author | Erich Eckner <git@eckner.net> | 2019-08-07 12:11:06 +0200 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2019-08-07 12:11:06 +0200 |
commit | 068754e19667551367ee5bb21b1cdd5218c21213 (patch) | |
tree | 94997a05c88657d3ded840f1e067405113e3cb86 | |
parent | 1daf76e9fc55e08bd341673b2f43eec04e5ac134 (diff) | |
download | builder-068754e19667551367ee5bb21b1cdd5218c21213.tar.xz |
bin/nit-picker: check packager-keys, too
-rwxr-xr-x | bin/nit-picker | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/bin/nit-picker b/bin/nit-picker
index 102b831..24f274d 100755
--- a/bin/nit-picker
+++ b/bin/nit-picker
@@ -110,6 +110,16 @@ while pgrep -x ii >/dev/null \
 printf ';\n'
 printf 'SELECT DISTINCT'
+ printf ' "binary-signature",'
+ mysql_package_name_query
+ printf ' FROM `binary_packages`'
+ mysql_join_binary_packages_architectures
+ mysql_join_binary_packages_binary_packages_in_repositories
+ mysql_join_binary_packages_in_repositories_repositories
+ printf ' WHERE `repositories`.`is_on_master_mirror`'
+ printf ';\n'
+
+ printf 'SELECT DISTINCT'
 printf ' "binary-dependencies",'
 mysql_package_name_query
 printf ' FROM `binary_packages`' 
@@ -249,6 +259,68 @@ while pgrep -x ii >/dev/null \
 "${tmp_dir}/db-deps" \
 "${tmp_dir}/pkg-deps"
 ;;
+ 'binary-signature')
+ ${master_mirror_rsync_command} \
+ "${master_mirror_rsync_directory}/pool/${parameters}" \
+ "${master_mirror_rsync_directory}/pool/${parameters}.sig" \
+ "${tmp_dir}/"
+ unset error_message
+ if ! gpg_output=$(
+ gpg --batch --status-fd 1 -q --homedir /etc/pacman.d/gnupg \
+ --verify "${tmp_dir}/${parameters}.sig" "${tmp_dir}/${parameters}" \
+ 2>/dev/null
+ ); then
+ error_message="package ${parameters} has an invalid signature."
+ fi
+ if [ -z "${error_message}" ]; then
+ gpg_key=$(
+ printf '%s\n' "${gpg_output}" \
+ | sed '
+ s/^\[GNUPG:] KEY_CONSIDERED \([0-9A-F]\{40\}\) 0$/\1/
+ t
+ d
+ ' \
+ | sort -u
+ )
+ if [ -z "${gpg_key}" ]; then
+ error_message="cannot find pgp_key of package ${parameters}."
+ fi
+ fi
+ if [ -z "${error_message}" ]; then
+ for expiration in $(
+ gpg --batch --homedir /etc/pacman.d/gnupg --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^\(sub\|pub\):' \
+ | cut -d: -f7
+ ); do
+ expiration_days=$(((expiration - $(date +%s))/24/60/60))
+ if [ ${expiration_days} -lt 100 ]; then
+ error_message=$(
+ printf 'signing key %s (from %s) for package %s expires on %s (in %s < 100 days).\n' \
+ "${gpg_key}" \
+ "$(
+ gpg --batch --homedir /etc/pacman.d/gnupg --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^\(uid\):' \
+ | cut -d: -f10
+ )" \
+ "${parameters}" \
+ "$(date -I -d@"${expiration}")" \
+ "${expiration_days}"
+ )
+ break
+ fi
+ done
+ fi
+ if [ -n "${error_message}" ]; then
+ printf '%s\n' "${error_message}" \
+ | irc_say
+ if [ $# -eq 0 ]; then
+ sleep 60
+ fi
+ fi
+ rm \
+ "${tmp_dir}/${parameters}" \
+ "${tmp_dir}/${parameters}.sig"
+ ;;
 *)
 >&2 printf 'action "%s" is not yet implemented ...\n' "${action}"
 ;; |
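Review bot: The new 'binary-signature' arm treats the package as correctly signed as soon as `gpg --verify` exits 0, but as far as I recall gpg reports an expired, revoked or not-fully-trusted signing key only through status lines (EXPKEYSIG, REVKEYSIG, TRUST_UNDEFINED/TRUST_NEVER) while still exiting 0, so a signature that pacman's default SigLevel would reject passes here, and the expiry loop that follows only flags keys that are about to expire, not ones already past their date. Since `--status-fd 1` is already captured in gpg_output, require a VALIDSIG line plus TRUST_FULLY or TRUST_ULTIMATE before accepting the signature, and take the fingerprint from VALIDSIG rather than KEY_CONSIDERED; that also removes the case where `sort -u` leaves more than one fingerprint in gpg_key and `--list-keys "0x${gpg_key}"` receives a multi-line argument. The enclosing case statement and the while loop both begin and end outside the hunk.
```shell
# … unchanged: rsync download of package and .sig …
unset error_message
if ! gpg_output=$(
  gpg --batch --status-fd 1 -q --homedir /etc/pacman.d/gnupg \
    --verify "${tmp_dir}/${parameters}.sig" "${tmp_dir}/${parameters}" \
    2>/dev/null
) \
  || ! printf '%s\n' "${gpg_output}" | grep -q '^\[GNUPG:] VALIDSIG ' \
  || ! printf '%s\n' "${gpg_output}" | grep -q '^\[GNUPG:] TRUST_\(FULLY\|ULTIMATE\)'; then
  error_message="package ${parameters} has an invalid or untrusted signature."
fi
if [ -z "${error_message}" ]; then
  # fingerprint of the key that actually produced the signature
  gpg_key=$(
    printf '%s\n' "${gpg_output}" \
      | sed -n 's/^\[GNUPG:] VALIDSIG \([0-9A-F]\{40\}\) .*$/\1/p' \
      | sort -u
  )
  # … unchanged: empty gpg_key check …
fi
# … unchanged: expiration loop, irc_say, rm …
```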