gitian-builder/bin/gverify

#!/usr/bin/ruby

require 'optparse'
require 'yaml'
require 'fileutils'
require 'pathname'

@options = {}

def system!(cmd)
  system(cmd) or raise "failed to run #{cmd}"
end

def sanitize(str, where)
  raise "unsanitary string in #{where}" if (str =~ /[^\w.-]/)
  str
end

def sanitize_path(str, where)
  raise "unsanitary string in #{where}" if (str =~ /[^@\w\/. -]/)
  str
end

def info(str)
  puts str if @options[:verbose]
end

################################

OptionParser.new do |opts|
  opts.banner = "Usage: build [options] <build-description>.yml"

  opts.on("-v", "--verbose", "be more verbose") do |v|
    @options[:verbose] = v
  end
  opts.on("-r REL", "--release REL", "release name") do |v|
    @options[:release] = v
  end

  opts.on("-d DEST", "--destination DEST", "directory to place signature in") do |v|
    @options[:destination] = v
  end
end.parse!

base_dir = Pathname.new(__FILE__).expand_path.dirname.parent

build_desc_file = ARGV.shift or raise "must supply YAML build description file"

build_desc = YAML.load_file(build_desc_file)

in_sums = []

result_dir = 'result'

package_name = build_desc["name"] or raise "must supply name"
package_name = sanitize(package_name, "package name")

destination = @options[:destination] || File.join(base_dir, "sigs", package_name)
release = @options[:release] || "current"
release = sanitize(release, "release")

release_path = File.join(destination, release)

File.exists?(release_path) or raise "#{release_path} does not exist"

result_file = "#{package_name}-res.yml"

#system!("gpg --detach-sign -u #{signer} -o #{release_path}/signature.pgp #{result_path}")

current_manifest = nil

did_fail = false

Dir.foreach(release_path) do |signer_dir|
  next if signer_dir == "." or signer_dir == ".."
  signer_path = sanitize_path(File.join(release_path, signer_dir), "signer path")
  next if !File.directory?(signer_path)
  result_path = sanitize_path(File.join(signer_path, result_file), "result path")
  result = YAML.load_file(result_path)
  system("gpg --keyserver pgp.mit.edu --recv-keys `gpg --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1 | head -n1 | grep \"key ID\" | awk '{ print $15 }'` > /dev/null 2>&1")
  out = `gpg --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1`
  if $? != 0
    out.each do |line|
      if line =~ /^gpg: Signature made/
        info(line)
      else
        puts line
      end
    end
    puts "#{signer_dir}: BAD SIGNATURE"
    did_fail = true
  elsif current_manifest and result['out_manifest'] != current_manifest
    out.each do |line|
      if line =~ /^gpg: Signature made/
        info(line)
      elsif line =~ /^gpg: Good signature/
        info(line)
      elsif line =~ /^gpg:                 aka/
        info(line)
      else
        puts line
      end
    end
    puts "#{signer_dir}: MISMATCH"
    did_fail = true
  else
    out.each do |line|
      if line =~ /^gpg: Signature made/
        info(line)
      elsif line =~ /^gpg: Good signature/
        info(line)
      elsif line =~ /^gpg:                 aka/
        info(line)
      else
        puts line
      end
    end
    puts "#{signer_dir}: OK"
  end
  current_manifest = result['out_manifest']
end

exit 1 if did_fail
gverify 2011-03-27 19:24:22 +00:00			`#!/usr/bin/ruby`

			`require 'optparse'`
			`require 'yaml'`
			`require 'fileutils'`
			`require 'pathname'`

			`@options = {}`

			`def system!(cmd)`
			`system(cmd) or raise "failed to run #{cmd}"`
			`end`

			`def sanitize(str, where)`
			`raise "unsanitary string in #{where}" if (str =~ /[^\w.-]/)`
			`str`
			`end`

			`def sanitize_path(str, where)`
Add support for names with spaces in them and automatically pull keys first. 2011-04-28 15:30:54 +00:00			`raise "unsanitary string in #{where}" if (str =~ /[^@\w\/. -]/)`
gverify 2011-03-27 19:24:22 +00:00			`str`
			`end`

			`def info(str)`
Make gpg quiet by default, but not too quiet. 2011-04-29 15:06:07 +00:00			`puts str if @options[:verbose]`
gverify 2011-03-27 19:24:22 +00:00			`end`

			`################################`

			`OptionParser.new do \|opts\|`
			`opts.banner = "Usage: build [options] <build-description>.yml"`

Make gpg quiet by default, but not too quiet. 2011-04-29 15:06:07 +00:00			`opts.on("-v", "--verbose", "be more verbose") do \|v\|`
			`@options[:verbose] = v`
gverify 2011-03-27 19:24:22 +00:00			`end`
			`opts.on("-r REL", "--release REL", "release name") do \|v\|`
			`@options[:release] = v`
			`end`

			`opts.on("-d DEST", "--destination DEST", "directory to place signature in") do \|v\|`
			`@options[:destination] = v`
			`end`
			`end.parse!`

			`base_dir = Pathname.new(__FILE__).expand_path.dirname.parent`

			`build_desc_file = ARGV.shift or raise "must supply YAML build description file"`

			`build_desc = YAML.load_file(build_desc_file)`

			`in_sums = []`

			`result_dir = 'result'`

			`package_name = build_desc["name"] or raise "must supply name"`
			`package_name = sanitize(package_name, "package name")`

			`destination = @options[:destination] \|\| File.join(base_dir, "sigs", package_name)`
			`release = @options[:release] \|\| "current"`
			`release = sanitize(release, "release")`

			`release_path = File.join(destination, release)`

			`File.exists?(release_path) or raise "#{release_path} does not exist"`

			`result_file = "#{package_name}-res.yml"`

			`#system!("gpg --detach-sign -u #{signer} -o #{release_path}/signature.pgp #{result_path}")`

			`current_manifest = nil`

			`did_fail = false`

			`Dir.foreach(release_path) do \|signer_dir\|`
			`next if signer_dir == "." or signer_dir == ".."`
			`signer_path = sanitize_path(File.join(release_path, signer_dir), "signer path")`
			`next if !File.directory?(signer_path)`
			`result_path = sanitize_path(File.join(signer_path, result_file), "result path")`
			`result = YAML.load_file(result_path)`
Add support for names with spaces in them and automatically pull keys first. 2011-04-28 15:30:54 +00:00			system("gpg --keyserver pgp.mit.edu --recv-keys `gpg --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1 \| head -n1 \| grep \"key ID\" \| awk '{ print $15 }'` > /dev/null 2>&1")
Make gpg be quiet if -q is set. 2011-04-28 17:04:22 +00:00			out = `gpg --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1`
			`if $? != 0`
			`out.each do \|line\|`
			`if line =~ /^gpg: Signature made/`
			`info(line)`
			`else`
			`puts line`
			`end`
			`end`
gverify 2011-03-27 19:24:22 +00:00			`puts "#{signer_dir}: BAD SIGNATURE"`
			`did_fail = true`
			`elsif current_manifest and result['out_manifest'] != current_manifest`
Make gpg quiet by default, but not too quiet. 2011-04-29 15:06:07 +00:00			`out.each do \|line\|`
			`if line =~ /^gpg: Signature made/`
			`info(line)`
			`elsif line =~ /^gpg: Good signature/`
			`info(line)`
Hide akas by default as well 2011-05-01 23:17:15 +00:00			`elsif line =~ /^gpg: aka/`
			`info(line)`
Make gpg quiet by default, but not too quiet. 2011-04-29 15:06:07 +00:00			`else`
			`puts line`
			`end`
			`end`
gverify 2011-03-27 19:24:22 +00:00			`puts "#{signer_dir}: MISMATCH"`
			`did_fail = true`
			`else`
Make gpg quiet by default, but not too quiet. 2011-04-29 15:06:07 +00:00			`out.each do \|line\|`
			`if line =~ /^gpg: Signature made/`
			`info(line)`
			`elsif line =~ /^gpg: Good signature/`
			`info(line)`
Hide akas by default as well 2011-05-01 23:17:15 +00:00			`elsif line =~ /^gpg: aka/`
			`info(line)`
Make gpg quiet by default, but not too quiet. 2011-04-29 15:06:07 +00:00			`else`
			`puts line`
			`end`
			`end`
gverify 2011-03-27 19:24:22 +00:00			`puts "#{signer_dir}: OK"`
			`end`
			`current_manifest = result['out_manifest']`
			`end`

			`exit 1 if did_fail`