw)
  To: ml


There is an updated pull request by ericonr against master on the void-packages repository

https://github.com/ericonr/void-packages signify
https://github.com/void-linux/void-packages/pull/28400


From 9c2e1e8a1047f2cd9612eee05ea89b3afca3c7f6 Mon Sep 17 00:00:00 2001
From: Érico Rolim <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:15:43 -0300
Subject: [PATCH 1/4] base-chroot: add outils for signify.

---
 srcpkgs/base-chroot/template | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/srcpkgs/base-chroot/template b/srcpkgs/base-chroot/template
index 78f6d0cc2a1..7b2963132a9 100644
--- a/srcpkgs/base-chroot/template
+++ b/srcpkgs/base-chroot/template
@@ -1,7 +1,7 @@
 # Template file for 'base-chroot'
 pkgname=base-chroot
-version=0.66
-revision=3
+version=0.67
+revision=1
 bootstrap=yes
 build_style=meta
 short_desc="Minimal set of packages required for chroot with xbps-src"
@@ -19,4 +19,4 @@ depends+="
  patch sed findutils diffutils make gzip coreutils
  file bsdtar ccache xbps mpfr ncurses libreadline8
  chroot-bash chroot-grep chroot-gawk chroot-distcc
- chroot-util-linux chroot-git"
+ chroot-util-linux chroot-git outils"
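Review bot: adding outils to the depends of a bootstrap=yes meta package pulls in the whole outils tool set when the hook only needs the signify binary, and, as the subject of PATCH 4/4 ("dummy commit so outils is available in the masterdir") shows, an already-built masterdir will not have it until base-chroot is reinstalled, so on such a masterdir the new hook fails with a missing `signify` command instead of a verification result. Consider guarding the verification in the hook with `command -v signify >/dev/null || msg_error "$pkgver: signify not found, update the masterdir\n"` so the failure mode is explicit, and stating in the commit message that the base-chroot bump requires a masterdir update.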

From fc30eca559b1b10859b151d40edc259f3da4836b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:16:02 -0300
Subject: [PATCH 2/4] mblaze: add signify keys and signature.

---
 common/signify-keys/mblaze.pub | 2 ++
 srcpkgs/mblaze/template        | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 common/signify-keys/mblaze.pub

diff --git a/common/signify-keys/mblaze.pub b/common/signify-keys/mblaze.pub
new file mode 100644
index 00000000000..74fed42cceb
--- /dev/null
+++ b/common/signify-keys/mblaze.pub
@@ -0,0 +1,2 @@
+untrusted comment: mblaze release key public key
+RWT/F+mCqnmHzj/+dB32aXOuZ+4Afcr3r6TOVHXGkRNCBExd3kS0tCnL
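Review bot: the key file records nothing about where this public key was obtained or how it was checked against upstream's publication, yet it becomes the trust anchor for every future mblaze release; the commit message should cite the source and the out-of-band check that was done. Naming the file `mblaze.pub` also leaves no room for key rotation: when upstream switches keys, either the file is overwritten, which breaks older templates that still reference it, or a second ad-hoc name has to be invented. A name that carries the key id or year, with `signify_key` in the template pointing at that specific file, avoids both problems.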
diff --git a/srcpkgs/mblaze/template b/srcpkgs/mblaze/template
index 88624be8f71..74de8e9933b 100644
--- a/srcpkgs/mblaze/template
+++ b/srcpkgs/mblaze/template
@@ -9,6 +9,8 @@ maintainer="Leah Neukirchen <leah@vuxu.org>"
 license="Public Domain, MIT"
 homepage="https://github.com/leahneukirchen/mblaze"
 distfiles="https://leahneukirchen.org/releases/${pkgname}-${version}.tar.gz"
+signify_sig="https://leahneukirchen.org/releases/${pkgname}-${version}.tar.gz.sig"
+signify_key="mblaze.pub"
 checksum=edd8cb86f667543e703dee58263b81c7e47744339d23ebbb6a43e75059ba93b1
 
 post_install() {
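Review bot: `signify_sig` here is just the distfile URL with `.sig` appended, so the template repeats the URL and the two can drift apart on a version bump; if the hook defaulted `signify_sig` to `${distfiles}.sig` when it is unset, or accepted a list indexed like `checksum` since `distfiles` is itself a list, most templates would only need to set `signify_key`. Keeping `checksum` alongside the signature is the right call: the signature shows the file came from the key holder, the checksum pins the exact bytes the maintainer reviewed, and the two catch different failures.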

From 54be7f4ef3f6dd90234fde769febb60d6ff84c08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:16:21 -0300
Subject: [PATCH 3/4] hooks/do-fetch: check signify signature in 00-distfiles.

---
 common/hooks/do-fetch/00-distfiles.sh | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/common/hooks/do-fetch/00-distfiles.sh b/common/hooks/do-fetch/00-distfiles.sh
index e2bf54378fe..c2a651a1f6f 100644
--- a/common/hooks/do-fetch/00-distfiles.sh
+++ b/common/hooks/do-fetch/00-distfiles.sh
@@ -115,6 +115,7 @@ verify_cksum() {
 	cksum=$(get_cksum $curfile $dfcount)
 
 	# If the checksum starts with an commercial at (@) it is the contents checksum
+	# Only constant tarballs can be signed, so only check for signify below
 	if [ "${cksum:0:1}" = "@" ]; then
 		cksum=${cksum:1}
 		msg_normal "$pkgver: verifying contents checksum for distfile '$curfile'... "
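Review bot: the added comment ("Only constant tarballs can be signed, so only check for signify below") sits above the contents-checksum branch but describes a check that only appears in the else branch further down, so a reader of this hunk alone cannot tell what it refers to; rewording it to say that a detached signature covers the exact archive bytes, so distfiles with an `@` contents checksum (which tolerate re-packed archives) cannot be signature-checked and the signify block below is skipped for them, ties the comment to the code it explains.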
@@ -131,7 +132,7 @@ verify_cksum() {
 		filesum=$(${XBPS_DIGEST_CMD} "$distfile")
 		if [ "$cksum" != "$filesum" ]; then
 			echo
-			msg_red "SHA256 mismatch for '$curfile:'\n$filesum\n"
+			msg_red "SHA256 mismatch for '$curfile':\n$filesum\n"
 			errors=$((errors + 1))
 		else
 			if [ ! -f "$XBPS_SRCDISTDIR/by_sha256/${cksum}_${curfile}" ]; then
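Review bot: the quoting fix in the SHA256 mismatch message (`'$curfile:'` to `'$curfile':`) is correct but unrelated to signify support; splitting it into its own commit keeps the signify change reviewable and bisectable on its own.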
@@ -140,6 +141,25 @@ verify_cksum() {
 			fi
 			msg_normal_append "OK.\n"
 		fi
+
+		if [ -n "$signify_sig" ]; then
+			if [ -z "$signify_key" ]; then
+				msg_error "$pkgver: signify_sig is set but signify_key isn't\n"
+			fi
+			sigfile="${signify_sig##*/}"
+			msg_normal "$pkgver: fetching signify signature '$sigfile'...\n"
+			$fetch_cmd -o "$sigfile" "$signify_sig"
+			msg_normal "$pkgver: verifying signify signature for distfile '$curfile'... "
+			if signify -V \
+				-p "$XBPS_COMMONDIR/signify-keys/$signify_key" \
+				-x "$sigfile" \
+				-m "$distfile" >/dev/null; then
+				msg_normal_append "OK.\n"
+			else
+				msg_red "signify signature mismatch for '$curfile'\n"
+				errors=$((errors + 1))
+			fi
+		fi
 	fi
 }
 
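Review bot: the exit status of `$fetch_cmd -o "$sigfile" "$signify_sig"` is never checked, so a failed or partial signature download falls through to `signify -V`, which then fails on a missing or truncated `.sig` and is reported as "signify signature mismatch for '$curfile'", a misleading diagnosis for what is a network error. Test the fetch status first and report "could not fetch signify signature" as its own error, still counting it in `errors`. Two related issues in the same block: `sigfile` is a bare filename written to whatever the current directory happens to be rather than to `$XBPS_SRCDISTDIR` next to `$distfile`, and it is re-downloaded on every `verify_cksum` call even when the distfile is already cached, so store it beside the distfile and skip the fetch when it is already present. Finally, `signify_sig` is a single template-wide value while `verify_cksum` runs once per distfile (`$dfcount`), so a template with two distfiles would check the one signature against both and the second would always fail; index the signature the way `get_cksum $curfile $dfcount` indexes the checksum, or only run the block for the distfile the signature belongs to.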

From 26a3ddcded8a89a2b030964b4e0213c41e7aecdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Mon, 1 Feb 2021 23:47:57 -0300
Subject: [PATCH 4/4] mblaze: dummy commit so outils is available in the
 masterdir.

---
 srcpkgs/mblaze/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mblaze/template b/srcpkgs/mblaze/template
index 74de8e9933b..a2a1279097b 100644
--- a/srcpkgs/mblaze/template
+++ b/srcpkgs/mblaze/template
@@ -3,6 +3,7 @@ pkgname=mblaze
 version=1.1
 revision=1
 build_style=gnu-makefile
+hostmakedepends="outils"
 checkdepends="perl"
 short_desc="Maildir-focused command line mail client"
 maintainer="Leah Neukirchen <leah@vuxu.org>"
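Review bot: `hostmakedepends="outils"` is, per the commit subject, a dummy change to get outils installed into an existing masterdir, not a real build dependency of mblaze, so it must not be merged as-is and should be dropped from the series before the PR leaves RFC state; the proper fix is the base-chroot bump in PATCH 1/4 (with users updating their masterdir) together with the hook checking for `signify` and saying how to obtain it when it is missing.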


* Re: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
                   ` (13 preceding siblings ...)
  2021-02-03 15:14 ` [PR PATCH] [Updated] " ericonr
@ 2022-05-03  2:14 ` github-actions
  2022-05-17  2:14 ` [PR PATCH] [Closed]: " github-actions
  15 siblings, 0 replies; 17+ messages in thread
From: github-actions @ 2022-05-03  2:14 UTC (permalink / raw)
  To: ml


New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-1115549602

Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that.  If this pull request is still relevant bump it or assign it.


* Re: [PR PATCH] [Closed]: [RFC/POC] Support checks for signify signature inside xbps-src
  2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
                   ` (14 preceding siblings ...)
  2022-05-03  2:14 ` github-actions
@ 2022-05-17  2:14 ` github-actions
  15 siblings, 0 replies; 17+ messages in thread
From: github-actions @ 2022-05-17  2:14 UTC (permalink / raw)
  To: ml


There's a closed pull request on the void-packages repository

[RFC/POC] Support checks for signify signature inside xbps-src
https://github.com/void-linux/void-packages/pull/28400


Thread overview: 17+ messages
2021-02-02  2:37 [PR PATCH] [RFC/POC] Support checks for signify signature inside xbps-src ericonr
2021-02-02  2:48 ` [PR PATCH] [Updated] " ericonr
2021-02-02  3:53 ` eli-schwartz
2021-02-02 18:42 ` Chocimier
2021-02-02 18:45 ` eli-schwartz
2021-02-02 18:48 ` Chocimier
2021-02-02 18:50 ` ericonr
2021-02-02 18:52 ` Chocimier
2021-02-02 18:53 ` Chocimier
2021-02-02 19:04 ` eli-schwartz
2021-02-02 19:05 ` ericonr
2021-02-02 20:04 ` Chocimier
2021-02-02 20:29 ` eli-schwartz
2021-02-02 20:55 ` Chocimier
2021-02-03 15:14 ` [PR PATCH] [Updated] " ericonr
2022-05-03  2:14 ` github-actions
2022-05-17  2:14 ` [PR PATCH] [Closed]: " github-actions
