authorErich Eckner <git@eckner.net>2019-08-07 12:11:06 +0200
committerErich Eckner <git@eckner.net>2019-08-07 12:11:06 +0200
commit068754e19667551367ee5bb21b1cdd5218c21213 (patch)
tree94997a05c88657d3ded840f1e067405113e3cb86
parent1daf76e9fc55e08bd341673b2f43eec04e5ac134 (diff)
downloadbuilder-068754e19667551367ee5bb21b1cdd5218c21213.tar.xz
bin/nit-picker: check packager-keys, too
-rwxr-xr-xbin/nit-picker72
1 files changed, 72 insertions, 0 deletions
diff --git a/bin/nit-picker b/bin/nit-picker
index 102b831..24f274d 100755
--- a/bin/nit-picker
+++ b/bin/nit-picker
@@ -110,6 +110,16 @@ while pgrep -x ii >/dev/null \
printf ';\n'
printf 'SELECT DISTINCT'
+ printf ' "binary-signature",'
+ mysql_package_name_query
+ printf ' FROM `binary_packages`'
+ mysql_join_binary_packages_architectures
+ mysql_join_binary_packages_binary_packages_in_repositories
+ mysql_join_binary_packages_in_repositories_repositories
+ printf ' WHERE `repositories`.`is_on_master_mirror`'
+ printf ';\n'
+
+ printf 'SELECT DISTINCT'
printf ' "binary-dependencies",'
mysql_package_name_query
printf ' FROM `binary_packages`'
@@ -249,6 +259,68 @@ while pgrep -x ii >/dev/null \
"${tmp_dir}/db-deps" \
"${tmp_dir}/pkg-deps"
;;
+ 'binary-signature')
+ ${master_mirror_rsync_command} \
+ "${master_mirror_rsync_directory}/pool/${parameters}" \
+ "${master_mirror_rsync_directory}/pool/${parameters}.sig" \
+ "${tmp_dir}/"
+ unset error_message
+ if ! gpg_output=$(
+ gpg --batch --status-fd 1 -q --homedir /etc/pacman.d/gnupg \
+ --verify "${tmp_dir}/${parameters}.sig" "${tmp_dir}/${parameters}" \
+ 2>/dev/null
+ ); then
+ error_message="package ${parameters} has an invalid signature."
+ fi
+ if [ -z "${error_message}" ]; then
+ gpg_key=$(
+ printf '%s\n' "${gpg_output}" \
+ | sed '
+ s/^\[GNUPG:] KEY_CONSIDERED \([0-9A-F]\{40\}\) 0$/\1/
+ t
+ d
+ ' \
+ | sort -u
+ )
+ if [ -z "${gpg_key}" ]; then
+ error_message="cannot find pgp_key of package ${parameters}."
+ fi
+ fi
+ if [ -z "${error_message}" ]; then
+ for expiration in $(
+ gpg --batch --homedir /etc/pacman.d/gnupg --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^\(sub\|pub\):' \
+ | cut -d: -f7
+ ); do
+ expiration_days=$(((expiration - $(date +%s))/24/60/60))
+ if [ ${expiration_days} -lt 100 ]; then
+ error_message=$(
+ printf 'signing key %s (from %s) for package %s expires on %s (in %s < 100 days).\n' \
+ "${gpg_key}" \
+ "$(
+ gpg --batch --homedir /etc/pacman.d/gnupg --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^\(uid\):' \
+ | cut -d: -f10
+ )" \
+ "${parameters}" \
+ "$(date -I -d@"${expiration}")" \
+ "${expiration_days}"
+ )
+ break
+ fi
+ done
+ fi
+ if [ -n "${error_message}" ]; then
+ printf '%s\n' "${error_message}" \
+ | irc_say
+ if [ $# -eq 0 ]; then
+ sleep 60
+ fi
+ fi
+ rm \
+ "${tmp_dir}/${parameters}" \
+ "${tmp_dir}/${parameters}.sig"
+ ;;
*)
>&2 printf 'action "%s" is not yet implemented ...\n' "${action}"
;;
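Review bot: The key used for the expiry check is taken from `KEY_CONSIDERED` in the sed over `gpg_output`, but gpg emits that line for every key it looked at, not specifically for the key that produced the signature, so `gpg_key` can end up holding the wrong fingerprint or several of them (the `-z` test does not catch the latter, and a multi-line value then breaks the quoted `--list-keys "0x${gpg_key}"`). Take the signer from the `VALIDSIG` status line instead, e.g. `s/^\[GNUPG:] VALIDSIG \([0-9A-F]\{40\}\) .*/\1/`. A zero exit from `gpg --verify` also only asserts a good signature, not that the key is trusted; if the same bar as the package manager is wanted, additionally require a `TRUST_FULLY` or `TRUST_ULTIMATE` line in `gpg_output`. The rsync fetch at the top of the arm is not checked, so a `.sig` missing on the mirror is reported as "invalid signature" — a distinct message when the download fails would avoid misleading the irc channel. The enclosing `case` statement starts and ends outside the hunk.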