Fix source verification
The 'verify-sources' target was broken: even when gpgv exited with a failure,
the recipe only printed an error message and then continued without
interrupting the build (because "exit 1" inside a subshell created by '('
terminates only that subshell).

Fix that by carefully verifying all the files just after downloading
them and removing them if verification fails. A side effect of this
change is that the 'verify-sources' target is no longer needed at all:
whenever sources are downloaded they are verified, so there is no way to
forget about it.

Thanks obotobo@openmailbox.org for the report and the idea how to fix
this!
marmarek committed May 18, 2016
1 parent e323546 commit b48118b
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions Makefile
Expand Up @@ -93,21 +93,24 @@ endif
get-sources: $(ALL_FILES)
git submodule update --init --recursive

$(ALL_FILES):
@wget -qN $(ALL_URLS)

import-keys:
@if [ -n "$$GNUPGHOME" ]; then rm -f "$$GNUPGHOME/vmm-xen-trustedkeys.gpg"; fi
@gpg --no-auto-check-trustdb --no-default-keyring --keyring vmm-xen-trustedkeys.gpg -q --import *-key.asc

verify-sources: import-keys verify-sources-sig verify-sources-sum
verify-sources:
@true

$(SIGN_FILE) $(GRUB_FILE)$(GRUB_SIGN_SUFF) $(LWIP_FILE)$(LWIP_SIGN_SUFF) $(GMP_FILE)$(GMP_SIGN_SUFF): %:
@wget -qN $(filter %$@,$(ALL_URLS))

verify-sources-sig: $(SRC_FILE) $(GRUB_FILE) $(LWIP_FILE) $(GMP_FILE)
@for f in $^; do gpgv --keyring vmm-xen-trustedkeys.gpg $$f.sig $$f 2>/dev/null || (echo "Wrong signature on $$f!"; exit 1); done
$(SRC_FILE) $(GRUB_FILE) $(LWIP_FILE) $(GMP_FILE): %: %.sig import-keys
@wget -qN $(filter %$@,$(ALL_URLS))
@gpgv --keyring vmm-xen-trustedkeys.gpg $< $@ 2>/dev/null || { rm -f $@; echo "Wrong signature on $*!"; exit 1; }

verify-sources-sum: $(NEWLIB_FILE) $(ZLIB_FILE) $(OCAML_FILE) $(GC_FILE) $(VTPM_FILE) $(TBOOT_FILE) $(PCIUTILS_FILE) $(POLARSSL_FILE)
@for f in $^; do sha1sum --quiet -c $$f.sha1sum || exit 1; done

$(NEWLIB_FILE) $(ZLIB_FILE) $(OCAML_FILE) $(GC_FILE) $(VTPM_FILE) $(TBOOT_FILE) $(PCIUTILS_FILE) $(POLARSSL_FILE): %: %.sha1sum
@wget -qN $(filter %$@,$(ALL_URLS))
@sha1sum --quiet -c $< || { rm -f $@; exit 1; }

.PHONY: clean-sources
clean-sources:
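Review bot: In the two new download rules (`… : %: %.sig import-keys` and `… : %: %.sha1sum`), `wget -qN` writes straight to `$@` on its own recipe line, so if wget itself fails after a partial write the `rm -f $@` branch on the next line is never reached and an unverified file stays under its final name. For the sha1sum rule that leftover may then look up to date on the next run and skip the check, unless `.DELETE_ON_ERROR:` is set elsewhere in the Makefile; the gpgv rule appears to be re-run each time only because `import-keys` is not a file. Joining download and check into one recipe line, e.g. `@wget -qN $(filter %$@,$(ALL_URLS)) && sha1sum --quiet -c $< || { rm -f $@; exit 1; }`, or adding `.DELETE_ON_ERROR:`, would close that gap. Separately, `verify-sources` now succeeds via `@true` without checking anything, so existing callers get a false pass; `verify-sources: $(ALL_FILES)` would keep it meaningful. Dropping `2>/dev/null` from the gpgv line would also let the failure reason (missing key versus bad signature) reach the build log.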