ports: Verify signatures of 3rd-party code

This patch adds integrity checks for the packages of the ports repository. Issue #748
2025-02-18 17:00:26 +00:00 · 2013-05-26 09:18:49 +02:00 · 2013-05-26 09:18:49 +02:00 · 96e9fcd326
commit 96e9fcd326
parent 64a2447d03
12 changed files with 105 additions and 36 deletions
--- a/ports/ports/bash.mk
+++ b/ports/ports/bash.mk
@ -1,6 +1,10 @@
-BASH     = bash-4.1
-BASH_TGZ = $(BASH).tar.gz
-BASH_URL = http://ftp.gnu.org/gnu/bash/$(BASH_TGZ)
+BASH          = bash-4.1
+BASH_TGZ      = $(BASH).tar.gz
+BASH_SIG      = $(BASH_TGZ).sig
+BASH_BASE_URL = http://ftp.gnu.org/gnu/bash
+BASH_URL      = $(BASH_BASE_URL)/$(BASH_TGZ)
+BASH_URL_SIG  = $(BASH_BASE_URL)/$(BASH_SIG)
+BASH_KEY      = GNU

 #
 # Interface to top-level prepare Makefile
@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(BASH)
 #
 $(DOWNLOAD_DIR)/$(BASH_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BASH_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BASH_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(BASH_TGZ) $(DOWNLOAD_DIR)/$(BASH_SIG) $(BASH_KEY)

 $(CONTRIB_DIR)/$(BASH): $(DOWNLOAD_DIR)/$(BASH_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/binutils.mk
+++ b/ports/ports/binutils.mk
@ -1,6 +1,10 @@
-BINUTILS      = binutils-2.22
-BINUTILS_TBZ2 = $(BINUTILS).tar.bz2
-BINUTILS_URL  = ftp://ftp.fu-berlin.de/gnu/binutils/$(BINUTILS_TBZ2)
+BINUTILS          = binutils-2.22
+BINUTILS_TBZ2     = $(BINUTILS).tar.bz2
+BINUTILS_SIG      = $(BINUTILS_TBZ2).sig
+BINUTILS_BASE_URL = ftp://ftp.fu-berlin.de/gnu/binutils
+BINUTILS_URL      = $(BINUTILS_BASE_URL)/$(BINUTILS_TBZ2)
+BINUTILS_URL_SIG  = $(BINUTILS_BASE_URL)/$(BINUTILS_SIG)
+BINUTILS_KEY      = GNU

 #
 # Interface to top-level prepare Makefile
@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(BINUTILS)
 #
 $(DOWNLOAD_DIR)/$(BINUTILS_TBZ2):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BINUTILS_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BINUTILS_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(BINUTILS_TBZ2) $(DOWNLOAD_DIR)/$(BINUTILS_SIG) $(BINUTILS_KEY)

 $(CONTRIB_DIR)/$(BINUTILS): $(DOWNLOAD_DIR)/$(BINUTILS_TBZ2)
 	$(VERBOSE)tar xfj $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/coreutils.mk
+++ b/ports/ports/coreutils.mk
@ -1,6 +1,10 @@
-COREUTILS     = coreutils-8.9
-COREUTILS_TGZ = $(COREUTILS).tar.gz
-COREUTILS_URL = http://ftp.gnu.org/gnu/coreutils/$(COREUTILS_TGZ)
+COREUTILS          = coreutils-8.9
+COREUTILS_TGZ      = $(COREUTILS).tar.gz
+COREUTILS_SIG      = $(COREUTILS_TGZ).sig
+COREUTILS_BASE_URL = http://ftp.gnu.org/gnu/coreutils
+COREUTILS_URL      = $(COREUTILS_BASE_URL)/$(COREUTILS_TGZ)
+COREUTILS_URL_SIG  = $(COREUTILS_BASE_URL)/$(COREUTILS_SIG)
+COREUTILS_KEY      = GNU

 #
 # Interface to top-level prepare Makefile
@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(COREUTILS)
 #
 $(DOWNLOAD_DIR)/$(COREUTILS_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(COREUTILS_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(COREUTILS_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(COREUTILS_TGZ) $(DOWNLOAD_DIR)/$(COREUTILS_SIG) $(COREUTILS_KEY)

 $(CONTRIB_DIR)/$(COREUTILS): $(DOWNLOAD_DIR)/$(COREUTILS_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/findutils.mk
+++ b/ports/ports/findutils.mk
@ -1,6 +1,10 @@
-FINDUTILS     = findutils-4.4.2
-FINDUTILS_TGZ = $(FINDUTILS).tar.gz
-FINDUTILS_URL = http://ftp.gnu.org/pub/gnu/findutils/$(FINDUTILS_TGZ)
+FINDUTILS          = findutils-4.4.2
+FINDUTILS_TGZ      = $(FINDUTILS).tar.gz
+FINDUTILS_SIG      = $(FINDUTILS_TGZ).sig
+FINDUTILS_BASE_URL = http://ftp.gnu.org/pub/gnu/findutils
+FINDUTILS_URL      = $(FINDUTILS_BASE_URL)/$(FINDUTILS_TGZ)
+FINDUTILS_URL_SIG  = $(FINDUTILS_BASE_URL)/$(FINDUTILS_SIG)
+FINDUTILS_KEY      = GNU

 #
 # Interface to top-level prepare Makefile
@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(FINDUTILS)
 #
 $(DOWNLOAD_DIR)/$(FINDUTILS_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(FINDUTILS_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(FINDUTILS_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(FINDUTILS_TGZ) $(DOWNLOAD_DIR)/$(FINDUTILS_SIG) $(FINDUTILS_KEY)

 $(CONTRIB_DIR)/$(FINDUTILS): $(DOWNLOAD_DIR)/$(FINDUTILS_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/gcc.mk
+++ b/ports/ports/gcc.mk
@ -1,8 +1,9 @@
-GCC_VERSION  = 4.7.2
-GCC          = gcc-$(GCC_VERSION)
-GCC_URL      = ftp://ftp.fu-berlin.de/gnu/gcc
-
-GCC_TGZ = gcc-$(GCC_VERSION).tar.gz
+GCC_VERSION = 4.7.2
+GCC         = gcc-$(GCC_VERSION)
+GCC_URL     = ftp://ftp.fu-berlin.de/gnu/gcc
+GCC_TGZ     = gcc-$(GCC_VERSION).tar.gz
+GCC_SIG     = $(GCC_TGZ).sig
+GCC_KEY     = GNU

 #
 # Interface to top-level prepare Makefile
@ -17,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(GCC)/configure

 $(DOWNLOAD_DIR)/$(GCC_TGZ):
 	$(VERBOSE)wget -P $(DOWNLOAD_DIR) $(GCC_URL)/$(GCC)/$(GCC_TGZ) && touch $@
+	$(VERBOSE)wget -P $(DOWNLOAD_DIR) $(GCC_URL)/$(GCC)/$(GCC_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(GCC_TGZ) $(DOWNLOAD_DIR)/$(GCC_SIG) $(GCC_KEY)

 #
 # Utilities
--- a/ports/ports/gdb.mk
+++ b/ports/ports/gdb.mk
@ -1,7 +1,9 @@
-GDB_VERSION  = 7.3.1
-GDB          = gdb-$(GDB_VERSION)
-GDB_URL      = ftp://ftp.fu-berlin.de/gnu/gdb
-GDB_TBZ2     = gdb-$(GDB_VERSION).tar.bz2
+GDB_VERSION = 7.3.1
+GDB         = gdb-$(GDB_VERSION)
+GDB_URL     = ftp://ftp.fu-berlin.de/gnu/gdb
+GDB_TBZ2    = gdb-$(GDB_VERSION).tar.bz2
+GDB_SIG     = $(GDB_TBZ2).sig
+GDB_KEY     = GNU

 # these files are only needed to generate other files in the preparation process
 GDB_CONTENT := gdb/regformats/regdat.sh \
@ -51,6 +53,8 @@ prepare:: $(CONTRIB_DIR)/$(GDB)/configure generated_files

 $(DOWNLOAD_DIR)/$(GDB_TBZ2):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GDB_URL)/$(GDB_TBZ2) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GDB_URL)/$(GDB_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(GDB_TBZ2) $(DOWNLOAD_DIR)/$(GDB_SIG) $(GDB_KEY)

 $(CONTRIB_DIR)/$(GDB): $(DOWNLOAD_DIR)/$(GDB_TBZ2)
 	$(VERBOSE)tar xfj $< -C $(CONTRIB_DIR)
--- a/ports/ports/lighttpd.mk
+++ b/ports/ports/lighttpd.mk
@ -1,7 +1,11 @@
 include ports/lighttpd.inc

-LIGHTTPD_TGZ = $(LIGHTTPD).tar.gz
-LIGHTTPD_URL = http://download.lighttpd.net/lighttpd/releases-1.4.x/$(LIGHTTPD_TGZ)
+LIGHTTPD_TGZ      = $(LIGHTTPD).tar.gz
+LIGHTTPD_SIG      = $(LIGHTTPD_TGZ).asc
+LIGHTTPD_BASE_URL = http://download.lighttpd.net/lighttpd/releases-1.4.x
+LIGHTTPD_URL      = $(LIGHTTPD_BASE_URL)/$(LIGHTTPD_TGZ)
+LIGHTTPD_URL_SIG  = $(LIGHTTPD_BASE_URL)/$(LIGHTTPD_SIG)
+LIGHTTPD_KEY      = stbuehler@lighttpd.net

 #
 # Interface to top-level prepare Makefile
@ -15,6 +19,8 @@ prepare:: $(CONTRIB_DIR)/$(LIGHTTPD)
 #
 $(DOWNLOAD_DIR)/$(LIGHTTPD_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(LIGHTTPD_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(LIGHTTPD_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(LIGHTTPD_TGZ) $(DOWNLOAD_DIR)/$(LIGHTTPD_SIG) $(LIGHTTPD_KEY)

 $(CONTRIB_DIR)/$(LIGHTTPD): $(DOWNLOAD_DIR)/$(LIGHTTPD_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/lynx.mk
+++ b/ports/ports/lynx.mk
@ -1,6 +1,10 @@
-LYNX = lynx-2.8.8.dev12
-LYNX_TGZ = $(LYNX).tar.gz
-LYNX_URL = http://lynx.isc.org/gnumatic/$(LYNX_TGZ)
+LYNX         = lynx-2.8.8.dev12
+LYNX_TGZ     = $(LYNX).tar.gz
+LYNX_SIG     = $(LYNX_TGZ).asc
+LYNX_URL     = http://lynx.isc.org/gnumatic/$(LYNX_TGZ)
+LYNX_URL_SIG = UNKOWN/$(LYNX_SIG)
+LYNX_KEY     = dickey@sf1.isc.org
+
 #
 # Interface to top-level prepare Makefile
 #
@ -13,6 +17,14 @@ prepare:: $(CONTRIB_DIR)/$(LYNX)
 #
 $(DOWNLOAD_DIR)/$(LYNX_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) -O $@ $(LYNX_URL) && touch $@
+	#$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(LYNX_URL_SIG) && touch $@
+	#
+	# XXX The current source of the lynx tarball does not contain the signature
+	#     file. The official location contains the signature. Thus, upon
+	#     switching to the official location, the signature check can be
+	#     enabled.
+	#
+	#$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(LYNX_TGZ) $(DOWNLOAD_DIR)/$(LYNX_SIG) $(LYNX_KEY)

 $(CONTRIB_DIR)/$(LYNX): $(DOWNLOAD_DIR)/$(LYNX_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/make.mk
+++ b/ports/ports/make.mk
@ -1,6 +1,10 @@
-GNUMAKE     = make-3.82
-GNUMAKE_TGZ = $(GNUMAKE).tar.gz
-GNUMAKE_URL = http://ftp.gnu.org/pub/gnu/make/$(GNUMAKE_TGZ)
+GNUMAKE          = make-3.82
+GNUMAKE_TGZ      = $(GNUMAKE).tar.gz
+GNUMAKE_SIG      = $(GNUMAKE_TGZ).sig
+GNUMAKE_BASE_URL = http://ftp.gnu.org/pub/gnu/make
+GNUMAKE_URL      = $(GNUMAKE_BASE_URL)/$(GNUMAKE_TGZ)
+GNUMAKE_URL_SIG  = $(GNUMAKE_BASE_URL)/$(GNUMAKE_SIG)
+GNUMAKE_KEY      = GNU

 #
 # Interface to top-level prepare Makefile
@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(GNUMAKE)
 #
 $(DOWNLOAD_DIR)/$(GNUMAKE_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GNUMAKE_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GNUMAKE_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(GNUMAKE_TGZ) $(DOWNLOAD_DIR)/$(GNUMAKE_SIG) $(GNUMAKE_KEY)

 $(CONTRIB_DIR)/$(GNUMAKE): $(DOWNLOAD_DIR)/$(GNUMAKE_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/openssh.mk
+++ b/ports/ports/openssh.mk
@ -1,6 +1,10 @@
-OPENSSH     = openssh-6.1p1
-OPENSSH_TGZ = $(OPENSSH).tar.gz
-OPENSSH_URL = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).tar.gz
+OPENSSH          = openssh-6.1p1
+OPENSSH_TGZ      = $(OPENSSH).tar.gz
+OPENSSH_SIG      = $(OPENSSH_TGZ).asc
+OPENSSH_BASE_URL = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
+OPENSSH_URL      = $(OPENSSH_BASE_URL)/$(OPENSSH_TGZ)
+OPENSSH_URL_SIG  = $(OPENSSH_BASE_URL)/$(OPENSSH_SIG)
+OPENSSH_KEY      = 3981992A1523ABA079DBFC66CE8ECB0386FF9C48

 #
 # Interface to top-level prepare Makefile
@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(OPENSSH)
 #
 $(DOWNLOAD_DIR)/$(OPENSSH_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(OPENSSH_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(OPENSSH_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(OPENSSH_TGZ) $(DOWNLOAD_DIR)/$(OPENSSH_SIG) $(OPENSSH_KEY)

 $(CONTRIB_DIR)/$(OPENSSH): $(DOWNLOAD_DIR)/$(OPENSSH_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
--- a/ports/ports/vim.mk
+++ b/ports/ports/vim.mk
@ -1,7 +1,8 @@
 VIM      = vim-7.3
 VIM_TBZ2 = $(VIM).tar.bz2
 VIM_URL  = ftp://ftp.vim.org/pub/vim/unix/$(VIM_TBZ2)
-
+# from ftp://ftp.vim.org/pub/vim/unix/MD5SUMS
+VIM_MD5  = 5b9510a17074e2b37d8bb38ae09edbf2
 #
 # Interface to top-level prepare Makefile
 #
@ -19,6 +20,7 @@ prepare:: $(CONTRIB_DIR)/$(VIM)
 #
 $(DOWNLOAD_DIR)/$(VIM_TBZ2):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(VIM_URL) && touch $@
+	$(VERBOSE)$(HASHVERIFIER) $(DOWNLOAD_DIR)/$(VIM_TBZ2) $(VIM_MD5) md5

 $(CONTRIB_DIR)/$(VIM): $(DOWNLOAD_DIR)/$(VIM_TBZ2)
 	$(VERBOSE)tar xfj $< -C $(CONTRIB_DIR)
--- a/ports/ports/which.mk
+++ b/ports/ports/which.mk
@ -1,6 +1,10 @@
-WHICH = which-2.20
-WHICH_TGZ = $(WHICH).tar.gz
-WHICH_URL = http://ftp.gnu.org/gnu/which/$(WHICH_TGZ)
+WHICH          = which-2.20
+WHICH_TGZ      = $(WHICH).tar.gz
+WHICH_SIG      = $(WHICH_TGZ).sig
+WHICH_BASE_URL = http://ftp.gnu.org/gnu/which
+WHICH_URL      = $(WHICH_BASE_URL)/$(WHICH_TGZ)
+WHICH_URL_SIG  = $(WHICH_BASE_URL)/$(WHICH_SIG)
+WHICH_KEY      = GNU
 #
 # Interface to top-level prepare Makefile
 #
@ -13,6 +17,8 @@ prepare:: $(CONTRIB_DIR)/$(WHICH)
 #
 $(DOWNLOAD_DIR)/$(WHICH_TGZ):
 	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) -O $@ $(WHICH_URL) && touch $@
+	$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(WHICH_URL_SIG) && touch $@
+	$(VERBOSE)$(SIGVERIFIER) $@ $(DOWNLOAD_DIR)/$(WHICH_SIG) $(WHICH_KEY)

 $(CONTRIB_DIR)/$(WHICH): $(DOWNLOAD_DIR)/$(WHICH_TGZ)
 	$(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@