pkgsrc/security/netpgpverify/files/chk.sh

#! /bin/sh

# $NetBSD: chk.sh,v 1.4 2015/02/05 00:21:57 agc Exp $

# Copyright (c) 2013,2014,2015 Alistair Crooks <agc@NetBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

die() {
	echo "$*" >&2
	exit 1
}

os=EdgeBSD
osrev=6
arch=amd64
pkgsrc=pkgsrc-2013Q1
keyring=pubring.gpg
while [ $# -gt 0 ]; do
	case "$1" in
	--arch|-a)	arch=$2; shift ;;
	--keyring|-k)	keyring=$2; shift ;;
	--os|-o)	os=$2; shift ;;
	--pkgsrc)	pkgsrc=$2; shift ;;
	-v)		set -x ;;
	*)		break ;;
	esac
	shift
done

#fetch file
repo=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/${os}/${os}-${osrev}/${arch}/${pkgsrc}/All/

if [ ! -f $1 ]; then
	case "${repo}" in
	*/)	remote=${repo}$1 ;;
	*)	remote=${repo}/$1 ;;
	esac
	ftp ${remote}
fi

name=$(basename $1 .tgz)
dir=$(mktemp -d /tmp/chk.XXXXXX)
here=$(pwd)
case "$1" in
/*)	archive=$1 ;;
*)	archive=${here}/$1 ;;
esac
(cd ${dir} && ar x ${archive})

# grab values from already calculated hashes
digest=$(awk '$1 ~ /algorithm:/ { print $2 }' ${dir}/+PKG_HASH)
blocksize=$(awk '/^block size:/ { print $3 }' ${dir}/+PKG_HASH)

# check the hashes in +PKG_HASH match the original archive
size=$(ls -l ${dir}/$1 | awk '{ print $5 }')
printf "pkgsrc signature\n\nversion: 1\n" > ${dir}/calc
printf "pkgname: %s\n" ${name} >> ${dir}/calc
printf "algorithm: ${digest}\n" >> ${dir}/calc
printf "block size: ${blocksize}\n" >> ${dir}/calc
printf "file size: %s\n\n" ${size} >> ${dir}/calc
off=0
n=0
while [ ${off} -lt ${size} ]; do
	rm -f ${dir}/in
	dd if=${dir}/$1 of=${dir}/in bs=${blocksize} count=1 skip=${n} 2>/dev/null
	digest ${digest} < ${dir}/in >> ${dir}/calc
	off=$(( off + ${blocksize} ))
	n=$(( n + 1 ))
done
printf "end pkgsrc signature\n" >> ${dir}/calc

# make sure what was signed is what we have
diff ${dir}/+PKG_HASH ${dir}/calc || die "Bad hashes generated"

# use netpgpverify to verify the signature
if [ -x /usr/bin/netpgpverify -o -x /usr/pkg/bin/netpgpverify ]; then
	echo "=== Using netpgpverify to verify the package signature ==="
	# check the signature in +PKG_GPG_SIGNATURE
	cp ${keyring} ${dir}/pubring.gpg
	# calculate the sig file we want to verify
	echo "-----BEGIN PGP SIGNED MESSAGE-----" > ${dir}/${name}.sig
	echo "Hash: ${digest}" >> ${dir}/${name}.sig
	echo "" >> ${dir}/${name}.sig
	cat ${dir}/+PKG_HASH ${dir}/+PKG_GPG_SIGNATURE >> ${dir}/${name}.sig
	(cd ${dir} && ${here}/netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature"
else
	echo "=== Using gpg to verify the package signature ==="
	gpg --recv --keyserver pgp.mit.edu 0x6F3AF5E2
	(cd ${dir} && gpg --verify --homedir=${dir} ./+PKG_GPG_SIGNATURE ./+PKG_HASH) || die "Bad signature"
fi
echo "Signatures match on ${name} package"

# clean up
rm -rf ${dir}

exit 0