From b102b5d275c972e06f7c014029e44d189b62339b Mon Sep 17 00:00:00 2001
From: fivepiece
Date: Fri, 16 Nov 2018 11:05:08 +0200
Subject: [PATCH 1/2] use gpg for fetching pubkeys
---
 install.sh | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/install.sh b/install.sh
index b9f22af..f04ad8e 100755
--- a/install.sh
+++ b/install.sh
@@ -1,18 +1,26 @@
 #!/bin/bash
-gpg_verify_key ()
+_gpg ()
 {
- gpg --keyid-format long <"$1" | grep "$2"
+ gpg --no-default-keyring --keyring "${jm_deps}/keyring.gpg" "$@"
 }
 gpg_add_to_keyring ()
 {
- gpg --dearmor <"$1" >>"${jm_deps}/keyring.gpg"
+ if _gpg --list-keys "$1"; then
+ return 0
+ fi
+ for keyserv in 'pgp.mit.edu' 'keys.gnupg.net'; do
+ if _gpg --keyserver "${keyserv}" --recv-keys "$1"; then
+ return 0
+ fi
+ done
+ return 1
 }
 gpg_verify_sig ()
 {
- gpg --no-default-keyring --keyring "${jm_deps}/keyring.gpg" --verify "$1"
+ _gpg --verify "$1"
 }
 sha256_verify ()
@@ -95,7 +103,6 @@ openssl_get ()
 {
 if [[ -z "${no_gpg_validation}" ]]; then
 openssl_files=( "${openssl_lib_tar}" "${openssl_lib_sig}" )
- curl --retry 5 -L "${openssl_signer_key_url}" -o openssl_signer.key
 else
 openssl_files=( "${openssl_lib_tar}" )
 fi
@@ -129,7 +136,6 @@ openssl_install ()
 openssl_lib_sig="${openssl_lib_tar}.asc"
 openssl_url='https://www.openssl.org/source'
 openssl_signer_key_id='D9C4D26D0E604491'
- openssl_signer_key_url="https://pgp.mit.edu/pks/lookup?op=get&search=0x${openssl_signer_key_id}"
 if check_skip_build "${openssl_version}"; then
 return 0
@@ -142,9 +148,7 @@ openssl_install ()
 return 1
 fi
 if [[ -z "${no_gpg_validation}" ]]; then
- if gpg_verify_key openssl_signer.key "${openssl_signer_key_id}"; then
- gpg_add_to_keyring openssl_signer.key
- else
+ if ! gpg_add_to_keyring "${openssl_signer_key_id}"; then
 return 1
 fi
 if gpg_verify_sig "${openssl_lib_sig}"; then
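Review bot: The new `gpg_add_to_keyring` authenticates a fetched key only by the 64-bit key ID it is called with, and `gpg_verify_sig` then accepts a good signature from any key that has landed in the shared `keyring.gpg` (gpg exits 0 for a good signature regardless of key trust), so the chain pins nothing stronger than whatever `pgp.mit.edu` or `keys.gnupg.net` return for that ID over plain HKP. Pass the signer's full 40-hex fingerprint instead of a key ID, use `hkps://` where the server offers it, and check the fingerprint of what was actually imported before reporting success: recent GnuPG refuses a fetched key whose fingerprint does not match the one requested, but an explicit check also covers older versions and the `--list-keys` short-circuit. Pinning the signer at verification time as well, e.g. `_gpg --status-fd 1 --verify "$1" | grep -q "^\[GNUPG:\] VALIDSIG .*${2}"` with the expected fingerprint as a second argument, closes the gap where a key fetched for one package validates the other package's tarball. Committing the two signer public keys to the repository and importing them from there, checked against the pinned fingerprint, would remove the keyserver dependency entirely; a keyserver is a directory, not a trust anchor.
```shell
# … unchanged: _gpg wrapper …
gpg_add_to_keyring ()
{
    # $1 must be the signer's full 40-hex fingerprint, not a 64-bit key ID:
    # a keyserver authenticates nothing, so the fingerprint is the only pin.
    local fpr="${1^^}"
    if _gpg --with-colons --fingerprint "${fpr}" 2>/dev/null | grep -q "^fpr:.*:${fpr}:"; then
        return 0
    fi
    # prefer hkps:// for servers that offer it; HKP is cleartext
    for keyserv in 'pgp.mit.edu' 'keys.gnupg.net'; do
        if _gpg --keyserver "${keyserv}" --recv-keys "${fpr}" \
           && _gpg --with-colons --fingerprint "${fpr}" 2>/dev/null | grep -q "^fpr:.*:${fpr}:"; then
            return 0
        fi
    done
    echo "Could not fetch key ${fpr} from any keyserver" >&2
    return 1
}
# … unchanged: gpg_verify_sig …
```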
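Review bot: The new `if ! gpg_add_to_keyring "${openssl_signer_key_id}"; then return 1` fails without any diagnostic, so a keyserver outage, a missing `gpg` and a rejected key all surface to the caller as the same generic install failure, and the `gpg_verify_sig` failure branch below the hunk is presumably just as silent. Write to stderr before returning, e.g. `echo "Could not fetch the OpenSSL signing key ${openssl_signer_key_id} from the keyservers" >&2`, so a user whose only escape hatch is `--no-gpg-validation` can see which step broke before reaching for it. The value handed to `--recv-keys` is the 64-bit `openssl_signer_key_id` set in the previous hunk; it should be the signer's full fingerprint for the fetch to be pinned to anything. `openssl_install` starts and ends outside this hunk.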
@@ -315,7 +319,6 @@ libsodium_get ()
 {
 if [[ -z "${no_gpg_validation}" ]]; then
 libsodium_files=( "${sodium_lib_tar}" "${sodium_lib_sig}" )
- curl --retry 5 -L "${sodium_signer_key_url}" -o libsodium_signer.key
 else
 libsodium_files=( "${sodium_lib_tar}" )
 fi
@@ -342,7 +345,6 @@ libsodium_install ()
 sodium_lib_sig="${sodium_lib_tar}.sig"
 sodium_lib_sha='9c13accb1a9e59ab3affde0e60ef9a2149ed4d6e8f99c93c7a5b97499ee323fd'
 sodium_url='https://download.libsodium.org/libsodium/releases/old'
- sodium_signer_key_url='https://pgp.mit.edu/pks/lookup?op=get&search=0x210627AABA709FE1'
 sodium_signer_key_id='62F25B592B6F76DA'
 if check_skip_build "${sodium_version}"; then
@@ -356,9 +358,7 @@ libsodium_install ()
 return 1
 fi
 if [[ -z "${no_gpg_validation}" ]]; then
- if gpg_verify_key libsodium_signer.key "${sodium_signer_key_id}"; then
- gpg_add_to_keyring libsodium_signer.key
- else
+ if ! gpg_add_to_keyring "${sodium_signer_key_id}"; then
 return 1
 fi
 if gpg_verify_sig "${sodium_lib_sig}"; then
From 69f898d1fe1c82eee4feb3d4edd3a1fae36b73f3 Mon Sep 17 00:00:00 2001
From: fivepiece
Date: Fri, 16 Nov 2018 11:05:55 +0200
Subject: [PATCH 2/2] check gpg signatures on travis
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 4831b8e..a56566d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -43,7 +43,7 @@ install:
 - mkdir -p "$HOME/downloads"
 - mkdir -p "$TRAVIS_BUILD_DIR/deps/cache/"
 - find "$HOME/downloads" -type f -exec cp -v {} "$TRAVIS_BUILD_DIR/deps/cache/" \;
- - on_host ./install.sh --develop --no-gpg-validation
+ - on_host ./install.sh --develop
 - on_host find "$TRAVIS_BUILD_DIR/deps/cache/" -type f -exec cp -v {} "$HOME/downloads/" \;
 before_script:
 - on_host source jmvenv/bin/activate
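Review bot: The ID handed to `gpg_add_to_keyring` here, `62F25B592B6F76DA`, is not the key the removed download URL searched for, `0x210627AABA709FE1`; the former is presumably a signing subkey of the latter, and a keyserver lookup by subkey ID only works on servers that index subkeys, which would make the two-server fallback in `gpg_add_to_keyring` less of a safety net than it looks. Fetch and pin the primary key by its full fingerprint instead, and once the relationship is confirmed record it next to `sodium_signer_key_id`, e.g. `# full fingerprint of the libsodium release signer's primary key; 62F25B592B6F76DA is the subkey that signs the tarballs`, so the next reader does not have to rediscover why two different IDs appear in the history. As in the OpenSSL path, the `return 1` after a failed fetch should say on stderr which key could not be obtained. `libsodium_install` starts and ends outside this hunk.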
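Review bot: Dropping `--no-gpg-validation` makes every CI run depend on a live fetch from public keyservers, because the cache steps on either side of it copy only the tarballs in `$HOME/downloads`, not the keyring `install.sh` builds, so an outage of both `pgp.mit.edu` and `keys.gnupg.net` now fails the build instead of merely skipping verification. Cache the keyring file alongside the tarballs with the same `find ... -exec cp` pattern aimed at the keyring path `install.sh` uses, or, better, commit the signer public keys to the repository and import them from there so CI verifies against pinned keys with no network trust at all. If the keyring is cached across runs, the check in `install.sh` is the only thing standing between a stale or bad cached key and a trusted one, so that check should compare full fingerprints rather than 64-bit key IDs.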