authorSergey Poznyakoff <gray@gnu.org.ua>2019-09-15 22:18:19 +0200
committerSergey Poznyakoff <gray@gnu.org.ua>2019-09-15 22:18:19 +0200
commit95399e244e492b044a680dac87569d18c6564de5 (patch)
tree63ca1b674a74bc096fce0c1e4af2ff7136db1ad6
parent5b2aff639e7ffed125dbe1832608a63e77fe7ffe (diff)
downloadslackupgrade-95399e244e492b044a680dac87569d18c6564de5.tar.gz
slackupgrade-95399e244e492b044a680dac87569d18c6564de5.tar.bz2
Implement GPG and MD5 sum checking
-rw-r--r--slackware-upgrade-system71
-rw-r--r--slackware-upgrade-system.815
2 files changed, 60 insertions, 26 deletions
diff --git a/slackware-upgrade-system b/slackware-upgrade-system
index 89bb3fc..4b66255 100644
--- a/slackware-upgrade-system
+++ b/slackware-upgrade-system
@@ -35,8 +35,6 @@ install_all=
install_series=
# Name of the keep-list file.
keep_file=
-# Verify GPG signatures
-verify=
# Internal variables
remote=
@@ -134,6 +132,18 @@ function package_file_name() {
fi
}
+function package_name_md5sum() {
+ pkg=$(awk -vname=$1 '$1==name { print $3 }' $avail_index)
+}
+
+function check_package_md5sum() {
+ if [ -n "$checksums" ]; then
+ awk -vcname="$1" -vdname="$2" \
+ '$2==cname { print $1 " " dname }' $checksums | \
+ md5sum --status --check
+ fi
+}
+
function all_package_names() {
grep -v '.*/kde[^/]*/' $avail_index | cut -d ' ' -f 1
}
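Review bot: `check_package_md5sum` returns success without checking anything when `$checksums` is empty, and nothing in the function says this is deliberate. That state appears to exist only while CHECKSUMS.md5 itself is being fetched, so a header comment would help, such as `# No-op (success) while $checksums is unset; only the GPG-verified CHECKSUMS.md5 may be fetched in that state.` The awk arguments are also unquoted (`-vname=$1`, `$checksums`, `$avail_index`), so a path containing whitespace would be split; `-vname="$1"` and `"$checksums"` avoid that. `package_name_md5sum` assigns the global `pkg` instead of printing a value and is not called in any visible hunk, which looks unfinished.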
@@ -147,11 +157,11 @@ function catfile() {
}
function download_curl {
- curl -L -sS -o$1 $2
+ curl $CURL_OPTIONS -L -sS -o$1 $2
}
function download_wget {
- if ! wget --no-check-certificate -nv -o wget.log -O$1 $2; then
+ if ! wget $WGET_OPTIONS -nv -o wget.log -O$1 $2; then
grep -i "failed\|error" wget.log
/bin/false
fi
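Review bot: `download_curl` still runs curl without `--fail`, so an HTTP error page is written to `$1` and reported as a successful download; the later GPG or MD5 check then fails with a misleading message. Adding `-f`, as in `curl $CURL_OPTIONS -f -L -sS -o "$1" "$2"`, makes the failure surface at the download step. `$CURL_OPTIONS` and `$WGET_OPTIONS` are not assigned in any visible hunk, so they presumably come from the environment of a script that runs as root. A comment stating that they are intentionally left unquoted for word splitting, plus an entry in the man page, would make that explicit. The closing brace of `download_wget` lies outside the hunk.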
@@ -173,25 +183,37 @@ function download() {
local name=$(basename $1)
local url=$(catfile $1)
if $dnfunc $name $url; then
- if [ -n "$verify" ]; then
- if $dnfunc $name.asc $url.asc \
- && ${GPG:-gpg2} --verify $name.asc $name 2>/dev/null; then
- :
- else
- error "gpg verification failed for $name"
- return
- fi
- fi
+ echo $name
fi
- echo $name
}
function getfile() {
- if [ -n "$remote" ]; then
- download $1
- else
- catfile $1
+ local name=$(if [ -n "$remote" ]; then
+ download $1
+ else
+ catfile $1
+ fi)
+
+ if [ -n "$2" ]; then
+ ascname=$(if [ -n "$remote" ]; then
+ download $1.asc
+ else
+ catfile $1.asc
+ fi)
+ if [ -n "$ascname" ] \
+ && ${GPG:-gpg} --verify $ascname $name 2>/dev/null; then
+ :
+ else
+ error "gpg verification failed for $name"
+ return
+ fi
+ fi
+
+ if [ -n "$checksums" ] && ! check_package_md5sum $1 $name; then
+ error "ERROR: $1: checksum failed"
+ name=
fi
+ echo $name
}
function dropfile() {
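Review bot: The `--verify` call in `getfile` accepts a good signature from any key in the invoking user's default keyring, because nothing ties the result to the Slackware project key. Since CHECKSUMS.md5 is the trust root for every MD5 comparison that follows, verification should be pinned, for example `${GPG:-gpg} --no-default-keyring --keyring "$SLACKWARE_KEYRING" --verify "$ascname" "$name"`, where `SLACKWARE_KEYRING` is a placeholder for a keyring holding only that key. `2>/dev/null` also hides whether the failure was a missing key or a bad signature, and `ascname` should be declared `local`. The man page hunk later in this commit tells users to import the key from the web without comparing its fingerprint against a copy obtained another way, which weakens the same chain. `download` begins before this hunk.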
@@ -308,14 +330,19 @@ if [ -z "$remote" ]; then
fi
# Check if rooturl contains all we need
-checksums=$(getfile CHECKSUMS.md5)
+error "info: verifying distribution..."
+
+#
+# Download CHECKSUMS.md5. So far it is the only file that is gpg-checked.
+# For the rest we rely on MD5 sums.
+checksums=$(getfile CHECKSUMS.md5 gpg)
if [ -z "$checksums" ]; then
abend "CHECKSUMS.md5 not found in $rooturl"
fi
announce=$(tail +13 $checksums | \
sed -n -r\
- -e 's/^[0-9a-fA-F]+[[:space:]]+\.\/(ANNOUNCE\.[[:digit:]_]+)$/\1/p')
+ -e 's/^[0-9a-fA-F]+[[:space:]]+(\.\/ANNOUNCE\.[[:digit:]_]+)$/\1/p')
if [ -z "$announce" ]; then
abend "ANNOUNCE not found in $rooturl"
fi
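Review bot: When the signature check inside `getfile` fails, `checksums` comes back empty and the script aborts with `CHECKSUMS.md5 not found in $rooturl`, which misreports a verification failure as a missing file. The message could read `abend "CHECKSUMS.md5 not found or failed GPG verification in $rooturl"`. `error "info: verifying distribution..."` uses the error helper for an informational line; if that is only a way to reach stderr, a short comment saying so would avoid confusion. The `if` block closed at the top of this hunk starts outside it.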
@@ -324,7 +351,7 @@ if [ -z "$file" ]; then
abend "file $announce not found in $rooturl"
fi
-newversion=$(echo "$announce" | sed -e 's/ANNOUNCE\.//' -e 's/_/./g')
+newversion=$(echo "$announce" | sed -e 's/\.\/ANNOUNCE\.//' -e 's/_/./g')
if [ -z "$newversion" ]; then
abend "cannot determine new version"
fi
@@ -343,7 +370,7 @@ logfile=$logstem.log
# Check if pkgdir exists and contains the necessary files and directories
for series in $series_names
do
- n=$(sed -n -r -e 's/^[0-9a-fA-F]+[[:space:]]+(\.\/slackware(64)?\/l\/.*\.t.z)$/\1/p' $avail_index | head -1)
+ n=$(sed -n -r -e 's/^[^[:space:]]+[[:space:]]+(\.\/slackware(64)?\/'$series'\/.*\.t.z)$/\1/p' $avail_index | head -1)
if [ -z "$n" ]; then
abend "no files in series $series"
fi
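Review bot: `$series` is spliced into the sed expression outside any quotes (`'$series'`), so it undergoes word splitting and globbing, and any regex metacharacter in a series name changes the pattern. Keeping the single-quoted pieces and double-quoting the variable, `'...\/'"$series"'\/.*\.t.z)$/\1/p'`, removes the splitting; `$avail_index` should be quoted for the same reason. The series names are presumably a fixed internal list, so this is robustness rather than an input-handling bug. The `for` loop continues past the end of the hunk.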
diff --git a/slackware-upgrade-system.8 b/slackware-upgrade-system.8
index fcbdbda..dbf35e4 100644
--- a/slackware-upgrade-system.8
+++ b/slackware-upgrade-system.8
@@ -14,7 +14,7 @@
.\" You should have received a copy of the GNU General Public License
.\" along with slackware-upgrade-system. If not, see
.\" <http://www.gnu.org/licenses/>.
-.TH SLACKWARE\-UPGRADE\-SYSTEM 8 "September 14, 2019" "SLACKWARE\-UPGRADE\-SYSTEM" "System Manager's Manual"
+.TH SLACKWARE\-UPGRADE\-SYSTEM 8 "September 15, 2019" "SLACKWARE\-UPGRADE\-SYSTEM" "System Manager's Manual"
.SH NAME
slackware\-upgrade\-system \- do a full upgrade of a Slackware installation
.SH SYNOPSIS
@@ -41,7 +41,16 @@ When started, the program first verifies that it runs with root
privileges on a Slackware installation and determines the current
release version number. Then it verifies the distribution \fIURL\fR:
it must contain the files \fBCHECKSUMS.md5\fR,
-\fBANNOUNCE.\fIVERSION\fR and the Slackware package series directories.
+\fBANNOUNCE.\fIVERSION\fR and the Slackware package series
+directories.
+.PP
+The file \fBCHECKSUMS.md5\fR and its GPG signature are downloaded
+first. Then, the program verifies that the signature is correct.
+For this to succeed, you must have the Slackware Linux Project
+public key in your keyring. If you don't, run
+.EX
+curl -o - https://www.slackware.com/gpg-key | gpg --import
+.EE
.PP
When this initial check is passed, the program constructs the list
of currently installed packages and packages available in the
@@ -169,8 +178,6 @@ The \fBUPGRADE.TXT\fR document, outlining the procedure as a whole:
.PP
.BR upgradepkg (8).
.SH BUGS
-No checking of MD5 sums and GPG signatures.
-.PP
Only main Slackware packages are considered. The \fBpatches\fR
subdirectory is not used.
.PP
