diff options
author | V3n3RiX <venerix@koprulu.sector> | 2023-09-16 17:00:58 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-09-16 17:00:58 +0100 |
commit | 7b830374520118e805fdd214530a389653750f51 (patch) | |
tree | 1f6ef2872a3f89b278b2d5c7f82f36df335dce30 /sec-keys | |
parent | 3c490942d0d98701d1c0971e60911fa6bd3ecb76 (diff) |
gentoo auto-resync : 16:09:2023 - 17:00:58
Diffstat (limited to 'sec-keys')
-rw-r--r-- | sec-keys/Manifest.gz | bin | 20885 -> 21237 bytes | |||
-rw-r--r-- | sec-keys/minisig-keys-libsodium/Manifest | 2 | ||||
-rw-r--r-- | sec-keys/minisig-keys-libsodium/metadata.xml | 9 | ||||
-rw-r--r-- | sec-keys/minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild | 19 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-apache-xerces-j/Manifest | 3 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-apache-xerces-j/metadata.xml | 8 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-apache-xerces-j/openpgp-keys-apache-xerces-j-20200102.ebuild | 21 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/Manifest | 2 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230911.ebuild | 233 |
9 files changed, 297 insertions, 0 deletions
diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz Binary files differindex a6f3c9b9919f..732b285ec838 100644 --- a/sec-keys/Manifest.gz +++ b/sec-keys/Manifest.gz diff --git a/sec-keys/minisig-keys-libsodium/Manifest b/sec-keys/minisig-keys-libsodium/Manifest new file mode 100644 index 000000000000..dd69113261de --- /dev/null +++ b/sec-keys/minisig-keys-libsodium/Manifest @@ -0,0 +1,2 @@ +EBUILD minisig-keys-libsodium-20230914.ebuild 525 BLAKE2B 7076295e4bf6d6e206664ee6e28c064b897ab90ef0948ecdd4550b358f8afae600cf83423af260986adb85325c2426046a71200b9379a8ce4886fed2844fce9e SHA512 63e043a6d2e84d0debfc29e6752ea6844e84bcf07d8565bdeb05a24199d9f27e95ce35eecf6ac32b3aed465c5d9ffa975ac2c111b5b1fbbf5a5fe25ba3149304 +MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/minisig-keys-libsodium/metadata.xml b/sec-keys/minisig-keys-libsodium/metadata.xml new file mode 100644 index 000000000000..7efb31b9e7f2 --- /dev/null +++ b/sec-keys/minisig-keys-libsodium/metadata.xml @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> + <maintainer type="person"> + <email>sam@gentoo.org</email> + <name>Sam James</name> + </maintainer> + <stabilize-allarches/> +</pkgmetadata> diff --git a/sec-keys/minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild b/sec-keys/minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild new file mode 100644 index 000000000000..3d16a1016576 --- /dev/null +++ b/sec-keys/minisig-keys-libsodium/minisig-keys-libsodium-20230914.ebuild @@ -0,0 +1,19 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="OpenPGP keys used for libsodium" +HOMEPAGE="https://doc.libsodium.org/installation#integrity-checking" +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" + +src_install() { + insinto /usr/share/openpgp-keys + newins - libsodium.minisig <<-EOF + RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3 + EOF +} diff --git a/sec-keys/openpgp-keys-apache-xerces-j/Manifest b/sec-keys/openpgp-keys-apache-xerces-j/Manifest new file mode 100644 index 000000000000..7f2b7eafec74 --- /dev/null +++ b/sec-keys/openpgp-keys-apache-xerces-j/Manifest @@ -0,0 +1,3 @@ +DIST openpgp-keys-apache-xerces-j-20200102-KEYS.asc 19880 BLAKE2B 7307d801fbfe347946ff1927970210d51c1db9934ab641464243d8d7d3bbd47bc740d8c4cf900d20bb65a3af143368ca650000a1b45b273bec72e5eb88118861 SHA512 2a8befee7384b35dafd7835bd6abc59284bd217dd65d77b90255dcb832db205163c90d28d11b5deea870c3501c9851a06028921bba1395fbb74323f517329106 +EBUILD openpgp-keys-apache-xerces-j-20200102.ebuild 575 BLAKE2B 9e78295129061c67903013631e28c22aadd5ae4727c6001f64c561aa54e449428280608e54b43103ae6aa5c3230fc1281dc704d7841ad7ea7b1e73a1df5588c8 SHA512 11b19877dc74974b51afc935ccf6845e12b2040f7738d6ef826650a10e7e0fd4bda627633a3c3d88f383868f8db1e243e2c364632e7c819a9e2a9fa84f44e9b7 +MISC metadata.xml 243 BLAKE2B d1937cd00ce74d225075f1cf0e2584ce3f3d04b4ab3bd4ce636326ef8ed6ccaa54535a1c126025464e48a272959a579e08ceb008b8bacb2160f8f623fea5b6b3 SHA512 5431123c80f2e11811efde927819546af19c9ca93c9810399fe784c77ad2201696a081ed146df5b59fbf78ffb39cf8633cd6805e16ca82244aa8458c2ab8c4fd diff --git a/sec-keys/openpgp-keys-apache-xerces-j/metadata.xml b/sec-keys/openpgp-keys-apache-xerces-j/metadata.xml new file mode 100644 index 000000000000..6ef2d50cf07e --- /dev/null +++ b/sec-keys/openpgp-keys-apache-xerces-j/metadata.xml @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> + <maintainer type="project"> + <email>java@gentoo.org</email> + <name>Java</name> + </maintainer> +</pkgmetadata> diff --git a/sec-keys/openpgp-keys-apache-xerces-j/openpgp-keys-apache-xerces-j-20200102.ebuild b/sec-keys/openpgp-keys-apache-xerces-j/openpgp-keys-apache-xerces-j-20200102.ebuild new file mode 100644 index 000000000000..76f4fd3be859 --- /dev/null +++ b/sec-keys/openpgp-keys-apache-xerces-j/openpgp-keys-apache-xerces-j-20200102.ebuild @@ -0,0 +1,21 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="OpenPGP keys used by xerces.apache.org/xerces2-j" +HOMEPAGE="https://xerces.apache.org" +SRC_URI="https://downloads.apache.org/xerces/j/KEYS -> ${P}-KEYS.asc" +# https://downloads.apache.org/xerces/j/KEYS + +LICENSE="public-domain" +SLOT="0" +KEYWORDS="amd64 ~arm arm64 ppc64 x86" + +S="${WORKDIR}" + +src_install() { + local files=( ${A} ) + insinto /usr/share/openpgp-keys + newins - xerces-j.apache.org.asc < <(cat "${files[@]/#/${DISTDIR}/}" || die) +} diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index 40a66c95e2f0..c080f584dfa3 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -2,8 +2,10 @@ AUX keyring-mangler.py 3061 BLAKE2B a5acb20346c8eb4b036773562625ac39469d378a343c DIST openpgp-keys-gentoo-developers-20230717-active-devs.gpg 3104679 BLAKE2B 81777f536f342de356bdc9e5bc6b8b3319bec058c5fff663c80db6b9acbfc625703bf66bbc271c9dbb53de714dc581637ae01bfcd750174579410813c64717c4 SHA512 6f6f5d50d24acaec7774497fb8dc01e240e9b8f93578b5b08ef097b02299c2116deb87264fa3ce3144dc6fbb28d9e2d7363ed2505f5e264d783901b581262105 DIST openpgp-keys-gentoo-developers-20230828-active-devs.gpg 3102805 BLAKE2B efd321e8ebb76d32e47df8085c9bb0d393c59d747b54cb5cf6febcc301a92a7c2a2b8bebd95b8f1b8fa9a6683aefc673809d8418408434bc41a1cf2bf8076938 SHA512 9e2e7408c2371edbe037243971fe6d45931cf526dff1d6014e472c056f8ed6881632d86497e9d6cd6b535574fb99c2af43fb63074911f4af476b5f590cc272dd DIST openpgp-keys-gentoo-developers-20230904-active-devs.gpg 3101925 BLAKE2B d49e8c43979ce0c57275e866d753cdf8ddd56a323f49706431a3fa2c30c432a197107051cc7600bafb25626dac0b60f3a787b6106b29dfa0573828bdebad8f2e SHA512 9f3bae591970a26e194e97e5e44a2bb5e510d4e87bc2e334ad75edbb90be5413b12b34b73123ff7d65b26069b7c64fbd0db4747837921965a041adb2f0d5028a +DIST openpgp-keys-gentoo-developers-20230911-active-devs.gpg 3107469 BLAKE2B eae368d380cb93e03c66926b04fa86ca21c0a7cc591668bd28b62d7483e3be483610c373a871fbcbe2a10361ee981d7f00f9d6204c244b838cc74b70edd7639c SHA512 224e548915e9d878b22837f695ecf1b1a24f7ea2be45fe2e057cd5a4a814ae4132ba8dd6e2e032a4d4662e7ed0063e84e90e445ee46ced6dc56955fa3a968097 EBUILD openpgp-keys-gentoo-developers-20230717.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e EBUILD openpgp-keys-gentoo-developers-20230828.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e EBUILD openpgp-keys-gentoo-developers-20230904.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 +EBUILD openpgp-keys-gentoo-developers-20230911.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230911.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230911.ebuild new file mode 100644 index 000000000000..fda85a259ff6 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230911.ebuild @@ -0,0 +1,233 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..12} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + PROPERTIES="live" + + BDEPEND="net-misc/curl" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND+=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + sec-keys/openpgp-keys-gentoo-auth + test? ( + app-crypt/gnupg + sys-apps/grep[pcre] + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + local key + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +} |