#!/bin/bash -e
#
# verify.sh - Simple script to verify a grsecurity signature
#
# Copyright (C) 2013 Mickaël Salaün <mic@digikod.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details: <http://gnu.org/licenses/>.
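usage() {
  # Print an optional diagnostic followed by the usage line, then exit 1.
  # Arguments: $1 - optional message explaining why usage is being shown
  # Outputs:   everything goes to stderr; stdout is reserved for the
  #            "Patch:/Tree:/Linux:" result lines printed by the main flow
  local msg="${1:-}"
  if [ -n "${msg}" ]; then
    # The message used to go to stdout while the usage line went to stderr,
    # which split one diagnostic across two streams; keep them together.
    printf '%s\n\n' "${msg}" >&2
  fi
  printf 'usage: %s [git-commit]\n' "$0" >&2
  exit 1
}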
error() {
  # Report a fatal problem on stderr and terminate the script with status 1.
  # Arguments: all arguments are joined with single spaces into the message
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}
warning() {
  # Report a non-fatal problem on stderr; execution continues in the caller.
  # Arguments: all arguments are joined with single spaces into the message
  printf 'WARNING: %s\n' "$*" >&2
}
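# The "-e" on the shebang line is silently dropped when the script is run as
# "bash verify.sh", so re-assert it here: an unchecked failure anywhere below
# must abort instead of letting a later step run on partial data.  pipefail
# makes the "git ... | awk ..." substitutions fail when git itself fails.
set -e -o pipefail

# Commit to verify: first argument, defaulting to HEAD.
COMMIT="${1:-HEAD}"
if ! git cat-file commit "${COMMIT}" &>/dev/null; then
  usage "Bad commit"
fi

# The Signature-tree id is taken from the last line of the commit object.
SIG_TREE="$(git cat-file commit "${COMMIT}" | awk 'END { if ($1=="Signature-tree:") print $2 }')"
if [ -z "${SIG_TREE}" ]; then
  usage "No Signature-tree in commit"
fi

# "new" blob: the tree the signed patch is supposed to produce.  It must be
# the tree the commit actually points to (first header line of the object).
NEW_TREE="$(git cat-file blob "${SIG_TREE}:new")"
if [ "$(git cat-file commit "${COMMIT}" | awk 'NR==1 && $1=="tree" { print $2 }')" != "${NEW_TREE}" ]; then
  error "Inconsistent commit and Signature-tree"
fi

# Patch name comes from the commit subject, expected as "grsec: Apply <patch>".
PATCH="$(git log --no-walk --max-count=1 --pretty=format:%s "${COMMIT}" | awk 'NR==1 && $1=="grsec:" && $2=="Apply" { print $3 }')"
if [ -z "${PATCH}" ]; then
  usage "No patch import in commit"
fi

# "orig" blob: the upstream Linux tag the patch was diffed against.
ORIG_TAG="$(git cat-file blob "${SIG_TREE}:orig")"
if [ -z "${ORIG_TAG}" ]; then
  error "No orig tag in Signature-tree"
fi
LINUX_VERSION="$(git describe -- "${ORIG_TAG}")"
if [ -z "${LINUX_VERSION}" ]; then
  error "No Linux tag"
fi
#DIFF_OPTS="$(git cat-file blob "${SIG_TREE}:params")"
#if [ "$(echo -n "${DIFF_OPTS}" | sed -r 's/(--(patience|full-index) ?)+/'

printf 'Patch: %s\n' "${PATCH}"
printf 'Tree: %s\n' "${NEW_TREE}"
printf 'Linux: %s\n' "${LINUX_VERSION}"

# Extra tag verification.  Checked explicitly rather than relying on -e: if
# the script were ever run without -e, a bad or unknown tag signature would
# be printed and then ignored, and verification would continue as if it had
# passed.
git verify-tag "${ORIG_TAG}" || error "Tag signature check failed for ${ORIG_TAG}"

# Index diff only: the stored delta may contain nothing but diff/hunk headers
# and "index" lines.  Any other surviving line means the delta would alter
# file content, not just blob ids.
if [ "$(sed -r '/^(---|\+\+\+|@@|-index|\+index) /d' <(git cat-file blob "${SIG_TREE}:delta") | wc -l)" -ne 0 ]; then
  err="Suspicious Signature-tree content"
  # TRUST_DELTA=yes in the environment downgrades this to a warning;
  # unset or any other value aborts.
  if [[ "${TRUST_DELTA:-}" != "yes" ]]; then
    error "${err}"
  else
    warning "${err}"
  fi
fi

# Scratch file for the reconstructed patch.  The fallback is a fixed name in
# the working directory, kept for systems without mktemp; it is predictable
# and is later written with a plain ">" redirect, so a working mktemp is the
# only safe path on shared machines.
TMP="$(mktemp 2>/dev/null || echo ./grsec.patch)"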
cleanup() {
  # Remove the scratch patch file exactly once.
  # Globals: TMP (read) - path created by the main flow
  # The traps are disarmed first so the EXIT handler cannot re-enter this
  # after a signal already triggered it.
  # NOTE(review): on QUIT/INT/TERM the handler returns without exiting, so
  # whether the script stops afterwards is presumably left to -e — confirm.
  local scratch="${TMP}"
  trap - QUIT INT TERM EXIT
  rm -f -- "${scratch}" 2>/dev/null
}
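trap cleanup QUIT INT TERM EXIT

# PGP signature: rebuild the exact bytes that were signed — the diff between
# the upstream tag and the new tree, with the stored delta applied on top —
# and check the detached signature against them.  Each reconstruction step
# is checked explicitly so that a failure is reported as such instead of
# surfacing later as a misleading "BAD signature" from gpg.
git diff --patience --full-index "${ORIG_TAG}" "${NEW_TREE}" > "${TMP}" \
  || error "Cannot rebuild the patch from ${ORIG_TAG}"
patch "${TMP}" < <(git cat-file blob "${SIG_TREE}:delta") >/dev/null \
  || error "Cannot apply the Signature-tree delta"
# gpg exits 0 for a good signature made by any key present in the keyring;
# that alone does not establish that the key is the expected signer.  Compare
# the key id / fingerprint gpg reports with the one you expect.
gpg --verify <(git cat-file blob "${SIG_TREE}:sig") "${TMP}"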