From: David Schweikert Date: Thu, 25 Dec 2025 10:50:37 +0000 (+0100) Subject: Implement GPG verification of autotools tarballs X-Git-Tag: v5.5~10 X-Git-Url: https://git.gsnw.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bfe33f608b495d97c72773433933c1642e421a5;p=fping.git Implement GPG verification of autotools tarballs --- diff --git a/CHANGELOG.md b/CHANGELOG.md index 7560f01..5b78c4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -43,6 +43,7 @@ fping 5.5-rc1 (2025-12-21) - Updated autoconf from 2.71 to 2.72 - Updated automake from 1.16.5 to 1.18.1 - Updated libtool from 2.4.6 to 2.5.4 +- Implemented verification of autotools tarballs in Github actions. fping 5.4 (2025-04-19) ====================== diff --git a/ci/build-1-autotools.sh b/ci/build-1-autotools.sh index c72d923..1a4c028 100755 --- a/ci/build-1-autotools.sh +++ b/ci/build-1-autotools.sh @@ -10,8 +10,8 @@ fi # We keep our own list of mirrors because https://ftpmirror.gnu.org is # unreliable (frequent errors from selected mirror). MIRRORS=( - https://mirror.cs.odu.edu/gnu https://mirrors.ocf.berkeley.edu/gnu + https://mirror.cs.odu.edu/gnu https://ftp.gnu.org/gnu ) @@ -21,6 +21,7 @@ LIBTOOL_REL=libtool/libtool-2.5.4.tar.gz PREFIX=$(pwd)/ci/build PATH=$(pwd)/ci/build/bin:$PATH +KEYRING=$(pwd)/ci/fping-deps.gpg if [ ! -d ci ]; then echo "you must run this in the root fping directory" >&2 
@@ -30,38 +31,53 @@ fi # remove standard versions sudo apt-get remove -qq autoconf automake autotools-dev libtool +# install dependencies +sudo apt-get install -y gpgv + # prepare build environment cd ci rm -rf build mkdir -p build/src cd build/src -install_release() { - local relpath=$1 - local file=$(basename "$relpath") - local dir="${file%%.tar.*}" - - local success=0 +mirror_fetch() { + local relpath="$1" for mirror in "${MIRRORS[@]}"; do local url="$mirror/$relpath" - if wget -t 3 -O "$file" "$url"; then - success=1 - break + if wget -t 3 "$url"; then + return 0 fi done + return 1 +} + +install_release() { + local relpath="$1" + local file=$(basename "$relpath") + local dir="${file%%.tar.*}" - if [ $success -eq 0 ]; then + if ! mirror_fetch "$relpath"; then echo "Failed to download $relpath from any mirror" >&2 exit 1 fi + if ! mirror_fetch "$relpath.sig"; then + echo "Failed to download $relpath.sig from any mirror" >&2 + exit 1 + fi + + if ! gpgv --keyring "$KEYRING" "$file.sig" "$file"; then + echo "GPG verification failed for $file" + exit 1 + fi + tar xf "$file" ( cd "$dir" ./configure --prefix=$PREFIX make install ) - rm "$file" + rm "$file" "$file.sig" } # autoconf diff --git a/ci/fping-deps.gpg b/ci/fping-deps.gpg new file mode 100644 index 0000000..d0b657d Binary files /dev/null and b/ci/fping-deps.gpg differ diff --git a/ci/update-keyring.sh b/ci/update-keyring.sh new file mode 100755 index 0000000..fd168a1 --- /dev/null +++ b/ci/update-keyring.sh 
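Review bot: `mirror_fetch` drops the `-O "$file"` the old download loop had, so wget now derives the output name from the URL, and when a first mirror fails after leaving a partial `autoconf-2.72.tar.gz` behind, the next mirror's copy is written as `autoconf-2.72.tar.gz.1` while `install_release` goes on to run `gpgv` and `tar xf` on the stale partial file. gpgv would reject that file, so it fails closed, but the build then dies on exactly the mirror hiccup the retry loop exists to survive; passing the destination explicitly restores the old behaviour: `if wget -t 3 -O "$(basename "$relpath")" "$url"; then`. Two smaller points in the same hunk: the new `echo "GPG verification failed for $file"` is the only failure message not sent to stderr (add `>&2` like the download errors), and since gpgv treats every key in `ci/fping-deps.gpg` as trusted, the check is only as strong as that committed binary, so a PR that touches the keyring deserves the same scrutiny as one that touches this script.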
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+# Configuration
+GNU_KEYRING_URL="https://ftp.gnu.org/gnu/gnu-keyring.gpg"
+TMP_KEYRING="gnu-keyring.gpg"
+OUTPUT_KEYRING="ci/fping-deps.gpg"
+
+# Maintainer emails to extract their keys from the GNU keyring.
+MAINTAINER_EMAILS=(
+ "zackw@panix.com" # Autoconf: Zack Weinberg
+ "karl@freefriends.org" # Automake: Karl Berry
+ "ileanadumi95@protonmail.com" # Libtool: Ileana Dumitrescu
+)
+
+# Step 1: Initialize an isolated environment to avoid side effects.
+export GNUPGHOME="$(mktemp -d)"
+chmod 700 "$GNUPGHOME"
+echo "Initialized isolated GNUPGHOME at $GNUPGHOME"
+cleanup() {
+ rm -rf "$GNUPGHOME"
+ rm -f "$TMP_KEYRING"
+ echo "Cleaned up."
+}
+trap cleanup EXIT
+
+# Step 2: Download the official GNU Keyring (relies on https certificate checking).
+echo "Downloading GNU Keyring from $GNU_KEYRING_URL"...
+wget -q -O "$TMP_KEYRING" "$GNU_KEYRING_URL"
+
+# Step 3: Extract the specific keys we need.
+echo "Extracting maintainer keys from GNU Keyring..."
+for EMAIL in "${MAINTAINER_EMAILS[@]}"; do
+ # Verify that the key exists in the keyring
+ if ! gpg --no-default-keyring --keyring "./$TMP_KEYRING" --list-keys "$EMAIL" > /dev/null 2>&1; then
+ echo "Error: No key found for $EMAIL in GNU Keyring!"
+ exit 1
+ fi
+ echo "Found key(s) for $EMAIL"
+done
+
+# Export specific keys to our project keyring.
+gpg --no-default-keyring --keyring "./$TMP_KEYRING" --export \
+ "${MAINTAINER_EMAILS[@]}" \
+ > "$OUTPUT_KEYRING"
+
+echo "Success! Updated $OUTPUT_KEYRING with keys from the official GNU Keyring."
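Review bot: The keys are selected by e-mail address, and gpg treats a non-fingerprint argument to `--list-keys`/`--export` as a substring match on user IDs, so every key in the GNU keyring whose UID contains one of those strings — an old, revoked or look-alike key included — is exported and then fully trusted by gpgv on the build side; the `--list-keys` check in the loop only confirms that at least one match exists. Pin the expected full fingerprint for each maintainer (taken from the release announcement, not read back from the keyring), read the first primary fingerprint with `fpr=$(gpg --no-default-keyring --keyring "./$TMP_KEYRING" --with-colons --fingerprint "$EMAIL" | awk -F: '$1=="fpr"{print $10; exit}')`, fail if it differs from the pinned value, and pass the fingerprints rather than `"${MAINTAINER_EMAILS[@]}"` to `--export`. Two minor points: `echo "Downloading GNU Keyring from $GNU_KEYRING_URL"...` leaves the `...` outside the quotes (harmless, but presumably meant to be inside), and `rm -rf "$GNUPGHOME"` in `cleanup` is safer as `rm -rf -- "${GNUPGHOME:?}"` so an unset variable can never turn it into `rm -rf ""`.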