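#! /bin/sh

# $NetBSD: chk.sh,v 1.1 2014/03/09 00:15:45 agc Exp $

# Copyright (c) 2013,2014 Alistair Crooks <agc@NetBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# chk.sh - verify a signed pkgsrc binary package.
#
# A signed package is an ar(1) archive holding the original .tgz, a
# +PKG_HASH manifest (block-wise digests of that .tgz) and a
# +PKG_GPG_SIGNATURE over the manifest.  This script:
#   1. fetches the package from the EdgeBSD repository when the argument
#      is not an existing local file (plain FTP: the transport gives no
#      integrity of its own, the checks below are what establish it),
#   2. recomputes +PKG_HASH from the embedded .tgz and diffs it against
#      the shipped manifest,
#   3. verifies +PKG_GPG_SIGNATURE over +PKG_HASH against the caller's
#      keyring, with netpgpverify(1) when installed, else gpg(1).
#
# Usage: chk.sh [-a arch] [-k keyring] [-o os] [--pkgsrc branch] [-v] pkg.tgz
#
# Exits 0 only when both the hashes and the signature verify; any other
# outcome prints a reason on stderr and exits non-zero.  The scratch
# directory is removed on every exit path.

# Print a message on stderr and exit 1.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

usage() {
	printf 'Usage: %s [-a arch] [-k keyring] [-o os] [--pkgsrc branch] [-v] package.tgz\n' "${0##*/}" >&2
	exit 2
}

# Abort unless the option in $1 is followed by a value ($2).
needarg() {
	[ $# -ge 2 ] || die "option $1 requires an argument"
}

os=EdgeBSD
osrev=6
arch=amd64
pkgsrc=pkgsrc-2013Q2
keyring=""
while [ $# -gt 0 ]; do
	case "$1" in
	--arch|-a)	needarg "$@"; arch=$2; shift ;;
	--keyring|-k)	needarg "$@"; keyring=$2; shift ;;
	--os|-o)	needarg "$@"; os=$2; shift ;;
	--pkgsrc)	needarg "$@"; pkgsrc=$2; shift ;;
	-v)		set -x ;;
	--)		shift; break ;;
	-*)		usage ;;
	*)		break ;;
	esac
	shift
done
[ $# -ge 1 ] || usage

# The keyring is the only trust anchor: nothing is fetched from a keyserver.
case "${keyring}" in
"")	keyring=$HOME/.gnupg/pubring.gpg ;;
esac
[ -r "${keyring}" ] || die "keyring ${keyring} is not readable"

pkg=$1
pkgfile=${pkg##*/}		# basename: the name ar(1) stores and ftp(1) saves under
name=${pkgfile%.tgz}
[ -n "${pkgfile}" ] || usage

dir=$(mktemp -d /tmp/chk.XXXXXX) || die "cannot create work directory"
# Clean up on every exit path, including the die() ones.
trap 'rm -rf "${dir}"' EXIT
here=$(pwd)

# fetch the package from the repository if it is not already local.
# Plain FTP carries no integrity; the fetched bytes are untrusted until
# the hash and signature checks below pass.
repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${arch}/${os}-${osrev}/${pkgsrc}/All/
if [ -f "${pkg}" ]; then
	case "${pkg}" in
	/*)	archive=${pkg} ;;
	*)	archive=${here}/${pkg} ;;
	esac
else
	ftp "${repo}${pkgfile}" || die "cannot fetch ${repo}${pkgfile}"
	archive=${here}/${pkgfile}
	[ -f "${archive}" ] || die "fetch of ${pkgfile} produced no file"
fi

# unpack the signed package: the .tgz, +PKG_HASH and +PKG_GPG_SIGNATURE
(cd "${dir}" && ar x "${archive}") || die "cannot extract ${archive}"
inner=${dir}/${pkgfile}
for f in "${inner}" "${dir}/+PKG_HASH" "${dir}/+PKG_GPG_SIGNATURE"; do
	[ -f "${f}" ] || die "${archive} is not a signed package: missing ${f##*/}"
done

# Values read from +PKG_HASH are attacker-controlled until the signature
# verifies, and they become a digest(1) argument and dd(1)/arithmetic
# operands, so constrain them to the expected shape before use.
digest=$(awk '$1 ~ /algorithm:/ { print $2 }' "${dir}/+PKG_HASH")
blocksize=$(awk '/^block size:/ { print $3 }' "${dir}/+PKG_HASH")
case "${digest}" in
""|*[!A-Za-z0-9]*)	die "Bad algorithm in +PKG_HASH" ;;
esac
case "${blocksize}" in
""|*[!0-9]*)		die "Bad block size in +PKG_HASH" ;;
esac
# a zero block size would never advance the loop below
[ "${blocksize}" -gt 0 ] || die "Bad block size in +PKG_HASH"

# rebuild +PKG_HASH from the embedded .tgz, one digest per block
size=$(wc -c < "${inner}" | tr -d ' \t')
calc=${dir}/calc
{
	printf 'pkgsrc signature\n\nversion: 1\n'
	printf 'pkgname: %s\n' "${name}"
	printf 'algorithm: %s\n' "${digest}"
	printf 'block size: %s\n' "${blocksize}"
	printf 'file size: %s\n\n' "${size}"
} > "${calc}"
off=0
n=0
while [ "${off}" -lt "${size}" ]; do
	rm -f "${dir}/in"
	dd if="${inner}" of="${dir}/in" bs="${blocksize}" count=1 skip="${n}" 2>/dev/null ||
		die "cannot read block ${n} of ${inner}"
	digest "${digest}" < "${dir}/in" >> "${calc}" || die "digest ${digest} failed"
	off=$((off + blocksize))
	n=$((n + 1))
done
printf 'end pkgsrc signature\n' >> "${calc}"

# make sure what was signed is what we have
diff "${dir}/+PKG_HASH" "${calc}" || die "Bad hashes generated"

# verify +PKG_GPG_SIGNATURE over +PKG_HASH against the caller's keyring
cp "${keyring}" "${dir}/pubring.gpg" || die "cannot copy keyring ${keyring}"
if [ -x /usr/pkg/bin/netpgpverify ]; then
	# netpgpverify wants a clearsigned message: reassemble one from the
	# manifest and the detached signature block.
	sig=${dir}/${name}.sig
	{
		printf '%s\n' "-----BEGIN PGP SIGNED MESSAGE-----"
		printf 'Hash: %s\n\n' "${digest}"
		cat "${dir}/+PKG_HASH" "${dir}/+PKG_GPG_SIGNATURE"
	} > "${sig}"
	(cd "${dir}" && netpgpverify -k pubring.gpg "${name}.sig") || die "Bad signature"
else
	# Earlier versions ran "gpg --recv 0x6F3AF5E2" here, but that fetched
	# into $HOME/.gnupg while --homedir pointed at ${dir}, so the fetched
	# key never took part in the check, and a 32-bit key id from a
	# keyserver is no trust anchor anyway.  Verify only against the copy
	# of the caller's keyring.
	(cd "${dir}" && gpg --homedir "${dir}" --no-default-keyring \
		--keyring ./pubring.gpg --verify ./+PKG_GPG_SIGNATURE ./+PKG_HASH) ||
		die "Bad signature"
fi
echo "Signatures match on ${name} package"

# clean up is done by the EXIT trap
exit 0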