commit 0f6800a9fe4225915014140077e4ea1ec5919eb5 Author: Mike Perry mikeperry-git@torproject.org Date: Tue May 6 07:14:49 2014 -0700
Bug 11771: Verify all tags/hashes prior to each build invocation.
Only if VERIFY_TAGS=1 is set from the versions file though. --- gitian/fetch-inputs.sh | 2 ++ gitian/mkbundle-linux.sh | 9 +++++- gitian/mkbundle-mac.sh | 9 +++++- gitian/mkbundle-windows.sh | 9 +++++- gitian/verify-tags.sh | 76 ++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 102 insertions(+), 3 deletions(-)
diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh index b542cf0..03827b6 100755 --- a/gitian/fetch-inputs.sh +++ b/gitian/fetch-inputs.sh @@ -44,6 +44,8 @@ cd "$INPUTS_DIR" CLEANUP=$(tempfile) trap "bash '$CLEANUP'; rm -f '$CLEANUP'" EXIT
+# FIXME: This code is copied to verify-tags.sh.. Should we make a bash +# function library? verify() { local file="$1"; shift local keyring="$1"; shift diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh index 1328a9c..6101971 100755 --- a/gitian/mkbundle-linux.sh +++ b/gitian/mkbundle-linux.sh @@ -65,6 +65,13 @@ $WRAPPER_DIR/build-helpers/dzip.sh $GITIAN_DIR/inputs/linux-skeleton.zip .
cd $WRAPPER_DIR
+# FIXME: Library function? +die_msg() { + local msg="$1"; shift + printf "\n\n$msg\n" + exit 1 +} + # Let's preserve the original $FOO for creating proper symlinks after building # the utils both if we verify tags and if we don't.
@@ -72,7 +79,7 @@ LIBEVENT_TAG_ORIG=$LIBEVENT_TAG
if [ "z$VERIFY_TAGS" = "z1" ]; then - ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1 + ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date" # If we're verifying tags, be explicit to gitian that we # want to build from tags. NSIS_TAG=refs/tags/$NSIS_TAG diff --git a/gitian/mkbundle-mac.sh b/gitian/mkbundle-mac.sh index a9cbacb..7681ed4 100755 --- a/gitian/mkbundle-mac.sh +++ b/gitian/mkbundle-mac.sh @@ -72,9 +72,16 @@ $WRAPPER_DIR/build-helpers/dtar.sh $GITIAN_DIR/inputs/dmg-applications.tar.xz .
cd $WRAPPER_DIR
+# FIXME: Library function? +die_msg() { + local msg="$1"; shift + printf "\n\n$msg\n" + exit 1 +} + if [ "z$VERIFY_TAGS" = "z1" ]; then - ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1 + ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date" # If we're verifying tags, be explicit to gitian that we # want to build from tags. NSIS_TAG=refs/tags/$NSIS_TAG diff --git a/gitian/mkbundle-windows.sh b/gitian/mkbundle-windows.sh index 7ab0aa6..bf6a5d4 100755 --- a/gitian/mkbundle-windows.sh +++ b/gitian/mkbundle-windows.sh @@ -67,9 +67,16 @@ $WRAPPER_DIR/build-helpers/dzip.sh $GITIAN_DIR/inputs/windows-skeleton.zip .
cd $WRAPPER_DIR
+# FIXME: Library function? +die_msg() { + local msg="$1"; shift + printf "\n\n$msg\n" + exit 1 +} + if [ "z$VERIFY_TAGS" = "z1" ]; then - ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1 + ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date" # If we're verifying tags, be explicit to gitian that we # want to build from tags. NSIS_TAG=refs/tags/$NSIS_TAG diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh index 28c16f1..8829b9d 100755 --- a/gitian/verify-tags.sh +++ b/gitian/verify-tags.sh @@ -48,6 +48,43 @@ verify_git() { popd }
+# FIXME: This code is copied from fetch-inputs.sh.. Should we make a bash +# function library? +verify() { + local file="$1"; shift + local keyring="$1"; shift + local suffix="$1"; shift + + local f + for f in "$file" "$file.$suffix" "$keyring"; do + if ! [ -e "$f" ]; then + echo >&2 "Error: Required file $f does not exist."; exit 1 + fi + done + + local tmpfile=$(tempfile) + echo "rm -f '$tmpfile'" >> "$CLEANUP" + local gpghome=$(mktemp -d) + echo "rm -rf '$gpghome'" >> "$CLEANUP" + exec 3> "$tmpfile" + + GNUPGHOME="$gpghome" gpg --no-options --no-default-keyring --trust-model=always --keyring="$keyring" --status-fd=3 --verify "$file.$suffix" "$file" >/dev/null 2>&1 + if grep -q '^[GNUPG:] GOODSIG ' "$tmpfile"; then + return 0 + else + return 1 + fi +} + +check_git_hash() { + local dir="$1"; shift + local commit="${1:-}" + + if [ -n "$commit" ]; then + (cd "$dir" && git checkout "$commit") + fi +} +
while read dir keyring tag; do verify_git "$dir" "$WRAPPER_DIR/gpg/$keyring" "$tag" @@ -65,6 +102,45 @@ obfsproxy obfsproxy.gpg $OBFSPROXY_TAG flashproxy flashproxy.gpg $FLASHPROXY_TAG EOF
+while read dir commit; do + check_git_hash "$dir" "$commit" +done << EOF +libdmg-hfsplus $LIBDMG_TAG +fteproxy $FTEPROXY_TAG +EOF + +# Verify signatures on signed packages +for i in BINUTILS GCC PYTHON PYCRYPTO M2CRYPTO PYTHON_MSI GMP LXML +do + PACKAGE="${i}_PACKAGE" + URL="${i}_URL" + if [ "${i}" == "PYTHON" -o "${i}" == "PYCRYPTO" -o "${i}" == "M2CRYPTO" -o \ + "${i}" == "PYTHON_MSI" -o "${i}" == "LXML" ]; then + SUFFIX="asc" + else + SUFFIX="sig" + fi + + if ! verify "${!PACKAGE}" "$WRAPPER_DIR/gpg/$i.gpg" $SUFFIX; then + echo "$i: GPG signature is broken for ${!URL}" + mv "${!PACKAGE}" "${!PACKAGE}.badgpg" + exit 1 + fi +done + +# Verify packages with weak or no signatures via direct sha256 check +# (OpenSSL is signed with MD5, and OSXSDK is not signed at all) +for i in OSXSDK TOOLCHAIN4 TOOLCHAIN4_OLD NOSCRIPT HTTPSE MINGW MSVCR100 PYCRYPTO ARGPARSE PYYAML ZOPEINTERFACE TWISTED M2CRYPTO SETUPTOOLS OPENSSL GMP +do + PACKAGE="${i}_PACKAGE" + HASH="${i}_HASH" + if ! echo "${!HASH} ${!PACKAGE}" | sha256sum -c -; then + echo "Package hash for ${!PACKAGE} differs from our locally stored sha256!" + exit 1 + fi +done + + cd "$INPUTS_DIR" verify_git "." "$WRAPPER_DIR/gpg/torbutton.gpg" "$GITIAN_TAG" git checkout "$GITIAN_TAG"
tbb-commits@lists.torproject.org