[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor-browser-bundle/master] Bug 11771: Verify all tags/hashes prior to each build invocation.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx, tbb-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [tor-browser-bundle/master] Bug 11771: Verify all tags/hashes prior to each build invocation.
From: mikeperry@xxxxxxxxxxxxxx
Date: Tue, 6 May 2014 15:01:18 +0000 (UTC)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 06 May 2014 11:01:40 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Patch-author: Mike Perry <mikeperry-git@xxxxxxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>

commit 0f6800a9fe4225915014140077e4ea1ec5919eb5
Author: Mike Perry <mikeperry-git@xxxxxxxxxxxxxx>
Date:   Tue May 6 07:14:49 2014 -0700

    Bug 11771: Verify all tags/hashes prior to each build invocation.
    
    Only if VERIFY_TAGS=1 is set from the versions file though.
---
 gitian/fetch-inputs.sh     |    2 ++
 gitian/mkbundle-linux.sh   |    9 +++++-
 gitian/mkbundle-mac.sh     |    9 +++++-
 gitian/mkbundle-windows.sh |    9 +++++-
 gitian/verify-tags.sh      |   76 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 102 insertions(+), 3 deletions(-)

diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index b542cf0..03827b6 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -44,6 +44,8 @@ cd "$INPUTS_DIR"
 CLEANUP=$(tempfile)
 trap "bash '$CLEANUP'; rm -f '$CLEANUP'" EXIT
 
+# FIXME: This code is copied to verify-tags.sh.. Should we make a bash
+# function library?
 verify() {
   local file="$1"; shift
   local keyring="$1"; shift
diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh
index 1328a9c..6101971 100755
--- a/gitian/mkbundle-linux.sh
+++ b/gitian/mkbundle-linux.sh
@@ -65,6 +65,13 @@ $WRAPPER_DIR/build-helpers/dzip.sh $GITIAN_DIR/inputs/linux-skeleton.zip .
 
 cd $WRAPPER_DIR
 
+# FIXME: Library function?
+die_msg() {
+  local msg="$1"; shift
+  printf "\n\n$msg\n"
+  exit 1
+}
+
 # Let's preserve the original $FOO for creating proper symlinks after building
 # the utils both if we verify tags and if we don't.
 
@@ -72,7 +79,7 @@ LIBEVENT_TAG_ORIG=$LIBEVENT_TAG
 
 if [ "z$VERIFY_TAGS" = "z1" ];
 then
-  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1
+  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date"
   # If we're verifying tags, be explicit to gitian that we
   # want to build from tags.
   NSIS_TAG=refs/tags/$NSIS_TAG
diff --git a/gitian/mkbundle-mac.sh b/gitian/mkbundle-mac.sh
index a9cbacb..7681ed4 100755
--- a/gitian/mkbundle-mac.sh
+++ b/gitian/mkbundle-mac.sh
@@ -72,9 +72,16 @@ $WRAPPER_DIR/build-helpers/dtar.sh $GITIAN_DIR/inputs/dmg-applications.tar.xz .
 
 cd $WRAPPER_DIR
 
+# FIXME: Library function?
+die_msg() {
+  local msg="$1"; shift
+  printf "\n\n$msg\n"
+  exit 1
+}
+
 if [ "z$VERIFY_TAGS" = "z1" ];
 then
-  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1
+  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date"
   # If we're verifying tags, be explicit to gitian that we
   # want to build from tags.
   NSIS_TAG=refs/tags/$NSIS_TAG
diff --git a/gitian/mkbundle-windows.sh b/gitian/mkbundle-windows.sh
index 7ab0aa6..bf6a5d4 100755
--- a/gitian/mkbundle-windows.sh
+++ b/gitian/mkbundle-windows.sh
@@ -67,9 +67,16 @@ $WRAPPER_DIR/build-helpers/dzip.sh $GITIAN_DIR/inputs/windows-skeleton.zip .
 
 cd $WRAPPER_DIR
 
+# FIXME: Library function?
+die_msg() {
+  local msg="$1"; shift
+  printf "\n\n$msg\n"
+  exit 1
+}
+
 if [ "z$VERIFY_TAGS" = "z1" ];
 then
-  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || exit 1
+  ./verify-tags.sh $GITIAN_DIR/inputs $VERSIONS_FILE || die_msg "You should run 'make prep' to ensure your inputs are up to date"
   # If we're verifying tags, be explicit to gitian that we
   # want to build from tags.
   NSIS_TAG=refs/tags/$NSIS_TAG
diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh
index 28c16f1..8829b9d 100755
--- a/gitian/verify-tags.sh
+++ b/gitian/verify-tags.sh
@@ -48,6 +48,43 @@ verify_git() {
   popd
 }
 
+# FIXME: This code is copied from fetch-inputs.sh.. Should we make a bash
+# function library?
+verify() {
+  local file="$1"; shift
+  local keyring="$1"; shift
+  local suffix="$1"; shift
+
+  local f
+  for f in "$file" "$file.$suffix" "$keyring"; do
+    if ! [ -e "$f" ]; then
+      echo >&2 "Error: Required file $f does not exist."; exit 1
+    fi
+  done
+
+  local tmpfile=$(tempfile)
+  echo "rm -f '$tmpfile'" >> "$CLEANUP"
+  local gpghome=$(mktemp -d)
+  echo "rm -rf '$gpghome'" >> "$CLEANUP"
+  exec 3> "$tmpfile"
+
+  GNUPGHOME="$gpghome" gpg --no-options --no-default-keyring --trust-model=always --keyring="$keyring" --status-fd=3 --verify "$file.$suffix" "$file" >/dev/null 2>&1
+  if grep -q '^\[GNUPG:\] GOODSIG ' "$tmpfile"; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+check_git_hash() {
+  local dir="$1"; shift
+  local commit="${1:-}"
+
+  if [ -n "$commit" ]; then
+    (cd "$dir" && git checkout "$commit")
+  fi
+}
+
 
 while read dir keyring tag; do
   verify_git "$dir" "$WRAPPER_DIR/gpg/$keyring" "$tag"
@@ -65,6 +102,45 @@ obfsproxy             obfsproxy.gpg             $OBFSPROXY_TAG
 flashproxy            flashproxy.gpg            $FLASHPROXY_TAG
 EOF
 
+while read dir commit; do
+  check_git_hash "$dir" "$commit"
+done << EOF
+libdmg-hfsplus          $LIBDMG_TAG
+fteproxy                $FTEPROXY_TAG
+EOF
+
+# Verify signatures on signed packages
+for i in BINUTILS GCC PYTHON PYCRYPTO M2CRYPTO PYTHON_MSI GMP LXML
+do
+  PACKAGE="${i}_PACKAGE"
+  URL="${i}_URL"
+  if [ "${i}" == "PYTHON" -o "${i}" == "PYCRYPTO" -o "${i}" == "M2CRYPTO" -o \
+       "${i}" == "PYTHON_MSI" -o "${i}" == "LXML" ]; then
+    SUFFIX="asc"
+  else
+    SUFFIX="sig"
+  fi
+
+  if ! verify "${!PACKAGE}" "$WRAPPER_DIR/gpg/$i.gpg" $SUFFIX; then
+    echo "$i: GPG signature is broken for ${!URL}"
+    mv "${!PACKAGE}" "${!PACKAGE}.badgpg"
+    exit 1
+  fi
+done
+
+# Verify packages with weak or no signatures via direct sha256 check
+# (OpenSSL is signed with MD5, and OSXSDK is not signed at all)
+for i in OSXSDK TOOLCHAIN4 TOOLCHAIN4_OLD NOSCRIPT HTTPSE MINGW MSVCR100 PYCRYPTO ARGPARSE PYYAML ZOPEINTERFACE TWISTED M2CRYPTO SETUPTOOLS OPENSSL GMP
+do
+   PACKAGE="${i}_PACKAGE"
+   HASH="${i}_HASH"
+   if ! echo "${!HASH}  ${!PACKAGE}" | sha256sum -c -; then
+     echo "Package hash for ${!PACKAGE} differs from our locally stored sha256!"
+     exit 1
+   fi
+done
+
+
 cd "$INPUTS_DIR"
 verify_git "." "$WRAPPER_DIR/gpg/torbutton.gpg" "$GITIAN_TAG"
 git checkout "$GITIAN_TAG"



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [tor-browser-bundle/master] Make PT tags explicitly be git tag refs.
Next by Author: [tor-commits] [torbrowser/master] Recommend 3.6.1. Keep 3.6.
Previous by thread: [tor-commits] [tor-browser-bundle/master] Make PT tags explicitly be git tag refs.
Next by thread: [tor-commits] [stem/master] Adding PT_MISSING to ORClosureReason
Index(es):
- Author
- Thread