Mailing List Archive

md5/sha scripts
Not wanting to re-ignite the (heated) discussion about how to ensure the
integrity of the connection to the gentoo servers, but has anyone got
any working scripts to test the md5/sha sums?
I remember that the discussion ended with a temporary measure being put
in place until the proper solution is integrated in portage. I would
like to use this feature, but I would prefer not having to write the
script myself, if possible.

Thanks
Antoine

--
gentoo-security@gentoo.org mailing list
Re: md5/sha scripts
On Mon, Apr 25, 2005 at 11:58:42PM +0100, Antoine Martin wrote:
> Not wanting to re-ignite the (heated) discussion about how to ensure the
> integrity of the connection to the gentoo servers, but has anyone got
> any working scripts to test the md5/sha sums?
> I remember that the discussion ended with a temporary measure being put
> in place until the proper solution is integrated in portage. I would
> like to use this feature, but I would prefer not having to write the
> script myself, if possible.

Sorry, I'm a little behind in my email.

Here is the script I use. It depends on a keyring defined in /etc/make.conf
called "PORTAGE_KEYRING="

It is not based on the latest portage sources, but it works. I just
used it the other day.

Enjoy,
- Chris


#!/bin/bash
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-src/portage/bin/emerge-webrsync,v 1.3 2003/02/23 23:10:03 alain Exp $
# Author: Karl Trygve Kalleberg <karltk@gentoo.org>
# Rewritten from the old, Perl-based emerge-webrsync script
# (bash rather than sh: the script uses (( )) and $(( )), which plain sh lacks)

GENTOO_MIRRORS="$(/usr/lib/portage/bin/portageq gentoo_mirrors)"
PORTDIR="$(/usr/lib/portage/bin/portageq portdir)"
# PORTAGE_KEYRING may be written with or without quotes in make.conf; strip them,
# otherwise gpg is handed a path with literal quote characters in it.
KEYRING="$(sed -n 's/^PORTAGE_KEYRING=//p' /etc/make.conf | tr -d "\"'")"
syncpath="/var/tmp/emerge-webrsync"

if [ -z "$KEYRING" ] ; then
    echo "Please set PORTAGE_KEYRING in /etc/make.conf to the location"
    echo "of your public keyring."
    exit 1
fi

if [ ! -d "$syncpath" ] ; then
    mkdir -p "$syncpath"
fi

cd "$syncpath" || exit 1

found=0
attempts=0
download=1
if [ "$1" = "-v" ] ; then
    wgetops=
else
    wgetops=-q
fi

if [ "$1" = "-n" ] ; then
    download=0
fi

# Check the detached signature before anything is unpacked. A bad signature
# deletes the snapshot so a later run cannot pick up the suspect file.
verify_sig() {
    echo "Verifying signature..."
    if gpg --keyring "$KEYRING" --verify "$file.gpgsig" "$file" ; then
        echo "Good signature."
    else
        echo "Bad signature! Deleting suspect file."
        rm -f "$file" "$file.gpgsig"
        exit 1
    fi
}

sync_local() {
    echo "Syncing local tree..."
    tar jxf "$file"
    rm -f "$file" "$file.gpgsig"
    # Make sure user and group file ownership is root
    chown -R root:root portage
    cd portage || exit 1
    rsync -av --progress --stats --delete --delete-after \
        --exclude='distfiles/*' \
        --exclude='packages/*' \
        --exclude='local/*' \
        . "${PORTDIR%%/}"
    cd ..
    rm -rf portage
}

echo "Fetching most recent snapshot"

# Walk back up to 40 days, trying the snapshot named after each date.
while (( attempts < 40 )) ; do

    day=$(date -d "-$attempts day" +"%d")
    month=$(date -d "-$attempts day" +"%m")
    year=$(date -d "-$attempts day" +"%Y")

    file="portage-${year}${month}${day}.tar.bz2"

    # -n: reuse an already downloaded snapshot. The signature is still checked
    # (the posted version skipped verify_sig here, so a leftover, never-verified
    # file would have been unpacked); the .gpgsig must sit next to the file.
    if [ -f "$file" ] && [ "$download" = 0 ] ; then
        verify_sig
        sync_local
        exit 0
    fi

    for i in $GENTOO_MIRRORS ; do
        url="${i}/snapshots/$file"
        rm -f "$file" "$file.gpgsig"

        if wget $wgetops "$url" "$url.gpgsig" && [ -s "$file" ] ; then
            verify_sig
            sync_local
            echo
            echo " *** Completed websync, please now perform a normal rsync if possible."
            echo " Update is current as of YYYYMMDD: ${year}${month}${day}"
            echo
            exit 0
        fi
    done
    attempts=$((attempts+1))
done

echo "No snapshot found on any mirror for the last 40 days."
rm -rf portage

exit 1

--
gentoo-security@gentoo.org mailing list
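An added example, not Chris's script nor Gentoo's code, that tightens the verify_sig step above: `gpg --verify` reports success for a signature made by any key in the keyring, so this version parses gpg's machine-readable `--status-fd` output and insists on one expected signing-key fingerprint. EXPECTED_FPR is a placeholder to be replaced with the fingerprint obtained from a trusted source, and the status lines used in the test are constructed.

```shell
#!/bin/bash
# Placeholder: replace with the snapshot-signing key's real fingerprint,
# obtained out of band (not from the mirror you are downloading from).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# check_gpg_status STATUSFILE FINGERPRINT
# Returns 0 only if the gpg status output contains a VALIDSIG line whose
# first field (the fingerprint of the key that made the signature) equals
# FINGERPRINT, and contains no explicit failure line.
check_gpg_status() {
    local status_file="$1" want_fpr="$2" got_fpr
    # Any explicit failure is fatal, whatever else gpg printed.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)' "$status_file"; then
        return 1
    fi
    # "[GNUPG:] VALIDSIG <fingerprint> ..." : $2 is the tag, $3 the fingerprint.
    got_fpr="$(awk '$2 == "VALIDSIG" { print $3; exit }' "$status_file")"
    [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ]
}

# verify_pinned FILE KEYRING
# Drop-in for verify_sig from the post: verifies FILE.gpgsig against FILE
# using only KEYRING, then requires the pinned fingerprint. Status lines go
# to fd 1 (captured); gpg's human-readable text stays on stderr for the operator.
verify_pinned() {
    local file="$1" keyring="$2" status rc
    status="$(mktemp)" || return 1
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$file.gpgsig" "$file" >"$status"
    check_gpg_status "$status" "$EXPECTED_FPR"
    rc=$?
    rm -f "$status"
    return $rc
}
```

In the script above, replacing the `gpg --verify` line with `verify_pinned "$file" "$KEYRING" || { rm -f "$file" "$file.gpgsig"; exit 1; }` keeps the delete-on-failure behaviour while rejecting snapshots signed by any other key.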