author | John Turner <jturner.usa+gentoo@gmail.com> | 2025-09-18 02:10:25 -0400 |
---|---|---|
committer | John Turner <jturner.usa+gentoo@gmail.com> | 2025-09-18 04:49:42 -0400 |
commit | 12f935c0597d418d7de5f8192de238b80be739de (patch) | |
tree | 36f7260763f1baf711e0ba14a7a2c3a097c768c2 | |
parent | 822fff37bccd6bf135ef961294d08e45a1b2ff8c (diff) | |
download | ebuilds-12f935c0597d418d7de5f8192de238b80be739de.tar.gz |
add git commit verification to git-r3 and verify-sig eclasses
-rw-r--r-- | eclass/git-r3.eclass | 35 | ||||
-rw-r--r-- | eclass/verify-sig.eclass | 56 |
2 files changed, 89 insertions, 2 deletions
diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass index 35ad6af..f223e66 100644 --- a/eclass/git-r3.eclass +++ b/eclass/git-r3.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: git-r3.eclass @@ -33,6 +33,12 @@ esac if [[ -z ${_GIT_R3_ECLASS} ]]; then _GIT_R3_ECLASS=1 +case ${VERIFY_SIG_METHOD} in + git) + inherit verify-sig + ;; +esac + PROPERTIES+=" live" BDEPEND=">=dev-vcs/git-1.8.2.1[curl]" @@ -512,7 +518,6 @@ _git-r3_set_subrepos() { fi } - # @FUNCTION: _git-r3_is_local_repo # @USAGE: <repo-uri> # @INTERNAL @@ -1149,6 +1154,32 @@ git-r3_src_unpack() { _git-r3_env_setup git-r3_src_fetch + + if use "verify-sig"; then + + local repos + + if [[ $(declare -p EGIT_REPO_URI) == "declare -a"* ]]; then + repos=( "${EGIT_REPO_URI[@]}" ) + else + repos=( ${EGIT_REPO_URI} ) + fi + + local -x GIT_DIR + _git-r3_set_gitdir "${repos[0]}" + + local commit + if [[ -n ${EGIT_BRANCH} ]]; then + commit=${EGIT_BRANCH} + elif [[ -n ${EGIT_COMMIT} ]]; then + commit=${EGIT_COMMIT} + else + commit=HEAD + fi + + verify-sig_verify_git_repo "${GIT_DIR}" "${commit}" + fi + git-r3_checkout if [[ ! ${EGIT_LFS} && ${_EGIT_LFS_FILTERS_FOUND} ]]; then diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index 1cd3e10..695918c 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -86,6 +86,12 @@ case ${VERIFY_SIG_METHOD} in ) " ;; + git) + BDEPEND=" + dev-vcs/git + app-portage/gemato + " + ;; *) die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'" ;; @@ -94,6 +100,8 @@ esac # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEY_PATH # @DEFAULT_UNSET # @DESCRIPTION: +# Note: This variable is deprecated. Please use VERIFY_SIG_KEYS in new ebuilds. +# # Path to key bundle used to perform the verification. This is required # when using default src_unpack. Alternatively, the key path can be # passed directly to the verification functions. 
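Review bot: The new `if use "verify-sig"` in git-r3_src_unpack runs for every consumer of the eclass, yet the earlier hunk only inherits verify-sig (and thus only declares the verify-sig USE flag) when VERIFY_SIG_METHOD is `git`, and Portage treats `use` on a flag outside IUSE as a fatal error, so ebuilds that do not opt in would break unless something outside this diff adds the flag. Guard it on the method: `if [[ ${VERIFY_SIG_METHOD} == git ]] && use verify-sig; then`. Separately, the commit chosen for verification prefers EGIT_BRANCH over EGIT_COMMIT; if both are set and git-r3 checks out EGIT_COMMIT (as I read git-r3_fetch), the object whose signature is verified is the branch tip rather than the commit actually checked out, so test `-n ${EGIT_COMMIT}` first. The `HEAD` fallback deserves a look too: git-r3 fetches into its own refs inside the bare storage directory, so HEAD there may not be the commit git-r3_checkout later uses, and verifying the exact ref the checkout reads would close that gap. git-r3_src_unpack continues outside the hunk.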
@@ -104,6 +112,11 @@ esac # contains "OPENPGP" for historical reasons. It is not used # for sigstore, since it uses a single trusted root. +# @ECLASS_VARIABLE: VERIFY_SIG_KEY_PATHS +# @DESCRIPTION: +# Just like VERIFY_SIG_OPENPGP_KEY_PATH but an array. +VERIFY_SIG_KEY_PATHS=(${VERIFY_SIG_OPENPGP_KEY_PATH}) + # @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY # @DEFAULT_UNSET # @DESCRIPTION: @@ -455,6 +468,49 @@ verify-sig_uncompress_verify_unpack() { ) } +# @FUNCTION: verify-sig_verify_git_repo +verify-sig_verify_git_repo() { + local git_dir="${1}" commit="${2}" + + local args + [[ -n ${VERIFY_SIG_OPENPGP_KEY_REFRESH} ]] || args+=(-R) + + local key found_pgp_key + for key in "${VERIFY_SIG_KEY_PATHS[@]}"; do + dir=$(dirname "${key}") + base=$(basename "${dir}") + + case ${base} in + openpgp-keys) + args+=(-K "${key}") + found_pgp_key=yes + ;; + ssh-keys) + cat "${key}" >> ${T}/allowed_signers || die + ;; + *) + die "unknown key type ${base}" + ;; + esac + done + + git config --global 'gpg.ssh.allowedSignersFile' ${T}/allowed_signers || die + + # gemato *requires* at least one pgp key is passed to it, so if we don't find a pgp key + # we don't use gemato at all. + ebegin "verifying ${git_dir}/${commit}" + case ${found_pgp_key} in + yes) + gemato gpg-wrap ${args[@]} -- git --git-dir ${git_dir} verify-commit ${commit} + ;; + *) + git --git-dir ${git_dir} verify-commit ${commit} + ;; + esac + eend $? || die $? + +} + # @FUNCTION: verify-sig_src_unpack # @DESCRIPTION: # Default src_unpack override that verifies signatures for all |
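Review bot: `VERIFY_SIG_KEY_PATHS=(${VERIFY_SIG_OPENPGP_KEY_PATH})` is evaluated when the eclass is sourced, so if an ebuild sets VERIFY_SIG_OPENPGP_KEY_PATH after its `inherit` line, as is common, the array stays empty and the legacy value never reaches the new git verification path; the deprecation note in the previous hunk also tells authors to use `VERIFY_SIG_KEYS`, which is not the name defined here. Resolve the fallback lazily where the keys are consumed, e.g. in verify-sig_verify_git_repo: `local -a keys=( "${VERIFY_SIG_KEY_PATHS[@]}" ); [[ ${#keys[@]} -eq 0 && -n ${VERIFY_SIG_OPENPGP_KEY_PATH} ]] && keys=( "${VERIFY_SIG_OPENPGP_KEY_PATH}" )`. If the eager assignment stays, quote it so a path with whitespace is not word-split, `[[ -n ${VERIFY_SIG_OPENPGP_KEY_PATH} ]] && VERIFY_SIG_KEY_PATHS=( "${VERIFY_SIG_OPENPGP_KEY_PATH}" )`, and document it with `# @DEFAULT_UNSET` like the neighbouring variables.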
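Review bot: When VERIFY_SIG_KEY_PATHS is empty the loop in verify-sig_verify_git_repo pins nothing, and the `*)` branch of the final case runs a bare `git --git-dir ${git_dir} verify-commit ${commit}`, so the signature is judged against whatever keyring or allowed-signers file happens to exist in the build HOME instead of a trust anchor chosen by the ebuild; the eager population of the array from VERIFY_SIG_OPENPGP_KEY_PATH at inherit time makes this the likely case for ebuilds using the legacy variable. Fail closed at the top of the function with `[[ ${#VERIFY_SIG_KEY_PATHS[@]} -gt 0 ]] || die "${FUNCNAME}: no keys in VERIFY_SIG_KEY_PATHS"`. `dir` and `base` are assigned without `local` and leak into the ebuild environment, and `git config --global` mutates persistent config for the rest of the build where `git -c gpg.ssh.allowedSignersFile="${T}/allowed_signers" --git-dir "${git_dir}" verify-commit "${commit}"` scopes it to this call; `"${args[@]}"` and the `${T}/allowed_signers` paths should be quoted as well. `eend $? || die $?` reports only the exit code; `die "signature verification failed for ${commit}"` tells the user what was being checked.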