
Re: dscverify, program to check PGP/MD5 from .dsc file



On 09 Dec 1998 00:37:06 -0500, Roderick Schertler <roderick@argon.org> said:
>
> Here's what I use to verify that files I download from Incoming are
> valid.

Oops, this only worked for checking source packages, which is probably
not what people were talking about.  Here is a small change which allows
it to work with .changes files, too.

#!/bin/sh

# $Id: dscverify,v 1.3 1998-12-09 00:50:45-05 roderick Exp $
#
# Roderick Schertler <roderick@argon.org>

# This program takes .changes or .dsc files as arguments and verifies
# that they're properly signed by a Debian developer, and that the local
# copies of the files mentioned in them match the MD5 sums given in the
# file.

# Copyright (C) 1998 Roderick Schertler
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# For a copy of the GNU General Public License write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

script=`basename "$0"`
exit=0
warn()	{ echo "$script:" "$@" >&2; exit=1; }
die()	{ warn "$@"; exit $exit; }

[ $# = 0 ] && die "no .changes or .dsc files specified"

pubring=
for file in \
    	~maor/dinstall/debian-keyring.pgp \
	/usr/share/keyrings/debian-keyring.pgp
do
    [ -f "$file" ] && { pubring=$file; break; }
done
[ -n "$pubring" ] || die "can't find debian-keyring.pgp"

tmp=`tempfile` || die "return $? from tempfile"
stderr=`tempfile` || die "return $? from tempfile"

# pgp -f (filter mode) writes the signed text to $tmp and its verdict to
# $stderr; the body left in $tmp is what the Perl below parses for Files: lines.
for file
do
    pgp +pubring="$pubring" -f <$file >$tmp 2>$stderr || {
    	warn "return $? from pgp for $file"
	continue
    }

    grep '^File has signature.' $stderr >/dev/null || {
    	warn "no signature in $file"
	continue
    }

    grep '^Good signature from user' $stderr || {
    	warn "invalid signature in $file"
	continue
    }

    # Walk the Files: field.  .dsc lines are "md5 size name"; .changes lines
    # carry "md5 size section priority name", handled by the optional group.
    perl -we '
    	$on = $any = 0;
    	while (<>) {
	    chomp;
	    if (/^Files:\s*$/) {
	    	$on = 1;
	    }
	    elsif (/^$/ || /^\S/) {
	    	$on = 0;
	    }
	    elsif ($on) {
	    	$any = 1;
	    	/^\s+(\S+)\s+(\d+)\s+(?:\S+\s+\S+\s+)?(\S+)\s*$/
		    or die qq/Invalid file line "$_"\n/;
		my ($md5, $size, $file) = ($1, $2, $3);
		length($md5) == 32 or die qq/Invalid MD5 hash "$md5"\n/;
		unless (-e $file) {
		    print "skipping $file\n";
		    next;
		}
		print "validating $file\n";
		defined($this_size = -s $file)
		    or die "Can'\''t stat $file: $!\n";
		$this_size == $size
		    or die "Invalid file length for $file (wanted $size)\n";
		$output = `md5sum < $file`;
		$? and die "Return $? from md5sum for $file\n";
		# GNU md5sum prints "HASH  -" when reading stdin; keep only the hash.
		($output) = $output =~ /^([0-9a-fA-F]{32})/
		    or die qq/Unexpected md5sum output for $file: "$output"/;
		lc($output) eq lc($md5)
		    or die "MD5 mismatch for $file ($md5 vs $output)\n";
	    }
    	}
	$any or die "Did not see any files\n"' $tmp || {
	warn "return $? from perl"
	continue
    }
done

rm $tmp $stderr || warn "return $? removing $tmp and $stderr"
exit $exit

-- 
Roderick Schertler
roderick@argon.org
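
As an added example that is not Roderick's script, the same Files: check in Python, covering both the three-field .dsc lines and the five-field .changes lines this change is about; SAMPLE_CHANGES and build_sample_dir are constructed for the demonstration, and signature verification is left to pgp/gpg as in the script.

```python
import hashlib, os, pathlib, re, tempfile
# One line of a Files: field: .dsc lines are "md5 size name", .changes lines
# "md5 size section priority name"; the optional group absorbs the extra two.
FILE_LINE = re.compile(r'^\s+(\S+)\s+(\d+)\s+(?:\S+\s+\S+\s+)?(\S+)\s*$')
# Constructed sample .changes body; the MD5s are of b"hello\n" and of an empty file.
SAMPLE_CHANGES = """Files:
 b1946ac92492d2347c6235b4d2611184 6 misc optional foo_1.0-1.dsc
 d41d8cd98f00b204e9800998ecf8427e 0 misc optional foo_1.0.orig.tar.gz
Description: constructed sample, next field ends the Files: stanza"""

def parse_files_field(text):
    """Return [(md5, size, name)] for every line of the Files: field."""
    entries, on = [], False
    for line in text.splitlines():
        if re.match(r'^Files:\s*$', line):
            on = True
        elif line == '' or not line[0].isspace():
            on = False  # a blank line or the next field ends the stanza
        elif on:
            m = FILE_LINE.match(line)
            if not m:
                raise ValueError('invalid file line %r' % line)
            md5, size, name = m.group(1).lower(), int(m.group(2)), m.group(3)
            if len(md5) != 32:
                raise ValueError('invalid MD5 hash %r' % md5)
            entries.append((md5, size, name))
    if not entries:
        raise ValueError('did not see any files')
    return entries

def verify_files(text, directory):
    """Map each listed file to 'skipped', 'size-mismatch', 'md5-mismatch' or 'ok'."""
    status = {}
    for md5, size, name in parse_files_field(text):
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.exists(path):
            status[name] = 'skipped'      # not downloaded yet, as in dscverify
        elif os.path.getsize(path) != size:
            status[name] = 'size-mismatch'  # cheap check before hashing
        else:
            with open(path, 'rb') as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            status[name] = 'ok' if digest == md5 else 'md5-mismatch'
    return status

def build_sample_dir(dsc_content=b'hello\n'):
    # Scratch directory holding only foo_1.0-1.dsc (the .orig.tar.gz is absent).
    directory = tempfile.mkdtemp()
    pathlib.Path(directory, 'foo_1.0-1.dsc').write_bytes(dsc_content)
    return directory
```

Unlike dscverify, verify_files reports every file instead of dying at the first mismatch.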
