gpg verifying of decompressed tarball / file (Feature #331)


Added by Ladislav Hagara almost 3 years ago. Updated over 2 years ago.


Status: New
Start date: 11/18/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -

Description

Linux team changed its convention, the rule for signing of linux tarballs has been changed.
It was changed from signing of .tar.bz2 to signing only .tar.
For example linux-3.1.tar.bz2 and linux-3.1.tar.sign, patch-3.1.1.bz2 and patch-3.1.1.sign.

Now we use "SOURCE_GPG=kernel.gpg:\${SOURCE2}:ESTABLISHED_UPSTREAM_KEY" for verifying.

We would need something like "SOURCE_DECOMPRESSED_GPG=kernel.gpg:\${SOURCE2}:ESTABLISHED_UPSTREAM_KEY" or something more general:
"SOURCE_GPG_VERIFY=SOURCE:kernel.gpg:\${SOURCE2}:ESTABLISHED_UPSTREAM_KEY".

GPG_VERIFY=A:B:C:D
where A is source file, B is keyring, C is sign file and D is the quality.

Or something else.


Related issues

related to Grimoire - Bug #348: udev-175 fails to download (Closed, 02/04/2012)

History

Updated by Ladislav Hagara almost 3 years ago

A is part of source file's name, for example linux.tar.

Updated by Jaka Kranjc almost 3 years ago

Heh, we came full circle, as this is exactly what the old md5 system was doing. Until there's a greater need for this, I'm not inclined to implement it in sorcery: customize the spell instead. Try setting SOURCE_GPG to point to the uncompressed filename, opening a new shell in PRE_BUILD, overriding SOURCEn to point to the uncompressed filename and then finally calling unpack_file.

Updated by David Kowis almost 3 years ago

Jaka Kranjc wrote:

Heh, we came full circle, as this is exactly what the old md5 system was doing. Until there's a greater need for this, I'm not inclined to implement it in sorcery: customize the spell instead. Try setting SOURCE_GPG to point to the uncompressed filename, opening a new shell in PRE_BUILD, overriding SOURCEn to point to the uncompressed filename and then finally calling unpack_file.

+1

Updated by Ladislav Hagara almost 3 years ago

I still think this should go to sorcery.
I updated linux spell to verify new signature, commit:69637facd1fa87ffd42bdf921998a9ba922949b4
Works with 3.1 for me.
Patch 3.1.1 is verified only by hash for now, we should update to signature verifying.

The similar code will have to go also into glibc spell (linux source verifying for sanitized headers).

Much easier with SOURCE_DECOMPRESSED_GPG.

Updated by Jaka Kranjc almost 3 years ago

Eventually it can, but this wouldn't solve the current problem (see bug #309). And really, if it turns out to be less than a handful of spells, I don't see why it is bad if it is solved on the spell side.

Updated by Ladislav Hagara almost 3 years ago

Seems that all software uploaded to kernel.org will be signed by the "new" standard. For example http://www.kernel.org/pub/linux/utils/net/iproute2/ , iproute2-3.1.0.tar.bz2 and iproute2-3.1.0.tar.sign. Developers will use the new tool http://www.kernel.org/pub/software/network/kup/ to upload software to kernel.org. They will upload tar.sign and the server will compress to gz, bz2, xz.

Updated by Bor Kraljič over 2 years ago

Udev also:
ftp://ftp.kernel.org/pub/linux/utils/kernel/hotplug/

Does any spell (besides linux) already have "magic PRE_BUILD" that would do such check?

Updated by Ladislav Hagara over 2 years ago

util-linux is the next one.
http://www.kernel.org/pub/linux/utils/util-linux/v2.21/
Time to implement SOURCE_DECOMPRESSED_GPG?

Updated by Ladislav Hagara over 2 years ago

We would need not only SOURCE_DECOMPRESSED_GPG but also SOURCE_DECOMPRESSED_HASH.

15:47 <@Stealth> for example
15:47 <@Stealth> program-version.tar.bz2
15:48 <@Stealth> program-version.tar.sha1
15:48 <@Stealth> both on ftp
15:48 <@Stealth> and since we force sha512
15:49 <@Stealth> and there's no sig file on upstream location
15:49 <@Stealth> we must have sha512 sum of program-version.tar file
15:49 <@Stealth> in DETAILS
15:51 < lace> SOURCE_DECOMPRESSED_HASH ++
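
The check this thread asks for, as an added example (not sorcery or spell code; all function names are hypothetical): hash or signature-verify the decompressed stream instead of the .tar.bz2 file, so the result matches what upstream signed or hashed. The keyring is assumed to be passed as a file path, and the sample data is constructed.

```shell
# Added example, not sorcery code; function names are hypothetical.

# Write the decompressed contents of $1 to stdout, choosing the tool by suffix.
decompress_to_stdout() {
  case "$1" in
    *.gz)  gzip  -dc < "$1" ;;
    *.bz2) bzip2 -dc < "$1" ;;
    *.xz)  xz    -dc < "$1" ;;
    *.tar) cat < "$1" ;;
    *) echo "unknown suffix: $1" >&2; return 2 ;;
  esac
}

# sha512 (hex) of the decompressed stream; nothing is written to disk.
decompressed_sha512() {
  decompress_to_stdout "$1" | sha512sum | cut -d' ' -f1
}

# $1 = compressed file, $2 = expected sha512 of the decompressed file.
verify_decompressed_hash() {
  [ -n "$2" ] || return 1          # an empty expected value must never match
  [ "$(decompressed_sha512 "$1")" = "$2" ]
}

# $1 = keyring path, $2 = compressed file, $3 = detached signature (.tar.sign).
# "-" makes gpg read the signed data from stdin. A truncated or failed
# decompression changes the stream, so the signature check fails as well.
verify_decompressed_gpg() {
  decompress_to_stdout "$2" |
    gpg --no-default-keyring --keyring "$1" --verify "$3" -
}

# Demo on a constructed sample standing in for program-version.tar.gz.
demo_dir=$(mktemp -d)
printf 'constructed sample payload\n' > "$demo_dir/sample.tar"
gzip -c "$demo_dir/sample.tar" > "$demo_dir/sample.tar.gz"
demo_sum=$(sha512sum < "$demo_dir/sample.tar" | cut -d' ' -f1)
if verify_decompressed_hash "$demo_dir/sample.tar.gz" "$demo_sum"; then
  echo "decompressed hash OK"
fi
rm -rf "$demo_dir"
```

Unpacking should only proceed when the chosen verify function returns 0; the hash of the compressed file is irrelevant here because the server recompresses the upload.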
