Compare commits

...

15 Commits

Author SHA1 Message Date
Brett T. Warden 239d8cd618 Limit diff to ~10 lines
Also include content of added files.
2024-04-15 17:13:34 -07:00
Brett T. Warden 16ee88cb20 Don't write source archive comparison tarball to upstreams file
We only use this for source tree comparison, not part of the build, so
don't add it to the upstreams file.
2024-04-15 16:59:57 -07:00
Brett T. Warden 617c67c388 Make flake8 happy 2024-04-15 16:00:38 -07:00
Brett T. Warden 2cf51ddfb9 Move autogenerated source tree to a versionless directory 2024-04-15 15:54:30 -07:00
Brett T. Warden 6174188098 Fix failure on packages that don't have an autogenerated source tarball 2024-04-15 15:25:16 -07:00
Brett T. Warden 61e16733c8 Capture diffs of dist tarballs vs auto-generated source archives from GitHub 2024-04-15 15:12:17 -07:00
Brett T. Warden 5905be97e8 Fix version parsing for x265 2024-04-12 09:23:30 -07:00
Brett T. Warden 81e1eebe28 Extend key ID matching to expired keys
gpg accepts signatures with expired keys as long as the signature was
made prior to key expiration. But it also changes the status-fd output
format that we grep for the expected key ID. Make sure we look for the
alternate EXPKEYSIG line in the output in that case to find the key ID.
2024-04-12 09:08:10 -07:00
Brett T. Warden 658bd0de10 Add gnupg as a buildreq if we'll need it during build 2024-04-11 16:10:02 -07:00
Brett T. Warden b628caf931 Add Config fields for pkey and signature macros 2024-04-11 12:37:09 -07:00
Brett T. Warden 8142032e7c Fix escaping to satisfy flake 2024-04-11 12:22:59 -07:00
Brett T. Warden 5a302d6c91 Check GPG package signatures during build
Add gpg commands to the specfile so we verify the package signature
during every rpmbuild. Also ensure that the signature key ID matches
what we expect.
2024-04-11 12:22:59 -07:00
William Douglas f56f1fa18d Don't autodetect xz build requirements
Signed-off-by: William Douglas <william.douglas@intel.com>
2024-03-29 15:10:55 -07:00
Brett T. Warden 0c408e7089 Yell louder about known bad signing keys 2024-03-29 11:43:38 -07:00
Brett T. Warden 5471f10f61 Implement blocklist for signing key IDs
Implement a blocklist, keyid_blocklist. If a keyid (without leading 0x)
in this file matches the signing key for a release, terminate autospec
with an error.

This is intended as a mechanism to block building releases signed with a
known compromised key.
2024-03-29 11:43:38 -07:00
9 changed files with 54 additions and 11 deletions
-1
View File
@@ -289,7 +289,6 @@ LibIcal, libical-dev
LibKEduVocDocument, libkeduvocdocument-dev LibKEduVocDocument, libkeduvocdocument-dev
LibKWorkspace, plasma-workspace-dev LibKWorkspace, plasma-workspace-dev
LibKompareDiff2, libkomparediff2-dev LibKompareDiff2, libkomparediff2-dev
LibLZMA, xz-dev
LibNotificationManager, plasma-workspace-dev LibNotificationManager, plasma-workspace-dev
LibObs, obs-studio-dev LibObs, obs-studio-dev
LibTaskManager, plasma-workspace-dev LibTaskManager, plasma-workspace-dev
+4
View File
@@ -115,12 +115,15 @@ class Config(object):
self.old_keyid = None self.old_keyid = None
self.profile_payload = None self.profile_payload = None
self.signature = None self.signature = None
self.signature_macro = None
self.pkey_macro = None
self.yum_conf = None self.yum_conf = None
self.failed_pattern_dir = None self.failed_pattern_dir = None
self.alias = None self.alias = None
self.failed_commands = {} self.failed_commands = {}
self.ignored_commands = {} self.ignored_commands = {}
self.gems = {} self.gems = {}
self.keyid_blocklist = {}
self.license_hashes = {} self.license_hashes = {}
self.license_translations = {} self.license_translations = {}
self.license_blacklist = {} self.license_blacklist = {}
@@ -603,6 +606,7 @@ class Config(object):
read_pattern_conf("license_blacklist", self.license_blacklist, list_format=True, path=path) read_pattern_conf("license_blacklist", self.license_blacklist, list_format=True, path=path)
read_pattern_conf("qt_modules", self.qt_modules, path=path) read_pattern_conf("qt_modules", self.qt_modules, path=path)
read_pattern_conf("cmake_modules", self.cmake_modules, path=path) read_pattern_conf("cmake_modules", self.cmake_modules, path=path)
read_pattern_conf("keyid_blocklist", self.keyid_blocklist, list_format=True, path=path)
def parse_existing_spec(self, name): def parse_existing_spec(self, name):
"""Determine the old version, old patch list, old keyid, and cves from old spec file.""" """Determine the old version, old patch list, old keyid, and cves from old spec file."""
-6
View File
@@ -76,7 +76,6 @@
-lkrb5, krb5-dev -lkrb5, krb5-dev
-lldap, openldap-dev -lldap, openldap-dev
-lldb, ldb-dev -lldb, ldb-dev
-llzma, xz-dev
-llzo, lzo-dev -llzo, lzo-dev
-lmagic, file-dev -lmagic, file-dev
-lmenu, ncurses-dev -lmenu, ncurses-dev
@@ -512,7 +511,6 @@ LIBGCRYPT - version >= 1.5.0, libgcrypt-dev
LIBGD, libgd-dev LIBGD, libgd-dev
LIBICAL, libical-dev LIBICAL, libical-dev
LIBKONQ, kde-baseapps-dev LIBKONQ, kde-baseapps-dev
LIBLZMA, xz-dev
LIBNOTIFY, libnotify-dev LIBNOTIFY, libnotify-dev
LIBPCREVERSION, pcre-dev LIBPCREVERSION, pcre-dev
LIBRSVG, librsvg-dev LIBRSVG, librsvg-dev
@@ -534,7 +532,6 @@ LibExiv2, pkgconfig(exiv2)
LibKEduVocDocument, libkeduvocdocument-dev LibKEduVocDocument, libkeduvocdocument-dev
LibKWorkspace, plasma-workspace-dev LibKWorkspace, plasma-workspace-dev
LibKrb5, krb5-dev LibKrb5, krb5-dev
LibLZMA, xz-dev
LibR, R-dev LibR, R-dev
LibSSH, libssh-dev LibSSH, libssh-dev
LibXml2, libxml2-dev LibXml2, libxml2-dev
@@ -1100,7 +1097,6 @@ libhandy-0.0, libhandy-dev
libiberty.h, binutils-dev libiberty.h, binutils-dev
libkmod.h, kmod-dev libkmod.h, kmod-dev
libksba, libksba-dev libksba, libksba-dev
liblzma, xz-dev
libmnl/libmnl.h, libmnl-dev libmnl/libmnl.h, libmnl-dev
libmpfr, mpfr-dev libmpfr, mpfr-dev
libmspack >= 0.0.20040308alpha (via pkg-config), libmspack-dev libmspack >= 0.0.20040308alpha (via pkg-config), libmspack-dev
@@ -1161,8 +1157,6 @@ lxqt-build-tools, lxqt-build-tools
lxqt-globalkeys, lxqt-globalkeys-dev lxqt-globalkeys, lxqt-globalkeys-dev
lxqt-globalkeys-ui, lxqt-globalkeys-dev lxqt-globalkeys-ui, lxqt-globalkeys-dev
lz4.h, lz4-dev lz4.h, lz4-dev
lzma, xz-dev
lzma.h, xz-dev
lzo/lzoconf.h, lzo-dev lzo/lzoconf.h, lzo-dev
magic, file-dev magic, file-dev
magic.h, file-dev magic.h, file-dev
+1
View File
@@ -113,6 +113,7 @@ def commit_to_git(config, name, success):
call("git add whatrequires", check=False, stderr=subprocess.DEVNULL, cwd=path) call("git add whatrequires", check=False, stderr=subprocess.DEVNULL, cwd=path)
call("git add description", check=False, stderr=subprocess.DEVNULL, cwd=path) call("git add description", check=False, stderr=subprocess.DEVNULL, cwd=path)
call("git add attrs", check=False, stderr=subprocess.DEVNULL, cwd=path) call("git add attrs", check=False, stderr=subprocess.DEVNULL, cwd=path)
call("git add archive.diff", check=False, stderr=subprocess.DEVNULL, cwd=path)
# remove deprecated config files # remove deprecated config files
call("git rm make_install_append", check=False, stderr=subprocess.DEVNULL, cwd=path) call("git rm make_install_append", check=False, stderr=subprocess.DEVNULL, cwd=path)
+1
View File
@@ -0,0 +1 @@
59FCF207FEA7F445
+4
View File
@@ -483,6 +483,10 @@ class GPGVerifier(Verifier):
return None return None
# valid signature exists at package_sign_path, operate on it now # valid signature exists at package_sign_path, operate on it now
keyid = get_keyid(self.package_sign_path) keyid = get_keyid(self.package_sign_path)
if keyid in self.config.keyid_blocklist:
self.print_result(False, err_msg='KNOWNBADACTOR: {}'.format(keyid))
self.quit()
# default location first # default location first
pubkey_loc = self.pubkey_path.format(keyid) pubkey_loc = self.pubkey_path.format(keyid)
cache_key = os.path.join(KEY_CACHE_DIR, pubkey_loc) cache_key = os.path.join(KEY_CACHE_DIR, pubkey_loc)
+15
View File
@@ -159,8 +159,17 @@ class Specfile(object):
# if package is verified, include the signature in the source tarball # if package is verified, include the signature in the source tarball
if self.keyid and self.config.signature: if self.keyid and self.config.signature:
# We'll need gnupg to verify the signature. Need to add it here so it's ready before write_buildreq
self.requirements.add_buildreq("gnupg")
count += 1 count += 1
self._write_strip(f"Source{count} : {self.config.signature}") self._write_strip(f"Source{count} : {self.config.signature}")
self.config.signature_macro = f"%{{SOURCE{count}}}"
# Also include the public key in the source tarball.
count += 1
self._write_strip(f"Source{count} : {self.keyid}.pkey")
self.config.pkey_macro = f"%{{SOURCE{count}}}"
for source in self.config.extra_sources: for source in self.config.extra_sources:
count += 1 count += 1
@@ -430,6 +439,12 @@ class Specfile(object):
def write_prep(self): def write_prep(self):
"""Write prep section to spec file.""" """Write prep section to spec file."""
self._write_strip("%prep") self._write_strip("%prep")
if self.keyid and self.config.signature:
self._write_strip("mkdir .gnupg")
self._write_strip("chmod 700 .gnupg")
self._write_strip(f"gpg --homedir .gnupg --import {self.config.pkey_macro}")
self._write_strip(f"gpg --homedir .gnupg --status-fd 1 --verify {self.config.signature_macro} %{{SOURCE0}} > gpg.status")
self._write_strip(f"grep -E '^\\[GNUPG:\\] (GOODSIG|EXPKEYSIG) {self.keyid}' gpg.status")
self.write_prep_prepend() self.write_prep_prepend()
prefix = self.content.prefixes[self.url] prefix = self.content.prefixes[self.url]
if self.config.default_pattern == 'R': if self.config.default_pattern == 'R':
+26 -2
View File
@@ -26,7 +26,7 @@ import tarfile
import zipfile import zipfile
import download import download
from util import do_regex, get_sha1sum, print_fatal, write_out from util import call, do_regex, get_sha1sum, print_fatal, write_out
class Source(): class Source():
@@ -135,7 +135,7 @@ def convert_version(ver_str, name):
# them out with expensive regular expressions # them out with expensive regular expressions
banned_subs = ["x86.64", "source", "src", "all", "bin", "release", "rh", banned_subs = ["x86.64", "source", "src", "all", "bin", "release", "rh",
"ga", ".ce", "lcms", "onig", "linux", "gc", "sdk", "orig", "ga", ".ce", "lcms", "onig", "linux", "gc", "sdk", "orig",
"jurko", "%2f", "%2F", "%20"] "jurko", "%2f", "%2F", "%20", "x265"]
# package names may be modified in the version string by adding "lib" for # package names may be modified in the version string by adding "lib" for
# example. Remove these from the name before trying to remove the name from # example. Remove these from the name before trying to remove the name from
@@ -184,6 +184,7 @@ class Content():
self.prefixes = dict() self.prefixes = dict()
self.config = config self.config = config
self.base_path = base_path self.base_path = base_path
self.autogenerated_tarball = None
def write_upstream(self, sha, tarfile, mode="w"): def write_upstream(self, sha, tarfile, mode="w"):
"""Write the upstream hash to the upstream file.""" """Write the upstream hash to the upstream file."""
@@ -213,6 +214,14 @@ class Content():
main_src = Source(url, '', src_path, self.config.default_pattern) main_src = Source(url, '', src_path, self.config.default_pattern)
return main_src return main_src
def process_autogenerated_source(self, url):
"""Download any autogenerated source tarball for comparison."""
autogenerated_src = None
if url:
src_path = self.check_or_get_file(url, os.path.basename(url), mode="")
autogenerated_src = Source(url, '../autogenerated-tmp', src_path, self.config.default_pattern)
return autogenerated_src
def print_header(self): def print_header(self):
"""Print header for autospec run.""" """Print header for autospec run."""
print("\n") print("\n")
@@ -295,6 +304,9 @@ class Content():
name = re.sub(r"release-", '', name) name = re.sub(r"release-", '', name)
name = re.sub(r"\d*$", '', name) name = re.sub(r"\d*$", '', name)
self.rawname = name self.rawname = name
# Identify the auto-generated tarball URL for comparison
if "/releases/download/" in self.url:
self.autogenerated_tarball = "https://github.com/" + match.group(1).strip() + "/" + self.repo + "/archive/refs/tags/" + match.group(3).strip() + ".tar.gz"
version = match.group(3).replace(name, '') version = match.group(3).replace(name, '')
if "/archive/" not in self.url: if "/archive/" not in self.url:
version = re.sub(r"^[-_.a-zA-Z]+", "", version) version = re.sub(r"^[-_.a-zA-Z]+", "", version)
@@ -427,3 +439,15 @@ class Content():
archives_src = self.process_archives() archives_src = self.process_archives()
# Extract all sources # Extract all sources
self.extract_sources(main_src, archives_src) self.extract_sources(main_src, archives_src)
# Download and process any auto-generated source-tree archive for comparison
autogenerated_src = self.process_autogenerated_source(self.autogenerated_tarball)
# Extract autogenerated source for comparison
if autogenerated_src:
autogenerated_src.extract(os.path.join(self.base_path, 'autogenerated-tmp'))
# Move the autogenerated source to a non-version-named directory for consistent diffs
call(f"mv autogenerated-tmp/{autogenerated_src.prefix} autogenerated", check=True, cwd=self.base_path)
call("diff -u -r --unidirectional-new-file ../autogenerated ./",
logfile="archive.diff.in", check=False, cwd=os.path.join(self.base_path, main_src.prefix))
call("grep -A14 -E '^(diff|Only in)' archive.diff.in",
logfile="archive.diff", check=False, cwd=os.getcwd())
call("rm archive.diff.in", check=False, cwd=os.getcwd())
+3 -2
View File
@@ -150,8 +150,9 @@ def binary_in_path(binary):
def write_out(filename, content, mode="w"): def write_out(filename, content, mode="w"):
"""File.write convenience wrapper.""" """File.write convenience wrapper."""
with open_auto(filename, mode) as require_f: if mode:
require_f.write(content) with open_auto(filename, mode) as require_f:
require_f.write(content)
def open_auto(*args, **kwargs): def open_auto(*args, **kwargs):