Mailing List Archive

emerge-webrsync patch
Hi there,

Here is my patch for the emerge-webrsync script. If anyone has any
problems with it, please let me know.

You'll need to import the key that Kurt announced yesterday into a public
keyring somewhere on your system, then add the following line to your
/etc/make.conf file:

PORTAGE_KEYRING=/etc/pubring.gpg

Or wherever you keep it.

If the signature does not verify successfully, the script will delete
the files it downloaded (i.e. the files that failed will not be left on
your system to be accidentally used later).

Enjoy,
- Chris



--- /usr/sbin/emerge-webrsync 2004-09-02 16:21:52.000000000 -0400
+++ emerge-webrsync 2004-11-17 23:54:45.000000000 -0500
@@ -7,8 +7,15 @@

GENTOO_MIRRORS="$(/usr/lib/portage/bin/portageq gentoo_mirrors)"
PORTDIR="$(/usr/lib/portage/bin/portageq portdir)"
+KEYRING="$(grep "^PORTAGE_KEYRING=" /etc/make.conf | sed "s/^.*=//")"
syncpath="/var/tmp/emerge-webrsync"

+if [ -z "$KEYRING" ] ; then
+ echo "Please set PORTAGE_KEYRING in /etc/make.conf to the location"
+ echo "of your public keyring."
+ exit 1
+fi
+
if [ ! -d $syncpath ] ; then
mkdir -p $syncpath
fi
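Review bot: the KEYRING extraction in `+KEYRING="$(grep "^PORTAGE_KEYRING=" /etc/make.conf | sed "s/^.*=//")"` is fragile: `s/^.*=//` is greedy and strips everything up to the last `=` on the line, and any quotes around the value in make.conf (the usual style in that file) are kept as part of the path, so `gpg --keyring` is later handed a name containing literal quote characters. Consider reading the variable the same way `GENTOO_MIRRORS` and `PORTDIR` are read two lines above, through portageq (it has an `envvar` subcommand), which applies make.conf quoting rules for you; the `-z "$KEYRING"` guard that follows is a good addition either way.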
@@ -28,6 +35,17 @@
download=0
fi

+verify_sig() {
+ echo Verifying signature...
+ if gpg --keyring "$KEYRING" --verify $file.gpgsig $file ; then
+ echo "Good signature."
+ else
+ echo "Bad signature! Deleting suspect file."
+ rm -f $file $file.gpgsig
+ exit 1
+ fi
+}
+
sync_local() {
echo Syncing local tree...
tar jxf $file
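Review bot: `gpg --keyring "$KEYRING" --verify` adds `$KEYRING` to the set of keyrings gpg consults rather than replacing the default one, so unless `--no-default-keyring` is passed as well, a signature made by any key that happens to sit in the invoking user's default pubring is also reported as "Good signature."; the check should be pinned to the keyring holding the announced key. Also, `verify_sig` reads `$file` as a global and calls `exit 1` on failure, so a bad signature from one mirror aborts the whole run instead of letting the `for i in $GENTOO_MIRRORS` loop move on to the next mirror (fine if intended, but worth stating in the mail), and `$file` should be quoted in both the gpg and the rm invocations.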
@@ -36,7 +54,10 @@
chown -R root:root portage
cd portage
rsync -av --progress --stats --delete --delete-after \
- --exclude='distfiles/*' --exclude='packages/*' . ${PORTDIR%%/}
+ --exclude='distfiles/*' \
+ --exclude='packages/*' \
+ --exclude='local/*' \
+ . ${PORTDIR%%/}
cd ..
rm -rf portage
}
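Review bot: the new `--exclude='local/*'` rsync exclusion is unrelated to signature verification and is not mentioned in the mail; either split it out of this patch or call it out in the description so people applying the patch for the gpg check know they are also changing what gets synced into `${PORTDIR}`.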
@@ -58,9 +79,10 @@

for i in $GENTOO_MIRRORS ; do
url="${i}/snapshots/$file"
- rm -f $file
+ rm -f $file $file.gpgsig

- if (wget $wgetops $url) && [ -s $file ] ; then
+ if (wget $wgetops $url $url.gpgsig) && [ -s $file ] ; then
+ verify_sig
sync_local
echo
echo " *** Completed websync, please now perform a normal rsync if possible."
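Review bot: the success test `[ -s $file ]` still only checks the snapshot tarball; if wget brings back the tarball but an empty or missing `$file.gpgsig` (for example from a mirror that does not carry the signature), the script goes on into `verify_sig`, which fails and exits with the "Bad signature!" message rather than trying the next mirror. Consider testing `[ -s $file ] && [ -s $file.gpgsig ]` here so a mirror without a signature is skipped like a failed download, and quote `$url`, `$url.gpgsig` and `$file` in the wget and rm lines.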


--
gentoo-security@gentoo.org mailing list