[linux] 01/01: [rt] genpatch.py: Verify tag and tarball signatures
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit b5cdf98158932b245db302dc0fd3c82dee437f7b
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Jan 25 04:24:09 2017 +0000
[rt] genpatch.py: Verify tag and tarball signatures
---
debian/bin/git-tag-gpg-wrapper | 2 +-
debian/changelog | 1 +
debian/patches/features/all/rt/genpatch.py | 41 ++++++++++++++++++++++++-----
debian/source/include-binaries | 1 +
debian/upstream/rt-signing-key.pgp | Bin 0 -> 13892 bytes
5 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/debian/bin/git-tag-gpg-wrapper b/debian/bin/git-tag-gpg-wrapper
index 58e1750..9982b01 100755
--- a/debian/bin/git-tag-gpg-wrapper
+++ b/debian/bin/git-tag-gpg-wrapper
@@ -30,4 +30,4 @@ while true; do
esac
done
-exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
+exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/${DEBIAN_KERNEL_KEYRING:-signing-key.pgp}" -- "$@"
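Review bot: The keyring file name now comes from the environment, and the wrapper neither documents `DEBIAN_KERNEL_KEYRING` nor constrains it, so a value containing `/` or `..` selects a file outside `$debian_dir/upstream/`. The only setter visible in this commit is genpatch.py, so the exposure is limited to whatever sets the variable before running git, but a guard such as `case "$DEBIAN_KERNEL_KEYRING" in */*) echo "DEBIAN_KERNEL_KEYRING must be a bare file name" >&2; exit 1;; esac` before the `exec` keeps the lookup inside the intended directory. A comment above the `exec` line naming the variable, its default and the bare-file-name requirement would also help; the `while` loop and option parsing begin outside the hunk.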
diff --git a/debian/changelog b/debian/changelog
index feb3850..1532202 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -363,6 +363,7 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
* [arm64] video/fbdev: Change FB from module to built-in
* [arm64,armhf] video/fbdev: Enable FB_EFI (Closes: #851778)
* fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
+ * [rt] genpatch.py: Verify tag and tarball signatures
[ Salvatore Bonaccorso ]
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
diff --git a/debian/patches/features/all/rt/genpatch.py b/debian/patches/features/all/rt/genpatch.py
index 6253a4e..eb3792d 100755
--- a/debian/patches/features/all/rt/genpatch.py
+++ b/debian/patches/features/all/rt/genpatch.py
@@ -1,6 +1,6 @@
#!/usr/bin/python3
-import errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
+import codecs, errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
def main(source, version=None):
patch_dir = 'debian/patches'
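Review bot: The new `codecs` import exists only to call `codecs.decode(verify_output)` later in the file, which for a bytes value is the same as `verify_output.decode()`; using the method keeps the import list unchanged. `main` continues outside the hunk.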
@@ -44,13 +44,25 @@ def main(source, version=None):
if os.path.isdir(os.path.join(source, '.git')):
# Export rebased branch from stable-rt git as patch series
up_ver = re.sub(r'-rt\d+$', '', version)
- args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
env = os.environ.copy()
env['GIT_DIR'] = os.path.join(source, '.git')
- child = subprocess.Popen(args,
- cwd=os.path.join(patch_dir, rt_patch_dir),
- env=env, stdout=subprocess.PIPE)
- with io.open(child.stdout.fileno(), encoding='utf-8') as pipe:
+ env['DEBIAN_KERNEL_KEYRING'] = 'rt-signing-key.pgp'
+
+ # Validate tag signature
+ gpg_wrapper = os.path.join(os.getcwd(),
+ "debian/bin/git-tag-gpg-wrapper")
+ verify_proc = subprocess.Popen(['git',
+ '-c', 'gpg.program=%s' % gpg_wrapper,
+ 'tag', '-v', 'v%s-rebase' % version],
+ env=env)
+ if verify_proc.wait():
+ raise RuntimeError("GPG tag verification failed")
+
+ args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
+ format_proc = subprocess.Popen(args,
+ cwd=os.path.join(patch_dir, rt_patch_dir),
+ env=env, stdout=subprocess.PIPE)
+ with io.open(format_proc.stdout.fileno(), encoding='utf-8') as pipe:
for line in pipe:
name = line.strip('\n')
with open(os.path.join(patch_dir, rt_patch_dir, name)) as \
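Review bot: Only the `v<version>-rebase` tag is verified, while the `git format-patch` range also starts at `v<up_ver>`, whose tag is not checked; a substituted base tag changes which commits are exported (all still reachable from the verified head, so their content is authentic but the selection is not). A second `git tag -v` of `'v%s' % up_ver` through the same wrapper, run with `DEBIAN_KERNEL_KEYRING` unset so the wrapper falls back to its default keyring (presumably the one holding the upstream tag key), would close that gap. As a point of style, `subprocess.Popen(...)` followed by `.wait()` is `subprocess.check_call(...)`, whose `CalledProcessError` carries the command, replacing the `if verify_proc.wait(): raise RuntimeError(...)` pair. `main` starts outside the hunk.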
@@ -60,6 +72,7 @@ def main(source, version=None):
assert match
origin = 'https://git.kernel.org/cgit/linux/kernel/git/rt/linux-stable-rt.git/commit?id=%s' % match.group(1)
add_patch(name, source_patch, origin)
+
else:
# Get version and upstream version
if version is None:
@@ -70,6 +83,22 @@ def main(source, version=None):
assert match, 'could not parse version string'
up_ver = match.group(1)
+ # Expect an accompanying signature, and validate it
+ source_sig = re.sub(r'.[gx]z$', '.sign', source)
+ unxz_proc = subprocess.Popen(['xzcat', source],
+ stdout=subprocess.PIPE)
+ verify_output = subprocess.check_output(
+ ['gpgv', '--status-fd', '1',
+ '--keyring', 'debian/upstream/rt-signing-key.pgp',
+ '--ignore-time-conflict', source_sig, '-'],
+ stdin=unxz_proc.stdout)
+ if unxz_proc.wait() or \
+ not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s',
+ codecs.decode(verify_output),
+ re.MULTILINE):
+ os.write(2, verify_output) # bytes not str!
+ raise RuntimeError("GPG signature verification failed")
+
temp_dir = tempfile.mkdtemp(prefix='rt-genpatch', dir='debian')
try:
# Unpack tarball
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index a610508..f9b9653 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1 +1,2 @@
+debian/upstream/rt-signing-key.pgp
debian/upstream/signing-key.pgp
diff --git a/debian/upstream/rt-signing-key.pgp b/debian/upstream/rt-signing-key.pgp
new file mode 100644
index 0000000..f55b064
Binary files /dev/null and b/debian/upstream/rt-signing-key.pgp differ