Diffstat (limited to 'eclass/verify-sig.eclass')
-rw-r--r-- | eclass/verify-sig.eclass | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 1cd3e10..8734616 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -86,6 +86,17 @@ case ${VERIFY_SIG_METHOD} in
 )
 "
 ;;
+ git+pgp)
+ BDEPEND="
+ dev-vcs/git
+ app-portage/gemato
+ "
+ ;;
+ git+ssh)
+ BDEPEND="
+ dev-vcs/git
+ "
+ ;;
 *)
 die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
 ;;
@@ -94,6 +105,8 @@ esac
 # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEY_PATH
 # @DEFAULT_UNSET
 # @DESCRIPTION:
+# Note: This variable is deprecated. Please use VERIFY_SIG_KEYS in new ebuilds.
+
 # Path to key bundle used to perform the verification. This is required
 # when using default src_unpack. Alternatively, the key path can be
 # passed directly to the verification functions.
@@ -104,6 +117,19 @@ esac
 # contains "OPENPGP" for historical reasons. It is not used
 # for sigstore, since it uses a single trusted root.
+# @ECLASS_VARIABLE: VERIFY_SIG_KEYS
+# @DESCRIPTION:
+# An array of keys or paths to key bundles depending on the verification method used.
+ # Example for SSH verfication:
+ VERIFY_SIG_KEYS=(
+ 'jturner.usa@gmail.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3D6QtWHDFV5agz2Ms/wPOAmRSuH3xGfsI/a8Nnex0c'
+ )
+
+ # Example for PGP:
+ VERIFY_SIG_KEYS=(/usr/share/openpgp-keys/gentoo-developers.asc)
+VERIFY_SIG_KEYS=(${VERIFY_SIG_OPENPGP_KEY_PATH})
+
 # @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
 # @DEFAULT_UNSET
 # @DESCRIPTION:
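Review bot: `VERIFY_SIG_KEYS=(${VERIFY_SIG_OPENPGP_KEY_PATH})` in the third hunk expands the old variable unquoted, so a key path containing whitespace or glob characters is word-split and globbed before it becomes the default key list; `VERIFY_SIG_KEYS=( ${VERIFY_SIG_OPENPGP_KEY_PATH:+"${VERIFY_SIG_OPENPGP_KEY_PATH}"} )` keeps the empty-array result when the variable is unset and otherwise adds exactly one element. The assignment also runs when the eclass is sourced, so an ebuild that sets VERIFY_SIG_OPENPGP_KEY_PATH only after `inherit` (which I believe is the common order) will not see it reflected in VERIFY_SIG_KEYS unless the consuming functions fall back to the old variable themselves; the description should say which of the two wins. In the second hunk the deprecation could use the eclass-doc `# @DEPRECATED: VERIFY_SIG_KEYS` tag, if the documentation tooling accepts it on variables, instead of a prose note, and `verfication` in the SSH example is a typo for `verification`.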
@@ -455,6 +481,39 @@ verify-sig_uncompress_verify_unpack() {
 )
 }
+# @FUNCTION: verify-sig_verify_git_repo
+verify-sig_verify_git_repo() {
+ local git_dir="${1}" commit="${2}"
+
+ case ${VERIFY_SIG_METHOD} in
+ git+pgp)
+ local args key
+
+ for key in "${VERIFY_SIG_KEYS[@]}"; do
+ args+=(-K "${key}")
+ done
+
+ [[ -n ${VERIFY_SIG_OPENPGP_KEY_REFRESH} ]] || args+=(-R)
+
+ gemato gpg-wrap "${args[@]}" -- git --git-dir ${git_dir} verify-commit ${commit}
+ ;;
+ git+ssh)
+ local key
+
+ for key in "${VERIFY_SIG_KEYS[@]}"; do
+ <<<"${key}" cat >> ${T}/allowed_signers
+ done
+
+ git config --global 'gpg.ssh.allowedSignersFile' ${T}/allowed_signers || die
+
+ git --git-dir ${git_dir} verify-commit ${commit}
+ ;;
+ *)
+ die
+ ;;
+ esac
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all |
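Review bot: Neither verification command in verify-sig_verify_git_repo is followed by `|| die`: a failing `gemato gpg-wrap ... verify-commit` in the git+pgp branch and a failing `git ... verify-commit` in the git+ssh branch only set the function's return status, so any caller that does not check it continues with an unverified commit, which is the one outcome this function exists to prevent. The git+ssh branch also persists its setting with `git config --global`, leaving `gpg.ssh.allowedSignersFile` in the user gitconfig beyond this call; passing `-c gpg.ssh.allowedSignersFile=...` to the single git invocation scopes it to that command and needs no cleanup. In addition `${git_dir}`, `${commit}` and `${T}/allowed_signers` are unquoted throughout, `>>` grows the signers file on every call, and the fallback `die` carries no message, unlike the `die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"` in the BDEPEND case earlier in this commit. The function also lacks a `# @USAGE:`/`# @DESCRIPTION:` block stating that `$1` is a git directory and `$2` a commit to verify against VERIFY_SIG_KEYS.

```shell
	git+pgp)
		# … unchanged: -K/-R argument assembly …
		gemato gpg-wrap "${args[@]}" -- \
			git --git-dir "${git_dir}" verify-commit "${commit}" ||
			die "Signature verification of commit ${commit} failed"
		;;
	git+ssh)
		local key
		for key in "${VERIFY_SIG_KEYS[@]}"; do
			printf '%s\n' "${key}"
		done > "${T}/allowed_signers" || die
		git -c gpg.ssh.allowedSignersFile="${T}/allowed_signers" \
			--git-dir "${git_dir}" verify-commit "${commit}" ||
			die "Signature verification of commit ${commit} failed"
		;;
	*)
		die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
		;;
```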