author | Sergey Poznyakoff <gray@gnu.org.ua> | 2019-09-15 22:18:19 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2019-09-15 22:18:19 +0200 |
commit | 95399e244e492b044a680dac87569d18c6564de5 (patch) | |
tree | 63ca1b674a74bc096fce0c1e4af2ff7136db1ad6 | |
parent | 5b2aff639e7ffed125dbe1832608a63e77fe7ffe (diff) | |
download | slackupgrade-95399e244e492b044a680dac87569d18c6564de5.tar.gz slackupgrade-95399e244e492b044a680dac87569d18c6564de5.tar.bz2 |
Implement GPG and MD5 sum checking
-rw-r--r-- | slackware-upgrade-system | 71 | ||||
-rw-r--r-- | slackware-upgrade-system.8 | 15 |
2 files changed, 60 insertions, 26 deletions
diff --git a/slackware-upgrade-system b/slackware-upgrade-system index 89bb3fc..4b66255 100644 --- a/slackware-upgrade-system +++ b/slackware-upgrade-system @@ -35,8 +35,6 @@ install_all= install_series= # Name of the keep-list file. keep_file= -# Verify GPG signatures -verify= # Internal variables remote= @@ -134,6 +132,18 @@ function package_file_name() { fi } +function package_name_md5sum() { + pkg=$(awk -vname=$1 '$1==name { print $3 }' $avail_index) +} + +function check_package_md5sum() { + if [ -n "$checksums" ]; then + awk -vcname="$1" -vdname="$2" \ + '$2==cname { print $1 " " dname }' $checksums | \ + md5sum --status --check + fi +} + function all_package_names() { grep -v '.*/kde[^/]*/' $avail_index | cut -d ' ' -f 1 } @@ -147,11 +157,11 @@ function catfile() { } function download_curl { - curl -L -sS -o$1 $2 + curl $CURL_OPTIONS -L -sS -o$1 $2 } function download_wget { - if ! wget --no-check-certificate -nv -o wget.log -O$1 $2; then + if ! wget $WGET_OPTIONS -nv -o wget.log -O$1 $2; then grep -i "failed\|error" wget.log /bin/false fi @@ -173,25 +183,37 @@ function download() { local name=$(basename $1) local url=$(catfile $1) if $dnfunc $name $url; then - if [ -n "$verify" ]; then - if $dnfunc $name.asc $url.asc \ - && ${GPG:-gpg2} --verify $name.asc $name 2>/dev/null; then - : - else - error "gpg verification failed for $name" - return - fi - fi + echo $name fi - echo $name } function getfile() { - if [ -n "$remote" ]; then - download $1 - else - catfile $1 + local name=$(if [ -n "$remote" ]; then + download $1 + else + catfile $1 + fi) + + if [ -n "$2" ]; then + ascname=$(if [ -n "$remote" ]; then + download $1.asc + else + catfile $1.asc + fi) + if [ -n "$ascname" ] \ + && ${GPG:-gpg} --verify $ascname $name 2>/dev/null; then + : + else + error "gpg verification failed for $name" + return + fi + fi + + if [ -n "$checksums" ] && ! check_package_md5sum $1 $name; then + error "ERROR: $1: checksum failed" + name= fi + echo $name } function dropfile() { 
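Review bot: In `check_package_md5sum`, a file that has no entry in `$checksums` gives `md5sum --status --check` empty input, so rejecting an unlisted file depends on how md5sum treats an empty list rather than on an explicit test. GNU md5sum is expected to exit non-zero in that case, but it is safer to capture the awk output first and fail when it is empty, e.g. `[ -n "$line" ] || return 1` before feeding `$line` to md5sum. The function also returns success without checking anything when `$checksums` is unset, which is only safe because the script abends when CHECKSUMS.md5 cannot be obtained (a later hunk). Quoting `"$checksums"` and `"$avail_index"` in both new functions would keep a path containing spaces from being split.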
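Review bot: `download_curl` still calls curl without `-f`/`--fail`, so an HTTP error such as 404 exits 0 and the server's error page is saved under the requested name. With the new `.asc` download, that shows up as "gpg verification failed" rather than as a download failure, which hides the real cause. Suggest `curl $CURL_OPTIONS -f -L -sS -o "$1" "$2"`, with the same quoting of `"$1"` and `"$2"` in `download_wget`. Removing the hard-coded `--no-check-certificate` is a good change; because `WGET_OPTIONS` and `CURL_OPTIONS` are passed through verbatim and can bring such flags back, a comment beside them saying so would help.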
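Review bot: The `gpg --verify` call in `getfile` accepts a good signature from any public key in the invoking user's default keyring, so CHECKSUMS.md5 is not tied to the Slackware key. A file signed by any other key that root has imported would pass. Verifying against a dedicated keyring that holds only the distribution key closes this, e.g. `${GPG:-gpg} --no-default-keyring --keyring "$keyring" --verify "$ascname" "$name"` (`$keyring` is a placeholder for a path the script would define); alternatively, compare the VALIDSIG fingerprint from `--status-fd`. The `2>/dev/null` also discards gpg's own diagnostics (missing key, expired key), leaving only the generic error. Smaller points: `ascname` should be declared `local`, and when `$name` is empty the unquoted `$name` vanishes from the command line, leaving gpg to guess the data file.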
@@ -308,14 +330,19 @@ if [ -z "$remote" ]; then fi # Check if rooturl contains all we need -checksums=$(getfile CHECKSUMS.md5) +error "info: verifying distribution..." + +# +# Download CHECKSUMS.md5. So far it is the only file that is gpg-checked. +# For the rest we rely on MD5 sums. +checksums=$(getfile CHECKSUMS.md5 gpg) if [ -z "$checksums" ]; then abend "CHECKSUMS.md5 not found in $rooturl" fi announce=$(tail +13 $checksums | \ sed -n -r\ - -e 's/^[0-9a-fA-F]+[[:space:]]+\.\/(ANNOUNCE\.[[:digit:]_]+)$/\1/p') + -e 's/^[0-9a-fA-F]+[[:space:]]+(\.\/ANNOUNCE\.[[:digit:]_]+)$/\1/p') if [ -z "$announce" ]; then abend "ANNOUNCE not found in $rooturl" fi @@ -324,7 +351,7 @@ if [ -z "$file" ]; then abend "file $announce not found in $rooturl" fi -newversion=$(echo "$announce" | sed -e 's/ANNOUNCE\.//' -e 's/_/./g') +newversion=$(echo "$announce" | sed -e 's/\.\/ANNOUNCE\.//' -e 's/_/./g') if [ -z "$newversion" ]; then abend "cannot determine new version" fi @@ -343,7 +370,7 @@ logfile=$logstem.log # Check if pkgdir exists and contains the necessary files and directories for series in $series_names do - n=$(sed -n -r -e 's/^[0-9a-fA-F]+[[:space:]]+(\.\/slackware(64)?\/l\/.*\.t.z)$/\1/p' $avail_index | head -1) + n=$(sed -n -r -e 's/^[^[:space:]]+[[:space:]]+(\.\/slackware(64)?\/'$series'\/.*\.t.z)$/\1/p' $avail_index | head -1) if [ -z "$n" ]; then abend "no files in series $series" fi diff --git a/slackware-upgrade-system.8 b/slackware-upgrade-system.8 index fcbdbda..dbf35e4 100644 --- a/slackware-upgrade-system.8 +++ b/slackware-upgrade-system.8 
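Review bot: When the signature check fails, `getfile` prints nothing on stdout, so the `abend` that follows the new `getfile CHECKSUMS.md5 gpg` call reports "CHECKSUMS.md5 not found" for what is really a verification failure. Someone triaging a tampered or stale mirror is then pointed at a wrong URL instead of a bad signature. Consider `abend "CHECKSUMS.md5 missing or failed GPG verification in $rooturl"`, or have `getfile` return a distinct exit status for the two cases and test it here.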
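Review bot: In the series check, `$series` is spliced into the sed expression outside the single quotes (`...\/'$series'\/...`), so it is subject to word splitting and globbing, and any regex metacharacter in a series name changes the pattern. Writing the expression in double quotes removes the splitting: `"s/^[^[:space:]]+[[:space:]]+(\.\/slackware(64)?\/${series}\/.*\.t.z)\$/\1/p"`. Validating series names against a conservative pattern where they are parsed (not visible in this hunk) would cover the metacharacter case. The `for` loop body continues outside the hunk.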
@@ -14,7 +14,7 @@ .\" You should have received a copy of the GNU General Public License .\" along with slackware-upgrade-system. If not, see .\" <http://www.gnu.org/licenses/>. -.TH SLACKWARE\-UPGRADE\-SYSTEM 8 "September 14, 2019" "SLACKWARE\-UPGRADE\-SYSTEM" "System Manager's Manual" +.TH SLACKWARE\-UPGRADE\-SYSTEM 8 "September 15, 2019" "SLACKWARE\-UPGRADE\-SYSTEM" "System Manager's Manual" .SH NAME slackware\-upgrade\-system \- do a full upgrade of a Slackware installation .SH SYNOPSIS @@ -41,7 +41,16 @@ When started, the program first verifies that it runs with root privileges on a Slackware installation and determines the current release version number. Then it verifies the distribution \fIURL\fR: it must contain the files \fBCHECKSUMS.md5\fR, -\fBANNOUNCE.\fIVERSION\fR and the Slackware package series directories. +\fBANNOUNCE.\fIVERSION\fR and the Slackware package series +directories. +.PP +The file \fBCHECKSUMS.md5\fR and its GPG signature are downloaded +first. Then, the program verifies that the signature is correct. +For this to succeed, you must have the Slackware Linux Project +public key in your keyring. If you don't, run +.EX +curl -o - https://www.slackware.com/gpg-key | gpg --import +.EE .PP When this initial check is passed, the program constructs the list of currently installed packages and packages available in the @@ -169,8 +178,6 @@ The \fBUPGRADE.TXT\fR document, outlining the procedure as a whole: .PP .BR upgradepkg (8). .SH BUGS -No checking of MD5 sums and GPG signatures. -.PP Only main Slackware packages are considered. The \fBpatches\fR subdirectory is not used. .PP |