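#! /bin/sh

# $NetBSD: chk.sh,v 1.3 2015/02/05 01:26:54 agc Exp $

# Copyright (c) 2013,2014,2015 Alistair Crooks <agc@NetBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# chk.sh -- verify a signed pkgsrc binary package.
#
# A signed package is an ar(1) archive holding the package tarball,
# +PKG_HASH (the "pkgsrc signature" list of per-block digests over the
# tarball) and +PKG_GPG_SIGNATURE (a detached OpenPGP signature over
# +PKG_HASH).  This script
#   1. fetches the package from the EdgeBSD repository when it is not
#      present locally (plain ftp: nothing about the download is trusted
#      until the checks below pass),
#   2. recomputes the per-block digests over the tarball and requires
#      them to match +PKG_HASH exactly, and
#   3. verifies +PKG_GPG_SIGNATURE over +PKG_HASH, with netpgpverify if
#      one can be found, otherwise with gpg.
#
# usage: chk.sh [--arch|-a arch] [--keyring|-k file] [--os|-o os]
#               [--pkgsrc branch] [-v] package.tgz
#
# Exits 0 only when both the hashes and the signature check out; any
# failure exits 1 with a message on stderr.  The scratch directory is
# removed on every exit path.

# print a diagnostic to stderr and exit non-zero.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

# usage error: same exit status as any other failure.
usage() {
	die "usage: ${0##*/} [--arch|-a arch] [--keyring|-k file]" \
	    "[--os|-o os] [--pkgsrc branch] [-v] package.tgz"
}

# remove the scratch directory.  Installed as the EXIT trap once the
# directory exists, so it runs on success and on die() alike.  ${dir:?}
# guarantees an empty value can never turn this into "rm -rf /".
cleanup() {
	if [ -n "${dir}" ]; then
		rm -rf -- "${dir:?}"
	fi
}

# an option that takes a value must actually be followed by one; fail
# with a clear message rather than letting the trailing "shift" blow up.
need_arg() {
	[ $# -ge 2 ] || die "option $1 requires an argument"
}

os=EdgeBSD
osrev=6
arch=amd64
pkgsrc=pkgsrc-2013Q1
keyring=pubring.gpg
dir=
while [ $# -gt 0 ]; do
	case "$1" in
	--arch|-a)	need_arg "$@"; arch=$2; shift ;;
	--keyring|-k)	need_arg "$@"; keyring=$2; shift ;;
	--os|-o)	need_arg "$@"; os=$2; shift ;;
	--pkgsrc)	need_arg "$@"; pkgsrc=$2; shift ;;
	-v)		set -x ;;
	*)		break ;;
	esac
	shift
done
[ $# -ge 1 ] || usage
pkg=$1
pkgbase=${pkg##*/}
name=$(basename "${pkg}" .tgz)

# fetch the package if we do not already have it.  The repository is
# reached over unauthenticated ftp, so the file is only as trustworthy
# as the hash and signature checks that follow.
repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${os}-${osrev}/${arch}/${pkgsrc}/All/
if [ ! -f "${pkg}" ]; then
	case "${repo}" in
	*/)	remote=${repo}${pkg} ;;
	*)	remote=${repo}/${pkg} ;;
	esac
	ftp "${remote}" || die "cannot fetch ${remote}"
	[ -f "${pkg}" ] || die "fetched ${remote} but ${pkg} is still missing"
fi

# unpack the outer ar(1) archive into a private scratch directory
dir=$(mktemp -d /tmp/chk.XXXXXX) || die "cannot create scratch directory"
trap cleanup EXIT
here=$(pwd)
case "${pkg}" in
/*)	archive=${pkg} ;;
*)	archive=${here}/${pkg} ;;
esac
(cd "${dir}" && ar x "${archive}") || die "cannot unpack ${archive}"

# the members we rely on.  The tarball member is assumed to carry the
# package's base name (the original addressed it as "$1", which is the
# same thing for a bare file name).
inner=${dir}/${pkgbase}
hashfile=${dir}/+PKG_HASH
sigfile=${dir}/+PKG_GPG_SIGNATURE
for f in "${inner}" "${hashfile}" "${sigfile}"; do
	[ -f "${f}" ] || die "${archive} has no ${f##*/} member"
done

# take the digest algorithm and block size from +PKG_HASH.  Both come
# from the not-yet-verified archive, so constrain them before one is
# used as a command argument and the other as the loop step (a zero or
# empty block size would otherwise never advance the loop).
digest=$(awk '$1 ~ /algorithm:/ { print $2 }' "${hashfile}")
blocksize=$(awk '/^block size:/ { print $3 }' "${hashfile}")
case "${digest}" in
""|*[!A-Za-z0-9]*)	die "bad digest algorithm in +PKG_HASH: '${digest}'" ;;
esac
case "${blocksize}" in
""|*[!0-9]*)		die "bad block size in +PKG_HASH: '${blocksize}'" ;;
esac
[ "${blocksize}" -gt 0 ] || die "block size in +PKG_HASH must be positive"

# recompute the per-block digests over the tarball into ${calc}, in
# exactly the layout of +PKG_HASH, so the two can be compared verbatim.
size=$(( $(wc -c < "${inner}") ))
calc=${dir}/calc
{
	printf "pkgsrc signature\n\nversion: 1\n"
	printf "pkgname: %s\n" "${name}"
	printf "algorithm: %s\n" "${digest}"
	printf "block size: %s\n" "${blocksize}"
	printf "file size: %s\n\n" "${size}"
} > "${calc}"
off=0
n=0
while [ "${off}" -lt "${size}" ]; do
	rm -f "${dir}/in"
	dd if="${inner}" of="${dir}/in" bs="${blocksize}" count=1 skip="${n}" 2>/dev/null ||
	    die "cannot read block ${n} of ${pkgbase}"
	digest "${digest}" < "${dir}/in" >> "${calc}" ||
	    die "digest ${digest} failed on block ${n}"
	off=$(( off + blocksize ))
	n=$(( n + 1 ))
done
printf "end pkgsrc signature\n" >> "${calc}"

# what we computed must be exactly what was signed
diff "${hashfile}" "${calc}" || die "Bad hashes generated"

# pick the verifier.  The original tested only the installed locations
# yet always ran ${here}/netpgpverify; run whichever of those actually
# exists, a freshly built one in the current directory first.
verifier=
for candidate in "${here}/netpgpverify" /usr/bin/netpgpverify /usr/pkg/bin/netpgpverify; do
	if [ -x "${candidate}" ]; then
		verifier=${candidate}
		break
	fi
done

if [ -n "${verifier}" ]; then
	echo "=== Using netpgpverify to verify the package signature ==="
	cp -- "${keyring}" "${dir}/pubring.gpg" || die "cannot read keyring ${keyring}"
	# rebuild the clearsigned message netpgpverify expects: +PKG_HASH
	# as the body, +PKG_GPG_SIGNATURE as the armoured signature.
	{
		printf "%s\n" "-----BEGIN PGP SIGNED MESSAGE-----"
		printf "Hash: %s\n\n" "${digest}"
		cat "${hashfile}" "${sigfile}"
	} > "${dir}/${name}.sig"
	(cd "${dir}" && "${verifier}" -k pubring.gpg "${name}.sig") || die "Bad signature"
else
	echo "=== Using gpg to verify the package signature ==="
	# keep all gpg state in the scratch home so the run neither touches
	# nor depends on ~/.gnupg, and seed it from the keyring when one is
	# present (the original fetched into the default home but verified
	# against the empty scratch home).  The keyserver fetch stays best
	# effort, as before: the key may already be in the keyring.  Note
	# that 0x6F3AF5E2 is a 32-bit key id, which is not unique; pin the
	# full fingerprint if this path is relied upon.
	if [ -f "${keyring}" ]; then
		cp -- "${keyring}" "${dir}/pubring.gpg" || die "cannot read keyring ${keyring}"
	fi
	gpg --homedir "${dir}" --keyserver pgp.mit.edu --recv-keys 0x6F3AF5E2 ||
	    printf '%s\n' "warning: could not fetch 0x6F3AF5E2 from pgp.mit.edu" >&2
	(cd "${dir}" && gpg --homedir "${dir}" --verify ./+PKG_GPG_SIGNATURE ./+PKG_HASH) ||
	    die "Bad signature"
fi
echo "Signatures match on ${name} package"

# scratch directory is removed by the EXIT trap
exit 0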