Hola!

Here is a WIP port of what I am calling "signing". At the moment it's a
pile of gpg pub keys pulled from signature files I found upstream (962
total). The end goal is to have a workflow like below that supports the
various signing methods (so far detached signature and signed shasum
seem to be the most common) and programs (gpg, signify, keybase? opmsg?):

  $ pkg_add signing
  $ cd /usr/ports/myfavport
  ... bump version ...
  $ make makesum verify

I currently have this working for ports that have detached signatures in
the form of "${DISTNAME}${EXTRACT_SUFX}.{asc,sig}". Signed shasum files
will be more difficult as there doesn't seem to be much of a standard in
their naming (sha256sums.txt.asc vs SHASUMS256.txt.asc vs SHA256.sig,
etc.).

The port installs a README file that has the following snippet from
mk.conf:

  SIG_SUFX ?=             .asc
  SIG_FILE ?=             ${DISTNAME}${EXTRACT_SUFX}${SIG_SUFX}
  SIG_PATH ?=             ${DISTDIR}/${SIG_FILE}

  fetch-sig:
          @${ECHO_MSG} "===> Checking signature files for ${FULLPKGNAME}${_MASTER}"
          @if [ ! -f ${SIG_PATH} ]; then \
            for site in ${MASTER_SITES}; do \
              if ${_PFETCH} ${FETCH_CMD} -o ${SIG_PATH} $${site}${SIG_FILE}; then \
                exit 0; \
              fi; \
            done; exit 1; \
          fi

  verify: fetch fetch-sig
          @GNUPGHOME=${PREFIX}/share/signing/gnupg/ \
                  ${PREFIX}/bin/gpg2 --verify \
                  ${DISTDIR}/${DISTNAME}${EXTRACT_SUFX}${SIG_SUFX}

Unfortunately out of the 962 signatures, 568 have the .asc extension
while the remaining 532 are .sig. This means we would either need an
index in the "signing" port, some more logic in the mk files or an
update to all the signed ports to add something like SIG_SUFX. Open
to suggestions on this one.

Any and all feedback is welcome!

Cheers,
Aaron

--
PGP: 0x1F81112D62A9ADCE / 3586 3350 BFEA C101 DB1A  4AF0 1F81 112D 62A9 ADCE

Attachment: signing.tgz
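An added example, not code from the mail above or from the "signing" port: a standalone verifier for the two layouts the mail describes, a detached `${DISTNAME}${EXTRACT_SUFX}.{asc,sig}` next to the distfile and a signed checksum list. It differs from the `verify` target in one way a practitioner would want: with all 962 keys in one keyring, gpg exiting 0 only says that some key in the pile produced a good signature, so the script reads gpg's `--status-fd` lines and requires a VALIDSIG by a fingerprint pinned for this port. The default GNUPGHOME path, the `GPG` and `SIGNING_HOME` variables, the function names and the fingerprint argument are all assumptions of this example, and the placeholder fingerprint in the usage comment is not a real key.

```shell
#!/bin/sh
# Added example (not the mail's or the signing port's code). Assumptions:
# the GNUPGHOME default, the variable and function names, and the list of
# allowed primary-key fingerprints passed in as an argument.

GPG=${GPG:-gpg}                                              # port ships gpg2
SIGNING_HOME=${SIGNING_HOME:-/usr/local/share/signing/gnupg} # assumption

# Read gpg --status-fd output from stdin. Succeed only if a VALIDSIG line
# names one of the allowed fingerprints ($1, space separated) and no line
# reports a bad, unknown, expired or revoked signature or key. In VALIDSIG
# field 3 is the signing (sub)key and the last field the primary key, so a
# pinned primary fingerprint still matches a signature made by a subkey.
gpg_status_ok() {
    allowed=$1
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    for fpr in $(printf '%s\n' "$status" |
                 awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF }'); do
        for ok in $allowed; do
            [ "$fpr" = "$ok" ] && return 0
        done
    done
    return 1
}

# The survey in the mail found both suffixes in use: try .asc, then .sig,
# next to the given file and print the first one that exists.
find_sig() {
    for sufx in .asc .sig; do
        if [ -f "$1$sufx" ]; then
            printf '%s\n' "$1$sufx"
            return 0
        fi
    done
    return 1
}

# Run gpg against the pinned keyring only and judge the status lines.
gpg_verify_ok() {   # $1 = signature file, $2 = signed file, $3 = allowed fprs
    GNUPGHOME=$SIGNING_HOME "$GPG" --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        gpg_status_ok "$3"
}

# Detached signature on the distfile itself.
verify_detached() {   # $1 = distfile, $2 = allowed fingerprints
    sig=$(find_sig "$1") || { echo "no .asc/.sig for $1" >&2; return 1; }
    gpg_verify_ok "$sig" "$1" "$2"
}

# Hex SHA-256 of a file: sha256sum on GNU userland, sha256 -q on OpenBSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Digest listed for a file name in a checksum list. Accepts both layouts seen
# upstream: "hash  file" / "hash *file" (sha256sum) and "SHA256 (file) = hash".
sums_digest() {   # $1 = checksum list, $2 = file name as listed
    awk -v f="$2" '
        $1 == "SHA256" && $2 == "(" f ")" { print $4; exit }
        $2 == f || $2 == "*" f             { print $1; exit }
    ' "$1"
}

# Signed checksum list: the signature covers the list, not the distfile, so
# after the signature check the distfile must still match the list's entry.
verify_sums() {   # $1 = distfile, $2 = checksum list, $3 = allowed fingerprints
    sig=$(find_sig "$2") || { echo "no .asc/.sig for $2" >&2; return 1; }
    gpg_verify_ok "$sig" "$2" "$3" || return 1
    listed=$(sums_digest "$2" "$(basename "$1")")
    [ -n "$listed" ] && [ "$listed" = "$(sha256_of "$1")" ]
}

# Usage with the fingerprint a port would pin (placeholder value, not a key):
#   verify_detached /usr/ports/distfiles/foo-1.0.tar.gz \
#       0123456789ABCDEF0123456789ABCDEF01234567
#   verify_sums /usr/ports/distfiles/foo-1.0.tar.gz \
#       /usr/ports/distfiles/SHA256SUMS 0123456789ABCDEF0123456789ABCDEF01234567
```

The fingerprint list is what the `SIG_SUFX`-style per-port variable from the mail would naturally grow into: one keyring for all ports is fine for distribution, but each port should state which key(s) may sign its distfiles, otherwise any of the 962 keys vouches for every tarball.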