VERIFY-SIG.ECLASS

Section: eclass-manpages (5)
Updated: Dec 2020

NAME

verify-sig.eclass - Eclass to verify upstream signatures on distfiles

DESCRIPTION

verify-sig eclass provides a streamlined approach to verifying upstream signatures on distfiles. Its primary purpose is to permit developers to easily verify signatures while bumping packages. The eclass removes the risk of a developer forgetting to perform the verification, or performing it incorrectly, e.g. because additional keys in the local keyring are accepted by mistake: verification is performed against the packaged key bundle only. It also permits users to verify the developer's work.

To use the eclass, start by packaging upstream's key as app-crypt/openpgp-keys-*. Then inherit the eclass, add the detached signatures to SRC_URI (conditional on the verify-sig USE flag), add the key package to BDEPEND and set VERIFY_SIG_OPENPGP_KEY_PATH. The eclass provides the verify-sig USE flag to toggle the verification.

Example use:

inherit verify-sig

SRC_URI="https://example.org/${P}.tar.gz
  verify-sig? ( https://example.org/${P}.tar.gz.sig )"
BDEPEND="
  verify-sig? ( app-crypt/openpgp-keys-example )"

VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/example.asc

SUPPORTED EAPIS

7

FUNCTIONS

verify-sig_verify_detached <file> <sig-file> [<key-file>]
Read the detached signature from <sig-file> and verify <file> against it. <key-file> can either be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification fails.
verify-sig_verify_message <file> <output-file> [<key-file>]
Verify that the file ('-' for stdin) contains a valid, signed PGP message and write the message into <output-file> ('-' for stdout). <key-file> can either be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification fails. Note that using output from <output-file> is important as it prevents the injection of unsigned data.
verify-sig_verify_signed_checksums <checksum-file> <algo> <files> [<key-file>]
Verify the checksums for all files listed in the space-separated list <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo> specifies the checksum algorithm (e.g. sha256). <key-file> can either be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.

The function dies if PGP verification fails, if the checksum file contains unsigned data, if any of the files does not match its checksum, or if any of the files is missing from the checksum file.

verify-sig_src_unpack
Default src_unpack override that verifies signatures for all distfiles if the 'verify-sig' flag is enabled. The function dies if any signature fails to verify or if any distfile is not signed. Write src_unpack() yourself if you need to perform partial verification (e.g. when only some of the distfiles are signed).
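The checking rules of verify-sig_verify_signed_checksums, as an added stand-alone example that is not code from verify-sig.eclass: it re-implements the checksum half of that function so the "missing from list" and "digest mismatch" cases can be exercised without Portage or GnuPG. The function name check_signed_checksums and the sample distfiles are assumptions made here; in the eclass the text passed as the first argument would be what verify-sig_verify_message wrote to its <output-file>, never the raw .asc file.

```shell
#!/bin/sh
# Added example, not code from verify-sig.eclass.  Re-implements the checksum
# checks of verify-sig_verify_signed_checksums so they can be run stand-alone.
# Assumption: the first argument is the *verified* checksum body, i.e. the text
# the PGP verification step emitted to its <output-file>.  Passing the raw
# signed file instead would let unsigned text before/after the signed block
# be treated as trusted.

# check_signed_checksums <verified-text> <algo> <file>...
#   <verified-text> : verified checksum body, lines of "<digest>  <name>"
#                     or "<digest> *<name>" (as written by ${algo}sum)
#   <algo>          : digest name with a matching coreutils tool, e.g. sha256
#   <file>...       : distfiles that must all be listed and must all match
# Returns 0 only if every file is listed and its digest matches (in an ebuild
# this is where the eclass would call die).
check_signed_checksums() {
    local verified algo tool f expected actual bad
    verified=$1; algo=$2; shift 2
    tool="${algo}sum"
    if ! command -v "$tool" >/dev/null 2>&1; then
        printf 'no %s tool in PATH\n' "$tool" >&2
        return 1
    fi
    bad=0
    for f in "$@"; do
        # digest recorded for exactly this file name; first match wins
        expected=$(printf '%s\n' "$verified" |
            awk -v n="$f" '$2 == n || $2 == ("*" n) { print tolower($1); exit }')
        if [ -z "$expected" ]; then
            # a distfile that the signed list does not cover is unsigned data
            printf '%s: not listed in signed checksums\n' "$f" >&2
            bad=1
            continue
        fi
        actual=$("$tool" "$f" | awk '{ print tolower($1) }')
        if [ "$actual" != "$expected" ]; then
            printf '%s: digest mismatch (signed %s, got %s)\n' \
                "$f" "$expected" "$actual" >&2
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Demo on constructed files (these stand in for distfiles and for the signed
# SHA256SUMS body; they are not real upstream artifacts).
demo() {
    local d sums
    d=$(mktemp -d)
    printf 'release tarball\n' > "$d/foo-1.0.tar.gz"
    printf 'patch bundle\n'    > "$d/foo-1.0-patches.tar.xz"
    sums=$(cd "$d" && sha256sum foo-1.0.tar.gz foo-1.0-patches.tar.xz)
    ( cd "$d" && check_signed_checksums "$sums" sha256 \
        foo-1.0.tar.gz foo-1.0-patches.tar.xz ) \
        && echo "ok: all distfiles match the signed checksums"
    # A file that exists but is absent from the signed list must be rejected.
    printf 'sneaked in\n' > "$d/extra.tar.gz"
    ( cd "$d" && check_signed_checksums "$sums" sha256 foo-1.0.tar.gz extra.tar.gz ) \
        || echo "rejected: extra.tar.gz is not covered by the signature"
    rm -rf "$d"
}
demo
```

The important design choice is the one the man page calls out for verify-sig_verify_message: the checksum body must come from the verification step's output, because a clearsigned file can carry arbitrary unsigned lines outside the signed block and those would otherwise be accepted as signed checksums.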

ECLASS VARIABLES

VERIFY_SIG_OPENPGP_KEY_PATH
Path to key bundle used to perform the verification. This is required when using default src_unpack. Alternatively, the key path can be passed directly to the verification functions.
VERIFY_SIG_OPENPGP_KEYSERVER
Keyserver used to refresh keys. If not specified, the keyserver preference from the key will be respected. If no preference is specified by the key, the GnuPG default will be used.
VERIFY_SIG_OPENPGP_KEY_REFRESH ?= no (USER VARIABLE)
Attempt to refresh keys via WKD/keyserver. Set it to "yes" in make.conf to enable. Note that this requires a working Internet connection.

MAINTAINERS

Michał Górny <mgorny@gentoo.org>

REPORTING BUGS

Please report bugs via https://bugs.gentoo.org/

FILES

verify-sig.eclass

SEE ALSO

ebuild(5)
https://gitweb.gentoo.org/repo/gentoo.git/log/eclass/verify-sig.eclass

This document was created by man2html, using the manual pages.
Time: 03:27:01 GMT, December 03, 2020