summaryrefslogtreecommitdiff
path: root/eclass/verify-sig.eclass
diff options
context:
space:
mode:
Diffstat (limited to 'eclass/verify-sig.eclass')
-rw-r--r--eclass/verify-sig.eclass56
1 files changed, 56 insertions, 0 deletions
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 1cd3e10..695918c 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -86,6 +86,12 @@ case ${VERIFY_SIG_METHOD} in
)
"
;;
+ git)
+ BDEPEND="
+ dev-vcs/git
+ app-portage/gemato
+ "
+ ;;
*)
die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
;;
@@ -94,6 +100,8 @@ esac
# @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEY_PATH
# @DEFAULT_UNSET
# @DESCRIPTION:
+# Note: This variable is deprecated. Please use VERIFY_SIG_KEYS in new ebuilds.
+#
# Path to key bundle used to perform the verification. This is required
# when using default src_unpack. Alternatively, the key path can be
# passed directly to the verification functions.
@@ -104,6 +112,11 @@ esac
# contains "OPENPGP" for historical reasons. It is not used
# for sigstore, since it uses a single trusted root.
+# @ECLASS_VARIABLE: VERIFY_SIG_KEY_PATHS
+# @DESCRIPTION:
+# Just like VERIFY_SIG_OPENPGP_KEY_PATH but an array.
+VERIFY_SIG_KEY_PATHS=(${VERIFY_SIG_OPENPGP_KEY_PATH})
+
# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
# @DEFAULT_UNSET
# @DESCRIPTION:
@@ -455,6 +468,49 @@ verify-sig_uncompress_verify_unpack() {
)
}
+# @FUNCTION: verify-sig_verify_git_repo
+verify-sig_verify_git_repo() {
+ local git_dir="${1}" commit="${2}"
+
+ local args
+ [[ -n ${VERIFY_SIG_OPENPGP_KEY_REFRESH} ]] || args+=(-R)
+
+ local key found_pgp_key
+ for key in "${VERIFY_SIG_KEY_PATHS[@]}"; do
+ dir=$(dirname "${key}")
+ base=$(basename "${dir}")
+
+ case ${base} in
+ openpgp-keys)
+ args+=(-K "${key}")
+ found_pgp_key=yes
+ ;;
+ ssh-keys)
+ cat "${key}" >> ${T}/allowed_signers || die
+ ;;
+ *)
+ die "unknown key type ${base}"
+ ;;
+ esac
+ done
+
+ git config --global 'gpg.ssh.allowedSignersFile' ${T}/allowed_signers || die
+
+ # gemato *requires* at least one pgp key is passed to it, so if we don't find a pgp key
+ # we don't use gemato at all.
+ ebegin "verifying ${git_dir}/${commit}"
+ case ${found_pgp_key} in
+ yes)
+ gemato gpg-wrap ${args[@]} -- git --git-dir ${git_dir} verify-commit ${commit}
+ ;;
+ *)
+ git --git-dir ${git_dir} verify-commit ${commit}
+ ;;
+ esac
+ eend $? || die $?
+
+}
+
# @FUNCTION: verify-sig_src_unpack
# @DESCRIPTION:
# Default src_unpack override that verifies signatures for all
generated by cgit v1.2.3 (git 2.46.0) at 2025-09-20 12:43:02 +0000