<pre style='margin:0'>
Joshua Root (jmroot) pushed a commit to branch master
in repository macports-base.

</pre>
<p><a href="https://github.com/macports/macports-base/commit/d9159719d104a7930ef5602c87d66becd6f95917">https://github.com/macports/macports-base/commit/d9159719d104a7930ef5602c87d66becd6f95917</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'>     new d9159719d Add signify support for ports tarball
</span>d9159719d is described below

<span style='display:block; white-space:pre;color:#808000;'>commit d9159719d104a7930ef5602c87d66becd6f95917
</span>Author: Joshua Root <jmr@macports.org>
AuthorDate: Sun Apr 27 13:32:58 2025 +1000

<span style='display:block; white-space:pre;color:#404040;'>    Add signify support for ports tarball
</span>---
 src/macports1.0/macports.tcl             | 122 ++++++++++++++++++++++---------
 src/macports1.0/macports_autoconf.tcl.in |   1 +
 2 files changed, 88 insertions(+), 35 deletions(-)

<span style='display:block; white-space:pre;color:#808080;'>diff --git a/src/macports1.0/macports.tcl b/src/macports1.0/macports.tcl
</span><span style='display:block; white-space:pre;color:#808080;'>index 3ed5ee0c4..c1bd34b69 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/src/macports1.0/macports.tcl
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/src/macports1.0/macports.tcl
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3315,6 +3315,70 @@ proc macports::chown {path user} {
</span>     }
 }
 
<span style='display:block; white-space:pre;background:#e0ffe0;'>+proc macports::verify_signature_signify {file pubkey signature} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    set verified 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    macports_try -pass_signal {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        set command [list \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            $macports::autoconf::signify_path -V \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            -p $pubkey \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            -x $signature \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            -m $file]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        ui_debug "Invoking ${command} to verify signature"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        exec {*}$command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        set verified 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        ui_debug "$file successfully verified with public key $pubkey"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    } on error {eMessage} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        ui_debug "$file failed to verify with public key $pubkey"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        ui_debug "signify output: $eMessage"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    return $verified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proc macports::verify_signature_openssl {file pubkey signature} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    set openssl [findBinary openssl $macports::autoconf::openssl_path]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    set verified 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    macports_try -pass_signal {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        run_unprivileged {exec $openssl dgst -ripemd160 -verify $pubkey -signature $signature $file}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        set verified 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        ui_debug "successful verification with key $pubkey"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    } on error {eMessage} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        ui_debug "failed verification with key $pubkey"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        ui_debug "openssl output: $eMessage"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    return $verified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proc macports::verify_ports_signature {path} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    variable archivefetch_pubkeys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    set signify_pubkeys [glob -nocomplain -directory $macports::autoconf::macports_keys_ports *.pub]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    set openssl_pubkeys [list]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    foreach pubkey $archivefetch_pubkeys {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        if {[file extension $pubkey] eq ".pub"} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            lappend signify_pubkeys $pubkey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        } elseif {[file extension $pubkey] eq ".pem"} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            lappend openssl_pubkeys $pubkey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    ui_debug "Attempting to verify signature for $path"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    set signify_signature ${path}.sig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    if {[file isfile $signify_signature]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        foreach signify_pubkey $signify_pubkeys {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            if {[verify_signature_signify $path $signify_pubkey $signify_signature]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                return
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    set openssl_signature ${path}.rmd160
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    if {[file isfile $openssl_signature]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        foreach openssl_pubkey $openssl_pubkeys {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            if {[verify_signature_openssl $path $openssl_pubkey $openssl_signature]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                return
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+        }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+    error "No known key verified signature for $path"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> proc mportsync {{options {}}} {
     global macports::sources macports::ui_prefix \
            macports::os_platform macports::os_major \
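Review bot: `exec {*}$command` in verify_signature_signify runs the verifier with the caller's privileges, while verify_signature_openssl a few lines below (and the openssl code this commit removes) wraps the call in `run_unprivileged`; both procs check files that were just fetched from a remote source, so the signify call should be `run_unprivileged {exec {*}$command}` as well. `$macports::autoconf::signify_path` is also used with no `findBinary` fallback and no existence check, and the autoconf change in this commit adds only `macports_keys_ports`; if `signify_path` is not already defined or points at a missing binary, the `on error` handler records that at debug level only and verify_ports_signature falls through to the openssl keys, so a missing tool is indistinguishable from a bad signature. A `file executable` check on the signify path before the `foreach signify_pubkey` loop, reported with `ui_warn`, would make that failure visible. Separately, when `${path}.sig` is present but matches no key the proc still accepts a valid `.rmd160`, so a stale or tampered `.sig` silently degrades to the older scheme; logging that case at warn level rather than debug would let an operator notice it.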
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3382,7 +3446,7 @@ proc mportsync {{options {}}} {
</span>                     if {$extension eq "tar"} {
                         set filename $(unknown).gz
                     }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-                    set include_option "--include=/$(unknown) --include=/$(unknown).rmd160"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                    set include_option "--include=/$(unknown) --include=/$(unknown).rmd160 --include=/$(unknown).sig"
</span>                     # need to do a few things before replacing the ports tree in this case
                     set extractdir [file dirname $destdir]
                     set destdir [file join $extractdir remote]
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3417,12 +3481,12 @@ proc mportsync {{options {}}} {
</span>                 }
 
                 if {$is_tarball} {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-                    global macports::archivefetch_pubkeys macports::hfscompression macports::autoconf::openssl_path
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                    global macports::hfscompression
</span>                     set tarball [file join $destdir $filename]
                     # Fetch plain .tar if .tar.gz is missing
                     if {![file isfile $tarball]} {
                         set filename [file rootname $filename]
<span style='display:block; white-space:pre;background:#ffe0e0;'>-                        set include_option "--include=/$(unknown) --include=/$(unknown).rmd160"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                        set include_option "--include=/$(unknown) --include=/$(unknown).rmd160 --include=/$(unknown).sig"
</span>                         set rsync_commandline "$rsync_path $rsync_options $include_option $exclude_option $srcstr $destdir"
                         macports_try -pass_signal {
                             macports::run_unprivileged {system $rsync_commandline}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3439,21 +3503,7 @@ proc mportsync {{options {}}} {
</span>                         }
                     }
                     # verify signature for tarball
<span style='display:block; white-space:pre;background:#ffe0e0;'>-                    set signature ${tarball}.rmd160
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                    set openssl [macports::findBinary openssl $openssl_path]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                    set verified 0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                    foreach pubkey $archivefetch_pubkeys {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                        macports_try -pass_signal {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            macports::run_unprivileged {exec $openssl dgst -ripemd160 -verify $pubkey -signature $signature $tarball}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            set verified 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            ui_debug "successful verification with key $pubkey"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            break
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                        } on error {eMessage} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            ui_debug "failed verification with key $pubkey"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            ui_debug "openssl output: $eMessage"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                        }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                    }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                    if {!$verified} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                    if {[catch {macports::verify_ports_signature ${tarball}}]} {
</span>                         ui_error "Failed to verify signature for ports tree!"
                         incr numfailed
                         continue
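Review bot: `catch {macports::verify_ports_signature ${tarball}}` discards the error text, so the reason produced by verify_ports_signature (`No known key verified signature for …`, or an unexpected Tcl error such as an undefined variable) never reaches the user; only the generic `ui_error` on the next line is printed. Capturing it with `if {[catch {macports::verify_ports_signature ${tarball}} result]} {` and appending `$result` to the `ui_error` message keeps the diagnostic without changing control flow. The same pattern appears in the PortIndex hunk at `macports::verify_ports_signature ${destdir}/PortIndex`, where the new `else` branch only logs at debug level. mportsync begins and ends outside this hunk.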
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3506,7 +3556,7 @@ proc mportsync {{options {}}} {
</span>                     if {$is_tarball} {
                         # chop ports.tar off the end
                         set index_source [string range $source 0 end-[string length [file tail $source]]]
<span style='display:block; white-space:pre;background:#ffe0e0;'>-                        set include_option "--include=/PortIndex.rmd160 ${include_option}"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                        set include_option "--include=/PortIndex.rmd160 --include=/PortIndex.sig ${include_option}"
</span>                     } else {
                         set index_source $source
                     }
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3521,24 +3571,13 @@ proc mportsync {{options {}}} {
</span>                             set ok 0
                             set needs_portindex true
                             # verify signature for PortIndex
<span style='display:block; white-space:pre;background:#ffe0e0;'>-                            foreach pubkey $archivefetch_pubkeys {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                macports_try -pass_signal {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    macports::run_unprivileged {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                        exec $openssl dgst -ripemd160 -verify $pubkey \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                            -signature ${destdir}/PortIndex.rmd160 ${destdir}/PortIndex
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    set ok 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    set needs_portindex false
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    ui_debug "successful verification with key $pubkey"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    break
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                } on error {eMessage} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    ui_debug "failed verification with key $pubkey"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                    ui_debug "openssl output: $eMessage"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                                }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                            if {$ok} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                            if {![catch {macports::verify_ports_signature ${destdir}/PortIndex}]} {
</span>                                 # move PortIndex into place
                                 file rename -force ${destdir}/PortIndex ${extractdir}/ports/
<span style='display:block; white-space:pre;background:#e0ffe0;'>+                                set ok 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                                set needs_portindex false
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                            } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                                ui_debug "failed signature verification for PortIndex"
</span>                             }
                         }
                         if {$ok} {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3600,6 +3639,19 @@ proc mportsync {{options {}}} {
</span>                     incr numfailed
                     continue
                 }
<span style='display:block; white-space:pre;background:#e0ffe0;'>+                # TODO: signatures are not yet deployed for daily tarball
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #macports_try -pass_signal {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #    curl fetch {*}$progressflag ${source}.sig ${tarpath}.sig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #} on error {eMessage} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #    ui_error [msgcat::mc "Fetching %s failed: %s" ${source}.sig $eMessage]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #    incr numfailed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #    continue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #if {[catch {macports::verify_ports_signature $tarpath}]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #    ui_error "Verifying signature failed for ${source}"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #    incr numfailed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #    continue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                #}
</span> 
                 set extflag {}
                 switch -- $extension {
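Review bot: Leaving the verification block commented out means the tarball referenced as `$tarpath` in this branch is extracted with no signature check at all, and the TODO line does not say that this fetch path is currently unverified, unlike the rsync path which now fails on `verify_ports_signature`. Commented-out code in the tree also tends to rot silently; recording the gap as `# TODO: signatures are not yet deployed for the daily tarball; this fetch path is currently unverified` and keeping the intended implementation in the tracking issue would be clearer. mportsync continues outside this hunk, so the fetch the commented code would follow is not visible here.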
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/src/macports1.0/macports_autoconf.tcl.in b/src/macports1.0/macports_autoconf.tcl.in
</span><span style='display:block; white-space:pre;color:#808080;'>index 5cd3813c6..3da558762 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/src/macports1.0/macports_autoconf.tcl.in
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/src/macports1.0/macports_autoconf.tcl.in
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -39,6 +39,7 @@ namespace eval macports::autoconf {
</span>     variable gzip_path "@GZIP_BIN@"
     variable macports_conf_path "@MPCONFIGDIR_EXPANDED@"
     variable macports_keys_base "@prefix_expanded@/share/macports/keys/base"
<span style='display:block; white-space:pre;background:#e0ffe0;'>+    variable macports_keys_ports "@prefix_expanded@/share/macports/keys/ports"
</span>     variable macports_user_dir "~/.macports"
     variable macports_version "@MACPORTS_VERSION@"
     variable macportsuser "@RUNUSR@"
</pre><pre style='margin:0'>

</pre>