On Mon, Apr 25, 2005 at 11:58:42PM +0100, Antoine Martin wrote:
> Not wanting to re-ignite the (heated) discussion about how to ensure the
> integrity of the connection to the gentoo servers, but has anyone got
> any working scripts to test the md5/sha sums?
> I remember that the discussion ended with a temporary measure being put
> in place until the proper solution is integrated in portage. I would
> like to use this feature, but I would prefer not having to write the
> script myself, if possible.
Sorry, I'm a little behind in my email.
Here is the script I use. It depends on a keyring defined in /etc/make.conf
called "PORTAGE_KEYRING="
It is not based on the latest portage sources, but it works. I just
used it the other day.
Enjoy,
- Chris
#!/bin/sh
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-src/portage/bin/emerge-webrsync,v 1.3 2003/02/23 23:10:03 alain Exp $
# Author: Karl Trygve Kalleberg <karltk@gentoo.org>
# Rewritten from the old, Perl-based emerge-webrsync script
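# Mirror list and tree location come from portage itself; PORTAGE_KEYRING
# must be set in /etc/make.conf and point at a keyring holding ONLY the
# keys allowed to sign snapshots (gpg --verify accepts any key it finds).
GENTOO_MIRRORS="$(/usr/lib/portage/bin/portageq gentoo_mirrors)"
PORTDIR="$(/usr/lib/portage/bin/portageq portdir)"
# Take everything after the first '=' and drop the surrounding double
# quotes that make.conf values usually carry, so gpg gets a bare path.
KEYRING="$(grep "^PORTAGE_KEYRING=" /etc/make.conf | sed -e 's/^[^=]*=//' -e 's/^"\(.*\)"$/\1/')"
syncpath="/var/tmp/emerge-webrsync"
if [ -z "$KEYRING" ] ; then
  echo "Please set PORTAGE_KEYRING in /etc/make.conf to the location" >&2
  echo "of your public keyring." >&2
  exit 1
fi
if [ ! -r "$KEYRING" ] ; then
  echo "Keyring $KEYRING does not exist or is not readable." >&2
  exit 1
fi
# sync_local runs rsync --delete into $PORTDIR; never let that be empty.
if [ -z "$PORTDIR" ] ; then
  echo "Could not determine PORTDIR from portageq." >&2
  exit 1
fi
if [ ! -d "$syncpath" ] ; then
  mkdir -p "$syncpath" || exit 1
fi
# /var/tmp is shared with every local user; do not work inside a directory
# someone else planted under this well-known name.
if [ ! -O "$syncpath" ] ; then
  echo "$syncpath is not owned by the current user; refusing to use it." >&2
  exit 1
fi
cd "$syncpath" || exit 1
attempts=0   # days back from today tried so far (loop below stops at 40)
download=1   # 0 (-n): reuse an already fetched snapshot if one is present
wgetops=-q   # -v makes wget chatty instead of quiet
# Options may appear in any order; anything else is ignored as before.
for arg in "$@" ; do
  case "$arg" in
    -v) wgetops= ;;
    -n) download=0 ;;
  esac
done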
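#######################################
# Verify the detached signature $file.gpgsig against $file using only the
# keys in $KEYRING. On a bad or missing signature the snapshot and its
# signature are deleted and the script aborts, so nothing unverified
# reaches sync_local.
# Globals:   file (read), KEYRING (read)
# Outputs:   status messages on stdout, failure on stderr
# Returns:   0 on a good signature; exits 1 otherwise
#######################################
verify_sig() {
  echo "Verifying signature..."
  # --no-default-keyring: without it gpg also consults the caller's own
  # pubring, so a signature from any key found there would be accepted too.
  # Note gpg --verify does not check key trust, so $KEYRING must contain
  # only keys allowed to sign snapshots. --batch avoids interactive prompts.
  if gpg --batch --no-default-keyring --keyring "$KEYRING" \
      --verify "$file.gpgsig" "$file" ; then
    echo "Good signature."
  else
    echo "Bad signature! Deleting suspect file." >&2
    rm -f -- "$file" "$file.gpgsig"
    exit 1
  fi
}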
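#######################################
# Unpack the (already verified) snapshot $file in the current directory
# and rsync the resulting portage/ tree over $PORTDIR.
# Globals:   file (read), PORTDIR (read)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success; exits 1 if unpacking, cd or rsync fails
#######################################
sync_local() {
  echo "Syncing local tree..."
  # The rsync below uses --delete; refuse to run with an empty target.
  : "${PORTDIR:?PORTDIR is not set}"
  # Drop anything left behind by an earlier, interrupted run so it cannot
  # get mixed into the freshly extracted tree.
  rm -rf portage
  if ! tar jxf "$file" ; then
    echo "Failed to unpack $file" >&2
    exit 1
  fi
  rm -f -- "$file" "$file.gpgsig"
  # Make sure user and group file ownership is root
  chown -R root:root portage
  # Never run rsync --delete from the wrong directory: abort if the
  # snapshot did not produce the expected portage/ directory.
  cd portage || exit 1
  if ! rsync -av --progress --stats --delete --delete-after \
      --exclude='distfiles/*' \
      --exclude='packages/*' \
      --exclude='local/*' \
      . "${PORTDIR%%/}" ; then
    echo "rsync into ${PORTDIR%%/} failed" >&2
    exit 1
  fi
  cd .. || exit 1
  rm -rf portage
}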
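echo "Fetching most recent snapshot"
# Walk back one day at a time (up to 40 days) until a snapshot is found.
while [ "$attempts" -lt 40 ] ; do
  stamp=$(date -d "-$attempts day" +"%Y%m%d")
  file="portage-${stamp}.tar.bz2"
  if [ -f "$file" ] && [ "$download" -eq 0 ] ; then
    # -n reuses a previously fetched snapshot; it still has to pass
    # signature verification before anything is extracted.
    verify_sig
    sync_local
    exit 0
  fi
  # GENTOO_MIRRORS is a whitespace-separated list; word splitting is intended.
  # shellcheck disable=SC2086
  for mirror in $GENTOO_MIRRORS ; do
    url="${mirror%/}/snapshots/$file"
    rm -f -- "$file" "$file.gpgsig"
    # wgetops is either empty or -q, so it stays unquoted on purpose.
    # shellcheck disable=SC2086
    if wget $wgetops "$url" "$url.gpgsig" && [ -s "$file" ] ; then
      verify_sig
      sync_local
      echo
      echo " *** Completed websync, please now perform a normal rsync if possible."
      echo " Update is current as of YYYYMMDD: ${stamp}"
      echo
      exit 0
    fi
  done
  attempts=$((attempts + 1))
done
echo "No snapshot could be fetched from any mirror for the last 40 days." >&2
rm -rf portage
exit 1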