Forum: >>> Magnum BBS <<<

[gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` form

From =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?@21:1/5 to All on Mon Sep 4 04:00:02 2023

Signed-off-by: Michał Górny <[email protected]>
---
eclass/tests/verify-sig.sh | 18 ++++++++++++++
eclass/verify-sig.eclass | 51 +++++++++++++++++++++++++-------------
2 files changed, 52 insertions(+), 17 deletions(-)

diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
index fcd2ee7480a2..fb7f2cdb2a5d 100755
--- a/eclass/tests/verify-sig.sh
+++ b/eclass/tests/verify-sig.sh
@@ -62,4 +62,22 @@ EOF
test_verify_unsigned_checksums sha256
eoutdent

+einfo "Testing openssl-dgst format."
+eindent
+

"annoying ( filename )= yes ).txt" || die

+
+cat > checksums.txt <<-EOF || die
+ junk text that ought to be ignored
+
+ SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+ SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
+
+ SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+EOF
+
+test_verify_unsigned_checksums openssl-dgst

From Ulrich Mueller@21:1/5 to when the documentation now on Mon Sep 4 08:50:01 2023

On Mon, 04 Sep 2023, Michał Górny wrote:

--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -214,12 +214,15 @@ verify-sig_verify_message() {
}

# @FUNCTION: verify-sig_verify_unsigned_checksums
-# @USAGE: <checksum-file> <algo> <files>
+# @USAGE: <checksum-file> <format> <files>

Below, verify-sig_verify_signed_checksums() still says "algo", change
that too for consistency?

# @DESCRIPTION:
# Verify the checksums for all files listed in the space-separated list
-# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
-# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
-# for stdin.
+# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
+# the checksum file format. <checksum-file> can be "-" for stdin.
+#
+# The following formats are supported:
+# - sha256 -- sha256sum (<hash> <filename>)
+# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

This won't be rendered as a list in the man page, but will be rewrapped
as a paragraph. (Putting a space before the "-" will help.)

The existing variable documentation of VERIFY_SIG_METHOD suffers from
the same problem, BTW.

#
# The function dies if one of the files does not match checksums or
# is missing from the checksum file.
@@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
local algo=${2}

Maybe rename the variable to "format", when the documentation now says
that the second parameter specifies the format?

local files=()
read -r -d '' -a files <<<"${3}"
- local chksum_prog chksum_len
+ local chksum_prog chksum_len format=coreutils

And rename this one too. (I don't find it intuitive for a checksum
format to be named "coreutils", when coreutils provides cksum, md5sum,
b2sum, etc.)

case ${algo} in
sha256)
- chksum_prog=sha256sum
chksum_len=64
;;
+ openssl-dgst)
+ format=${algo}
+ ;;
*)
- die "${FUNCNAME}: unknown checksum algo ${algo}"
+ die "${FUNCNAME}: unknown checksum format ${algo}"
;;
esac

[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
- local checksum filename junk ret=0 count=0
- while read -r checksum filename junk; do
- if [[ ${checksum} == "-----BEGIN" ]]; then
+ local line checksum filename junk ret=0 count=0
+ while read -r line; do
+ if [[ ${line} == "-----BEGIN"* ]]; then
die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
fi

- [[ ${#checksum} -eq ${chksum_len} ]] || continue
- [[ -z ${checksum//[0-9a-f]} ]] || continue
- has "${filename}" "${files[@]}" || continue
- [[ -z ${junk} ]] || continue
-
- "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
- if [[ ${?} -eq 0 ]]; then
+ case ${format} in
+ coreutils)
+ read -r checksum filename junk <<<"${line}"
+ [[ ${#checksum} -ne ${chksum_len} ]] && continue
+ [[ -n ${checksum//[0-9a-f]} ]] && continue
+ [[ -n ${junk} ]] && continue
+ ;;
+ openssl-dgst)
+ [[ ${line} != *"("*")="* ]] && continue
+ checksum=${line##*)=}
+ algo=${line%%(*}
+ filename=${line#*(}
+ filename=${filename%)=*}
+ ;;
+ esac
+
+ ! has "${filename}" "${files[@]}" && continue

This might be clearer if it was written as:

has "${filename}" "${files[@]}" || continue

+
+ if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
(( count++ ))
else
ret=1

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmT1fEIPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uaysIAJyq7wka58gaiKup2NSbp3QhVzDL1jq+tqkK PkNTftRzRdg2P2yULITRorZxmFOyksrFVWcE1s/H5qpGE0mUvskmi5dNWS7fceic kGr05gsa44wiBeVlWGJG9qKEq7xDHexSnmCLpeGxbhhzNpVrJ8ddRIq7y+/6kNCt u71+bTRmA8z60F0z6K1sIjHXXGXgsLUD668R68Y05L/HlfoOtOWOPevXOQReWLi4 CkX3q6BE6Sgh1+PGW1uUOAPm6AE/LB6FkmdnpTB1CedkOMlXPGFCekJRYc0VaiGY WgAFamKm2gcOjIDFnj9JA1Wh8IOJtEw5p4D6aNQv7/RM8FXdGEo=jAK9
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=@21:1/5 to All on Fri Sep 8 12:10:01 2023

On Fri, 2023-09-08 at 12:03 +0200, Michał Górny wrote:

On Mon, 2023-09-04 at 08:42 +0200, Ulrich Mueller wrote:

On Mon, 04 Sep 2023, Michał Górny wrote:

--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -214,12 +214,15 @@ verify-sig_verify_message() {
}

# @FUNCTION: verify-sig_verify_unsigned_checksums
-# @USAGE: <checksum-file> <algo> <files>
+# @USAGE: <checksum-file> <format> <files>

Below, verify-sig_verify_signed_checksums() still says "algo", change
that too for consistency?

If I must.

# @DESCRIPTION:
# Verify the checksums for all files listed in the space-separated list -# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
-# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
-# for stdin.
+# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
+# the checksum file format. <checksum-file> can be "-" for stdin.
+#
+# The following formats are supported:
+# - sha256 -- sha256sum (<hash> <filename>)
+# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

This won't be rendered as a list in the man page, but will be rewrapped
as a paragraph. (Putting a space before the "-" will help.)

The existing variable documentation of VERIFY_SIG_METHOD suffers from
the same problem, BTW.

Hmm, I can't get it to work with the space either. Whatever I do, eclass-to-manpage.awk seems to copy it verbatim.

Nevermind, now I see that it's meaningful to groff. For some reason, I
thought eclass-to-manpage will use some magical sequences.

--
Best regards,
Michał Górny

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=@21:1/5 to Ulrich Mueller on Fri Sep 8 12:10:01 2023

On Mon, 2023-09-04 at 08:42 +0200, Ulrich Mueller wrote:

On Mon, 04 Sep 2023, Michał Górny wrote:

--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -214,12 +214,15 @@ verify-sig_verify_message() {
}

# @FUNCTION: verify-sig_verify_unsigned_checksums
-# @USAGE: <checksum-file> <algo> <files>
+# @USAGE: <checksum-file> <format> <files>

Below, verify-sig_verify_signed_checksums() still says "algo", change
that too for consistency?

If I must.

# @DESCRIPTION:
# Verify the checksums for all files listed in the space-separated list -# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
-# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
-# for stdin.
+# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
+# the checksum file format. <checksum-file> can be "-" for stdin.
+#
+# The following formats are supported:
+# - sha256 -- sha256sum (<hash> <filename>)
+# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

This won't be rendered as a list in the man page, but will be rewrapped
as a paragraph. (Putting a space before the "-" will help.)

The existing variable documentation of VERIFY_SIG_METHOD suffers from
the same problem, BTW.

Hmm, I can't get it to work with the space either. Whatever I do, eclass-to-manpage.awk seems to copy it verbatim.

#
# The function dies if one of the files does not match checksums or
# is missing from the checksum file.
@@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
local algo=${2}

Maybe rename the variable to "format", when the documentation now says
that the second parameter specifies the format?

local files=()
read -r -d '' -a files <<<"${3}"
- local chksum_prog chksum_len
+ local chksum_prog chksum_len format=coreutils

And rename this one too. (I don't find it intuitive for a checksum
format to be named "coreutils", when coreutils provides cksum, md5sum,
b2sum, etc.)

case ${algo} in
sha256)
- chksum_prog=sha256sum
chksum_len=64
;;
+ openssl-dgst)
+ format=${algo}
+ ;;
*)
- die "${FUNCNAME}: unknown checksum algo ${algo}"
+ die "${FUNCNAME}: unknown checksum format ${algo}"
;;
esac

[[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
- local checksum filename junk ret=0 count=0
- while read -r checksum filename junk; do
- if [[ ${checksum} == "-----BEGIN" ]]; then
+ local line checksum filename junk ret=0 count=0
+ while read -r line; do
+ if [[ ${line} == "-----BEGIN"* ]]; then
die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
fi

- [[ ${#checksum} -eq ${chksum_len} ]] || continue
- [[ -z ${checksum//[0-9a-f]} ]] || continue
- has "${filename}" "${files[@]}" || continue
- [[ -z ${junk} ]] || continue
-
- "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
- if [[ ${?} -eq 0 ]]; then
+ case ${format} in
+ coreutils)
+ read -r checksum filename junk <<<"${line}"
+ [[ ${#checksum} -ne ${chksum_len} ]] && continue
+ [[ -n ${checksum//[0-9a-f]} ]] && continue
+ [[ -n ${junk} ]] && continue
+ ;;
+ openssl-dgst)
+ [[ ${line} != *"("*")="* ]] && continue
+ checksum=${line##*)=}
+ algo=${line%%(*}
+ filename=${line#*(}
+ filename=${filename%)=*}
+ ;;
+ esac
+
+ ! has "${filename}" "${files[@]}" && continue

This might be clearer if it was written as:

has "${filename}" "${files[@]}" || continue

Negative logic is never clearer.

+
+ if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; then
(( count++ ))
else
ret=1

--
Best regards,
Michał Górny

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Ulrich Mueller@21:1/5 to All on Fri Sep 8 15:10:01 2023

On Fri, 08 Sep 2023, Michał Górny wrote:

+ ! has "${filename}" "${files[@]}" && continue

This might be clearer if it was written as:

has "${filename}" "${files[@]}" || continue

Negative logic is never clearer.

Exactly. That's why we generally do "command || die" rather than
"! command && die".

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmT7HD4PHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uqCwIAMKwTPP/pAKuYqRiqbF2LAYJJVmb+Ca7NyQk QWsrVS9W8tzW5b8vC50elMOlrlXQSfyYjPZjUmxWJ+m9DzKrL+nMCpL3ynfc9VMD EqHVZNT0UaEglJv5lnXU3HRDuEs87SQXI+fGbatn2+ojKuYQHRjI4JeqPDbSSrRu anadas605fnwlEffsJHc9qPSwM0KMKXdqrNlZxWn5XmBL7fN54tCGDvEB2bSF+c3 pTOTMSXcd0wYL7/gueemzjlIdhG6dgUw9O6Gk2aAygF88u4nt8OIDIDzwKLBSSMy xLt0D9Gbav+zzdGiOQ6ElF87YACS7r/k5n47yxW53dqGAfTdL3s�mW
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Krenn
  Sun Jun 7 03:07:26 2026
  from Sydney, Nsw via Telnet
- Krenn
  Sun Jun 7 01:30:12 2026
  from Sydney, Nsw via Telnet
- Centurion
  Sat Jun 6 23:27:30 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Sat Jun 6 15:42:53 2026
  from Sheboygan, Wi via Telnet
- Centurion
  Sat Jun 6 15:32:28 2026
  from Berea, Ohio via Telnet
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (0 / 16)
Uptime:	162:14:11
Calls:	12,094
Calls today:	2
Files:	15,000
Messages:	6,517,780

[gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` form

Who's Online

Recent Visitors

System Info