Joshua Root (jmroot) pushed a commit to branch master
in repository macports-base.
<p><a href="https://github.com/macports/macports-base/commit/d9159719d104a7930ef5602c87d66becd6f95917">https://github.com/macports/macports-base/commit/d9159719d104a7930ef5602c87d66becd6f95917</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new d9159719d Add signify support for ports tarball
</span>d9159719d is described below
<span style='display:block; white-space:pre;color:#808000;'>commit d9159719d104a7930ef5602c87d66becd6f95917
</span>Author: Joshua Root <jmr@macports.org>
AuthorDate: Sun Apr 27 13:32:58 2025 +1000
<span style='display:block; white-space:pre;color:#404040;'> Add signify support for ports tarball
</span>---
src/macports1.0/macports.tcl | 122 ++++++++++++++++++++++---------
src/macports1.0/macports_autoconf.tcl.in | 1 +
2 files changed, 88 insertions(+), 35 deletions(-)
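diff --git a/src/macports1.0/macports.tcl b/src/macports1.0/macports.tcl
index 3ed5ee0c4..c1bd34b69 100644
--- a/src/macports1.0/macports.tcl
+++ b/src/macports1.0/macports.tcl
@@ -3315,6 +3315,70 @@ proc macports::chown {path user} {
 }
 }
+proc macports::verify_signature_signify {file pubkey signature} {
+ set verified 0
+ macports_try -pass_signal {
+ set command [list \
+ $macports::autoconf::signify_path -V \
+ -p $pubkey \
+ -x $signature \
+ -m $file]
+ ui_debug "Invoking ${command} to verify signature"
+ exec {*}$command
+ set verified 1
+ ui_debug "$file successfully verified with public key $pubkey"
+ } on error {eMessage} {
+ ui_debug "$file failed to verify with public key $pubkey"
+ ui_debug "signify output: $eMessage"
+ }
+ return $verified
+}
+
+proc macports::verify_signature_openssl {file pubkey signature} {
+ set openssl [findBinary openssl $macports::autoconf::openssl_path]
+ set verified 0
+ macports_try -pass_signal {
+ run_unprivileged {exec $openssl dgst -ripemd160 -verify $pubkey -signature $signature $file}
+ set verified 1
+ ui_debug "successful verification with key $pubkey"
+ } on error {eMessage} {
+ ui_debug "failed verification with key $pubkey"
+ ui_debug "openssl output: $eMessage"
+ }
+ return $verified
+}
+
+proc macports::verify_ports_signature {path} {
+ variable archivefetch_pubkeys
+ set signify_pubkeys [glob -nocomplain -directory $macports::autoconf::macports_keys_ports *.pub]
+ set openssl_pubkeys [list]
+ foreach pubkey $archivefetch_pubkeys {
+ if {[file extension $pubkey] eq ".pub"} {
+ lappend signify_pubkeys $pubkey
+ } elseif {[file extension $pubkey] eq ".pem"} {
+ lappend openssl_pubkeys $pubkey
+ }
+ }
+ ui_debug "Attempting to verify signature for $path"
+ set signify_signature ${path}.sig
+ if {[file isfile $signify_signature]} {
+ foreach signify_pubkey $signify_pubkeys {
+ if {[verify_signature_signify $path $signify_pubkey $signify_signature]} {
+ return
+ }
+ }
+ }
+ set openssl_signature ${path}.rmd160
+ if {[file isfile $openssl_signature]} {
+ foreach openssl_pubkey $openssl_pubkeys {
+ if {[verify_signature_openssl $path $openssl_pubkey $openssl_signature]} {
+ return
+ }
+ }
+ }
+ error "No known key verified signature for $path"
+}
+
 proc mportsync {{options {}}} {
 global macports::sources macports::ui_prefix \
 macports::os_platform macports::os_major \
@@ -3382,7 +3446,7 @@ proc mportsync {{options {}}} {
 if {$extension eq "tar"} {
 set filename $(unknown).gz
 }
- set include_option "--include=/$(unknown) --include=/$(unknown).rmd160"
+ set include_option "--include=/$(unknown) --include=/$(unknown).rmd160 --include=/$(unknown).sig"
 # need to do a few things before replacing the ports tree in this case
 set extractdir [file dirname $destdir]
 set destdir [file join $extractdir remote]
@@ -3417,12 +3481,12 @@ proc mportsync {{options {}}} {
 }
 if {$is_tarball} {
- global macports::archivefetch_pubkeys macports::hfscompression macports::autoconf::openssl_path
+ global macports::hfscompression
 set tarball [file join $destdir $filename]
 # Fetch plain .tar if .tar.gz is missing
 if {![file isfile $tarball]} {
 set filename [file rootname $filename]
- set include_option "--include=/$(unknown) --include=/$(unknown).rmd160"
+ set include_option "--include=/$(unknown) --include=/$(unknown).rmd160 --include=/$(unknown).sig"
 set rsync_commandline "$rsync_path $rsync_options $include_option $exclude_option $srcstr $destdir"
 macports_try -pass_signal {
 macports::run_unprivileged {system $rsync_commandline}
@@ -3439,21 +3503,7 @@ proc mportsync {{options {}}} {
 }
 }
 # verify signature for tarball
- set signature ${tarball}.rmd160
- set openssl [macports::findBinary openssl $openssl_path]
- set verified 0
- foreach pubkey $archivefetch_pubkeys {
- macports_try -pass_signal {
- macports::run_unprivileged {exec $openssl dgst -ripemd160 -verify $pubkey -signature $signature $tarball}
- set verified 1
- ui_debug "successful verification with key $pubkey"
- break
- } on error {eMessage} {
- ui_debug "failed verification with key $pubkey"
- ui_debug "openssl output: $eMessage"
- }
- }
- if {!$verified} {
+ if {[catch {macports::verify_ports_signature ${tarball}}]} {
 ui_error "Failed to verify signature for ports tree!"
 incr numfailed
 continue
@@ -3506,7 +3556,7 @@ proc mportsync {{options {}}} {
 if {$is_tarball} {
 # chop ports.tar off the end
 set index_source [string range $source 0 end-[string length [file tail $source]]]
- set include_option "--include=/PortIndex.rmd160 ${include_option}"
+ set include_option "--include=/PortIndex.rmd160 --include=/PortIndex.sig ${include_option}"
 } else {
 set index_source $source
 }
@@ -3521,24 +3571,13 @@ proc mportsync {{options {}}} {
 set ok 0
 set needs_portindex true
 # verify signature for PortIndex
- foreach pubkey $archivefetch_pubkeys {
- macports_try -pass_signal {
- macports::run_unprivileged {
- exec $openssl dgst -ripemd160 -verify $pubkey \
- -signature ${destdir}/PortIndex.rmd160 ${destdir}/PortIndex
- }
- set ok 1
- set needs_portindex false
- ui_debug "successful verification with key $pubkey"
- break
- } on error {eMessage} {
- ui_debug "failed verification with key $pubkey"
- ui_debug "openssl output: $eMessage"
- }
- }
- if {$ok} {
+ if {![catch {macports::verify_ports_signature ${destdir}/PortIndex}]} {
 # move PortIndex into place
 file rename -force ${destdir}/PortIndex ${extractdir}/ports/
+ set ok 1
+ set needs_portindex false
+ } else {
+ ui_debug "failed signature verification for PortIndex"
 }
 }
 if {$ok} {
@@ -3600,6 +3639,19 @@ proc mportsync {{options {}}} {
 incr numfailed
 continue
 }
+ # TODO: signatures are not yet deployed for daily tarball
+ #macports_try -pass_signal {
+ # curl fetch {*}$progressflag ${source}.sig ${tarpath}.sig
+ #} on error {eMessage} {
+ # ui_error [msgcat::mc "Fetching %s failed: %s" ${source}.sig $eMessage]
+ # incr numfailed
+ # continue
+ #}
+ #if {[catch {macports::verify_ports_signature $tarpath}]} {
+ # ui_error "Verifying signature failed for ${source}"
+ # incr numfailed
+ # continue
+ #}
 
 set extflag {}
 switch -- $extension {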
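Review bot: `verify_signature_signify` runs `exec {*}$command` with the calling process's own privileges, while the sibling `verify_signature_openssl` added in the same hunk wraps its exec in `run_unprivileged`; both operate on the tarball and signature files that the later hunks fetch over rsync, and mportsync is presumably often run as root, so the signify invocation should be dropped to the same level: `run_unprivileged {exec {*}$command}`. When a `.sig` file exists but fails against every key, `verify_ports_signature` silently falls through to the `.rmd160`/openssl path, so a log line before the openssl loop such as `ui_debug "signify verification unavailable or failed for $path, trying openssl signature"` would record which scheme actually accepted the file while both are trusted. Whether `$macports::autoconf::signify_path` can be empty on a system without signify is not visible here; if it can, the resulting exec error is caught and treated as a failed verification, which is reasonable but deserves a comment on the `exec` line saying so.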
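diff --git a/src/macports1.0/macports_autoconf.tcl.in b/src/macports1.0/macports_autoconf.tcl.in
index 5cd3813c6..3da558762 100644
--- a/src/macports1.0/macports_autoconf.tcl.in
+++ b/src/macports1.0/macports_autoconf.tcl.in
@@ -39,6 +39,7 @@ namespace eval macports::autoconf {
 variable gzip_path "@GZIP_BIN@"
 variable macports_conf_path "@MPCONFIGDIR_EXPANDED@"
 variable macports_keys_base "@prefix_expanded@/share/macports/keys/base"
+ variable macports_keys_ports "@prefix_expanded@/share/macports/keys/ports"
 variable macports_user_dir "~/.macports"
 variable macports_version "@MACPORTS_VERSION@"
 variable macportsuser "@RUNUSR@"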