authorJohn Turner <jturner.usa+gentoo@gmail.com>2025-09-18 02:10:25 -0400
committerJohn Turner <jturner.usa+gentoo@gmail.com>2025-09-18 02:10:25 -0400
commitc313f071a6081fcc73191d307fbe35e89c6d5047 (patch)
treef0f780154e46c27d71a62b13659b12ccad061b08 /eclass
parent822fff37bccd6bf135ef961294d08e45a1b2ff8c (diff)
add git commit verification to git-r3 and verify-sig eclasses
Diffstat (limited to 'eclass')
-rw-r--r--eclass/git-r3.eclass37
-rw-r--r--eclass/verify-sig.eclass59
2 files changed, 94 insertions, 2 deletions
diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
index 35ad6af..45b9490 100644
--- a/eclass/git-r3.eclass
+++ b/eclass/git-r3.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: git-r3.eclass
@@ -33,6 +33,12 @@ esac
if [[ -z ${_GIT_R3_ECLASS} ]]; then
_GIT_R3_ECLASS=1
+case ${VERIFY_SIG_METHOD} in
+ git+pgp|git+ssh)
+ inherit verify-sig
+ ;;
+esac
+
PROPERTIES+=" live"
BDEPEND=">=dev-vcs/git-1.8.2.1[curl]"
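Review bot: The `case ${VERIFY_SIG_METHOD}` runs once at inherit time, so an ebuild that assigns the variable after `inherit git-r3` silently gets no verify-sig inheritance and nothing in the hunk documents that ordering. A comment above the case would prevent that, e.g. `# VERIFY_SIG_METHOD must be set before inheriting git-r3; only the git+* methods pull in verify-sig.` The enclosing `if [[ -z ${_GIT_R3_ECLASS} ]]` guard ends outside the hunk.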
@@ -512,7 +518,6 @@ _git-r3_set_subrepos() {
fi
}
-
# @FUNCTION: _git-r3_is_local_repo
# @USAGE: <repo-uri>
# @INTERNAL
@@ -1149,6 +1154,34 @@ git-r3_src_unpack() {
_git-r3_env_setup
git-r3_src_fetch
+
+ if use "verify-sig"; then
+
+ local repos
+
+ if [[ $(declare -p EGIT_REPO_URI) == "declare -a"* ]]; then
+ repos=( "${EGIT_REPO_URI[@]}" )
+ else
+ repos=( ${EGIT_REPO_URI} )
+ fi
+
+ local -x GIT_DIR
+ _git-r3_set_gitdir "${repos[0]}"
+
+ local commit
+ if [[ -n ${EGIT_BRANCH} ]]; then
+ commit=${EGIT_BRANCH}
+ elif [[ -n ${EGIT_COMMIT} ]]; then
+ commit=${EGIT_COMMIT}
+ else
+ commit=HEAD
+ fi
+
+ ebegin "verifying ${GIT_DIR}/${commit}"
+ verify-sig_verify_git_repo "${GIT_DIR}" "${commit}"
+ eend $? || die
+ fi
+
git-r3_checkout
if [[ ! ${EGIT_LFS} && ${_EGIT_LFS_FILTERS_FOUND} ]]; then
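Review bot: The ref handed to verify-commit prefers EGIT_BRANCH over EGIT_COMMIT, so an ebuild that pins EGIT_COMMIT (which, if I read git-r3's own precedence right, is what git-r3_checkout actually checks out) gets the branch tip verified instead of the pinned commit, and a signed branch head would let an unsigned pinned commit through. Swap the first two arms: `if [[ -n ${EGIT_COMMIT} ]]; then commit=${EGIT_COMMIT}` / `elif [[ -n ${EGIT_BRANCH} ]]; then commit=${EGIT_BRANCH}`. Separately, `use "verify-sig"` is evaluated for every git-r3 consumer, but the flag is only in IUSE when verify-sig was actually inherited and Portage's `use` helper dies on a flag missing from IUSE; guard it with `if [[ ${VERIFY_SIG_METHOD} == git+* ]] && use verify-sig; then`. Only the repository at `${repos[0]}` is verified, so submodules fetched later (EGIT_SUBMODULES) are not covered, which the eclass documentation should state. git-r3_src_unpack starts and ends outside the hunk.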
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 1cd3e10..8734616 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -86,6 +86,17 @@ case ${VERIFY_SIG_METHOD} in
)
"
;;
+ git+pgp)
+ BDEPEND="
+ dev-vcs/git
+ app-portage/gemato
+ "
+ ;;
+ git+ssh)
+ BDEPEND="
+ dev-vcs/git
+ "
+ ;;
*)
die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
;;
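Review bot: The git+ssh arm depends only on dev-vcs/git, but git's SSH signature verification shells out to `ssh-keygen -Y verify`, which as far as I know no git USE flag pulls in, so a consumer on a minimal system fails at verify time rather than at dependency resolution. Consider adding `virtual/openssh` (or whichever ssh-keygen provider the tree uses) next to dev-vcs/git, and likewise confirm that app-portage/gemato transitively provides the gpg binary that `git verify-commit` invokes in the git+pgp arm. The surrounding `case ${VERIFY_SIG_METHOD}` starts outside the hunk.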
@@ -94,6 +105,8 @@ esac
# @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEY_PATH
# @DEFAULT_UNSET
# @DESCRIPTION:
+# Note: This variable is deprecated. Please use VERIFY_SIG_KEYS in new ebuilds.
+#
# Path to key bundle used to perform the verification. This is required
# when using default src_unpack. Alternatively, the key path can be
# passed directly to the verification functions.
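Review bot: The new deprecation line contradicts the sentence right after it, which still says the key path "is required when using default src_unpack"; with VERIFY_SIG_KEYS available the requirement is on either variable, not this one. Reword the following sentence to something like `# Path to key bundle used to perform the verification. Either this or VERIFY_SIG_KEYS is required when using default src_unpack.` so a reader of the deprecation note is not told to set a deprecated variable.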
@@ -104,6 +117,19 @@ esac
# contains "OPENPGP" for historical reasons. It is not used
# for sigstore, since it uses a single trusted root.
+# @ECLASS_VARIABLE: VERIFY_SIG_KEYS
+# @DESCRIPTION:
+# An array of keys or paths to key bundles depending on the verification method used.
+#
+# Example for SSH verfication:
+# VERIFY_SIG_KEYS=(
+# 'jturner.usa@gmail.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3D6QtWHDFV5agz2Ms/wPOAmRSuH3xGfsI/a8Nnex0c'
+# )
+#
+# Example for PGP:
+# VERIFY_SIG_KEYS=(/usr/share/openpgp-keys/gentoo-developers.asc)
+VERIFY_SIG_KEYS=(${VERIFY_SIG_OPENPGP_KEY_PATH})
+
# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
# @DEFAULT_UNSET
# @DESCRIPTION:
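Review bot: `VERIFY_SIG_KEYS=(${VERIFY_SIG_OPENPGP_KEY_PATH})` is an unconditional assignment at inherit time, so an ebuild that sets VERIFY_SIG_KEYS before `inherit verify-sig` (the natural place, next to VERIFY_SIG_METHOD) has its keys replaced by the empty legacy default, and the unquoted expansion word-splits and globs a key path containing whitespace or `*`. Make it a default instead of an override and quote it: `[[ -n ${VERIFY_SIG_KEYS[*]} ]] || VERIFY_SIG_KEYS=( ${VERIFY_SIG_OPENPGP_KEY_PATH:+"${VERIFY_SIG_OPENPGP_KEY_PATH}"} )`. The @DESCRIPTION should also say that the default is derived from VERIFY_SIG_OPENPGP_KEY_PATH when unset, and "verfication" in the SSH example heading is a typo.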
@@ -455,6 +481,39 @@ verify-sig_uncompress_verify_unpack() {
)
}
+# @FUNCTION: verify-sig_verify_git_repo
+verify-sig_verify_git_repo() {
+ local git_dir="${1}" commit="${2}"
+
+ case ${VERIFY_SIG_METHOD} in
+ git+pgp)
+ local args key
+
+ for key in "${VERIFY_SIG_KEYS[@]}"; do
+ args+=(-K "${key}")
+ done
+
+ [[ -n ${VERIFY_SIG_OPENPGP_KEY_REFRESH} ]] || args+=(-R)
+
+ gemato gpg-wrap "${args[@]}" -- git --git-dir ${git_dir} verify-commit ${commit}
+ ;;
+ git+ssh)
+ local key
+
+ for key in "${VERIFY_SIG_KEYS[@]}"; do
+ <<<"${key}" cat >> ${T}/allowed_signers
+ done
+
+ git config --global 'gpg.ssh.allowedSignersFile' ${T}/allowed_signers || die
+
+ git --git-dir ${git_dir} verify-commit ${commit}
+ ;;
+ *)
+ die
+ ;;
+ esac
+}
+
# @FUNCTION: verify-sig_src_unpack
# @DESCRIPTION:
# Default src_unpack override that verifies signatures for all
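Review bot: `git config --global` persists the allowed-signers path in the build user's global git config, a side effect outside ${T} that outlives the phase and that every later git invocation inherits; a per-invocation `-c` option does the same job without touching global state. Both arms also pass `${git_dir}` and `${commit}` unquoted, so a path with whitespace splits into extra arguments. In the git+ssh arm, replace the `git config` line and the verify call with `git -c gpg.ssh.allowedSignersFile="${T}/allowed_signers" --git-dir "${git_dir}" verify-commit "${commit}"`, and quote the same two expansions on the gemato line. In the git+pgp arm an empty VERIFY_SIG_KEYS (the default when the legacy path is unset) yields no `-K`, so gemato appears to fall back to whatever keyring it finds rather than a pinned trust root; `[[ ${#VERIFY_SIG_KEYS[@]} -gt 0 ]] || die "${ECLASS}: VERIFY_SIG_KEYS is empty"` before the loop closes that, and the bare `die` in the default arm deserves the same `${ECLASS}: unknown method` message the BDEPEND case already uses. The function has no @USAGE/@DESCRIPTION header; document it as taking `<git-dir> <commit>` and returning the verifier's exit status so callers know to check it.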