Update gen-frameworks.sh now that KDE signs pkgs
authorAndre Heinecke <aheinecke@gnupg.org>
Mon, 18 Feb 2019 13:39:46 +0000 (14:39 +0100)
committerAndre Heinecke <aheinecke@gnupg.org>
Mon, 18 Feb 2019 13:39:46 +0000 (14:39 +0100)
* packages/gen-frameworks.sh: We can use gpgv now.
* packages/kde-release-key.gpg: New. Currently only David Faure's

packages/gen-frameworks.sh
packages/kde-release-key.gpg [new file with mode: 0644]

index 1037e34..4a649b0 100755 (executable)
@@ -25,7 +25,7 @@
 set -e
 
 if [ -z "$1" ]; then
-    echo "Usage $0 <Version>"
+    echo "Usage $0 <Version> > snippet"
     exit 1
 fi
 
@@ -49,72 +49,18 @@ FRAMEWORKS="extra-cmake-modules
 
 tmpdir=$(mktemp -d)
 
-# StartComs authenticates KDE.org
-cat > "$tmpdir/startcom.pem" << EOF
------BEGIN CERTIFICATE-----
-MIIHhzCCBW+gAwIBAgIBLTANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJJTDEW
-MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
-Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
-dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM3WhcNMzYwOTE3MTk0NjM2WjB9
-MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
-U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
-cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA
-A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk
-pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf
-OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C
-Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT
-Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi
-HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM
-Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w
-+2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+
-Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3
-Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B
-26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID
-AQABo4ICEDCCAgwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
-VR0OBBYEFE4L7xqkQFulF2mHMMo0aEPQQa7yMB8GA1UdIwQYMBaAFE4L7xqkQFul
-F2mHMMo0aEPQQa7yMIIBWgYDVR0gBIIBUTCCAU0wggFJBgsrBgEEAYG1NwEBATCC
-ATgwLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5w
-ZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2ludGVybWVk
-aWF0ZS5wZGYwgc8GCCsGAQUFBwICMIHCMCcWIFN0YXJ0IENvbW1lcmNpYWwgKFN0
-YXJ0Q29tKSBMdGQuMAMCAQEagZZMaW1pdGVkIExpYWJpbGl0eSwgcmVhZCB0aGUg
-c2VjdGlvbiAqTGVnYWwgTGltaXRhdGlvbnMqIG9mIHRoZSBTdGFydENvbSBDZXJ0
-aWZpY2F0aW9uIEF1dGhvcml0eSBQb2xpY3kgYXZhaWxhYmxlIGF0IGh0dHA6Ly93
-d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwEQYJYIZIAYb4QgEBBAQDAgAHMDgG
-CWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNTTCBDZXJ0aWZpY2F0aW9uIEF1
-dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAgEAjo/n3JR5fPGFf59Jb2vKXfuM/gTF
-wWLRfUKKvFO3lANmMD+x5wqnUCBVJX92ehQN6wQOQOY+2IirByeDqXWmN3PH/UvS
-Ta0XQMhGvjt/UfzDtgUx3M2FIk5xt/JxXrAaxrqTi3iSSoX4eA+D/i+tLPfkpLst
-0OcNOrg+zvZ49q5HJMqjNTbOx8aHmNrs++myziebiMMEofYLWWivydsQD032ZGNc
-pRJvkrKTlMeIFw6Ttn5ii5B/q06f/ON1FE8qMt9bDeD1e5MNq6HPh+GlBEXoPBKl
-CcWw0bdT82AUuoVpaiF8H3VhFyAXe2w7QSlc4axa0c2Mm+tgHRns9+Ww2vl5GKVF
-P0lDV9LdJNUso/2RjSe15esUBppMeyG7Oq0wBhjA2MFrLH9ZXF2RsXAiV+uKa0hK
-1Q8p7MZAwC+ITGgBF3f0JBlPvfrhsiAhS90a2Cl9qrjeVOwhVYBsHvUwyKMQ5bLm
-KhQxw4UtjJixhlpPiVktucf3HMiKf8CdBUrmQk9io20ppB+Fq9vlgcitKj1MXVuE
-JnHEhV5xJMqlG2zYYdMa4FTbzrqpMrUi9nNBCV24F10OD5mQ1kfabwo6YigUZ4LZ
-8dCAWZvLMdibD4x3TrVoivJs9iQOLWxwxXPR3hTQcY+203sC9uO41Alua551hDnm
-fyWl8kgAwKQB2j8=
------END CERTIFICATE-----
-EOF
-curl --cacert $tmpdir/startcom.pem "https://www.kde.org/info/kde-frameworks-${1}.php" > \
-    $tmpdir/relpage
-
 majorversion=$(echo $1 | head -c 4)
 curdate=$(date +%Y-%m-%d)
 
+KEYRING=$(dirname $0)/kde-release-key.gpg
+
 for fw in $FRAMEWORKS; do
-    # Download sha1sums and pacakges over http now and verify that file matches sha1
-    curl -L -s "http://download.kde.org/stable/frameworks/$majorversion/$fw-$1.tar.xz.sha1" > "$tmpdir/$fw-$1.tar.xz.sha1"
-    curl -L -s "http://download.kde.org/stable/frameworks/$majorversion/$fw-$1.tar.xz" > "$tmpdir/$fw-$1.tar.xz"
-    cd $tmpdir
-    if ! cat "$tmpdir/$fw-$1.tar.xz.sha1" | sha1sum -c > /dev/null 2>&1; then
-        echo "failed to verify sha1sum for $fw-$1.tar.xz"
-        exit 1
-    fi
-    cd - > /dev/null
-    # Now to validate that the sha1 is actually part of the https release page
-    sha1=$(cat "$tmpdir/$fw-$1.tar.xz.sha1" | cut -d ' ' -f 1)
-    if ! grep -q "$sha1" "$tmpdir/relpage"; then
-        echo "Sha1sum not found on release page!"
+    # Download pacakges over https now and verify that the signature matches
+    curl -L -s "https://download.kde.org/stable/frameworks/$majorversion/$fw-$1.tar.xz" > "$tmpdir/$fw-$1.tar.xz"
+    curl -L -s "https://download.kde.org/stable/frameworks/$majorversion/$fw-$1.tar.xz.sig" > "$tmpdir/$fw-$1.tar.xz.sig"
+    # Check the signature
+    if ! gpgv --keyring "$KEYRING" "$tmpdir/$fw-$1.tar.xz.sig" "$tmpdir/$fw-$1.tar.xz"; then
+        echo "Signature for $tmpdir/$fw-$1.tar.xz! does not match!"
         exit 1
     fi
 
@@ -123,7 +69,7 @@ for fw in $FRAMEWORKS; do
     echo "# $fw"
     echo "# last changed: $curdate"
     echo "# by: ah"
-    echo "# verified: https://www.kde.org/info/kde-frameworks-${1}.php (created by gen-frameworks.sh)"
+    echo "# verified: PGP Signed by ./kde-release-key.gpg (created by gen-frameworks.sh)"
     echo "file $majorversion/$fw-$1.tar.xz"
     echo "chk $sha2"
     echo ""
diff --git a/packages/kde-release-key.gpg b/packages/kde-release-key.gpg
new file mode 100644 (file)
index 0000000..0c4caa2
Binary files /dev/null and b/packages/kde-release-key.gpg differ