[rt] genpatch.py: Verify tag and tarball signatures
parent
6dea280bae
commit
b5cdf98158
|
@ -30,4 +30,4 @@ while true; do
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
|
exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/${DEBIAN_KERNEL_KEYRING:-signing-key.pgp}" -- "$@"
|
||||||
|
|
|
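Review bot: The keyring on the new exec line is now chosen by the caller's environment, so any stray `DEBIAN_KERNEL_KEYRING` inherited by git (or a value containing `/`) silently changes which trust root gpgv verifies against. A guard that keeps the value to a bare file name under `$debian_dir/upstream` makes the intent explicit, e.g. `case "${DEBIAN_KERNEL_KEYRING:-}" in */*) echo "DEBIAN_KERNEL_KEYRING must be a bare file name" >&2; exit 1;; esac` placed before the exec. A one-line comment would also help the next reader: `# DEBIAN_KERNEL_KEYRING selects the keyring under $debian_dir/upstream; defaults to signing-key.pgp`. The wrapper's option-parsing loop begins before this hunk.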
@ -363,6 +363,7 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
|
||||||
* [arm64] video/fbdev: Change FB from module to built-in
|
* [arm64] video/fbdev: Change FB from module to built-in
|
||||||
* [arm64,armhf] video/fbdev: Enable FB_EFI (Closes: #851778)
|
* [arm64,armhf] video/fbdev: Enable FB_EFI (Closes: #851778)
|
||||||
* fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
|
* fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
|
||||||
|
* [rt] genpatch.py: Verify tag and tarball signatures
|
||||||
|
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/python3
|
#!/usr/bin/python3
|
||||||
|
|
||||||
import errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
|
import codecs, errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
|
||||||
|
|
||||||
def main(source, version=None):
|
def main(source, version=None):
|
||||||
patch_dir = 'debian/patches'
|
patch_dir = 'debian/patches'
|
||||||
|
@ -44,13 +44,25 @@ def main(source, version=None):
|
||||||
if os.path.isdir(os.path.join(source, '.git')):
|
if os.path.isdir(os.path.join(source, '.git')):
|
||||||
# Export rebased branch from stable-rt git as patch series
|
# Export rebased branch from stable-rt git as patch series
|
||||||
up_ver = re.sub(r'-rt\d+$', '', version)
|
up_ver = re.sub(r'-rt\d+$', '', version)
|
||||||
args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
|
|
||||||
env = os.environ.copy()
|
env = os.environ.copy()
|
||||||
env['GIT_DIR'] = os.path.join(source, '.git')
|
env['GIT_DIR'] = os.path.join(source, '.git')
|
||||||
child = subprocess.Popen(args,
|
env['DEBIAN_KERNEL_KEYRING'] = 'rt-signing-key.pgp'
|
||||||
cwd=os.path.join(patch_dir, rt_patch_dir),
|
|
||||||
env=env, stdout=subprocess.PIPE)
|
# Validate tag signature
|
||||||
with io.open(child.stdout.fileno(), encoding='utf-8') as pipe:
|
gpg_wrapper = os.path.join(os.getcwd(),
|
||||||
|
"debian/bin/git-tag-gpg-wrapper")
|
||||||
|
verify_proc = subprocess.Popen(['git',
|
||||||
|
'-c', 'gpg.program=%s' % gpg_wrapper,
|
||||||
|
'tag', '-v', 'v%s-rebase' % version],
|
||||||
|
env=env)
|
||||||
|
if verify_proc.wait():
|
||||||
|
raise RuntimeError("GPG tag verification failed")
|
||||||
|
|
||||||
|
args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
|
||||||
|
format_proc = subprocess.Popen(args,
|
||||||
|
cwd=os.path.join(patch_dir, rt_patch_dir),
|
||||||
|
env=env, stdout=subprocess.PIPE)
|
||||||
|
with io.open(format_proc.stdout.fileno(), encoding='utf-8') as pipe:
|
||||||
for line in pipe:
|
for line in pipe:
|
||||||
name = line.strip('\n')
|
name = line.strip('\n')
|
||||||
with open(os.path.join(patch_dir, rt_patch_dir, name)) as \
|
with open(os.path.join(patch_dir, rt_patch_dir, name)) as \
|
||||||
|
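Review bot: Only the `v%s-rebase` end of the range is verified by the new `git tag -v` call, while the `v%s` base tag that `git format-patch` uses a few lines later is taken on trust, so a replaced base tag in the stable-rt clone would change the exported series without tripping the check. Since the base is presumably an upstream tag signed with a key in the default keyring, it can be verified with the same wrapper before `DEBIAN_KERNEL_KEYRING` is set in `env` (the copy made two lines earlier still carries the default) — worth confirming that key is present in `signing-key.pgp`. `format_proc`'s exit status is also never inspected, so a failing format-patch produces an empty series silently; `if format_proc.wait(): raise RuntimeError("git format-patch failed")` after the `with` block would close that. main() continues beyond this hunk.
```python
env['GIT_DIR'] = os.path.join(source, '.git')
# Verify the upstream base tag with the default keyring before
# switching to the -rt keyring for the rebase tag.
gpg_wrapper = os.path.join(os.getcwd(), "debian/bin/git-tag-gpg-wrapper")
if subprocess.call(['git', '-c', 'gpg.program=%s' % gpg_wrapper,
                    'tag', '-v', 'v%s' % up_ver], env=env):
    raise RuntimeError("GPG tag verification failed for base tag")
env['DEBIAN_KERNEL_KEYRING'] = 'rt-signing-key.pgp'
# … unchanged: rebase tag verification and format-patch …
```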
@ -60,6 +72,7 @@ def main(source, version=None):
|
||||||
assert match
|
assert match
|
||||||
origin = 'https://git.kernel.org/cgit/linux/kernel/git/rt/linux-stable-rt.git/commit?id=%s' % match.group(1)
|
origin = 'https://git.kernel.org/cgit/linux/kernel/git/rt/linux-stable-rt.git/commit?id=%s' % match.group(1)
|
||||||
add_patch(name, source_patch, origin)
|
add_patch(name, source_patch, origin)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
# Get version and upstream version
|
# Get version and upstream version
|
||||||
if version is None:
|
if version is None:
|
||||||
|
@ -70,6 +83,22 @@ def main(source, version=None):
|
||||||
assert match, 'could not parse version string'
|
assert match, 'could not parse version string'
|
||||||
up_ver = match.group(1)
|
up_ver = match.group(1)
|
||||||
|
|
||||||
|
# Expect an accompanying signature, and validate it
|
||||||
|
source_sig = re.sub(r'.[gx]z$', '.sign', source)
|
||||||
|
unxz_proc = subprocess.Popen(['xzcat', source],
|
||||||
|
stdout=subprocess.PIPE)
|
||||||
|
verify_output = subprocess.check_output(
|
||||||
|
['gpgv', '--status-fd', '1',
|
||||||
|
'--keyring', 'debian/upstream/rt-signing-key.pgp',
|
||||||
|
'--ignore-time-conflict', source_sig, '-'],
|
||||||
|
stdin=unxz_proc.stdout)
|
||||||
|
if unxz_proc.wait() or \
|
||||||
|
not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s',
|
||||||
|
codecs.decode(verify_output),
|
||||||
|
re.MULTILINE):
|
||||||
|
os.write(2, verify_output) # bytes not str!
|
||||||
|
raise RuntimeError("GPG signature verification failed")
|
||||||
|
|
||||||
temp_dir = tempfile.mkdtemp(prefix='rt-genpatch', dir='debian')
|
temp_dir = tempfile.mkdtemp(prefix='rt-genpatch', dir='debian')
|
||||||
try:
|
try:
|
||||||
# Unpack tarball
|
# Unpack tarball
|
||||||
|
|
|
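Review bot: The `.` in `re.sub(r'.[gx]z$', '.sign', source)` is unescaped, so it matches any character rather than a literal dot; `r'\.[gx]z$'` is what is meant, and when `source` matches neither suffix `source_sig` equals `source`, so gpgv is asked to check the tarball against itself and fails with a confusing message — raising explicitly in that case would be clearer. The pattern also admits `.gz` while the data is piped through `xzcat` only, so a gzip tarball would fail verification instead of being decompressed; either drop `g` from the character class or choose the decompressor by suffix. `codecs.decode(verify_output)` is just `verify_output.decode()`, which would also make the new `codecs` import unnecessary. `--ignore-time-conflict` relaxes gpgv's timestamp checks, and a short comment on why it is needed here would help a future reader. main() continues beyond this hunk.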
@ -1 +1,2 @@
|
||||||
|
debian/upstream/rt-signing-key.pgp
|
||||||
debian/upstream/signing-key.pgp
|
debian/upstream/signing-key.pgp
|
||||||
|
|
Binary file not shown.