Script Index


/var/lib/sorcery/modules/libunpack

These functions can be used in the PRE_BUILD, BUILD, POST_BUILD and POST_INSTALL sections of spells.

Original version Copyright 2001 by Kyle Sallee
Additions/Corrections Copyright 2002 by the Source Mage Team
New World libunpack Additions/Corrections by Seth Woolley (2005)

Libgrimoire

Synopsis

Set of functions containing the spell writing API.


function real_unpack_file()

Parameters:

Type

API

Description

unpack_file takes the SOURCE suffix and figures out if it is supposed to hash or gpg check it -- then it does its dirty work and runs unpack_hash or unpack_gpg depending upon the circumstances. That's the only argument it takes and needs: '' '2' '3', etc. It is run in default_pre_build for the null argument only. Custom unpacking still requires a custom PRE_BUILD.

valid formats: vendor-provided gpg, guru-provided gpg, any hash-algorithm provided by gpg (currently md5, sha1, sha256, sha384, sha512, ripemd160)

    SOURCE=blah
    SOURCE2=blah.asc
    SOURCE_URL=http://blah.com/$SOURCE
    SOURCE2_URL=http://blah.com/$SOURCE2
    SOURCE_GPG=blah.gpg:$SOURCE2:UPSTREAM_KEY
    SOURCE2_IGNORE=signature # for auditing purposes

    SOURCE=blah
    SOURCE_URL=http://blah.com/$SOURCE
    SOURCE_GPG=swoolley.gpg:$SOURCE.asc:WORKS_FOR_ME

    SOURCE=blah
    SOURCE_URL=http://blah.com/$SOURCE
    MD5[0]=d41d8cd98f00b204e9800998ecf8427e

    SOURCE=blah
    SOURCE_URL=http://blah.com/$SOURCE
    SOURCE_HASH=md5:d41d8cd98f00b204e9800998ecf8427e:WORKS_FOR_ME

In GPG mode: Validates the verification level (the third parameter) and the hash algorithm against user defined lists. It finds the public key and signature using locate_spell_file, then it validates it at the beginning. See unpack_gpg().

In HASH mode: Validates the verification level (the third parameter) and the hash algorithm against user defined lists. It uses gpg to calculate the hash value except for md5 and sha1, which coreutils provides. See unpack_hash().

In IGNORE mode: It checks for the following text as reasons for ignoring the source code validation:

    volatile      (for cvs/svn/any-other-scm)
    unversioned   (the source file changes frequently, but not a direct scm)
    signature     (for gnupg signatures)

Signatures are silently ignored. Everything else respects MD5SUM_DL. See unpack_ignore.

Otherwise, it falls back to MISSING mode, see unpack_missing.

(or for now) Otherwise, it falls back to old uncompressed md5sum check with MD5[n]. See real_unpack().

The default verification level is "WORKS_FOR_ME".

Verification levels indicate how much effort was put into validating the integrity of the source from the upstream vendor:

    WORKS_FOR_ME               No verification was done.
    UPSTREAM_HASH              Checked the upstream hash file
    UPSTREAM_KEY               Checked upstream (gpg) key, signature matched, but the key was not validated
    ESTABLISHED_UPSTREAM_KEY   Upstream key was not validated against multiple independent sources, but has been in use for several years
    VERIFIED_UPSTREAM_KEY      Upstream key id was verified against multiple independent sources.
    ID_CHECK_UPSTREAM_KEY      Key was verified in person with a photo id check.

Also if you want to include more than one signature, hash, etc, just put a 2, 3, 4, etc on the end of the variable like so: SOURCE2_HASH2=...

For cascading, currently it will still ask abort questions: a no abort will make it fail over all cascades; a yes abort will have it skip to the next cascades. Missing binaries or other failures like that (error 200 below) will silently fail over to the next check.

The cascade order is: GPG, HASH, IGNORE, MISSING

The cascade setup allows you to place a higher bit checksum earlier in the cascade and even if the binary doesn't work it will just print out an abort query which can be said no to and it will continue to fail over to the lower bit checksum that should be available in coreutils (like sha1/md5). That's if you're not using gpg, which is preferred.

If multiple hashes of different ciphers are included, the user can abort on either that goes bad, so it can be considered a security increase to have more than one, but only if the harder cipher is first in the cascade order, as the first successful hash match will go ahead and prompt an untarball. I may change it later, but for now I think first successful match skipping the rest is least intrusive, and I'd need to add an interface element to let the user choose to run all checks on a single source.
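
The HASH-mode rules described above, as an added shell sketch that is not sorcery's own code: it parses an algorithm:digest:LEVEL value, checks the level against an allowed list, and walks a cascade in which error 200 fails over and the first match wins. Assumptions: check_source_hash, verify_cascade, demo and ALLOWED_LEVELS are hypothetical names, only the coreutils *sum tools are used (no gpg), and a mismatch stops the cascade instead of prompting the user.

```sh
# Added illustration, not sorcery's code; all function names are hypothetical.
ALLOWED_LEVELS="UPSTREAM_HASH UPSTREAM_KEY VERIFIED_UPSTREAM_KEY WORKS_FOR_ME"

# check_source_hash FILE "algo:hexdigest[:LEVEL]"
# Returns 0 on match, 1 on mismatch or disallowed level, 200 when the tool
# is unavailable (the fail-over error the page mentions).
check_source_hash() {
    file=$1; spec=$2
    algo=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}
    level=WORKS_FOR_ME                    # the page's default level
    case $rest in *:*) level=${rest#*:} ;; esac
    case " $ALLOWED_LEVELS " in *" $level "*) ;; *) return 1 ;; esac
    case $algo in
        md5|sha1|sha256|sha384|sha512) tool=${algo}sum ;;  # coreutils only
        *) return 200 ;;
    esac
    command -v "$tool" >/dev/null 2>&1 || return 200
    got=$("$tool" < "$file") || return 200
    [ "${got%% *}" = "$want" ]
}

# verify_cascade FILE SPEC...  Prints the algorithm that matched.
# 200 fails over silently; the first match skips the remaining checks.
# Assumption: a mismatch stops the cascade instead of asking the user.
verify_cascade() {
    file=$1; shift
    for spec in "$@"; do
        rc=0
        check_source_hash "$file" "$spec" || rc=$?
        case $rc in
            0)   echo "${spec%%:*}"; return 0 ;;
            200) continue ;;
            *)   return 1 ;;
        esac
    done
    return 1
}

# Constructed sample: an empty file, with the strongest hash listed first.
demo() {
    tmp=$(mktemp) || return 1
    status=0
    verify_cascade "$tmp" "ripemd160:00:UPSTREAM_HASH" \
        "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855:UPSTREAM_HASH" \
        "md5:d41d8cd98f00b204e9800998ecf8427e:WORKS_FOR_ME" || status=$?
    rm -f "$tmp"
    return $status
}
```

Calling demo shows why ordering matters: the unavailable ripemd160 check is skipped, sha256 matches, and the weaker md5 entry is never consulted.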


function real_verify_file()

Parameters:

Type

API

Description

Does the work of verifying a file with the new-world verification system.


function uncompress_core()

Parameters:

Stdout

uncompressed

Description

Just uncompresses the file, but does not expand it. i.e. bunzip it, but don't untar it. It dumps the expanded file to stdout. Note: zip is a special case because it doesn't work with streams.


function unpack_core()

Parameters:

Stdout

uncompressed

Description

unpack_core takes the uncompressed stream and turns it into the fully unarchived form. Note: zip is a special case because it doesn't work with streams.


function real_guess_compressor()

Parameters:

Stdout

compressor

Type

API

Description

Guesses what program was used to compress a file. The return value is always success because of how `file' works.


function real_uncompress()

Parameters:

Type

API

Description

Used to be uncompress_md5(), now it is uncompress_core()


function unpack_spell_required()

Parameters:

Description

Returns 200 if the user says not to Abort in the face, otherwise


function is_allowed_verf_level()

Parameters:

Description

Returns 0 if the specified verification level is in the user's list of allowed verification levels, or if they allow unknown verification levels; returns 1 otherwise.


function is_allowed_hash()

Parameters:

Description

First checks if the hash is in the user-specified list in an on state, then checks if the hash is there in an off state. If it can't find either, it checks the state of VRF_ALLOW_NEW_HASHES to see if we should succeed or not. Returns 0 if the hash is allowed, or if VRF_ALLOW_NEW_HASHES is on and the hash is not present in the hash list.


function unpack_gpg()

Parameters:

Description

Given a file, unpack checks the gpg signature for that file, and, if appropriate, runs the decompression program for that file, as well as untar'ing the file. Note: zip is a special case because it doesn't work with streams.


function unpack_hash()

Parameters:

Description

Given a file, unpack checks the hash for that file, and, if appropriate, runs the decompression program for that file, as well as untar'ing the file. Note: zip is a special case because it doesn't work with streams.


function hash_user_query()

Parameters:

Description

Does some basic output to tell the user what failed and how, then calls unpack_file_user_query. Returns 0 if hash succeeded; otherwise returns 1 if unpack_file_user_query fails.


function unpack_file_user_query()

Parameters:

Description

Checks MD5SUM_DL to decide whether to abort or not. Returns what query returns if it's called.


function unpack_ignore()

Parameters:

Description

Given a file, unpack checks the ignore rules for that file, and, if appropriate, runs the decompression program for that file, as well as untar'ing the file. Note: zip is a special case because it doesn't work with streams.


function unpack_missing()

Parameters:

Description

Given a file, unpack checks the ignore rules for that file, and, if appropriate, runs the decompression program for that file, as well as untar'ing the file. Note: zip is a special case because it doesn't work with streams.


function uncompress_unpack_cache()

Parameters:

Description

Given a cache file, runs the decompression and the unarchival program on it. A wrapper around uncompress_unpack


function uncompress_unpack()

Parameters:

Description

'root' if you already have an absolute path

Given a file, runs the decompression program for that file, as well as untar'ing the file.


function real_unpack_file_simple()

Parameters:

Description

Interface to unpack a file without any verification.


function locate_spell_file()

Parameters:

Stdout

the real path of the file (sometimes relative to CWD)

Description

Given a file, locate_spell_file finds out where it really is within the spell hierarchy down to the grimoire root, and then tries cwd and then the source cache.


function real_unpack()

Parameters:

Type

API

Description

Given a file, unpack runs the decompression program for that file, as well as untar'ing the file if appropriate and if the MD5 matches. Note: zip is a special case because it doesn't work with streams.


function uncompress_md5()

Parameters:

Stdout

uncompressed

Description

Uncompress_md5 dumps the expanded file via tee to md5_tar_check where it is gobbled up by the bitbucket. It also dumps the main stream out to stdout.


function md5_tar_check()

Parameters:

Description

Checks that the stdin matches the argument. Note that DEBUG output may disappear if it's /dev/stderr due to uncompress' 2>/dev/null.