[rt] genpatch.py: Verify tag and tarball signatures
This commit is contained in:
Ben Hutchings
parent
6dea280bae
commit
b5cdf98158
|
|
@ -30,4 +30,4 @@ while true; do
|
|||
esac
|
||||
done
|
||||
|
||||
exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
|
||||
exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/${DEBIAN_KERNEL_KEYRING:-signing-key.pgp}" -- "$@"
|
||||
|
|
|
|||
|
|
@ -363,6 +363,7 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
|
|||
* [arm64] video/fbdev: Change FB from module to built-in
|
||||
* [arm64,armhf] video/fbdev: Enable FB_EFI (Closes: #851778)
|
||||
* fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
|
||||
* [rt] genpatch.py: Verify tag and tarball signatures
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/python3
|
||||
|
||||
import errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
|
||||
import codecs, errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
|
||||
|
||||
def main(source, version=None):
|
||||
patch_dir = 'debian/patches'
|
||||
|
|
@ -44,13 +44,25 @@ def main(source, version=None):
|
|||
if os.path.isdir(os.path.join(source, '.git')):
|
||||
# Export rebased branch from stable-rt git as patch series
|
||||
up_ver = re.sub(r'-rt\d+$', '', version)
|
||||
args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
|
||||
env = os.environ.copy()
|
||||
env['GIT_DIR'] = os.path.join(source, '.git')
|
||||
child = subprocess.Popen(args,
|
||||
cwd=os.path.join(patch_dir, rt_patch_dir),
|
||||
env=env, stdout=subprocess.PIPE)
|
||||
with io.open(child.stdout.fileno(), encoding='utf-8') as pipe:
|
||||
env['DEBIAN_KERNEL_KEYRING'] = 'rt-signing-key.pgp'
|
||||
|
||||
# Validate tag signature
|
||||
gpg_wrapper = os.path.join(os.getcwd(),
|
||||
"debian/bin/git-tag-gpg-wrapper")
|
||||
verify_proc = subprocess.Popen(['git',
|
||||
'-c', 'gpg.program=%s' % gpg_wrapper,
|
||||
'tag', '-v', 'v%s-rebase' % version],
|
||||
env=env)
|
||||
if verify_proc.wait():
|
||||
raise RuntimeError("GPG tag verification failed")
|
||||
|
||||
args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
|
||||
format_proc = subprocess.Popen(args,
|
||||
cwd=os.path.join(patch_dir, rt_patch_dir),
|
||||
env=env, stdout=subprocess.PIPE)
|
||||
with io.open(format_proc.stdout.fileno(), encoding='utf-8') as pipe:
|
||||
for line in pipe:
|
||||
name = line.strip('\n')
|
||||
with open(os.path.join(patch_dir, rt_patch_dir, name)) as \
|
||||
|
|
@ -60,6 +72,7 @@ def main(source, version=None):
|
|||
assert match
|
||||
origin = 'https://git.kernel.org/cgit/linux/kernel/git/rt/linux-stable-rt.git/commit?id=%s' % match.group(1)
|
||||
add_patch(name, source_patch, origin)
|
||||
|
||||
else:
|
||||
# Get version and upstream version
|
||||
if version is None:
|
||||
|
|
@ -70,6 +83,22 @@ def main(source, version=None):
|
|||
assert match, 'could not parse version string'
|
||||
up_ver = match.group(1)
|
||||
|
||||
# Expect an accompanying signature, and validate it
|
||||
source_sig = re.sub(r'.[gx]z$', '.sign', source)
|
||||
unxz_proc = subprocess.Popen(['xzcat', source],
|
||||
stdout=subprocess.PIPE)
|
||||
verify_output = subprocess.check_output(
|
||||
['gpgv', '--status-fd', '1',
|
||||
'--keyring', 'debian/upstream/rt-signing-key.pgp',
|
||||
'--ignore-time-conflict', source_sig, '-'],
|
||||
stdin=unxz_proc.stdout)
|
||||
if unxz_proc.wait() or \
|
||||
not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s',
|
||||
codecs.decode(verify_output),
|
||||
re.MULTILINE):
|
||||
os.write(2, verify_output) # bytes not str!
|
||||
raise RuntimeError("GPG signature verification failed")
|
||||
|
||||
temp_dir = tempfile.mkdtemp(prefix='rt-genpatch', dir='debian')
|
||||
try:
|
||||
# Unpack tarball
|
||||
|
|
|
|||
|
|
@ -1 +1,2 @@
|
|||
debian/upstream/rt-signing-key.pgp
|
||||
debian/upstream/signing-key.pgp
|
||||
|
|
|
|||
Binary file not shown.
Loading…
Reference in New Issue