net-p2p/p2pool: Add signature verification script for sources

Signed-off-by: Adam Pimentel <[email protected]>
gentoo · Aug 2, 2024 · 4c2441b · 4c2441b
1 parent 67439b7
commit 4c2441b
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 4 deletions.
diff --git a/net-p2p/p2pool/Manifest b/net-p2p/p2pool/Manifest
@@ -1 +1,2 @@
-DIST p2pool-4.0.tar.xz 127772256 BLAKE2B 77de14bd19f43483fa7da0e65f8a27d5f6cf8c2daf5d8d5e07be373c752794bd35c421fd812b65328acd22004766ff235e9ad6e7e613d08ca3c27ac95153cbc3 SHA512 ea37993d13342b303902e6aa6acb090a908ba99ae304d9415480ff39a3647c84a963ab80b317c9c78a9f11631e0ca9547a08c6e0c23b83892037b63d4beef7a2
+DIST p2pool-4.0_shasums.asc 2038 BLAKE2B f8f20875a9fa4771753b1eade7c609be761f007ac32a0641109d87890bdd7f2123f11a203d56ffcca5b74b16667e0d8288479688938935434b86875c6c72959c SHA512 bf4a933a81ce9bd48bf293a26d3e4e75b82c67fcfd48d79c57dd86aaac2c2cd54def43b47b05222e0b93fd61623d2c116c403531500a93d45059bca4a0dd3cb4
+DIST p2pool-4.0_source.tar.xz 127772256 BLAKE2B 77de14bd19f43483fa7da0e65f8a27d5f6cf8c2daf5d8d5e07be373c752794bd35c421fd812b65328acd22004766ff235e9ad6e7e613d08ca3c27ac95153cbc3 SHA512 ea37993d13342b303902e6aa6acb090a908ba99ae304d9415480ff39a3647c84a963ab80b317c9c78a9f11631e0ca9547a08c6e0c23b83892037b63d4beef7a2
diff --git a/net-p2p/p2pool/p2pool-4.0.ebuild b/net-p2p/p2pool/p2pool-4.0.ebuild
@@ -1,13 +1,19 @@
 # Copyright 2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
+#TODO: verify hell script is safe
+#TODO: enable/fix GRPC dependency and add it as USE flag (https://github.com/SChernykh/p2pool/issues/313)
+
 EAPI=8
 
-inherit cmake
+inherit cmake verify-sig
 
 DESCRIPTION="Decentralized pool for Monero mining"
 HOMEPAGE="https://p2pool.io"
-SRC_URI=" https://github.com/SChernykh/p2pool/releases/download/v${PV}/p2pool_source.tar.xz -> ${P}.tar.xz"
+SRC_URI="
+	https://github.com/SChernykh/p2pool/releases/download/v${PV}/p2pool_source.tar.xz -> ${P}_source.tar.xz
+	verify-sig? ( https://github.com/SChernykh/p2pool/releases/download/v${PV}/sha256sums.txt.asc -> ${P}_shasums.asc )
+"
 
 LICENSE="BSD GPL-3+ ISC LGPL-3+ MIT"
 SLOT="0"
@@ -17,9 +23,48 @@ DEPEND="
 	dev-libs/libsodium
 	net-libs/czmq
 "
+BDEPEND="
+	verify-sig? ( sec-keys/openpgp-keys-schernykh )
+"
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/SChernykh.asc
 
 src_unpack() {
-	unpack ${P}.tar.xz
+	if use verify-sig; then
+		#what we want to do is `verify-sig_verify_signed_checksums ${P}_shasums.asc sha512 p2pool_source.tar.xz`
+		verify-sig_verify_message "${DISTDIR}/${P}_shasums.asc" "${WORKDIR}/p2pool_shasums.txt"
+
+		#start of hell script
+		hellscript_stage=0
+		tr -d '\r' < p2pool_shasums.txt | while IFS='' read -r LINE; do
+			if [ "$hellscript_stage" -eq 0 ] && [ "$LINE" = "Name: p2pool_source.tar.xz" ]; then
+				hellscript_stage=1
+				continue
+			fi
+			if [ "$hellscript_stage" -eq 1 ]; then
+				hellscript_sizestring="Size: $(cat ${DISTDIR}/${P}_source.tar.xz | wc -c) bytes"
+				if [ "${LINE:0:"${#hellscript_sizestring}"}" = "$hellscript_sizestring" ]; then
+					hellscript_stage=2
+					continue
+				else
+					die
+				fi
+			fi
+			if [ "$hellscript_stage" -eq 2 ]; then
+				hellscript_shaprefix="SHA256: "
+				if [ "${LINE:0:"${#hellscript_shaprefix}"}" = "$hellscript_shaprefix" ]; then
+					echo "$(echo "${LINE:"${#hellscript_shaprefix}"}" | tr '[:upper:]' '[:lower:]')  ${DISTDIR}/${P}_source.tar.xz" \
+					 > "${WORKDIR}/src_shasum.txt"
+				else
+					die
+				fi
+				break
+			fi
+		done
+		verify-sig_verify_unsigned_checksums "${WORKDIR}/src_shasum.txt" sha256 "${DISTDIR}/${P}_source.tar.xz"
+		#end of hell script
+	fi
+	unpack ${P}_source.tar.xz
 	mv -T "${WORKDIR}"/${PN} "${WORKDIR}"/${P} || die
 }
 

diff --git a/sec-keys/openpgp-keys-schernykh/Manifest b/sec-keys/openpgp-keys-schernykh/Manifest
@@ -0,0 +1 @@
+DIST SChernykh.asc 3139 BLAKE2B 97d27eea4ae8a7822acbf0b5c1470dc711d66c461a35b4d6ea7737cb173d706466e75262c97581222bbb218838070f048840274dd4dfdb400b64a7be45429855 SHA512 d7674c286dd628e0f4a3146cd2b16dab690752db89713630dd1be43febca159be18623b25cdef15273de4c8c0eb16b289203c0130ef7ac03f0371b3767bcd121
diff --git a/sec-keys/openpgp-keys-schernykh/metadata.xml b/sec-keys/openpgp-keys-schernykh/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>[email protected]</email>
+		<name>Adam Pimentel</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/sec-keys/openpgp-keys-schernykh/openpgp-keys-schernykh-20210409.ebuild b/sec-keys/openpgp-keys-schernykh/openpgp-keys-schernykh-20210409.ebuild
@@ -0,0 +1,19 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="OpenPGP keys used to sign P2Pool releases"
+HOMEPAGE="https://p2pool.io/"
+SRC_URI="https://p2pool.io/SChernykh.asc"
+S="${WORKDIR}"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+
+src_install() {
+	local files=( ${A} )
+	insinto /usr/share/openpgp-keys
+	newins - SChernykh.asc < <(cat "${files[@]/#/${DISTDIR}/}")
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		DIST SChernykh.asc 3139 BLAKE2B 97d27eea4ae8a7822acbf0b5c1470dc711d66c461a35b4d6ea7737cb173d706466e75262c97581222bbb218838070f048840274dd4dfdb400b64a7be45429855 SHA512 d7674c286dd628e0f4a3146cd2b16dab690752db89713630dd1be43febca159be18623b25cdef15273de4c8c0eb16b289203c0130ef7ac03f0371b3767bcd121