| Current File : //bin/dscverify |
#!/usr/bin/perl
# This program takes .changes or .dsc files as arguments and verifies
# that they're properly signed by a Debian developer, and that the local
# copies of the files mentioned in them match the MD5 sums given.
# Copyright 1998 Roderick Schertler <roderick@argon.org>
# Modifications copyright 1999,2000,2002 Julian Gilbey <jdg@debian.org>
# Drastically simplified to match katie's signature checking Feb 2002
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
use 5.004; # correct pipe close behavior
use strict;
use warnings;
use Cwd;
use Fcntl;
use Digest::MD5;
use Dpkg::IPC;
use File::HomeDir;
use File::Spec;
use File::Temp;
use File::Basename;
use POSIX qw(:errno_h);
use Getopt::Long qw(:config bundling permute no_getopt_compat);
use List::Util qw(first);
my $progname = basename $0;
my $modified_conf_msg;
my $Exit = 0;
my $start_dir = cwd;
my $verify_sigs = 1;
my $use_default_keyrings = 1;
my $verbose = 0;
my $havegpg = first { !system('sh', '-c', "command -v $_ >/dev/null 2>&1") }
qw(gpg2 gpg);
sub usage {
print <<"EOF";
Usage: $progname [options] changes-or-buildinfo-dsc-file ...
Options: --help Display this message
--version Display version and copyright information
--keyring <keyring>
Add <keyring> to the list of keyrings used
--no-default-keyrings
Do not check against the default keyrings
--nosigcheck, --no-sig-check, -u
Do not verify the GPG signature
--no-conf, --noconf
Do not read the devscripts config file
--verbose
Do not suppress GPG output.
Default settings modified by devscripts configuration files:
$modified_conf_msg
EOF
}
my $version = <<"EOF";
This is $progname, from the Debian devscripts package, version 2.22.1ubuntu1
This code is copyright 1998 Roderick Schertler <roderick\@argon.org>
Modifications are copyright 1999, 2000, 2002 Julian Gilbey <jdg\@debian.org>
This program comes with ABSOLUTELY NO WARRANTY.
You are free to redistribute this code under the terms of the
GNU General Public License, version 2 or later.
EOF
sub xwarndie_mess {
my @mess = ("$progname: ", @_);
$mess[$#mess] =~ s/:$/: $!\n/; # XXX loses if it's really /:\n/
return @mess;
}
sub xwarn {
warn xwarndie_mess @_;
$Exit ||= 1;
}
sub xdie {
die xwarndie_mess @_;
}
sub get_rings {
my @rings = @_;
my @keyrings = qw(/usr/share/keyrings/debian-keyring.gpg
/usr/share/keyrings/debian-maintainers.gpg
/usr/share/keyrings/debian-nonupload.gpg);
$ENV{HOME} = File::HomeDir->my_home;
if (defined $ENV{HOME} && -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
unshift(@keyrings, "$ENV{HOME}/.gnupg/trustedkeys.gpg");
}
unshift(@keyrings, '/srv/keyring.debian.org/keyrings/debian-keyring.gpg');
if (system('dpkg-vendor', '--derives-from', 'Ubuntu') == 0) {
unshift(
@keyrings, qw(/usr/share/keyrings/ubuntu-master-keyring.gpg
/usr/share/keyrings/ubuntu-archive-keyring.gpg)
);
}
for (@keyrings) {
push @rings, $_ if -r;
}
return @rings if @rings;
xdie "can't find any system keyrings\n";
}
sub check_signature($\@;\$) {
my ($file, $rings, $outref) = @_;
my $fh = eval { File::Temp->new() }
or xdie "unable to open status file for gpg: $@\n";
# Allow the status file descriptor to pass on to the child process
my $flags = fcntl($fh, F_GETFD, 0);
fcntl($fh, F_SETFD, $flags & ~FD_CLOEXEC);
my $fd = fileno $fh;
my @cmd;
push @cmd, $havegpg, "--status-fd", $fd,
qw(--batch --no-options --no-default-keyring --always-trust);
foreach (@$rings) { push @cmd, '--keyring'; push @cmd, $_; }
push @cmd, '--verify', '--output', '-';
my ($out, $err) = ('', '');
eval {
spawn(
exec => \@cmd,
from_file => $file,
to_string => \$out,
error_to_string => \$err,
wait_child => 1
);
};
if ($@) {
print $out if ($verbose);
return $err || $@;
}
print $err if ($verbose);
seek($fh, 0, SEEK_SET);
my $status;
$status .= $_ while <$fh>;
close $fh;
if ($status !~ m/^\[GNUPG:\] VALIDSIG/m) {
return $out;
}
if (defined $outref) {
$$outref = $out;
}
return '';
}
sub process_file {
my ($file, @rings) = @_;
my ($filedir, $filebase);
my $sigcheck;
print "$file:\n";
# Move to the directory in which the file appears to live
chdir $start_dir or xdie "can't chdir to original directory!\n";
if ($file =~ m-(.*)/([^/]+)-) {
$filedir = $1;
$filebase = $2;
unless (chdir $filedir) {
xwarn "can't chdir $filedir:";
return;
}
} else {
$filebase = $file;
}
my $out;
if ($verify_sigs) {
$sigcheck = check_signature $filebase, @rings, $out;
if ($sigcheck) {
xwarn "$file failed signature check:\n$sigcheck";
return;
} else {
print " Good signature found\n";
}
} else {
if (!open SIGNED, '<', $filebase) {
xwarn "can't open $file:";
return;
}
$out = do { local $/; <SIGNED> };
if (!close SIGNED) {
xwarn "problem reading $file:";
return;
}
}
if ($file =~ /\.(changes|buildinfo)$/ and $out =~ /^Format:\s*(.*)$/mi) {
my $format = $1;
unless ($format =~ /^(\d+)\.(\d+)$/) {
xwarn "$file has an unrecognised format: $format\n";
return;
}
my ($major, $minor) = split /\./, $format;
$major += 0;
$minor += 0;
if (
$file =~ /\.changes$/ and ($major != 1 or $minor > 8)
or $file =~ /\.buildinfo$/ and (($major != 0 or $minor > 2)
and ($major != 1 or $minor > 0))
) {
xwarn "$file is an unsupported format: $format\n";
return;
}
}
my @spec = map { split /\n/ }
$out =~ /^(?:Checksums-Md5|Files):\s*\n((?:[ \t]+.*\n)+)/mgi;
unless (@spec) {
xwarn "no file spec lines in $file\n";
return;
}
my @checksums = map { split /\n/ } $out =~ /^Checksums-(\S+):\s*\n/mgi;
@checksums = grep { !/^(Md5|Sha(1|256))$/i } @checksums;
if (@checksums) {
xwarn "$file contains unsupported checksums:\n"
. join(", ", @checksums) . "\n";
return;
}
my %sha1s = map { reverse split /(\S+)\s*$/m }
$out =~ /^Checksums-Sha1:\s*\n((?:[ \t]+.*\n)+)/mgi;
my %sha256s = map { reverse split /(\S+)\s*$/m }
$out =~ /^Checksums-Sha256:\s*\n((?:[ \t]+.*\n)+)/mgi;
my $md5o = Digest::MD5->new or xdie "can't initialize MD5\n";
my $any;
for (@spec) {
unless (/^\s+([0-9a-f]{32})\s+(\d+)\s+(?:\S+\s+\S+\s+)?(\S+)\s*$/) {
xwarn "invalid file spec in $file `$_'\n";
next;
}
my ($md5, $size, $filename) = ($1, $2, $3);
my ($sha1, $sha1size, $sha256, $sha256size);
$filename !~ m,[/\x00],
or xdie "File name contains invalid characters: $file";
if (keys %sha1s) {
$sha1 = $sha1s{$filename};
unless (defined $sha1) {
xwarn "no sha1 for `$filename' in $file\n";
next;
}
unless ($sha1 =~ /^\s+([0-9a-f]{40})\s+(\d+)\s*$/) {
xwarn "invalid sha1 spec in $file `$sha1'\n";
next;
}
($sha1, $sha1size) = ($1, $2);
} else {
$sha1size = $size;
}
if (keys %sha256s) {
$sha256 = $sha256s{$filename};
unless (defined $sha256) {
xwarn "no sha256 for `$filename' in $file\n";
next;
}
unless ($sha256 =~ /^\s+([0-9a-f]{64})\s+(\d+)\s*$/) {
xwarn "invalid sha256 spec in $file `$sha256'\n";
next;
}
($sha256, $sha256size) = ($1, $2);
} else {
$sha256size = $size;
}
unless (open FILE, '<', $filename) {
if ($! == ENOENT) {
print STDERR " skipping $filename (not present)\n";
} else {
xwarn "can't read $filename:";
}
next;
}
$any = 1;
print " validating $filename\n";
# size
my $this_size = -s FILE;
unless (defined $this_size) {
xwarn "can't fstat $filename:";
next;
}
unless ($this_size == $size) {
xwarn
"invalid file length for $filename (wanted $size got $this_size)\n";
next;
}
unless ($this_size == $sha1size) {
xwarn
"invalid sha1 file length for $filename (wanted $sha1size got $this_size)\n";
next;
}
unless ($this_size == $sha256size) {
xwarn
"invalid sha256 file length for $filename (wanted $sha256size got $this_size)\n";
next;
}
# MD5
$md5o->reset;
$md5o->addfile(*FILE);
my $this_md5 = $md5o->hexdigest;
unless ($this_md5 eq $md5) {
xwarn "MD5 mismatch for $filename (wanted $md5 got $this_md5)\n";
next;
}
my $this_sha1;
eval {
spawn(
exec => ['sha1sum', $filename],
to_string => \$this_sha1,
wait_child => 1
);
};
($this_sha1) = split /\s/, $this_sha1, 2;
$this_sha1 ||= '';
unless (!keys %sha1s or $this_sha1 eq $sha1) {
xwarn
"SHA1 mismatch for $filename (wanted $sha1 got $this_sha1)\n";
next;
}
my $this_sha256;
eval {
spawn(
exec => ['sha256sum', $filename],
to_string => \$this_sha256,
wait_child => 1
);
};
($this_sha256) = split /\s/, $this_sha256, 2;
$this_sha256 ||= '';
unless (!keys %sha256s or $this_sha256 eq $sha256) {
xwarn
"SHA256 mismatch for $filename (wanted $sha256 got $this_sha256)\n";
next;
}
close FILE;
if ($filename =~ /\.(?:dsc|buildinfo)$/ && $verify_sigs) {
$sigcheck = check_signature $filename, @rings;
if ($sigcheck) {
xwarn "$filename failed signature check:\n$sigcheck";
next;
} else {
print " Good signature found\n";
}
}
}
$any
or xwarn "$file didn't specify any files present locally\n";
}
sub main {
@ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n";
my @rings;
# Handle config file unless --no-conf or --noconf is specified
# The next stuff is boilerplate
if (@ARGV and $ARGV[0] =~ /^--no-?conf$/) {
$modified_conf_msg = " (no configuration files read)";
shift @ARGV;
} else {
my @config_files = ('/etc/devscripts.conf', '~/.devscripts');
my %config_vars = ('DSCVERIFY_KEYRINGS' => '',);
my %config_default = %config_vars;
my $shell_cmd;
# Set defaults
foreach my $var (keys %config_vars) {
$shell_cmd .= "$var='$config_vars{$var}';\n";
}
$shell_cmd .= 'for file in ' . join(" ", @config_files) . "; do\n";
$shell_cmd .= '[ -f $file ] && . $file; done;' . "\n";
# Read back values
foreach my $var (keys %config_vars) { $shell_cmd .= "echo \$$var;\n" }
my $shell_out = `/bin/bash -c '$shell_cmd'`;
@config_vars{ keys %config_vars } = split /\n/, $shell_out, -1;
foreach my $var (sort keys %config_vars) {
if ($config_vars{$var} ne $config_default{$var}) {
$modified_conf_msg .= " $var=$config_vars{$var}\n";
}
}
$modified_conf_msg ||= " (none)\n";
chomp $modified_conf_msg;
$config_vars{'DSCVERIFY_KEYRINGS'} =~ s/^\s*:\s*//;
$config_vars{'DSCVERIFY_KEYRINGS'} =~ s/\s*:\s*$//;
@rings = split /\s*:\s*/, $config_vars{'DSCVERIFY_KEYRINGS'};
}
GetOptions(
'help' => sub { usage; exit 0; },
'version' => sub { print $version; exit 0; },
'sigcheck|sig-check!' => \$verify_sigs,
'u' => sub { $verify_sigs = 0 },
'noconf|no-conf' => sub {
die
"--$_[0] is only acceptable as the first command-line option!\n";
},
'default-keyrings!' => \$use_default_keyrings,
'keyring=s@' => sub {
my $ring = $_[1];
if (-r $ring) { push @rings, $ring; }
else { die "Keyring $ring unreadable\n" }
},
'verbose' => \$verbose,
)
or do {
usage;
exit 1;
};
@ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n";
@rings = get_rings @rings if $use_default_keyrings and $verify_sigs;
for my $file (@ARGV) {
process_file $file, @rings;
}
return 0;
}
$Exit = main || $Exit;
$Exit = 1 if $Exit and not $Exit % 256;
if ($Exit) { print STDERR "Validation FAILED!!\n"; }
else { print "All files validated successfully.\n"; }
exit $Exit;