commit:     ab4da1dc4e50a35563440606e40d729d938d2291
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Wed Jul  2 05:25:45 2025 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Wed Jul  2 08:12:16 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab4da1dc

sys-kernel/vanilla-kernel: Use sha256sums.asc for verify-sig

Replace the unpacked tarball signature verification with verification
via signed sha256sums file.  While this is not the method recommended
upstream, it is pretty solid as well and it has the advantage
of covering all the files, including compressed tarballs and patches.
Unfortunately, the file is a moving target, so we need to rename it
and expect checksum mismatches when people skip Gentoo mirrors -- but
I guess that's okay for verify-sig.  Bumping SHA256SUM_DATE will be
taken care of by the bump-kernels script.

Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 sys-kernel/vanilla-kernel/Manifest                     |  2 +-
 sys-kernel/vanilla-kernel/vanilla-kernel-6.15.4.ebuild | 18 +++++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/sys-kernel/vanilla-kernel/Manifest 
b/sys-kernel/vanilla-kernel/Manifest
index 893fdb469a13..4a5fdaeef90d 100644
--- a/sys-kernel/vanilla-kernel/Manifest
+++ b/sys-kernel/vanilla-kernel/Manifest
@@ -35,9 +35,9 @@ DIST linux-6.12.34.tar.sign 991 BLAKE2B 
282fb87ed4b9482d56e4763c026fdac77769f89d
 DIST linux-6.12.34.tar.xz 148160336 BLAKE2B 
a1527edf5ea06d55ad4468341d2e8cc44406df1edfe1a619ece86692e42afe7f5919ee051942fc9e70c47d79bcd4f0fc2e54ae32c79392702d8493596dca1a83
 SHA512 
b20afb64443656ab01d070405cda010a7133a157917ec33a9dec4957787c93ef9da9de277f08382be12ead66088d00919dc77a238e8618c443a9bf2bb7fa1224
 DIST linux-6.12.35.tar.sign 991 BLAKE2B 
893a49d03dd208c6222ed921aa419e2a479f4955a45ee72990d9c812fcd84f0816c45a34705919d44fd2c8af05fb7ff2c5025fa6ec1f227280cd0a21d550d8a5
 SHA512 
ae13ffe2e00b6d23f9e0e23836f7415687e2a352eb6554e6ec167ac2e9eb6184ef1e0acbed3142257d9e4c6aaa96c716fa429a9302965503bebccb1c96a466b0
 DIST linux-6.12.35.tar.xz 148182928 BLAKE2B 
87048a310dca3841f8ad31267e52992ac4c84c8e39b5500743ae07a39f52126c85ddba924f6aa478b8a3adc6dbbe9dbf5fa265b4587e5b7f1e970c11b150747c
 SHA512 
3697bf2c9525c8d11f7e821fa080d8c366ae751af02b471a506224002abe6b23b0ccf17d9694c7590c1b07002289eb19003ba8677bbb0bb09d54458495964188
-DIST linux-6.15.4.tar.sign 989 BLAKE2B 
71e04e033f62d9ecbd33aa3da6ebdab213c2eca5f773087f6e0918c5e4c591f817f58bd14e8bec7c6cabec2e7a1d004a062eecf06ea5caa9eaae4b47db8591bf
 SHA512 
1e8d5ec9b5d4f3d8bb386a7e7012b0099485fccc21c4475b2b1b44fe845f62a6412dfdf561240aaee4950e10b0f7e137d1514c366441bc1328dd6949f364c494
 DIST linux-6.15.4.tar.xz 151225376 BLAKE2B 
926cbb770f3928263414b444f63790606376f9a48ee006e85d15f877ed04444c6de889be7ccde8d25ffc650f98de78fd04639c11bf4540182244366440b6ccaa
 SHA512 
a59ef99de7e286f363beda9dec9332f1486f3f9f34773882b017a682d964899662117bc20413420570cb685371a0956b1deebfa2583ea59cc3537d630e237bfa
 DIST linux-6.6.94.tar.sign 989 BLAKE2B 
ff090df5f609aa2784fe70b60e865c2057e332f4d2a9dc7b2da167fe77d9a285d2015abc99cadc63a9976907c6103de10d9aabe907e9f1c02f042f3894a24e92
 SHA512 
04d9dee0369b0b0de20215ccdd676401ec49a734232684edb697e6d38bc5e45368f77145b36d9302d44176dbbb263ac2184f4290fbf2b5311edee0fd770a3725
 DIST linux-6.6.94.tar.xz 140571164 BLAKE2B 
1fc4d4e72ab3d979343eb39055167df8f530c58b66fa5f16870f5bc33cc04f6375f569eef005d034d23c2c6a90e07ce9bd598bf0311df0579f80bfc7f9fa53b1
 SHA512 
c25a7f0bdc3c333fec9a9930884c0d30e9322a166e66de2949a81881f2c1d727916d7a7a78f2de5f2d2ab44f28149f2610c68dfb64382566891318b9b9f8cc7e
 DIST linux-6.6.95.tar.sign 989 BLAKE2B 
95d7f0158ba938dc707aad8fe5a58106b80b95ab8014347b24c9fdf9e34e6e516934617aed5bc63065126d384cba8e2e1c4304c9ac9ffb88b1cf806156ad44cf
 SHA512 
4fe453c92d82d0f776ddcf4260334455d07c11cb8b3c9ba40c3d3655af647981003a56ed88bf480dff32da20f05160717cec71a75479730b13b3962ed45eaf3f
 DIST linux-6.6.95.tar.xz 140626236 BLAKE2B 
6213ebd4875c57b94ee9040df96384b114d18e1531916de6c2940e753bfe5912c16ecfcee4e9a83ff2f15d0aa17c728380edb0edc4710c6656c5076face3a2ec
 SHA512 
a92c40b190d3e74c21144447c0edbe4164e22fc9a0b0fe31f65bfad90d36c29b41edb8704c4d3db153590f7d5d34759e4bba1d49388bc1739c7c09a1b77f6fdd
+DIST linux-sha256sums-20250701.asc 153342 BLAKE2B 
3243b072afd76efc565d6b7162e4720e514f31ff495b771d7d123169628d9b2da9f550078afaeff45815f8a17563953bdba14de0f20c7e5caf8c5dc4cfdf3763
 SHA512 
a2ce48a3ea3d85d6ac29905c58f70ee4dd932e531ad660fab7dc5153890bbd9e8198b263cd7b2403b49ca65fa885742081fe512776091985b2c28eeb8b6179d9

diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-6.15.4.ebuild 
b/sys-kernel/vanilla-kernel/vanilla-kernel-6.15.4.ebuild
index c53cdd1deea5..88a0cc9291de 100644
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-6.15.4.ebuild
+++ b/sys-kernel/vanilla-kernel/vanilla-kernel-6.15.4.ebuild
@@ -13,6 +13,7 @@ MY_P=linux-${PV}
 # forked to https://github.com/projg2/fedora-kernel-config-for-gentoo
 CONFIG_VER=6.15.3-gentoo
 GENTOO_CONFIG_VER=g16
+SHA256SUM_DATE=20250701
 
 DESCRIPTION="Linux kernel built from vanilla upstream sources"
 HOMEPAGE="
@@ -24,7 +25,8 @@ SRC_URI+="
        
https://github.com/projg2/gentoo-kernel-config/archive/${GENTOO_CONFIG_VER}.tar.gz
                -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
        verify-sig? (
-               https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 
1).x/${MY_P}.tar.sign
+               https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 
1).x/sha256sums.asc
+                       -> linux-sha256sums-${SHA256SUM_DATE}.asc
        )
        amd64? (
                
https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-x86_64-fedora.config
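Review bot: The `-> linux-sha256sums-${SHA256SUM_DATE}.asc` rename in the verify-sig block has no comment explaining why a date is baked into the distfile name. Per the commit message the upstream file changes over time, so a copy fetched directly from cdn.kernel.org after the snapshot date is expected to fail the Manifest check, and a reader of the ebuild alone cannot tell that this is intended. I would add above the URL: `# sha256sums.asc is a moving target upstream; the dated name pins the snapshot recorded in Manifest`. The SRC_URI assignment starts and ends outside this hunk.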
@@ -52,7 +54,7 @@ REQUIRED_USE="arm? ( savedconfig )"
 
 BDEPEND="
        debug? ( dev-util/pahole )
-       verify-sig? ( sec-keys/openpgp-keys-kernel )
+       verify-sig? ( >=sec-keys/openpgp-keys-kernel-20250702 )
 "
 PDEPEND="
        >=virtual/dist-kernel-${PV}
@@ -62,12 +64,14 @@ 
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/kernel.org.asc
 
 src_unpack() {
        if use verify-sig; then
-               verify-sig_uncompress_verify_unpack \
-                       "${DISTDIR}"/linux-${PV}.tar.{xz,sign}
-               unpack "gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz"
-       else
-               default
+               cd "${DISTDIR}" || die
+               verify-sig_verify_signed_checksums \
+                       "linux-sha256sums-${SHA256SUM_DATE}.asc" sha256 \
+                       "${MY_P}.tar.xz"
+               cd "${WORKDIR}" || die
        fi
+
+       default
 }
 
 src_prepare() {
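Review bot: The new `if use verify-sig` branch in src_unpack does not say what the signature now covers. Only `${MY_P}.tar.xz` is checked against the signed checksum list, while the other distfiles that `default` unpacks rely on the Manifest alone. A comment above the `cd "${DISTDIR}"` line would make that explicit, e.g. `# verify only the kernel tarball against upstream's signed sha256sums; files are named relative to DISTDIR, hence the cd`. The reason for the cd is inferred from the bare file names in the call, so confirm it against the eclass. The trust anchor presumably moves from the release signature to whichever key signs sha256sums.asc, so the `>=sec-keys/openpgp-keys-kernel-20250702` bump in the BDEPEND hunk deserves a one-line comment saying why that key package version is required.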
