Saturday, March 31, 2018

[new] sysutils/signing - make targets to verify upstream signatures

Hi,

Here is a mostly functional set of make targets that verify gnupg
signatures with ease.

To use it, you can simply add the following to your /etc/mk.conf:

.if exists(/usr/local/share/signing/signing.mk)
.include "/usr/local/share/signing/signing.mk"
.endif

(The above is taken from the readme which uses PREFIX, so might be
different if you are using weird setups. Weirdo.)

Once that is in place, you can verify distfiles for almost everything
that supports .sig or .asc extensions to ${DISTFILE}.

For example, security/gnupg2:

qbit@slip[0]:gnupg2λ make verify
===> Checking files for gnupg-2.2.4
>> Fetch https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.4.tar.bz2
gnupg-2.2.4.tar.bz2 100% |*********************************************| 6417 KB 00:18
===> Checking signature files for gnupg-2.2.4
ftp: Error retrieving file: 404 Not Found
ftp: Error retrieving file: 404 Not Found
gnupg-2.2.4.tar.bz2.sig 100% |*****************************************| 620 00:00
gpg: WARNING: unsafe ownership on homedir '/usr/local/share/signing/gnupg'
gpg: assuming signed data in '/usr/ports/distfiles/gnupg-2.2.4.tar.bz2'
gpg: Signature made Wed Dec 20 02:07:51 2017 MST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Note: trustdb not writable
gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
gpg: Signature made Wed Dec 20 02:41:03 2017 MST
gpg: using RSA key 031EC2536E580D8EA286A9F22071B08A33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
Signature OK
qbit@slip[0]:gnupg2

I'd like to flesh out more of the process before getting it committed,
but if anyone has any suggestions, I am all ears!

Cheers,
Aaron

P.S. I would really dig it if someone could cross-reference the keys I
imported into the keychain. Maybe the man is after me more than he is
you!

--
PGP: 0x1F81112D62A9ADCE / 3586 3350 BFEA C101 DB1A 4AF0 1F81 112D 62A9 ADCE
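The "Good signature ... [unknown]" lines in the run above show why cross-referencing the keys matters: gpg reports a good signature from any key in the keyring, pinned or not. As an added example (not part of the signing.mk targets), the following script does the same .sig/.asc lookup but drives gpg with --status-fd and accepts a distfile only when the VALIDSIG fingerprint matches a pinned list; the pinned fingerprints are the two release keys from the gnupg-2.2.4 run, and the keyring homedir path is an assumption.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Fingerprints cross-referenced out of band (the two release keys seen in
# the gnupg-2.2.4 verify run).  A "Good signature" from any other key,
# even one that happens to be in the keyring, is treated as a failure.
PINNED_FINGERPRINTS = {
    "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6",  # Werner Koch (dist sig)
    "031EC2536E580D8EA286A9F22071B08A33BD3F06",  # NIIBE Yutaka (GnuPG Release Key)
}

# VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsvd> <pk> <hash> <class> <primary-fpr>
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) .* ([0-9A-F]{40})$")
FAILURE_TAGS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def check_status(status_lines, pinned=PINNED_FINGERPRINTS):
    """Return (ok, reason) for one gpg --status-fd run.

    ok is True only if no failure status appeared and every VALIDSIG names
    a pinned signing-key or primary-key fingerprint.
    """
    seen = []
    for line in status_lines:
        line = line.rstrip("\n")
        if any(line.startswith("[GNUPG:] %s " % tag) for tag in FAILURE_TAGS):
            return False, line
        m = VALIDSIG_RE.match(line)
        if m:
            seen.append(m.groups())
    if not seen:
        return False, "no VALIDSIG status line"
    for sig_fpr, primary_fpr in seen:
        if sig_fpr not in pinned and primary_fpr not in pinned:
            return False, "signature from unpinned key %s" % primary_fpr
    return True, "%d pinned signature(s)" % len(seen)


def verify_distfile(distfile, homedir="/usr/local/share/signing/gnupg",
                    pinned=PINNED_FINGERPRINTS):
    """Run gpg over the first of <distfile>.sig / <distfile>.asc that exists."""
    for ext in (".sig", ".asc"):
        sig = Path(str(distfile) + ext)
        if sig.exists():
            break
    else:
        return False, "no .sig or .asc signature file"
    proc = subprocess.run(
        [shutil.which("gpg") or "gpg", "--homedir", str(homedir), "--batch",
         "--status-fd", "1", "--verify", str(sig), str(distfile)],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout.splitlines(), pinned)
```

Run it as `verify_distfile("/usr/ports/distfiles/gnupg-2.2.4.tar.bz2")`; the gpg "not certified with a trusted signature" warning still prints, but the decision no longer depends on it.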
