[tor-commits] [tor-browser-bundle/master] Bug 11771: Verify all tags/hashes prior to each build invocation.

mikeperry at torproject.org mikeperry at torproject.org
Tue May 6 15:01:18 UTC 2014


commit 0f6800a9fe4225915014140077e4ea1ec5919eb5
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Tue May 6 07:14:49 2014 -0700

    Bug 11771: Verify all tags/hashes prior to each build invocation.
    
    Only if VERIFY_TAGS=1 is set from the versions file though.
---
 gitian/fetch-inputs.sh     |    2 ++
 gitian/mkbundle-linux.sh   |    9 +++++-
 gitian/mkbundle-mac.sh     |    9 +++++-
 gitian/mkbundle-windows.sh |    9 +++++-
 gitian/verify-tags.sh      |   76 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 102 insertions(+), 3 deletions(-)

diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index b542cf0..03827b6 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -44,6 +44,8 @@ cd "$INPUTS_DIR"
 CLEANUP=$(tempfile)
 trap "bash '$CLEANUP'; rm -f '$CLEANUP'" EXIT
 
+# FIXME: This code is copied to verify-tags.sh.. Should we make a bash
+# function library?
 verify() {
   local file="$1"; shift
   local keyring="$1"; shift
diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh
index 1328a9c..6101971 100755
--- a/gitian/mkbundle-linux.sh
+++ b/gitian/mkbundle-linux.sh
@@ -65,6 +65,13 @@ $WRAPPER_DIR/build-helpers/dzip.sh $GITIAN_DIR/inputs/linux-skeleton.zip .
 
 cd $WRAPPER_DIR
 
+# FIXME: Library function?
+die_msg() {
+  local msg="$1"; shift
+  printf "\n\n$msg\n"
+  exit 1
+}
+
 # Let's preserve the original $FOO for creating proper symlinks after building
 # the utils both if we verify tags and if we don't.
 
@@ -72,7 +79,7 @@ LIBEVENT_TAG_ORIG=$LIBEVENT_TAG
 
 if [ "z$VERIFY_TAGS" = "z1" ];
 then
-  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1
+  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date"
   # If we're verifying tags, be explicit to gitian that we
   # want to build from tags.
   NSIS_TAG=refs/tags/$NSIS_TAG
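Review bot: The new `./verify-tags.sh ... || die_msg "..."` line hands its message to `die_msg`, which the preceding hunk defines as `printf "\n\n$msg\n"` — the message is used as the printf format string, so any `%` in a future message would be interpreted by printf, and the diagnostic goes to stdout instead of stderr. `printf '\n\n%s\n' "$msg" >&2` avoids both, and the `shift` after `local msg="$1"` is unused. The same `die_msg` copy appears in the mkbundle-mac.sh and mkbundle-windows.sh hunks. The new line also leaves `$GITIAN_DIR/inputs` and `$VERSIONS_FILE` unquoted, as the replaced line did; the enclosing `if` block continues past the hunk.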
diff --git a/gitian/mkbundle-mac.sh b/gitian/mkbundle-mac.sh
index a9cbacb..7681ed4 100755
--- a/gitian/mkbundle-mac.sh
+++ b/gitian/mkbundle-mac.sh
@@ -72,9 +72,16 @@ $WRAPPER_DIR/build-helpers/dtar.sh $GITIAN_DIR/inputs/dmg-applications.tar.xz .
 
 cd $WRAPPER_DIR
 
+# FIXME: Library function?
+die_msg() {
+  local msg="$1"; shift
+  printf "\n\n$msg\n"
+  exit 1
+}
+
 if [ "z$VERIFY_TAGS" = "z1" ];
 then
-  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1
+  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date"
   # If we're verifying tags, be explicit to gitian that we
   # want to build from tags.
   NSIS_TAG=refs/tags/$NSIS_TAG
diff --git a/gitian/mkbundle-windows.sh b/gitian/mkbundle-windows.sh
index 7ab0aa6..bf6a5d4 100755
--- a/gitian/mkbundle-windows.sh
+++ b/gitian/mkbundle-windows.sh
@@ -67,9 +67,16 @@ $WRAPPER_DIR/build-helpers/dzip.sh $GITIAN_DIR/inputs/windows-skeleton.zip .
 
 cd $WRAPPER_DIR
 
+# FIXME: Library function?
+die_msg() {
+  local msg="$1"; shift
+  printf "\n\n$msg\n"
+  exit 1
+}
+
 if [ "z$VERIFY_TAGS" = "z1" ];
 then
-  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1
+  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date"
   # If we're verifying tags, be explicit to gitian that we
   # want to build from tags.
   NSIS_TAG=refs/tags/$NSIS_TAG
diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh
index 28c16f1..8829b9d 100755
--- a/gitian/verify-tags.sh
+++ b/gitian/verify-tags.sh
@@ -48,6 +48,43 @@ verify_git() {
   popd
 }
 
+# FIXME: This code is copied from fetch-inputs.sh.. Should we make a bash
+# function library?
+verify() {
+  local file="$1"; shift
+  local keyring="$1"; shift
+  local suffix="$1"; shift
+
+  local f
+  for f in "$file" "$file.$suffix" "$keyring"; do
+    if ! [ -e "$f" ]; then
+      echo >&2 "Error: Required file $f does not exist."; exit 1
+    fi
+  done
+
+  local tmpfile=$(tempfile)
+  echo "rm -f '$tmpfile'" >> "$CLEANUP"
+  local gpghome=$(mktemp -d)
+  echo "rm -rf '$gpghome'" >> "$CLEANUP"
+  exec 3> "$tmpfile"
+
+  GNUPGHOME="$gpghome" gpg --no-options --no-default-keyring --trust-model=always --keyring="$keyring" --status-fd=3 --verify "$file.$suffix" "$file" >/dev/null 2>&1
+  if grep -q '^\[GNUPG:\] GOODSIG ' "$tmpfile"; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+check_git_hash() {
+  local dir="$1"; shift
+  local commit="${1:-}"
+
+  if [ -n "$commit" ]; then
+    (cd "$dir" && git checkout "$commit")
+  fi
+}
+
 
 while read dir keyring tag; do
   verify_git "$dir" "$WRAPPER_DIR/gpg/$keyring" "$tag"
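Review bot: `check_git_hash` does nothing with the outcome of `git checkout "$commit"`: the subshell's status becomes the function's return value, but the `while read dir commit` loop in the next hunk never tests it, so unless this script runs under `set -e` (not visible here) a commit missing from the fetched repository, or a checkout that fails for any other reason, leaves the previous working tree in place and the script continues. Since this value is the only integrity anchor for the repositories that get no signed-tag check, the checkout should be fatal: `(cd "$dir" && git checkout "$commit") || { echo >&2 "Error: could not check out $commit in $dir"; exit 1; }`. It also only pins content when the versions file holds a full commit id — a branch or tag name would resolve to whatever the remote served, so a comment on the function stating that expectation would help. The copied `verify` depends on `$CLEANUP` being a file registered with an EXIT trap, as fetch-inputs.sh does just above its hunk; if verify-tags.sh does not set that up, the `rm` lines are appended to an empty name and the `mktemp -d` directory is never removed.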
@@ -65,6 +102,45 @@ obfsproxy             obfsproxy.gpg             $OBFSPROXY_TAG
 flashproxy            flashproxy.gpg            $FLASHPROXY_TAG
 EOF
 
+while read dir commit; do
+  check_git_hash "$dir" "$commit"
+done << EOF
+libdmg-hfsplus          $LIBDMG_TAG
+fteproxy                $FTEPROXY_TAG
+EOF
+
+# Verify signatures on signed packages
+for i in BINUTILS GCC PYTHON PYCRYPTO M2CRYPTO PYTHON_MSI GMP LXML
+do
+  PACKAGE="${i}_PACKAGE"
+  URL="${i}_URL"
+  if [ "${i}" == "PYTHON" -o "${i}" == "PYCRYPTO" -o "${i}" == "M2CRYPTO" -o \
+       "${i}" == "PYTHON_MSI" -o "${i}" == "LXML" ]; then
+    SUFFIX="asc"
+  else
+    SUFFIX="sig"
+  fi
+
+  if ! verify "${!PACKAGE}" "$WRAPPER_DIR/gpg/$i.gpg" $SUFFIX; then
+    echo "$i: GPG signature is broken for ${!URL}"
+    mv "${!PACKAGE}" "${!PACKAGE}.badgpg"
+    exit 1
+  fi
+done
+
+# Verify packages with weak or no signatures via direct sha256 check
+# (OpenSSL is signed with MD5, and OSXSDK is not signed at all)
+for i in OSXSDK TOOLCHAIN4 TOOLCHAIN4_OLD NOSCRIPT HTTPSE MINGW MSVCR100 PYCRYPTO ARGPARSE PYYAML ZOPEINTERFACE TWISTED M2CRYPTO SETUPTOOLS OPENSSL GMP
+do
+   PACKAGE="${i}_PACKAGE"
+   HASH="${i}_HASH"
+   if ! echo "${!HASH}  ${!PACKAGE}" | sha256sum -c -; then
+     echo "Package hash for ${!PACKAGE} differs from our locally stored sha256!"
+     exit 1
+   fi
+done
+
+
 cd "$INPUTS_DIR"
 verify_git "." "$WRAPPER_DIR/gpg/torbutton.gpg" "$GITIAN_TAG"
 git checkout "$GITIAN_TAG"
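Review bot: The suffix selection in the signature loop uses `==` and the deprecated `-o` inside `[`, which is a bashism under `test` and awkward to extend; `case "$i" in PYTHON|PYCRYPTO|M2CRYPTO|PYTHON_MSI|LXML) SUFFIX="asc" ;; *) SUFFIX="sig" ;; esac` expresses the same table in one construct. The failure messages on the `GPG signature is broken` and `Package hash ... differs` lines go to stdout, unlike the `echo >&2` convention `verify` itself uses; sending them to stderr keeps diagnostics out of any captured output. The `sha256sum -c` check appears to fail closed when a `*_HASH` variable is empty (the fed line is then malformed and `-c` exits non-zero), which is the right direction; a short comment such as `# an empty *_HASH makes the line malformed, so -c still fails` would spare the next reader from re-deriving that. `$SUFFIX` in the `verify` call is unquoted; quoting it is harmless here and consistent with the other arguments.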




