commit:     c80dc591e4803f5f2feacde4a79d339c0cc2e3b5
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 23 14:28:36 2024 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Jan 10 13:15:02 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c80dc591

verify-sig.eclass: Add verify-sig_uncompress_verify_unpack

Add a function that carries out the surprisingly common pattern of
uncompress-verify-unpack found in kernel.org distfiles, where
the signature is created against the uncompressed archive rather than
the actual distfile.  Just like the code currently copied across
ebuilds, the function uses a pipeline to simultaneously decompress,
unpack and verify the signature, except with correct error handling
this time.

Note that the code technically implies that the archive will be unpacked
even if the signature does not match -- the ebuild will abort
afterwards.

Thanks to Ulrich Müller for the suggestion!

Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 eclass/verify-sig.eclass | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 0e6b9b43e557..12b689f0f4b2 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 Gentoo Authors
+# Copyright 2020-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: verify-sig.eclass
@@ -48,6 +48,8 @@ esac
 if [[ -z ${_VERIFY_SIG_ECLASS} ]]; then
 _VERIFY_SIG_ECLASS=1
 
+inherit eapi9-pipestatus
+
 IUSE="verify-sig"
 
 # @ECLASS_VARIABLE: VERIFY_SIG_METHOD
@@ -423,6 +425,36 @@ verify-sig_verify_signed_checksums() {
        esac
 }
 
+# @FUNCTION: verify-sig_uncompress_verify_unpack
+# @USAGE: <compressed-tar> <sig-file> [<key-file>]
+# @DESCRIPTION:
+# Uncompress the <compressed-tar> tarball, verify the uncompressed
+# archive against the signature in <sig-file> and unpack it.  This is
+# useful for kernel.org packages that sign the uncompressed tarball
+# instead of the compressed archive.  <key-file> can either be passed
+# directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.  The function
+# dies if verification or any of the unpacking steps fail.
+verify-sig_uncompress_verify_unpack() {
+       local file=${1}
+       local unpacker
+
+       # TODO: integrate with unpacker.eclass somehow?
+       case ${file} in
+               *.tar.xz)
+                       unpacker=( xz -cd )
+                       ;;
+               *)
+                       die "${FUNCNAME}: only .tar.xz archives are supported 
at the moment"
+                       ;;
+       esac
+
+       einfo "Unpacking ${file} ..."
+       verify-sig_verify_detached - "${@:2}" < <(
+               "${unpacker[@]}" "${file}" | tee >(tar -xf - || die)
+               pipestatus || die
+       )
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all
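Review bot: The `tee >(tar -xf - || die)` process substitution on the line feeding `verify-sig_verify_detached` is never waited for, so the `<( … )` subshell exits as soon as `tee` has drained the decompressed stream and the function can return while `tar` is still writing files into the work directory; `pipestatus` only covers `xz | tee`, so a tar failure surfaces solely through the `|| die` inside the substitution. A named FIFO in `${T}` with `tar` as a background job that the function `wait`s on keeps the single-pass decompress/verify/unpack pipeline while making extraction complete, and its exit status checked, before the function returns, as sketched below. Unlike Portage's built-in `unpack`, this `tar -xf -` does not pass `--no-same-owner`, so when src_unpack runs as root the ownership stored in the archive is applied to the unpacked files; adding `--no-same-owner` seems worth doing unless that is intended. Whether a `die` raised by `verify-sig_verify_detached` leaves the background `tar` blocked on the FIFO is something I have not verified against the package manager's die handling.
```shell
	einfo "Unpacking ${file} ..."
	local fifo=${T}/${FUNCNAME}.fifo
	mkfifo "${fifo}" || die
	# unpack in a background job so that we can wait for it to finish
	tar -xf "${fifo}" --no-same-owner &
	local tar_pid=${!}
	verify-sig_verify_detached - "${@:2}" < <(
		"${unpacker[@]}" "${file}" | tee "${fifo}"
		pipestatus || die
	)
	wait "${tar_pid}" || die "${FUNCNAME}: unpacking ${file} failed"
	rm -f "${fifo}" || die
```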
